Click to play, the next big problem for many smaller, companies
gijskruitbosch at gmail.com
Tue Sep 10 15:54:23 UTC 2013
On 10/09/13 05:26, Jesse Ruderman wrote:
> On Mon, Sep 9, 2013 at 3:47 PM, Larissa Co <lco at mozilla.com> wrote:
>> We are planning on distinguishing between regular plugins
>> like yours, and plugins we believe are particularly vulnerable. For those
>> plugins, we'll make it harder for the user to allow the plugin long term.
> Perhaps Firefox could also consider whether the plugin was loaded by
> the main page or by a third-party iframe. Stealthy attacks involving
> ad networks are likely to be the latter.
At least 2-3 years ago, when I still worked for a web company that used
ads, a lot of ad networks (as well as stats/tracking networks, which
were sometimes required by yet other ad networks to have "independent"
verification of visiting numbers etc.) just used a script that needs to
be included with a script tag, often enough outside of iframes in the
real world. They do sometimes then create their own iframes, but if the
network is compromised, obviously the compromise needn't be limited to
I don't know that we could reliably detect what created a plugin
<object>, and even if we added third-party detection there, depending on
how we do it, it might break legitimate things like Google's CDN hosting