[CentOS] FireFox and Plugins

Thu Nov 3 19:28:04 UTC 2016
Phil Wyett <philwyett.hemisphere at gmail.com>

On Thu, 2016-11-03 at 06:13 -0700, Alice Wonder wrote:
> On 11/03/2016 05:28 AM, Phil Wyett wrote:
> > On Wed, 2016-11-02 at 21:37 -0700, Alice Wonder wrote:
> >> While doing a browser fingerprinting survey, I was quite surprised to
> >> see I actually have a FireFox plugin installed.
> >>
> >> The culprit is
> >>
> >> /usr/lib64/mozilla/plugins/librhythmbox-itms-detection-plugin.so
> >>
> >> It appears that whoever maintains the rhythmbox RPM has chosen not to
> >> package the browser plugin separately like it probably should be. So if
> >> I have the rhythmbox RPM installed, I have the plugin.
> >>
> >> This is rather worrisome because I can find no trace of the plugin in
> >> the Mozilla preferences panel, so if it is there it is very well hidden
> >> and if it really isn't there, it can't be disabled there.
> >>
> >> Is there some kind of blacklist file I can put in
> >> /usr/lib64/mozilla/plugins/ or ~/.mozilla/plugins/ to specifically tell
> >> FireFox not to load that plugin, or do I have to uninstall rhythmbox?
> >>
> >> Thank you for suggestions.
> >>
> >> PS does anyone actually have a real world use for an itms detection plugin?
> >
> > Hi,
> >
> > It is possible to rebuild the package ( for CentOS 7) and disable this
> > plugin being built.
> 
> Yes but then any update to rhythmbox would re-install it and it would 
> become a pattern of build, rinse, repeat.
> 
> Hopefully the bugzilla I filed will result in an update being pushed 
> with the plugin either gone or available in a separate package for those 
> who do want it.

Hi,

Sometimes we are only left with the wash, rinse, repeat, though not
ideal. This was a regular for me until I fully moved away from 6.x.

However...

You can update your bugzilla entry as affecting 7.3 also. The 3.3.1-5
build in RHEL 7.3 has the same issue as you reported it.

Note: All patches attached are against 7.3 rhythmbox 3.3.1-5 located on
git.centos.org.

There are a number of scenarios.

Scenario 01:

Disable the plugin, so it is not built and thus removed from RHEL/CentOS
7 altogether. Not something that is likely to be done, taking away a
feature.

Attached patch referenced below does this:

0001-Scenario-01-Disable-building-of-browser-plugin.patch

Scenario 02:

Move the browser plugin into a separate package. Not sure about the
vendor wanting to do this, but is a viable option.

Attached patch referenced below does this:

0001-Scenario-02-Browser-plugin-as-seperate-package.patch

Scenario 03:

The CentOS community agrees with you and decides on one of the methods
above and it is built and released as a 'centosplus' package.

Regards

Phil

-- 

Google+: https://goo.gl/CPjvNo
Blog: https://philwyett-hemi.blogspot.co.uk/
GitLab: https://gitlab.com/philwyett_hemi/




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20161103/1912630e/attachment-0005.sig>