Sandboxing finally comes to the Firefox web browser. After enabling a (currently) non-restrictive content sandbox in Firefox Nightly last month, the organization enabled the upcoming NPAPI plug-in sandbox in Aurora and Nightly versions of the browser as well.
These sandboxes are designed to limit the rights of tabs and plug-ins in the browser to harden and stabilize it.
The plug-in sandbox is deactivated by default and needs to be enabled by the user before it becomes available.
It is sandboxing all browser plug-ins by default when enabled, but there is also an option to enable it only for select plug-ins.
Note: NPAPI plugin sandboxing is enabled by default on Windows in newer versions of Firefox.
Enable the plug-in sandbox
To enable the plug-in sandbox in Firefox do the following:
Enable the sandbox for individual plug-ins
If you don't want to enable the sandbox for all plug-ins, for instance because you noticed issues with some after doing so, you can enable it for specific plug-ins instead.
The preference dom.ipc.plugins.sandbox.flash handles the sandbox for Adobe Flash. You can set it to true (without touching dom.ipc.plugins.sandbox.default to enable the plug-in sandbox for the Flash plug-in in Firefox.
The preference does not exist for all other plug-ins in Firefox. To enable the sandbox for one of those, create a new preference in the browser and name it dom.ipc.plugins.sandbox.<plugin-nice-filename>.
The easiest way to look up <plugin-nice-filename> is to search for plugin.state while you are on the about:config page as it lists all installed plugins and the name that you need to use for the feature.
When you browse the plugin related preferences on the page, you may also notice that Flash Protected Mode is disabled by default in Firefox Nightly and Aurora.
It has been the cause for Flash related issues in Firefox ever since it was introduced by Adobe and Mozilla hopes that the browser's own sandbox and disabling Protected Mode at the same time makes those issues a thing of the past.
The plug-in sandbox, just like the tab sandbox, is not as restrictive yet as Mozilla wants it to be. It is interesting to note however that the plug-in sandbox is not relying on Firefox's multi-process architecture Electrolysis e10s. (via Sören Hentzschel)
If you like our content, and would like to help, please consider making a contribution: