Mozilla adds NPAPI plug-in sandbox to Firefox

Martin Brinkmann
Jan 24, 2015
Updated • Jan 23, 2017

Sandboxing finally comes to the Firefox web browser. After enabling a (currently) non-restrictive content sandbox in Firefox Nightly last month, the organization enabled the upcoming NPAPI plug-in sandbox in Aurora and Nightly versions of the browser as well.

These sandboxes are designed to limit the rights of tabs and plug-ins in the browser to harden and stabilize it.

The plug-in sandbox is deactivated by default and needs to be enabled by the user before it becomes available.

It is sandboxing all browser plug-ins by default when enabled, but there is also an option to enable it only for select plug-ins.

Note: NPAPI plugin sandboxing is enabled by default on Windows in newer versions of Firefox.

Enable the plug-in sandbox

firefox plug-in sandbox

To enable the plug-in sandbox in Firefox do the following:

  1. Type about:config in the address bar and hit enter.
  2. Confirm you will be careful if the prompt appears.
  3. Search for dom.ipc.plugins.sandbox.default.
  4. Double-click the name to change its value from false to true.

Enable the sandbox for individual plug-ins

If you don't want to enable the sandbox for all plug-ins, for instance because you noticed issues with some after doing so, you can enable it for specific plug-ins instead.

The preference dom.ipc.plugins.sandbox.flash handles the sandbox for Adobe Flash. You can set it to true (without touching dom.ipc.plugins.sandbox.default to enable the plug-in sandbox for the Flash plug-in in Firefox.

The preference does not exist for all other plug-ins in Firefox. To enable the sandbox for one of those, create a new preference in the browser and name it dom.ipc.plugins.sandbox.<plugin-nice-filename>.

The easiest way to look up <plugin-nice-filename> is to search for plugin.state while you are on the about:config page as it lists all installed plugins and the name that you need to use for the feature.

plugin state

When you browse the plugin related preferences on the page, you may also notice that Flash Protected Mode is disabled by default in Firefox Nightly and Aurora.

It has been the cause for Flash related issues in Firefox ever since it was introduced by Adobe and Mozilla hopes that the browser's own sandbox and disabling Protected Mode at the same time makes those issues a thing of the past.

The plug-in sandbox, just like the tab sandbox, is not as restrictive yet as Mozilla wants it to be. It is interesting to note however that the plug-in sandbox is not relying on Firefox's multi-process architecture Electrolysis e10s. (via Sören Hentzschel)

Article Name
Mozilla adds NPAPI plug-in sandbox to Firefox
Mozilla added a NPAPI plug-in sandbox to the Firefox web browser recently that limits plug-ins to increase security and stability of the browser.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. neal said on January 26, 2015 at 10:00 am

    @testuser, I dunno about average users, for the most part I agree that security conscious professionals are immune to widespread malware outbreaks. However, we have seen professionals compromised. Like how the Facebook engineers fell victim to a watering hole malware trap a while back. Also sometimes especially with writing software you need the “direct” access to fully debug program and features, thus isolation tricks like virtual machines or sandboxie aren’t always applicable.

  2. Tom Hawack said on January 24, 2015 at 9:35 pm

    With all these singular new functions I wonder sometimes if users are not becoming unwillingly beta-testers, and I’m referring to stable releases. I do understand that everything is done to increase speed and security but is it done or attempted?
    I remain nevertheless a Firefoxer, and happy as. Perfection is not of this world.

    1. Alsi said on January 24, 2015 at 11:11 pm

      New functions are incubated in the Nightly often for a very long time before they get anywhere near the stables. The more complicated the features is, the more likely it will stay in the test channels for polish. It isn’t perfect, you can’t completely replicate in the test channels the number and diversity of users using the stable releases, so sometimes issues pop up that don’t show up with users in the test channels, but I think its the best anyone can do.

      For this feature though, it can’t show up fast enough. For example, right now there security alert with Adobe Flash, there is a dangerous zero day exploit causing all type of mischief that won’t be patched until next week by Adobe. Chrome isn’t affected b/c it sandboxes its own flash.

      1. Testuser said on January 25, 2015 at 3:49 pm

        That’s why I’m (also) using Sandboxie under Windows. And there are also “things” like virtual machines as well, so it’s mainly a threat for the average user. Isn’t it?

  3. All Things Firefox said on January 24, 2015 at 9:25 pm

    This can’t be implemented soon enough into regular Firefox. I just hope that it isn’t buggy when it happens.

    1. Tom Hawack said on January 25, 2015 at 12:59 pm

      I’ve just discovered your blog All Things Firefox. Seems interesting.

      1. All Things Firefox said on January 26, 2015 at 10:43 pm

        Thank you.

  4. Dave said on January 24, 2015 at 7:48 pm

    Wow, sounds like they did this perfectly. Firefox FTW :-)

  5. Dwight Stegall said on January 24, 2015 at 5:48 pm

    Just a note: e10s disables itself if you have a touch screen monitor. They are working on a fix for this.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.