Mozilla may bring Pepper Flash to Firefox
Browser plugins are fading into obscurity, at least when it comes to those using the ancient NPAPI interface for integration with browsers.
All major browser companies and organizations announced the end of support for NPAPI plugins. While some block plugins already (Chrome), others will do so in the near future (Firefox) or ship without support for plugins out of the box (Edge).
While that means no plugin support whatsoever in Firefox, browsers like Chrome or Edge use custom interfaces to keep plugins such as Flash installed in the browser.
Update: Mozilla discontinued the Project Mortar experiment. PDFium and Pepper API won't be integrated into the web browser:
The Mortar experiment has concluded. Mozilla does not consider the PDF use case justifies the burden of implementing and maintaining PDFium and a Pepper API implementation in Gecko.
And it is here that Mozilla's Mortar Project wants to make a difference. The project explores options to bring some of those plugins to Firefox.
Project Mortar is aiming to explore the possibility to bring PDFium library and the Pepper API based Flash plugin into Firefox.
The wiki entry on Mozilla's Wiki website lists the PDF plugin PDFium and the Flash plugin based on the Pepper API as the plugins that Mozilla considers bringing over to Firefox.
The private project integrated PDFium successfully in Firefox so far with basic rendering functionality. It plans to create a near feature complete version in the second half of 2016, and improve that version further in the first half of 2017.
The Wiki entry does not mention Pepper Flash at all apart from that Project Mortar attempts to bring the plugin to Firefox.
It is unclear whether work on the implementation began or if it will begin once the PDFium integration reaches feature completion.
It is furthermore not clear right now how these plugins are made available in the release channel. The most likely scenario is that they are provided as system add-ons that users may turn on or disable.
Firefox ships with a basic PDF reader already. The PDFium system add-on that could get released in the future will support more features including form submission, form input, and other options such as copying, selecting or pasting images or text in documents.
Mozilla initially planned to integrate Shumway, a Flash replacement, into Firefox but more or less gave up on the project some time ago. With that project dead, the organization announced that it would keep Flash NPAPI support enabled in Firefox even after disabling support for all other NPAPI plugins in 2017.
Closing Words
Project Mortar raises a couple of questions. First, can Mozilla integrate PDFium and Pepper Flash in Firefox in a reasonable time frame? Second, does it make sense to integrate those plugins in Firefox? Firefox ships with its own PDF reader and one possible scenario would be to improve it instead of relying on a third-party implementation.
One possible reason for doing so is that Mozilla would no longer need to spend resources on improving the Firefox PDF viewer.
Flash will still be used on sites in 2017 and beyond, and if Mozilla manages to integrate Pepper API as early as in the first half of 2017, it could end NPAPI plugin support at the same time. (via Betanews)
Now You: What's your take on Project Mortar?
Technical details aside, one overlooked Flash market isn’t the casual user, nor the power user … it’s the corporate user. Just like MS Office dominates because of its penetration in the corporate market (on those millions of corporate office desktops), Flash has been the primary means of development for years of training films and advertising. It would be next to impossible to change all of that globally existing content into another format. Even if there was a scheduled transition, say … over the course of a year, most corporations would not, could not, convert formats. So if new content was made in HTML5, or even something else, the need for some form of Flash support would exist. The use of Flash has been so pervasive that it’s not like a Beta-Max or an 8-Track where you can easily move into another platform easily. Development for entertainment moves on according to the whims of new technology, but corporations have budgets that are frozen most of the time and will not make the effort to adopt those changes very fast. Major changes and new rollouts are always years behind new development for the corporate user.
Only problem with html5 for me is can’t stop auto-playing (or auto-buffering) on chrome
odd,
mozilla claims just like google to be trying to kill off flash and then in the next breath announces this.
contradiction in terms ?
Flash can’t be eliminated for years to come. Developers don’t create new content for it but a ton of content already exists all over the place and no one has a right to decide arbitrarily what content can or cannot be seen. (Law excepted, but that’s another topic)
Browsers are just dealing with the transition one step at a time.
This project from Mozilla is merely trying to evaluate if Pepper Flash is a way to support Flash that is less costly than NP Flash.
For PDF it’s perhaps slightly more ambitious, i.e. mobile availability and perhaps features, although I don’t really see a need for more features than pdf.js already provides, I guess it comes for “free” with PDFium.
Yeah, I had the same idea. Maybe they’re realizing it’s not possible to develop html5 as quickly as they had hoped. I know I had removed Adobe’s Flash system-wide in August 2015 and that after 13 months I discover that domains which decided to adopt html5 did it already some time ago but that the others don’t seem decided to abandon Flash. I cannot wait any longer so I just re-installed Adobe’s Flash, only the plug-in version, not the activeX one since I never-ever use a Microsoft browser.
I fully agree with @Tom Hawack: great with all these facts. However I still have one question: I picked up somewhere that chromium offers a substitute for flash. I do get that chromium is open source and a fork of google. What I don’t get: is google still involved somewhere ( = access to my pc ) and is chromium more secure than flash? Would anybody like to explain?
Finally, someone who speaks sense. :-)
People need to understand that Flash doesn’t make their system “less-secure”. It is just a malicious flash file when run on a webpage can use some of the vulnerabilities in it. Flash defined online gaming for me. People are uninstalling it for the sake of html5, which might, probably, not so surely will arrive maybe sometime in the future. But this isn’t the future yet, where are the jetpacks? That’s exactly why Google installed Pepperflash in its core.
HAIL HYDRA, urgh, I meant, YEAH, GO FLASH!!
Firefox’s built-in PDF Viewer (pdf.js) works fine even if indeed it lacks several features and occasionally bumps (freezes Firefox for a few seconds), here anyway. If I understand correctly, PDFium would be an api provided by another company?
Flash is the big thing, at the same time disowned by browser manufacturers and striving to persist, helped in this persistence by many sites which refuse to move on to html5 and comforted by many users who do not remove Flash because without Flash they’d miss what the above-mentioned sites attach to Flash only : a vicious circle. I sometimes hesitate to re-install Flash because I do miss as well several features requiring Flash …
So, if the Mortar Project does make a Flash api available that could indeed break the vicious circle, users could view/hear Flash-only supported data, Flash-lover sites could keep on yawning and Adobe’s Flash could make its way to the grave.
Looking forwards to the success of the Project Mortar (be it not mortal) and mainly for its Flash api.
It’s not the Flash API, it’s Flash itself, Pepper Flash is Adobe Flash Player ;)
I told them to take this route years ago when Adobe dropped Linux support and some Mozilla engineers started wanting to build Shumway. Told them it was a waste of resources and if they really didn’t want to keep using NPAPI even if for Flash only, they’d better look at implementing the necessary parts of PPAPI instead of being so naive as to think they could do with Flash what they were able to do with PDF.
Pdf.js itself has shown its limits (i.e. mobile), so of course Shumway is dead as expected. Fortunately it didn’t waste that much resources.
But now Adobe supports Linux again, so Pepper Flash is less interesting and the evaluation to implement it versus the alternative is not obvious. (It was already not obvious, Adobe back on Linux is just a small argument against Pepper.)
Either way, evaluating solutions is good. But sometimes engineers can be dumb too.
@Parker, about Flash which I’ve re-installed, I recovered as well Firefox’s related about:config settings, of which :
// default plugin state (i.e. new plugins on discovery) to never activate – 0=disabled, 1=ask to activate, 2=active
// you can override individual plugins
user_pref("plugin.defaultXpi.state", 0);
user_pref("plugin.state.flash", 1);
// enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
I give permanent authorization for sites I know to be trustful and which interest me and an ‘Allow now’ (temporary indeed) otherwise. The plugin.sessionPermissionNow.intervalInMinutes is set to 0 minutes, hence if I close the site and return, permission will again be asked rather than after a Firefox restart …
I’ve installed latest Adobe Flash Player 23.0.0.162 this morning, plug-in only (not the ActiveX since I ignore Internet Explorer).
I’ve edited Flash’s mms.cfg file as follows :
SilentAutoUpdateEnable=0
AutoUpdateDisable=1
AllowUserLocalTrust=0
AssetCacheSize=0
AVHardwareDisable=1
DisableDeviceFontEnumeration=1
DisableHardwareAcceleration=0
DisableSockets=1
FullScreenDisable=0
LegacyDomainMatching=0
LocalStorageLimit=1
RTMFPP2PDisable=1
ThirdPartyStorage=0
I’ve also been surprised to notice that a Firefox add-on which had made quite a buzz when it appeared, was later on removed by its developer, was still noticeably enhancing Flash videos display on Firefox :
GPU Accelerated Flash Player : gpu_accelerated_flash_player-1.34-fx.xpi
With such a context for Adobe’s Flash all seems to be just fine. I rediscovered a Flash only site here in France, called pluzz – True pleasure.
—
About my 70+ add-ons, some are big most are small, few lines of code for the purpose of making surfing handier, little extras. I love to tweak. When I was a kid in NY my friend’s dad told me once “With all you’ve set on your bike is it still intended to move?!” -> Speed is ok with 70+ add-ons, lengthens the start of Firefox but surfing seems ok. Speed is not my only purpose, why a dragster to move from NY to LA when a comfortable car is a choice against pure speed?
I have to stop now otherwise a new chapter would show up!
“Thanks again, Parker (becomes cumulative!)”
Once I’ll have enough points I’d like to request a coupon. I’m pretty curious about knowing more on your gigantic load of add-ons and how this or that one facilitates your life :)
I mean, 70, that’s crazy, how can one need so many extra features ? Do you have five arms, three heads and four mice to be able to make use of such a toolbox ??
(About Flash, I’d take a look on how exactly the default Firefox click-to-play feature works if I were you. Until you know the details in particular regarding how a site allowed as first-party will be treated when encountered as a third-party, I would only rely on “Activate now” which seems to be a temporary allow, rather than the permanent option. Also how a third-party C allowed on site A will be treated on site B.
As always third-parties are the main threat, privacy and security wise.)
Yes, Firefox’s click to play is per site.
Thanks again, Parker (becomes cumulative!) for a clear answer dressed with explanations.
My state of mind is what it is when one hesitates, thinks about it, gets info and advice (yours up to now), asks his wife her agreement with a simple look, turns towards the salesman and lets slip a “I think we’ll take it” :)
Considering the context, the click-to-play, the precautions you point out… I guess I’ll re-install Flash, the shift to html5 is too long, too many sites (not that many in fact but a few I cherish) are accessed half-way so to say.
We’ll see how things get along, I’ll edit as I used to Flash’s mms.cfg file, keep enabled of course FF’s click-to-play and pay (“pay” is not the right word!) a visit to my good old Flash embedded sites. “I’m coming home, baby” to give the final touch of a Hollywood drama…
^ There are some differences in analysis if you use your browser’s click to play and it allows per site rather than per object. (NoScript does per object, though it can also do per site through the “Blocked objects” interface)
But I think readers will get the idea. It’s all about not exposing yourself to third parties and untrusted first parties. You have to expect that they can kick your ass regardless of technology when the product attack surface is so large. It’s all about chance, and the greatest decrease in chances to get owned comes from reduced exposure :)
I have it installed and activated, but blocked by NoScript along with JavaScript and WebGL :)
To make it short Flash is considered to be architecturally less secure than JavaScript implementations. But if you make Flash click to play there’s no need to worry. The concrete risk for a browser configuration with JavaScript enabled (default) and Flash click-to-play clearly comes from JavaScript.
Flash is not a risk if you don’t run any Flash content, and with click to play it’s essentially the case: You activate Flash content when you know what it’s for, e.g. a video or a game, in which case the risks on a trusted website are very low. The danger comes from ads and web bugs and third-parties that sneak crap into websites, but with click to play it is eliminated.
My policy is this:
If I allow JS on a website, that means I trust it, and I can also allow the necessary Flash content through NoScript’s Click to play.
I actually prefer to allow Flash than JS because for Flash there’s only one bit of content that runs on a given page, while for JS it’s the entire website. You are statistically more likely to encounter bad JS in that case.
(Firefox’s click to play is per site, I think ?)
If a topic includes the history, the background of what it specifically concerns then your most interesting post, Parker, is totally “in-topic”.
Obviously as I understand your comment there is, concerning Flash, a rich context, and that context is unknown for most of us. We remain end-users and happen to be split when speakers point Adobe’s Flash for security reasons while too many sites still depend on it.
I cannot debate on your valuable post, Parker, because I lack knowledge. Prosaically I’d wish to ask you, and anyone being sufficiently aware of Flash, if the security issues we are regularly fed with are sufficiently elaborated to indeed abandon totally Flash (as it is now, not the Pepper developments) or is the balance between security and advantages closer to a 50/50 which would authorize anyone like me — perplex, doubting, between an academic respect of the whistle-blowers and the need of those damn videos — to consider keeping or reinstalling Adobe’s Flash Player?
It’s not a dirty quiz game question, I’m really in the need of what having removed Flash has led me to and I see no planetary mass movements hinting of a near Flash burial. I think I really need objective and talented advice.
Thanks for a very interesting memo.
Presumably, PPAPI is more secure and constrained than NPAPI. Either way they are different, so a number of modifications had to be made to Adobe Flash Player for it to work on PPAPI. Google bought a license to access the source code and modify it and include “Pepper Flash” into Chrome.
Later on Adobe started distributing Pepper Flash separately on their own site. They also provide an ActiveX version (IE), an NPAPI one, and a standalone player with which you can run Flash files from your desktop.
Security wise, PPAPI is presumably an improvement over NPAPI which is an improvement over ActiveX. Performance wise, Pepper Flash is presumed to be clearly behind NP Flash.
WebGL is way behind either of those. Even today Flash is necessary for high performance production quality content. But because of the stupid witch hunt (which was a control grab first and foremost, while security was a – valid – pretext), companies had to stop investing in this web technology or its rising challenger, Unity Webplayer. Adobe who was on a big innovation roll stopped as well, leading to a world where nobody wanted to risk using Flash but nothing else could replace it.
That contributed to the rise of walled gardens like the App Store to use the web versus browsers, which was Apple’s control grab all along. Apps would still have flourished, but Flash within browsers represented a considerable mass of cash from which Apple could not take their eye-popping 30%-cut. (Cut that has now become the norm. Big companies don’t even pay that much in taxes, but curiously nobody complained to Apple or Google.)
Bigpoint, quite a big German company who was a pioneer in high-quality web games (e.g. Drakensang Online) has been hit by this control grab and shifted focus as a result. Had it not occurred, there would still be a shitload of apps, but high quality web games wouldn’t be a thing of the past, they would be a massive market without greedy % cuts that either push prices up for consumers or starve developers.
The opportunity will rise again once all browsers are WebAssembly and SIMD ready, but only if companies can trust the landscape to be stable and reliable, which is not a given.
As for Flash and Unity, they do run as apps now. (Flash is named Air in that setup)
So I’m not a fan of the Flash witch hunt. Fortunately implementation of web standards is mostly up to par now, high quality web games being the only thing left. By the time it’s ready, it will have been almost 10 years of technology advancement lost in total. (While web standards were busy catching up with plug-ins functionality and preventing plug-ins from continuing further improvements)
I’m not sure it was worth the security gains, but clearly to some, it was worth the control gains.
[/Off topic]
Pepper API based Flash plugin… IS Adobe’s Flash player itself? Well, that signs my ignorance and ruins my demonstration :)
What difference then between Pepper Flash and Flash Player as we know it? Is it that Pepper will (would) be included natively in Firefox or should the user install nevertheless Adobe’s Flash, then handled by Pepper? I’m confused, obviously. Good thing you clarified and fixed a wrong assertion.
PDFium was originally created by Google but it is open-source and is written in C/C++.
https://pdfium.googlesource.com/pdfium/
How do you guys know so many things?!
Thanks for the info, anon.
Ah, the grand plug-in replacement, or how to push back the entire web 5 to 10 years behind schedule. I hoped we were done with that by now.
Move firefox to the trashcan
Get another browser
Better browsing experience
Why not just fork Chromium, slap on the Mozilla-icons and call it a day? At this point it’s just embarrassing.
This tbh.
The way it’s put in articles does make it sound embarrassing, but as often things are more subtle than the press can report. This is not a stupid thing to evaluate, the best choice is not directly obvious.
Here we are talking about using Pepper Flash instead of NP Flash, and to change the open source library that parses PDF files in-browser.
That’s all.
Thanks, Martin. I’ve been praying for 10 years that browsers would eventually remove support for all plugins. I stopped getting trojans, hidden toolbars etc. when I stopped installing Java and Silverlight. :)
Would love this! Spotify is refusing to create a HTML5 version of their web player so I still need to use flash for it.
Firefox’s PDF.js is programmed in JavaScript while PDFium is written in either C or C++. That’s also a significant difference imo.
Thanks for the article, very interesting and good news
Npapi Flash 64 bits doesn’t work correctly
> One possible reason for doing so is that Mozilla would no longer need to spend resources on improving the Firefox PDF viewer.
That’s exactly what you can read in the announcement. ;)
“In order to enable stronger focus on advancing the Web and to reduce the complexity and long term maintenance cost of Firefox, and as part of our strategy to remove generic plugin support, we are launching Project Mortar.
Project Mortar seeks to reduce the time Mozilla spends on technologies that are required to provide a complete web browsing experience, but are not a core piece of the Web platform.”
Sören, would you be so kind and link to the announcement? Thanks ;)
https://groups.google.com/forum/#!msg/mozilla.dev.planning/j834iDIG3yY/V84Rzw0cEAAJ
Thanks Sören ;)
Announcement Link – https://groups.google.com/d/msg/mozilla.dev.planning/j834iDIG3yY/V84Rzw0cEAAJ
Thanks!
https://groups.google.com/forum/#!msg/mozilla.dev.planning/j834iDIG3yY/V84Rzw0cEAAJ
Thanks ;)
This is probably the announcement:
https://groups.google.com/forum/m/#!topic/mozilla.dev.planning/j834iDIG3yY
Thanks ;)
But installing Pepper Flash is how I keep Flash installed in my secondary browser (Opera) and keep it out of my primary browser (Firefox). If Mozilla adds support for Pepper Flash that will limit my options to either having Flash everywhere or no-where.
PDFJS is slow. I think that by far the nicest PDF solution for Firefox is to install the old Sumatra plugin. Sumatra doesn’t support scripts, so there’s no security concern with it being discontinued. What’s so wrong with a binary PDF interpreter? Mozilla use binary code for Gecko. Forcing PDF rendering to go through JS seems to be merit-less.
@R7
I disable the so called system add-ons using CCleaner, like this: https://www.wilderssecurity.com/threads/how-many-firefox-addons-do-you-use-which-ones.376389/page-5#post-2571572
I have not noticed that it has affected the update process/full package gets downloaded. You can try it to see if it works fine for you too.
Indeed. I had forgotten about this. Thankfully both Pocket and Hello were already disabled. Additionally I had to disable Webcompat. So far so good. The XPI files are still there so hopefully this won’t affect the next update to v50.
You can disable system add-ons in Firefox.
Delete – not disable. There are negative aspects to this. Mainly that during Firefox update the full update package is downloaded, instead of partial. This is especially evident during manual update when the update window literally gives no feedback on progress (even after it shows it has downloaded the update) and for some reason (beyond the size difference) downloading the full update package is significantly slower than downloading partial. So it sits there for ~2-5 minutes doing visually nothing while actually it is downloading the full update in background to %LocalAppData%\Mozilla\updates\\updates\0
So if even one system add-on is deleted then the next Firefox update will take a long time to complete.
However if you know how to disable system add-ons so that it does not affect update I would be glad to test this. About:performance does no longer even list system add-ons. I’m using 32bit 49.0.1 on Win7 x64