MozillaZine

Mozilla 1.6 ActiveX Control Installer and Scriptable ActiveX Plugin for Mozilla 1.6 Released

Tuesday January 20th, 2004

Adam Lock writes: "Following in the wake of Mozilla 1.6, I'm happy to announce the release of the new standalone Mozilla 1.6 ActiveX Control installer and the Scriptable ActiveX Plugin for Mozilla 1.6. Both are available from my website.

"New features for the control include support for view-source: and data: protocols, plus it ships with the ActiveX plugin so it is possible to host ActiveX content from inside the control. The installer is slightly smaller (4.5Mb) thanks to bzip2 compression.

"There are no new features in the plugin but Mozilla 1.6 is unencumbered by the regression that disabled scripting support in 1.5."


#6 Re: Oops

by locka <adamlock@eircom.net>

Wednesday January 21st, 2004 6:38 AM

There are plenty of words on security on the plugin page from a technical perspective. Read how many times I talk about activex.js and nsAxSecurityPolicy.js.

However, the default behaviour is to host & script controls marked safe for scripting and to download and offer to install signed controls. All other controls (e.g. those not marked safe) are not hosted. You can change these settings if you like from activex.js which is fully documented. The plugin also honours the IE blacklist as well as allowing you to set up your own blacklist / whitelist.

However, overall I don't think security is a big deal yet. I'd rather have people exercising the functionality rather than disabling it all by default. I would obviously change the policy if the plugin shipped by default with Firebird / Mozilla. The same thing happened in NS7.1 where the plugin was locked down to host the Windows Media Player control only.

But then again ActiveX security is not what Mozilla users should be worrying about. Ask yourself how many XPI files are signed for example and what a black hat could do with that knowledge if they felt so inclined.