RESOLVED WONTFIX 47773
WebKit allows Netscape plugins using CoreAnimation drawing to use Carbon event model 
https://bugs.webkit.org/show_bug.cgi?id=47773
Summary WebKit allows Netscape plugins using CoreAnimation drawing to use Carbon even...
Nick Zitzmann
Reported 2010-10-16 08:31:09 PDT
Created attachment 70956 [details] Patch for WebNetscapePluginView that destroys Carbon/CoreAnimation combo Summary: According to the documentation for the CoreAnimation drawing model, taken from <https://wiki.mozilla.org/NPAPI:CoreAnimationDrawingModel>: "The Core Animation drawing model only works together with the Cocoa Event Model. If the plug-in tries to use the Carbon Event model with the Core Animation drawing model, the browser will destroy the plug-in after it has been instantiated." However, WebKit fails to do this and allows the CoreAnimation drawing model to work with the Carbon Event Model. Other browsers, such as Chrome, handle this situation correctly and shut down the plugin. Steps to reproduce: 1. Using Git, clone the Weppy plugin, available at the URL <git://github.com/nickzman/weppy.git>. This is the plugin I was working on when I discovered the problem. 2. Download and install yasm from <http://www.tortall.net/projects/yasm/> if you don't already have it installed. 3. Download and install libvpx from <http://code.google.com/p/webm/downloads>. 4. Open the Weppy project in Xcode 3.2 or later. 5. In Weppy main.m, comment out lines 151-155, which are the part of the code in NPP_New() that activates the Cocoa event model. 6. Build the "Weppy (Netscape)" target with the "i386" architecture and "Debug" configuration. 7. Move the resulting "Weppy.plugin" bundle to your ~/Library/Internet Plug-Ins" folder. 8. Open Safari. 9. Navigate to the following URL, which contains an object that runs the plugin: <http://seiryu.home.comcast.net/weppy.html> Expected results: Nothing is expected to happen, because the plugin turns on the CoreAnimation drawing model and uses the Carbon event model (since it is running as 32-bit), which according to the specification is supposed to be an invalid combination. Actual results: WebKit runs the plugin anyway. I've attached a patch to WebNetscapePluginView.mm that fixes the problem by destroying plugins that ask for this combination. I doubt it will cause regressions, since other browsers that support CoreAnimation, such as Chrome, never allowed this in the first place...
Attachments
Patch for WebNetscapePluginView that destroys Carbon/CoreAnimation combo (878 bytes, patch)
2010-10-16 08:31 PDT, Nick Zitzmann 		no flags
DetailsFormatted DiffDiff
Same patch as previous (fixing invalid Carbon event/CoreAnimation draw), with the review flag set (878 bytes, patch)
2010-10-16 17:06 PDT, Nick Zitzmann 		ap: review-
DetailsFormatted DiffDiff
ChangeLog (283.30 KB, application/octet-stream)
2010-10-19 21:41 PDT, Nick Zitzmann 		no flags
Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2010-10-16 16:03:06 PDT
Would you be willing to submit a patch for review? Please find the guidelines at <http://webkit.org/coding/contributing.html>.
Nick Zitzmann
Comment 2 2010-10-16 17:06:55 PDT
Created attachment 70967 [details] Same patch as previous (fixing invalid Carbon event/CoreAnimation draw), with the review flag set But of course. Sorry I didn't mark it for review the first time.
Alexey Proskuryakov
Comment 3 2010-10-17 12:46:54 PDT
Comment on attachment 70967 [details] Same patch as previous (fixing invalid Carbon event/CoreAnimation draw), with the review flag set Please add a ChangeLog, as described at <http://webkit.org/coding/contributing.html>.
Nick Zitzmann
Comment 4 2010-10-19 21:41:49 PDT
Created attachment 71248 [details] ChangeLog Okay, here you go. What's next?
Ahmad Saleem
Comment 5 2022-06-21 03:48:29 PDT
I am unable to find "WebNetscapePluginView" on Webkit Github mirror in source code and also NPAPI plugin support has been removed from Safari 14 onward and across other builds (e.g. WebkitGTK). Can this be marked as "RESOLVED WONTFIX"? Thanks!
Note You need to log in before you can comment on or make changes to this bug.