While debugging getting plugins working again with the CCK Wizard (it broke when Firefox removed platform specific directories in extensions), I learned a lot about how plugins load within Firefox. In particular, I learned a lot how to stop Firefox from loading plugins from different locations. So I thought I would share. Note that this post is primarily about loading plugins on Windows.
You probably know that there is (or at least used to be) a plugins directory in the same location where the Firefox executable is located. Back in the day, that was where all plugins were loaded from. When you installed a plugin, it placed a DLL or shared library into that directory.
That method became quite cumbersome, so new ways were invented for the browser to find plugins. We’re going to talk about those ways. First, though, type about:plugins in your browser. You’ll see a list of all the plugins that are loaded in your browser. If you’re wondering where they are loaded from, you can go to about:config and set the preference plugin.expose_full_path to true and it will show all the different paths from which Firefox has loaded plugins. (Don’t forget to toggle it back when you are done. It can be a security issue because websites can know paths on your machine by looking at filenames in the navigator.plugins array.)
The first method we’re going to talk about is using the Windows registry. If an app installs a plugin in a central location and wants Firefox to find it, it just adds a registry key. Here are some example locations from my machine:
You can search on MozillaPlugins using the registry editor to see the various locations where these keys are added.
So what do these keys look like? For Adobe flash, they add the key @adobe.com/FlashPlayer. The important value that’s specified in the key for the plugin is Path. This specifies the directory where the plugin is located. Most vendors provide a path to the entire DLL, so Firefox just cuts off the filename and reads all plugins in that path. That explains why even though there is only one entry for Java (C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll), it still loads the other Java plugin in that directory (npdeployJava1.dll).
So then an obvious question might be “how do I prevent the loading of plugins from the registry?” Instead of deleting all the references to MozillaPlugins, you can just go to about:config and set the preference plugin.scan.plid.all to false. Firefox will no longer read plugins from the registry. You can see this change immediately if you type about:plugins.
After typing about:plugins, you might still see plugins that seemed to be referenced in the registry and wonder how they got there. That brings up the second way Firefox locates plugins. It uses known paths to find them. The plugins it looks for this way are Java, Adobe Acrobat, Quicktime and Windows Media Player. (You can click here to see the code that does this if you want.) I’m not going to go into detail as to how this happens, but I will answer the obvious question – “How do I prevent these from being loaded?”
Firefox has four preferences that control the loading of these plugins:
plugin.scan.Acrobat plugin.scan.Quicktime plugin.scan.SunJRE plugin.scan.WindowsMediaPlayer
These preferences are not booleans, though, they are minimum versions. So if you want to prevent them from being loaded, you can just set the versions very high. I set them all to 100.0.
After changing that, now type about:plugins again. If all went well, you shouldn’t see any plugins loaded in Firefox.
If you still see plugins loaded, they can be coming from two other places, either the plugins directory where Firefox is located (unlikely) or they can be coming from an add-on. Firefox add-ons can add plugins to Firefox by putting them in a directory called plugins.
So there you have it. That’s how Firefox loads plugins.
As a side note, things are much easier on Mac. It just loads plugins from the /Library/Internet Plugins directory and ~/Library/Internet Plugins directory.
Special thanks to Mook for helping me find some of the code and preferences.