How Firefox Loads Plugins

While debugging getting plugins working again with the CCK Wizard (it broke when Firefox removed platform specific directories in extensions), I learned a lot about how plugins load within Firefox. In particular, I learned a lot how to stop Firefox from loading plugins from different locations. So I thought I would share. Note that this post is primarily about loading plugins on Windows.

You probably know that there is (or at least used to be) a plugins directory in the same location where the Firefox executable is located. Back in the day, that was where all plugins were loaded from. When you installed a plugin, it placed a DLL or shared library into that directory.

That method became quite cumbersome, so new ways were invented for the browser to find plugins. We’re going to talk about those ways. First, though, type about:plugins in your browser. You’ll see a list of all the plugins that are loaded in your browser. If you’re wondering where they are loaded from, you can go to about:config and set the preference plugin.expose_full_path to true and it will show all the different paths from which Firefox has loaded plugins. (Don’t forget to toggle it back when you are done. It can be a security issue because websites can know paths on your machine by looking at filenames in the navigator.plugins array.)

The first method we’re going to talk about is using the Windows registry. If an app installs a plugin in a central location and wants Firefox to find it, it just adds a registry key. Here are some example locations from my machine:

HKEY_CURRENT_USER\Software\MozillaPlugins
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins

You can search on MozillaPlugins using the registry editor to see the various locations where these keys are added.

So what do these keys look like? For Adobe flash, they add the key @adobe.com/FlashPlayer. The important value that’s specified in the key for the plugin is Path. This specifies the directory where the plugin is located. Most vendors provide a path to the entire DLL, so Firefox just cuts off the filename and reads all plugins in that path. That explains why even though there is only one entry for Java (C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll), it still loads the other Java plugin in that directory (npdeployJava1.dll).

So then an obvious question might be “how do I prevent the loading of plugins from the registry?” Instead of deleting all the references to MozillaPlugins, you can just go to about:config and set the preference plugin.scan.plid.all to false. Firefox will no longer read plugins from the registry. You can see this change immediately if you type about:plugins.

After typing about:plugins, you might still see plugins that seemed to be referenced in the registry and wonder how they got there. That brings up the second way Firefox locates plugins. It uses known paths to find them. The plugins it looks for this way are Java, Adobe Acrobat, Quicktime and Windows Media Player. (You can click here to see the code that does this if you want.) I’m not going to go into detail as to how this happens, but I will answer the obvious question – “How do I prevent these from being loaded?”

Firefox has four preferences that control the loading of these plugins:

plugin.scan.Acrobat
plugin.scan.Quicktime
plugin.scan.SunJRE
plugin.scan.WindowsMediaPlayer

These preferences are not booleans, though, they are minimum versions. So if you want to prevent them from being loaded, you can just set the versions very high. I set them all to 100.0.

After changing that, now type about:plugins again. If all went well, you shouldn’t see any plugins loaded in Firefox.

If you still see plugins loaded, they can be coming from two other places, either the plugins directory where Firefox is located (unlikely) or they can be coming from an add-on. Firefox add-ons can add plugins to Firefox by putting them in a directory called plugins.

So there you have it. That’s how Firefox loads plugins.

As a side note, things are much easier on Mac. It just loads plugins from the /Library/Internet Plugins directory and ~/Library/Internet Plugins directory.

Special thanks to Mook for helping me find some of the code and preferences.

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

21 thoughts on “How Firefox Loads Plugins

  1. Why does Firefox still support arbitrary plugins, rather than just the (decreasing) set of 3-4 that people still care about and sites actually use? Anything new should create a Firefox addon, not a legacy NPAPI plugin, which means the set of plugins should never increase. So, why not just handle Java, Flash, Shockwave, and perhaps Acrobat (until native PDF support exists), and drop support for anything else? We can slowly pare down the list as plugins continue to become irrelevant, or in some cases as native support becomes available.

    • Plugins server a very different purpose than addons.

      NPAPI plugins still (occasionally) have their places.

      Obviously things like canvas and HTML audio/video are making them go away, but when you need to carve out a piece of the browser and do your own thing, NPAPI plugins are still the only way to do that.

  2. Hi,

    I have a tough one for you guys.
    I am a sys admin and all my users use a ‘genetically modified’ version of Firefox 3.6.28 (the move to 14.* is scheduled….as soon as times permits it). Everything was ok until I got the following 2 requirements:

    Requirement 1- Disable java (so that Applets don’t run in the user browsers). It has to be done programmatically though. I *have yet* to find the property where that is set in Firefox. I tried security.enable_java, but does not do it…Basically I want to know what file Firefox modifies when we disable java from the addons menu.

    AND,

    Requirement 2- Once 1 is done, still allow a home grown Firefox extension to use java internally. It uses LiveConnect and javaFirefoxExtensionUtils to do some stuff…

    Any suggestion/help/hint is appreciated.
    Thanks in advance,
    elextra–

    would like to security.enable_java

    • The only place to disable Java is to disable individual versions of the Java plugins in the add-ons manager.

      Is that what you are referring to?

  3. I want to know how plugins are loaded in linux(fedora) system.I have build the Mozilla-vlc(2.0.0) plugin,and put the shared lib at /usr/lib/mozilla/plugins,But browser not locating that one.

  4. Sorry for taking so long to respond…
    I don’t know if you suggestion works, I have not tested it…but what I ended up doing was to install the noscript plugin for firefox.
    It has setting to basically block java from running. At the same time, it does not block java from being run by firefox or other firefox extensions…which is exactly what I wanted.

    * Hope this helps anyone *
    If anyone has any other suggestion, please feel free to share it with us.

    On another topic, in order to change the location where Firefox reads the java plugins for instance…Let say I would like to put my java into “c:\myspeciallocation\java…\” and have Firefox load the plugin. The only way I found was (following your pointer Mike) to change the registry. Is there any other ‘cleaner’ way of doing it?
    Thanks

    Later,

  5. Is there any way to disable plugin scanning for all plugins EXCEPT the Adobe Flash plugin?

    I need to keep plugin.scan.plid.all=false since so many programs add their own invasive Firefox plugins when installing and updating, but unfortunately this blocks the Adobe Flash plugin as well.

    Copying the Flash plugin .dll to the plugins folder doesn’t work for some reason (Firefox doesn’t load it), even though all other plugins in that folder are loaded correctly.

    Thanks.

    • Unfortunately not. There are some other directories Firefox will always scan for plugins.

      But you should be able to put flash in the plugins directory and have it load.

      You should only need the files flashplayer.xpt and NPSWF32_11_2_202_235.dll (obviously the version will be named differently).

      Which plugins directory were you putting it in?

      • Just wondering since it is now a year later and something might have changed, if this position is still true. Is there still no way to disable all plugins (plugin.scan.plid.all=false) but leave 1 (in this case flash) running in its native install directory.
        As i see it the only way to do it would be to include flash (currently NPSWF32_12_0_0_43.dll) in the plugin section of CCK2 and for it to deploy that DLL. As i understand it, that will put it in the following dir c:\distribution\bundles\\plugins. If we were to deploy updates to flash seperatly to firefox config updates and place them in its normal install directory but copy over the dll to the above directory would firefox pick up the newly named dll?

        • You are correct, there is really no good way to at this point to disable all plugins. A version of Firefox coming out soon will enable that.

          I honestly don’t know the order in which Firefox would pick up the DLLS, but I have seen people do exactly what you are suggesting – ship the Flash DLL as part of their Firefox bundle.

  6. Hey Mike,

    First thanks for this article which is really helpful and does a good job at explaining how to disable plugins on windows !

    I still have a question though, concerning Mac plugin load.
    As you said, Mac firefox will check /Library/Internet Plugins ~/Library/Internet Plugins directories, but it will also (as on windows) load plugins from its own install folder. More precisely, from the firefox app bundle : firefox.app\Contents\Resources\plugins

    So here is my question, do you know of any way to disable loading from the /Library/Internet Plugins ~/Library/Internet Plugins folders to keep only the plugins from the firefox app bundle?

  7. Fantastic
    I had my Dell laptop for 2 days and was inundated with pop ups, plugins
    Between your helpful information and Revo Uninstaller I am now a happy camper!