Put some plug-ins behind an infobar, where they have:

- Been targeted by mass malware.
- Do not yet have a good sandboxing story.

BUG=60458
TEST=http://java.sun.com/products/plugin/1.4/demos/applets/Blink/example1.html with default plug-in settings.

Review URL: http://codereview.chromium.org/6350010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@72766 0039d316-1c4b-4281-b951-d872f2087c98

13 files changed, 265 insertions, 77 deletions

diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 06b22c9..47de99f 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -4165,6 +4165,9 @@ Keep your key file in a safe place. You will need it to create new versions of y
       <message name="IDS_PLUGIN_OUTDATED" desc="The placeholder text for an outdated disabled plug-in.">
         The <ph name="PLUGIN_NAME">$1<ex>Flash</ex></ph> plug-in is out of date.
       </message>
+      <message name="IDS_PLUGIN_NOT_AUTHORIZED" desc="The placeholder text for a plug-in that requires user permission to run.">
+        The <ph name="PLUGIN_NAME">$1<ex>Java</ex></ph> plug-in needs your permission to run.
+      </message>
 
       <!-- Session Crashed Info Bar-->
       <message name="IDS_SESSION_CRASHED_VIEW_RESTORE_BUTTON" desc="Title of the restore button in the session crashed view.">
@@ -7648,6 +7651,9 @@ Keep your key file in a safe place. You will need it to create new versions of y
       <message name="IDS_PLUGIN_ENABLE_TEMPORARILY" desc="Info Bar button to run a blocked outdated plugin">
         Run this time
       </message>
+      <message name="IDS_PLUGIN_ENABLE_ALWAYS" desc="Info Bar button to always run blocked plugins for this web site">
+        Always run on this site
+      </message>
       <message name="IDS_PLUGIN_CRASHED_PROMPT" desc="Info Bar message to notify about a crashed plugin">
         The following plug-in has crashed: <ph name="PLUGIN_NAME">$1<ex>Shockwave</ex></ph>
       </message>
diff --git a/chrome/browser/content_settings/host_content_settings_map.cc b/chrome/browser/content_settings/host_content_settings_map.cc
index 0345e81..241ca3e 100644
--- a/chrome/browser/content_settings/host_content_settings_map.cc
+++ b/chrome/browser/content_settings/host_content_settings_map.cc
@@ -296,7 +296,8 @@ ContentSettings HostContentSettingsMap::GetContentSettings(
     } else {
       // A managed default content setting has the highest priority and hence
       // will overwrite any previously set value.
-      if ((output.settings[j] == CONTENT_SETTING_DEFAULT) ||
+      if ((output.settings[j] == CONTENT_SETTING_DEFAULT &&
+           j != CONTENT_SETTINGS_TYPE_PLUGINS) ||
           IsDefaultContentSettingManaged(ContentSettingsType(j))) {
         output.settings[j] = GetDefaultContentSetting(ContentSettingsType(j));
       }
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc
index 437e61f..5db9e5a 100644
--- a/chrome/browser/renderer_host/browser_render_process_host.cc
+++ b/chrome/browser/renderer_host/browser_render_process_host.cc
@@ -637,6 +637,7 @@ void BrowserRenderProcessHost::PropagateBrowserCommandLineToRenderer(
   static const char* const kSwitchNames[] = {
     switches::kAllowOutdatedPlugins,
     switches::kAllowScriptingGallery,
+    switches::kAlwaysAuthorizePlugins,
     switches::kAppsGalleryURL,
     // We propagate the Chrome Frame command line here as well in case the
     // renderer is not run in the sandbox.
diff --git a/chrome/browser/tab_contents/tab_contents.cc b/chrome/browser/tab_contents/tab_contents.cc
index 4b1b340..2554daa 100644
--- a/chrome/browser/tab_contents/tab_contents.cc
+++ b/chrome/browser/tab_contents/tab_contents.cc
@@ -249,57 +249,179 @@ void MakeNavigateParams(const NavigationEntry& entry,
   params->request_time = base::Time::Now();
 }
 
+// PluginInfoBar --------------------------------------------------------------
+
+class PluginInfoBar : public ConfirmInfoBarDelegate {
+ public:
+  PluginInfoBar(TabContents* tab_contents, const string16& name);
+
+  // ConfirmInfoBarDelegate:
+  virtual void InfoBarClosed() = 0;
+  virtual SkBitmap* GetIcon() const;
+  virtual string16 GetMessageText() const = 0;
+  virtual int GetButtons() const;
+  virtual string16 GetButtonLabel(InfoBarButton button) const = 0;
+  virtual bool Accept() = 0;
+  virtual bool Cancel() = 0;
+  virtual string16 GetLinkText();
+  virtual bool LinkClicked(WindowOpenDisposition disposition) = 0;
+
+ protected:
+  virtual ~PluginInfoBar();
+
+  void CommonCancel();
+  void CommonClose();
+  void CommonLearnMore(WindowOpenDisposition disposition);
+
+  string16 name_;
+  TabContents* tab_contents_;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(PluginInfoBar);
+};
+
+PluginInfoBar::PluginInfoBar(TabContents* tab_contents, const string16& name)
+    : ConfirmInfoBarDelegate(tab_contents),
+      name_(name),
+      tab_contents_(tab_contents) {
+}
+
+PluginInfoBar::~PluginInfoBar() {
+}
+
+void PluginInfoBar::CommonClose() {
+  delete this;
+}
+
+SkBitmap* PluginInfoBar::GetIcon() const {
+  return ResourceBundle::GetSharedInstance().GetBitmapNamed(
+      IDR_INFOBAR_PLUGIN_INSTALL);
+}
+
+int PluginInfoBar::GetButtons() const {
+  return BUTTON_OK | BUTTON_CANCEL;
+}
+
+void PluginInfoBar::CommonCancel() {
+  tab_contents_->render_view_host()->LoadBlockedPlugins();
+}
+
+string16 PluginInfoBar::GetLinkText() {
+  return l10n_util::GetStringUTF16(IDS_LEARN_MORE);
+}
+
+void PluginInfoBar::CommonLearnMore(WindowOpenDisposition disposition) {
+  // TODO(bauerb): Navigate to a help page explaining why we disabled
+  // or blocked the plugin, once we have one.
+}
+
+
+// BlockedPluginInfoBar -------------------------------------------------------
+
+class BlockedPluginInfoBar : public PluginInfoBar {
+ public:
+  BlockedPluginInfoBar(TabContents* tab_contents,
+                       const string16& name);
+
+  // ConfirmInfoBarDelegate:
+  virtual string16 GetMessageText() const;
+  virtual string16 GetButtonLabel(InfoBarButton button) const;
+  virtual bool Accept();
+  virtual bool Cancel();
+  virtual void InfoBarClosed();
+  virtual bool LinkClicked(WindowOpenDisposition disposition);
+
+ protected:
+  virtual ~BlockedPluginInfoBar();
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(BlockedPluginInfoBar);
+};
+
+BlockedPluginInfoBar::BlockedPluginInfoBar(TabContents* tab_contents,
+                                           const string16& name)
+    : PluginInfoBar(tab_contents, name) {
+  tab_contents->AddInfoBar(this);
+  UserMetrics::RecordAction(UserMetricsAction("BlockedPluginInfobar.Shown"));
+}
+
+BlockedPluginInfoBar::~BlockedPluginInfoBar() {
+}
+
+string16 BlockedPluginInfoBar::GetMessageText() const {
+  return l10n_util::GetStringFUTF16(IDS_PLUGIN_NOT_AUTHORIZED, name_);
+}
+
+string16 BlockedPluginInfoBar::GetButtonLabel(InfoBarButton button) const {
+  return l10n_util::GetStringUTF16((button == BUTTON_OK) ?
+      IDS_PLUGIN_ENABLE_ALWAYS : IDS_PLUGIN_ENABLE_TEMPORARILY);
+}
+
+bool BlockedPluginInfoBar::Accept() {
+  UserMetrics::RecordAction(
+      UserMetricsAction("BlockedPluginInfobar.AlwaysAllow"));
+  tab_contents_->profile()->GetHostContentSettingsMap()->AddExceptionForURL(
+      tab_contents_->GetURL(), CONTENT_SETTINGS_TYPE_PLUGINS, std::string(),
+      CONTENT_SETTING_ALLOW);
+  tab_contents_->render_view_host()->LoadBlockedPlugins();
+  return false;
+}
+
+bool BlockedPluginInfoBar::Cancel() {
+  UserMetrics::RecordAction(
+      UserMetricsAction("BlockedPluginInfobar.AllowThisTime"));
+  CommonCancel();
+  return false;
+}
+
+void BlockedPluginInfoBar::InfoBarClosed() {
+  UserMetrics::RecordAction(UserMetricsAction("BlockedPluginInfobar.Closed"));
+  CommonClose();
+}
+
+bool BlockedPluginInfoBar::LinkClicked(WindowOpenDisposition disposition) {
+  UserMetrics::RecordAction(
+      UserMetricsAction("BlockedPluginInfobar.LearnMore"));
+  CommonLearnMore(disposition);
+  return false;
+}
 
 // OutdatedPluginInfoBar ------------------------------------------------------
 
-class OutdatedPluginInfoBar : public ConfirmInfoBarDelegate {
+class OutdatedPluginInfoBar : public PluginInfoBar {
  public:
   OutdatedPluginInfoBar(TabContents* tab_contents,
                         const string16& name,
                         const GURL& update_url);
 
- private:
-  virtual ~OutdatedPluginInfoBar();
-
   // ConfirmInfoBarDelegate:
-  virtual void InfoBarClosed();
-  virtual SkBitmap* GetIcon() const;
   virtual string16 GetMessageText() const;
   virtual string16 GetButtonLabel(InfoBarButton button) const;
   virtual bool Accept();
   virtual bool Cancel();
-  virtual string16 GetLinkText();
+  virtual void InfoBarClosed();
   virtual bool LinkClicked(WindowOpenDisposition disposition);
 
-  TabContents* tab_contents_;
-  string16 name_;
+ protected:
+  virtual ~OutdatedPluginInfoBar();
+
+ private:
   GURL update_url_;
+
+  DISALLOW_COPY_AND_ASSIGN(OutdatedPluginInfoBar);
 };
 
 OutdatedPluginInfoBar::OutdatedPluginInfoBar(TabContents* tab_contents,
                                              const string16& name,
                                              const GURL& update_url)
-    : ConfirmInfoBarDelegate(tab_contents),
-      tab_contents_(tab_contents),
-      name_(name),
-      update_url_(update_url) {
-  UserMetrics::RecordAction(UserMetricsAction("OutdatedPluginInfobar.Shown"));
+    : PluginInfoBar(tab_contents, name), update_url_(update_url) {
   tab_contents->AddInfoBar(this);
+  UserMetrics::RecordAction(UserMetricsAction("OutdatedPluginInfobar.Shown"));
 }
 
 OutdatedPluginInfoBar::~OutdatedPluginInfoBar() {
 }
 
-void OutdatedPluginInfoBar::InfoBarClosed() {
-  UserMetrics::RecordAction(UserMetricsAction("OutdatedPluginInfobar.Closed"));
-  delete this;
-}
-
-SkBitmap* OutdatedPluginInfoBar::GetIcon() const {
-  return ResourceBundle::GetSharedInstance().GetBitmapNamed(
-      IDR_INFOBAR_PLUGIN_INSTALL);
-}
-
 string16 OutdatedPluginInfoBar::GetMessageText() const {
   return l10n_util::GetStringFUTF16(IDS_PLUGIN_OUTDATED_PROMPT, name_);
 }
@@ -319,19 +441,19 @@ bool OutdatedPluginInfoBar::Accept() {
 bool OutdatedPluginInfoBar::Cancel() {
   UserMetrics::RecordAction(
       UserMetricsAction("OutdatedPluginInfobar.AllowThisTime"));
-  tab_contents_->render_view_host()->LoadBlockedPlugins();
+  CommonCancel();
   return false;
 }
 
-string16 OutdatedPluginInfoBar::GetLinkText() {
-  return l10n_util::GetStringUTF16(IDS_LEARN_MORE);
+void OutdatedPluginInfoBar::InfoBarClosed() {
+  UserMetrics::RecordAction(UserMetricsAction("OutdatedPluginInfobar.Closed"));
+  CommonClose();
 }
 
 bool OutdatedPluginInfoBar::LinkClicked(WindowOpenDisposition disposition) {
   UserMetrics::RecordAction(
       UserMetricsAction("OutdatedPluginInfobar.LearnMore"));
-  // TODO(bauerb): Navigate to a help page explaining why we disabled
-  // the plugin, once we have one.
+  CommonLearnMore(disposition);
   return false;
 }
 
@@ -2365,7 +2487,10 @@ void TabContents::OnInstallApplication(const WebApplicationInfo& info) {
 
 void TabContents::OnBlockedOutdatedPlugin(const string16& name,
                                           const GURL& update_url) {
-  new OutdatedPluginInfoBar(this, name, update_url);
+  if (!update_url.is_empty())
+    new OutdatedPluginInfoBar(this, name, update_url);
+  else
+    new BlockedPluginInfoBar(this, name);
 }
 
 void TabContents::OnPageContents(const GURL& url,
diff --git a/chrome/common/chrome_switches.cc b/chrome/common/chrome_switches.cc
index 3733b4b..6ad6356 100644
--- a/chrome/common/chrome_switches.cc
+++ b/chrome/common/chrome_switches.cc
@@ -43,6 +43,10 @@ const char kAllowSandboxDebugging[]         = "allow-sandbox-debugging";
 // useful for automation testing of the gallery.
 const char kAllowScriptingGallery[]         = "allow-scripting-gallery";
 
+// This prevents Chrome from requiring authorization to run certain widely
+// installed but less commonly used plug-ins.
+const char kAlwaysAuthorizePlugins[]        = "always-authorize-plugins";
+
 // Enable web inspector for all windows, even if they're part of the browser.
 // Allows us to use our dev tools to debug browser windows itself.
 const char kAlwaysEnableDevTools[]          = "always-enable-dev-tools";
diff --git a/chrome/common/chrome_switches.h b/chrome/common/chrome_switches.h
index fc91edf..789c8fa 100644
--- a/chrome/common/chrome_switches.h
+++ b/chrome/common/chrome_switches.h
@@ -27,6 +27,7 @@ extern const char kAllowOutdatedPlugins[];
 extern const char kAllowSSLMITMProxies[];
 extern const char kAllowSandboxDebugging[];
 extern const char kAllowScriptingGallery[];
+extern const char kAlwaysAuthorizePlugins[];
 extern const char kAlwaysEnableDevTools[];
 extern const char kApp[];
 extern const char kAppId[];
diff --git a/chrome/renderer/render_view.cc b/chrome/renderer/render_view.cc
index 7cd7ece..1e2be18 100644
--- a/chrome/renderer/render_view.cc
+++ b/chrome/renderer/render_view.cc
@@ -2728,6 +2728,23 @@ WebPlugin* RenderView::createPlugin(WebFrame* frame,
 
   ContentSetting host_setting =
       current_content_settings_.settings[CONTENT_SETTINGS_TYPE_PLUGINS];
+
+  if (group->RequiresAuthorization() &&
+      !cmd->HasSwitch(switches::kAlwaysAuthorizePlugins) &&
+      (plugin_setting == CONTENT_SETTING_ALLOW ||
+       plugin_setting == CONTENT_SETTING_ASK) &&
+      host_setting == CONTENT_SETTING_DEFAULT) {
+    Send(new ViewHostMsg_BlockedOutdatedPlugin(routing_id_,
+                                               group->GetGroupName(),
+                                               GURL()));
+    return CreatePluginPlaceholder(frame,
+                                   params,
+                                   *group,
+                                   IDR_BLOCKED_PLUGIN_HTML,
+                                   IDS_PLUGIN_NOT_AUTHORIZED,
+                                   false);
+  }
+
   if (info.path.value() == webkit::npapi::kDefaultPluginLibraryName ||
       plugin_setting == CONTENT_SETTING_ALLOW ||
       host_setting == CONTENT_SETTING_ALLOW) {
diff --git a/chrome/test/plugin/plugin_test.cpp b/chrome/test/plugin/plugin_test.cpp
index 31b8d53..ace16bc 100644
--- a/chrome/test/plugin/plugin_test.cpp
+++ b/chrome/test/plugin/plugin_test.cpp
@@ -100,6 +100,7 @@ class PluginTest : public UITest {
 #endif  // defined(OS_WIN)
 
     launch_arguments_.AppendSwitch(switches::kAllowOutdatedPlugins);
+    launch_arguments_.AppendSwitch(switches::kAlwaysAuthorizePlugins);
 
     UITest::SetUp();
   }
diff --git a/chrome/tools/chromeactions.txt b/chrome/tools/chromeactions.txt
index d58c665..63ee8d0 100644
--- a/chrome/tools/chromeactions.txt
+++ b/chrome/tools/chromeactions.txt
@@ -114,6 +114,11 @@
 0xc4874f0e8e8b60aa	BadMessageTerminate_WPH
 0x1d145f0af708242c	BlockNonsandboxedPlugins_Disable
 0xd80cc9291c9c82a9	BlockNonsandboxedPlugins_Enable
+0xe0daa169d443430e	BlockedPluginInfobar.AllowThisTime
+0xbc5f7815d41f0a0a	BlockedPluginInfobar.AlwaysAllow
+0xa6092c47f7cd698b	BlockedPluginInfobar.Closed
+0x4937bd47014fb3e0	BlockedPluginInfobar.LearnMore
+0x127e30ad4cde6b00	BlockedPluginInfobar.Shown
 0x114c3050111d8b8d	Bold
 0x02f476e54c6d58bd	BookmarkBarFolder_CtxMenu
 0x3012b56b98c28823	BookmarkBarFolder_DragEnd
diff --git a/webkit/plugins/npapi/plugin_group.cc b/webkit/plugins/npapi/plugin_group.cc
index a20c3be..1884650 100644
--- a/webkit/plugins/npapi/plugin_group.cc
+++ b/webkit/plugins/npapi/plugin_group.cc
@@ -18,6 +18,9 @@ namespace npapi {
 
 const char* PluginGroup::kAdobeReaderGroupName = "Adobe Acrobat";
 const char* PluginGroup::kAdobeReaderUpdateURL = "http://get.adobe.com/reader/";
+const char* PluginGroup::kJavaGroupName = "Java";
+const char* PluginGroup::kQuickTimeGroupName = "QuickTime";
+const char* PluginGroup::kShockwaveGroupName = "Shockwave";
 
 /*static*/
 std::set<string16>* PluginGroup::policy_disabled_plugin_patterns_;
@@ -50,7 +53,8 @@ bool PluginGroup::IsPluginNameDisabledByPolicy(const string16& plugin_name) {
 VersionRange::VersionRange(VersionRangeDefinition definition)
     : low_str(definition.version_matcher_low),
       high_str(definition.version_matcher_high),
-      min_str(definition.min_version) {
+      min_str(definition.min_version),
+      requires_authorization(definition.requires_authorization) {
   if (!low_str.empty())
     low.reset(Version::GetVersionFromString(low_str));
   if (!high_str.empty())
@@ -77,6 +81,7 @@ void VersionRange::InitFrom(const VersionRange& other) {
   low.reset(Version::GetVersionFromString(other.low_str));
   high.reset(Version::GetVersionFromString(other.high_str));
   min.reset(Version::GetVersionFromString(other.min_str));
+  requires_authorization = other.requires_authorization;
 }
 
 PluginGroup::PluginGroup(const string16& group_name,
@@ -401,6 +406,15 @@ bool PluginGroup::IsVulnerable() const {
   return false;
 }
 
+bool PluginGroup::RequiresAuthorization() const {
+  for (size_t i = 0; i < version_ranges_.size(); ++i) {
+    if (IsVersionInRange(*version_, version_ranges_[i]) &&
+        version_ranges_[i].requires_authorization)
+      return true;
+  }
+  return false;
+}
+
 bool PluginGroup::IsEmpty() const {
   return web_plugin_infos_.size() == 0;
 }
diff --git a/webkit/plugins/npapi/plugin_group.h b/webkit/plugins/npapi/plugin_group.h
index cc5ff7c..3f4007f 100644
--- a/webkit/plugins/npapi/plugin_group.h
+++ b/webkit/plugins/npapi/plugin_group.h
@@ -38,6 +38,7 @@ struct VersionRangeDefinition {
   // to match anything higher than |version_matcher_low|.
   const char* version_matcher_high;
   const char* min_version;  // Minimum secure version.
+  bool requires_authorization;  // If this range needs user permission to run.
 };
 
 // Hard-coded definitions of plugin groups.
@@ -64,6 +65,7 @@ struct VersionRange {
   scoped_ptr<Version> low;
   scoped_ptr<Version> high;
   scoped_ptr<Version> min;
+  bool requires_authorization;
  private:
   void InitFrom(const VersionRange& other);
 };
@@ -81,6 +83,9 @@ class PluginGroup {
   // enabled.
   static const char* kAdobeReaderGroupName;
   static const char* kAdobeReaderUpdateURL;
+  static const char* kJavaGroupName;
+  static const char* kQuickTimeGroupName;
+  static const char* kShockwaveGroupName;
 
   PluginGroup(const PluginGroup& other);
 
@@ -160,6 +165,10 @@ class PluginGroup {
   // security problems.
   bool IsVulnerable() const;
 
+  // Returns true if this plug-in group always requires user authorization
+  // to run.
+  bool RequiresAuthorization() const;
+
   // Check if the group has no plugins. Could happen after a reload if the plug-
   // in has disappeared from the pc (or in the process of updating).
   bool IsEmpty() const;
diff --git a/webkit/plugins/npapi/plugin_group_unittest.cc b/webkit/plugins/npapi/plugin_group_unittest.cc
index a4ea89b..54bc25d 100644
--- a/webkit/plugins/npapi/plugin_group_unittest.cc
+++ b/webkit/plugins/npapi/plugin_group_unittest.cc
@@ -20,17 +20,17 @@ namespace webkit {
 namespace npapi {
 
 static const VersionRangeDefinition kPluginVersionRange[] = {
-    { "", "", "3.0.44" }
+    { "", "", "3.0.44", false }
 };
 static const VersionRangeDefinition kPlugin3VersionRange[] = {
-    { "0", "4", "3.0.44" }
+    { "0", "4", "3.0.44", false }
 };
 static const VersionRangeDefinition kPlugin4VersionRange[] = {
-    { "4", "5", "4.0.44" }
+    { "4", "5", "4.0.44", false }
 };
 static const VersionRangeDefinition kPlugin34VersionRange[] = {
-    { "0", "4", "3.0.44" },
-    { "4", "5", "" }
+    { "0", "4", "3.0.44", false },
+    { "4", "5", "", false }
 };
 
 static const PluginGroupDefinition kPluginDef = {
@@ -227,9 +227,9 @@ TEST(PluginGroupTest, DisabledByPolicy) {
 TEST(PluginGroupTest, IsVulnerable) {
   // Adobe Reader 10
   VersionRangeDefinition adobe_reader_version_range[] = {
-      { "10", "11", "" },
-      { "9", "10", "9.4.1" },
-      { "0", "9", "8.2.5" }
+      { "10", "11", "", false },
+      { "9", "10", "9.4.1", false },
+      { "0", "9", "8.2.5", false }
   };
   PluginGroupDefinition adobe_reader_plugin_def = {
       "adobe-reader", "Adobe Reader", "Adobe Acrobat",
@@ -244,11 +244,12 @@ TEST(PluginGroupTest, IsVulnerable) {
   group->AddPlugin(adobe_reader_plugin);
   PluginGroup group_copy(*group);  // Exercise the copy constructor.
   EXPECT_FALSE(group_copy.IsVulnerable());
+  EXPECT_FALSE(group_copy.RequiresAuthorization());
 
   // Silverlight 4
   VersionRangeDefinition silverlight_version_range[] = {
-      { "0", "4", "3.0.50106.0" },
-      { "4", "5", "" }
+      { "0", "4", "3.0.50106.0", false },
+      { "4", "5", "", true }
   };
   PluginGroupDefinition silverlight_plugin_def = {
       "silverlight", "Silverlight", "Silverlight", silverlight_version_range,
@@ -261,6 +262,7 @@ TEST(PluginGroupTest, IsVulnerable) {
   group.reset(PluginGroupTest::CreatePluginGroup(silverlight_plugin_def));
   group->AddPlugin(silverlight_plugin);
   EXPECT_FALSE(PluginGroup(*group).IsVulnerable());
+  EXPECT_TRUE(PluginGroup(*group).RequiresAuthorization());
 }
 }  // namespace npapi
 }  // namespace webkit
diff --git a/webkit/plugins/npapi/plugin_list.cc b/webkit/plugins/npapi/plugin_list.cc
index a4da48d..0d4519c 100644
--- a/webkit/plugins/npapi/plugin_list.cc
+++ b/webkit/plugins/npapi/plugin_list.cc
@@ -29,7 +29,7 @@ FilePath::CharType kDefaultPluginLibraryName[] =
 // Some version ranges can be shared across operating systems. This should be
 // done where possible to avoid duplication.
 static const VersionRangeDefinition kFlashVersionRange[] = {
-    { "", "", "10.1.102" }
+    { "", "", "10.1.102", false }
 };
 
 // Similarly, try and share the group definition for plug-ins that are
@@ -44,36 +44,38 @@ static const PluginGroupDefinition kFlashDefinition = {
 // (new versions) are published.
 // TODO(panayiotis): Get the Real Player version on Mac, somehow.
 static const VersionRangeDefinition kQuicktimeVersionRange[] = {
-    { "", "", "7.6.6" }
+    { "", "", "7.6.6", true }
 };
 static const VersionRangeDefinition kJavaVersionRange[] = {
-    { "13.0", "14.0", "13.3.0" }  // Snow Leopard
+    { "13.0", "14.0", "13.3.0", true }  // Snow Leopard
 };
 static const VersionRangeDefinition kSilverlightVersionRange[] = {
-    { "0", "4", "3.0.50106.0" },
-    { "4", "5", "" }
+    { "0", "4", "3.0.50106.0", false },
+    { "4", "5", "", false }
 };
 static const VersionRangeDefinition kFlip4MacVersionRange[] = {
-    { "", "", "2.2.1" }
+    { "", "", "2.2.1", false }
 };
 static const VersionRangeDefinition kShockwaveVersionRange[] = {
-    { "",  "", "11.5.9.615" }
+    { "",  "", "11.5.9.615", true }
 };
+// TODO(cevans) - I don't see Adobe Reader in here for Mac.
 static const PluginGroupDefinition kGroupDefinitions[] = {
   kFlashDefinition,
-  { "apple-quicktime", "Quicktime", "QuickTime Plug-in", kQuicktimeVersionRange,
-    arraysize(kQuicktimeVersionRange),
+  { "apple-quicktime", PluginGroup::kQuickTimeGroupName, "QuickTime Plug-in",
+    kQuicktimeVersionRange, arraysize(kQuicktimeVersionRange),
     "http://www.apple.com/quicktime/download/" },
-  { "java-runtime-environment", "Java", "Java", kJavaVersionRange,
-    arraysize(kJavaVersionRange), "http://support.apple.com/kb/HT1338" },
+  { "java-runtime-environment", PluginGroup::kJavaGroupName, "Java",
+    kJavaVersionRange, arraysize(kJavaVersionRange),
+    "http://support.apple.com/kb/HT1338" },
   { "silverlight", "Silverlight", "Silverlight", kSilverlightVersionRange,
     arraysize(kSilverlightVersionRange),
     "http://www.microsoft.com/getsilverlight/" },
   { "flip4mac", "Flip4Mac", "Flip4Mac", kFlip4MacVersionRange,
     arraysize(kFlip4MacVersionRange),
     "http://www.telestream.net/flip4mac-wmv/overview.htm" },
-  { "shockwave", "Shockwave", "Shockwave for Director", kShockwaveVersionRange,
-    arraysize(kShockwaveVersionRange),
+  { "shockwave", PluginGroup::kShockwaveGroupName, "Shockwave for Director",
+    kShockwaveVersionRange, arraysize(kShockwaveVersionRange),
     "http://www.adobe.com/shockwave/download/" }
 };
 
@@ -81,41 +83,41 @@ static const PluginGroupDefinition kGroupDefinitions[] = {
 // TODO(panayiotis): We should group "RealJukebox NS Plugin" with the rest of
 // the RealPlayer files.
 static const VersionRangeDefinition kQuicktimeVersionRange[] = {
-    { "", "", "7.6.8" }
+    { "", "", "7.6.8", true }
 };
 static const VersionRangeDefinition kJavaVersionRange[] = {
-    { "0", "7", "6.0.220" }  // "220" is not a typo.
+    { "0", "7", "6.0.220", true }  // "220" is not a typo.
 };
 static const VersionRangeDefinition kAdobeReaderVersionRange[] = {
-    { "10", "11", "" },
-    { "9", "10", "9.4.1" },
-    { "0", "9", "8.2.5" }
+    { "10", "11", "", false },
+    { "9", "10", "9.4.1", false },
+    { "0", "9", "8.2.5", false }
 };
 static const VersionRangeDefinition kSilverlightVersionRange[] = {
-    { "0", "4", "3.0.50106.0" },
-    { "4", "5", "" }
+    { "0", "4", "3.0.50106.0", false },
+    { "4", "5", "", false }
 };
 static const VersionRangeDefinition kShockwaveVersionRange[] = {
-    { "", "", "11.5.9.615" }
+    { "", "", "11.5.9.615", true }
 };
 static const VersionRangeDefinition kDivXVersionRange[] = {
-    { "", "", "1.4.3.4" }
+    { "", "", "1.4.3.4", false }
 };
 static const PluginGroupDefinition kGroupDefinitions[] = {
   kFlashDefinition,
-  { "apple-quicktime", "Quicktime", "QuickTime Plug-in", kQuicktimeVersionRange,
-    arraysize(kQuicktimeVersionRange),
+  { "apple-quicktime", PluginGroup::kQuickTimeGroupName, "QuickTime Plug-in",
+    kQuicktimeVersionRange, arraysize(kQuicktimeVersionRange),
     "http://www.apple.com/quicktime/download/" },
-  { "java-runtime-environment", "Java 6", "Java", kJavaVersionRange,
-    arraysize(kJavaVersionRange), "http://www.java.com/" },
+  { "java-runtime-environment", PluginGroup::kJavaGroupName, "Java",
+    kJavaVersionRange, arraysize(kJavaVersionRange), "http://www.java.com/" },
   { "adobe-reader", PluginGroup::kAdobeReaderGroupName, "Adobe Acrobat",
     kAdobeReaderVersionRange, arraysize(kAdobeReaderVersionRange),
     "http://get.adobe.com/reader/" },
   { "silverlight", "Silverlight", "Silverlight", kSilverlightVersionRange,
     arraysize(kSilverlightVersionRange),
     "http://www.microsoft.com/getsilverlight/" },
-  { "shockwave", "Shockwave", "Shockwave for Director", kShockwaveVersionRange,
-    arraysize(kShockwaveVersionRange),
+  { "shockwave", PluginGroup::kShockwaveGroupName, "Shockwave for Director",
+    kShockwaveVersionRange, arraysize(kShockwaveVersionRange),
     "http://www.adobe.com/shockwave/download/" },
   { "divx-player", "DivX Player", "DivX Web Player", kDivXVersionRange,
     arraysize(kDivXVersionRange),
@@ -135,23 +137,23 @@ static const PluginGroupDefinition kGroupDefinitions[] = {
 
 #else
 static const VersionRangeDefinition kJavaVersionRange[] = {
-    { "0", "1.7", "1.6.0.22" }
+    { "0", "1.7", "1.6.0.22", true }
 };
 
 static const VersionRangeDefinition kRedhatIcedTeaVersionRange[] = {
-    { "0", "1.9", "1.8.3" },
-    { "1.9", "1.10", "1.9.2" },
+    { "0", "1.9", "1.8.3", true },
+    { "1.9", "1.10", "1.9.2", true },
 };
 
 static const PluginGroupDefinition kGroupDefinitions[] = {
   // Flash on Linux is significant because there isn't yet a built-in Flash
   // plug-in on the Linux 64-bit version of Chrome.
   kFlashDefinition,
-  { "java-runtime-environment", "Java 6", "Java", kJavaVersionRange,
-    arraysize(kJavaVersionRange),
+  { "java-runtime-environment", PluginGroup::kJavaGroupName, "Java",
+    kJavaVersionRange, arraysize(kJavaVersionRange),
     "http://www.java.com/en/download/manual.jsp" },
-  { "redhat-icetea-java", "IcedTea", "IcedTea", kRedhatIcedTeaVersionRange,
-    arraysize(kRedhatIcedTeaVersionRange),
+  { "redhat-icetea-java", "IceTea", "IcedTea",
+    kRedhatIcedTeaVersionRange, arraysize(kRedhatIcedTeaVersionRange),
     "http://www.linuxsecurity.com/content/section/3/170/" },
 };
 #endif