Some enterprises only want allow the use of plugins and extensions that are on an allow list. This ensures that the administrator knows what plugins are in use so that they can be patched, and allows an amount of functional testing before full deployment. They don't want to be in a state where users install useful-sounding plugins that, for example, sends sensitive data out to the cloud or to a malicious third party. Unfortunately I'm struggling to implement a configuration to deny all plugins and extensions apart from a specified list (which a user can then choose to manually disable or enable). Are the three options below viable or is there some other route:

I can prevent the installation of plugins with this configuration: lockPref("xpinstall.enabled", 0); I can get plugins to default to disabled whenever the browser starts: lockPref("plugin.default.state", 0); lockPref("plugin.defaultXpi.state", 0); I can enable and disable individual plugins: // Enable Flash as it's in a sandbox lockPref("plugin.state.flash", 2); // Disable Java unless required lockPref("plugin.state.java", 0); lockPref("plugin.state.npdeployjava1", 0);