KidFox: Restricted profiles - Hide all add-ons and apps installation/removal features and related UI

VERIFIED FIXED in Firefox 42

Status

()

defect
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: jchaulk, Assigned: sebastian)

Tracking

Trunk
Firefox 42
All
Android
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox42 verified)

Details

Attachments

(2 attachments)

Comment hidden (empty)
Blocks: FFB
OS: Windows 8.1 → Android
Hardware: x86_64 → All
Version: unspecified → Trunk
(Reporter)

Updated

4 years ago
Blocks: kidfox-v1
Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
This patch and the following build up on the changes made in bug 1180653.

Part 1: Disallow installation of add-ons and apps.
Part 2: Disallow browsing about:addons if DISALLOW_INSTALL_EXTENSION restriction is enforced.
Attachment #8637908 - Flags: review?(ally)
Attachment #8637940 - Flags: review?(ally)
Comment on attachment 8637908 [details] [diff] [review]
1125289-part1-disallow.patch

Review of attachment 8637908 [details] [diff] [review]:
-----------------------------------------------------------------

This is so much nicer to read. :)
Attachment #8637908 - Flags: review?(ally) → review+
Comment on attachment 8637940 [details] [diff] [review]
1125289-part2-about_addons.patch

Review of attachment 8637940 [details] [diff] [review]:
-----------------------------------------------------------------

So, this seems to work, and we could probably land this for v1 without suffering too much. 

That said, I am concerned that this is not the best approach. I would have though AboutRedirector.java would be a better place as it controls the access to the about: urls. 

Margaret, thoughts?
Attachment #8637940 - Flags: review?(ally) → feedback?(margaret.leibovic)
Comment on attachment 8637940 [details] [diff] [review]
1125289-part2-about_addons.patch

Review of attachment 8637940 [details] [diff] [review]:
-----------------------------------------------------------------

::: mobile/android/base/RestrictedProfiles.java
@@ +277,5 @@
> +        if (restriction == Restriction.DISALLOW_BROWSE_FILES
> +            && url.toLowerCase().startsWith(ABOUT_ADDONS)
> +            && !isAllowed(context, Restriction.DISALLOW_INSTALL_EXTENSION)) {
> +            return false;
> +        }

This seems fine to me.

Does this also catch URLs opened from JS? If it doesn't I suppose that means we have bigger problems to deal with.
Attachment #8637940 - Flags: feedback?(margaret.leibovic) → feedback+
url:        https://hg.mozilla.org/integration/fx-team/rev/2b241cb3d78832537aca9d72c5b933dcdb55eff7
changeset:  2b241cb3d78832537aca9d72c5b933dcdb55eff7
user:       Sebastian Kaspari <s.kaspari@gmail.com>
date:       Tue Jul 28 13:40:37 2015 +0200
description:
Bug 1125289 - (Part 1) Disallow installing add-ons and apps. r=ally
Added 'leave-open' because I only landed part 1 so far.

(In reply to :Margaret Leibovic from comment #5)
> Does this also catch URLs opened from JS? If it doesn't I suppose that means
> we have bigger problems to deal with.

Yeah, I tried redirecting using window.location='..' and for guest/restricted profiles this method is called.

@Ally: Do we want to land part 2 as-is for v1?
Flags: needinfo?(ally)
Keywords: leave-open
Comment on attachment 8637940 [details] [diff] [review]
1125289-part2-about_addons.patch

Drive-by r+ :)
Attachment #8637940 - Flags: review+
sounds like margaret has given you an r+ to land as is. go for it.
Flags: needinfo?(ally)
url:        https://hg.mozilla.org/integration/fx-team/rev/ae3706a5cb96da2f5a645f3b6867652f7b451311
changeset:  ae3706a5cb96da2f5a645f3b6867652f7b451311
user:       Sebastian Kaspari <s.kaspari@gmail.com>
date:       Tue Jul 28 14:20:51 2015 +0200
description:
Bug 1125289 - Restricted profiles: Disallow browsing about:addons. r=margaret
Keywords: leave-open
https://hg.mozilla.org/mozilla-central/rev/ae3706a5cb96
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 42

Comment 13

4 years ago
Verified as fixed on latest Aurora
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.