All users were logged out of Bugzilla on October 13th, 2018

Add support for hiding add-ons

RESOLVED INACTIVE

Status

()

--
enhancement
RESOLVED INACTIVE
3 years ago
5 months ago

People

(Reporter: mossop, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
In a couple of very special cases we have Firefox features shipping as add-ons. The hotfix add-on is one, bug 1156135 will introduce another. In both these cases it is probably desirable to hide the add-ons from the main list to avoid user surprise. Until now that has been difficult to do without also opening the door to allowing other malicious add-ons to hide themselves but now we have add-on signing about to be required I think we can do this.

I think it goes something like this. We have a pref set in the installation defaults with a comma separated list of IDs to hide. The add-ons manager UI gets the default value of this pref (so changes set in the profile don't matter) and hides any add-ons that are fully signed and match an ID in the pref. The only way for an add-on to abuse it is to get itself signed which means it will have to go through AMO review.

We should only hide from the main add-ons manager UI. about:support and other places should still list these add-ons for support purposes.

Dan, does this seem like a safe way to do this?
Flags: needinfo?(dveditz)
Malicious add-ons have already managed to hide themselves by overlaying the addon manager or other tricks. Don't feel great about making it easier, but in practice it's cut-n-paste code so it's pretty easy. (Of course I hope our signing requirement will help us catch these and weed them out.)

I think add-ons used to have a "hidden" property in install.rdf that we took away because of this kind of abuse. If you're going to add a pref (that can be hacked) would it be easier to restore that functionality? Then it's part of the signed content and we can review for it. If we went this route we should make the hidden attribute effective only for signed addons, so that folks with a dev build can't get abused (because I suspect malware will start replacing Firefox with dev builds -- it's happened with Chrome).

The pref list would OK, but a little more abusable. Even if restricted to IDs of legit signed add-ons that still leaves open the possibility of someone side-loading a legit but unwanted add-on, say putting Parental-Monitoring (Employee monitoring?) software on an ex's computer. I know people who have been stalked by a creepy ex with similar monitoring tools, it's not fantasy. 

I agree about:support should still list these, but we should annotate the hidden ones somehow. That may help us find abuses, and if we find the right wording might reassure users it's OK that these "extra" addons didn't show up in the add-on manager.
Flags: needinfo?(dveditz)

Comment 2

5 months ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.