Closed
Bug 1275364
Opened 8 years ago
Closed 8 years ago
[meta] Require user authorization for all plugins and extensions
Categories
(Toolkit :: Add-ons Manager, enhancement)
Tracking
()
RESOLVED
DUPLICATE
of bug 640775
People
(Reporter: brendieellen, Unassigned)
Details
(Keywords: feature)
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Build ID: 20160502172042 Steps to reproduce: All plug-ins and extensions should require the user to authorize them on for installation and authorization from within Firefox. Any plug-ins or extension should should be removable by the user from within Firefox. The present system is a terrible security compromise. Not allowing the user to uninstall an extension is a baffling and poor design choice. Even if the extension / plugin folder authorization system needs to be encrypted for protection, it should be done. It is apparent that the current design choices do not best benefit the user.
|
||
Comment 1•8 years ago
|
||
This would really be useful if made possible. Adding 'feature' keyword as this is a feature request. Need others opinions too.
|
||
Comment 2•8 years ago
|
||
Plugins are generally installed in the system by other apps, and not in the Firefox directory nor the user profile. We allow you to disable them (in fact the default is "click to play") but uninstalling is problematic: * might be in a protected directory * the application that installed it might use it independently of Firefox, and break * other users on a shared machine might be using it Global add-ons have similar concerns: other users on the machine might be using it, so we allow it to be disabled but can't uninstall it. Disabling either of those are exactly equivalent (to that user) as uninstalling it--the code will not run. If you want to uninstall it globally then you need to uninstall the application that installed it. If there is no such uninstall then it's probably malware, and any simplistic file deletion Firefox could do would be insufficient to combat malicious software. Add-ons installed from the web do require user consent. Add-ons installed by an application directly to the machine is _supposed_ to have a user consent dialog, but malicious software can defeat that (those installers run at the same rights as Firefox itself). Plugins need to be installed locally by an installer, and those should have a user consent before they run. Malware installers won't, of course, but you need an anti-virus program to defeat those. Moving to the appropriate component but I'm not optimistic we could design something that would satisfy your requirements and actually work.
Severity: normal → enhancement
Component: Security → Add-ons Manager
Product: Firefox → Toolkit
|
Reporter | |
Comment 3•8 years ago
|
||
Hi, The current system is poor. I have 5 disabled legitimate but unwanted add-ons that I never wanted installed: Two versions of Nvidia 3d Vision, Java deployment kit, Flash, Adobe AAARM detect. How can Firefox be a secure platform for user, when users cannot even get rid of legitimate plugins, without dumping their profile? Even then, some of these might just be dropped in by a service. Hope is not a plan.
|
|
Reporter | |
Comment 4•8 years ago
|
||
The user should have total control over what plugins are accepted by Firefox.
|
||
Comment 5•8 years ago
|
||
The user does have total control over what add-ons Firefox will activate. As for removing unwanted items from the add-ons manager list that is covered by bug 640775.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
|
||
Comment 6•8 years ago
|
||
Removing the qawanted keyword since this bug was marked as duplicate.
Keywords: qawanted
|
|
Reporter | |
Comment 7•8 years ago
|
||
No, this is NOT a duplicate! Allowing removal is not the same as prohibiting installation. This is really getting tiresome!
|
|
Reporter | |
Comment 8•8 years ago
|
||
Please restore they keywords, and triage this as it should be done.
You need to log in
before you can comment on or make changes to this bug.
Description
•