Closed Bug 1329336 Opened 6 years ago Closed 6 years ago
Disable loading remote jars by default
In #1255934 we added Telemetry for remote jars, as we learned IBM iNotes used it. Looking at the Telemetry we can see: - It is overwhelmingly used only on Windows - It is used in ~ .01% of sessions (As the earlier bug mentions, we can divide the number of sessions this probe is in by the number of sessions a different flag probe is in as long as that divisor probe is reliably reported every session.) Because it's used so infrequently, it'd be great if we could completely disallow remote jar file loads to reduce the attack service available to the web. We have a preference for blocking this already, network.jar.block-remote-files. It'd be great to switch it to 'on' by default and the minority who need it turn off the blocking.
Component: Networking → Networking: JAR
See also bug 1215235 where we tried to do this before (spawning the telemetry in bug 1255934 mentioned above), especially bug 1215235 comment 13 which mentions IBM has fixed more recent versions of Notes. We ought to be able to do this post-52 (to give Notes-using enterprises an easy path on the 52 ESR). Updating the summary to reflect the proposal (disable, not "kill"). The patch in bug 1215235 will be a useful start in fixing tests broken by this change, but doesn't appear to have a test to verify that remote jars are in fact blocked by default.
See Also: → 1215235
Summary: Kill Remote Jar Loading Feature → Disable loading remote jars by default
I think the interesting data here is how much this has dropped in the last few releases. We probably can't really test this manually and I'm not sure who controls the upgrade cadence of all IBM Lotus iNotes installations out there (whether it's IBM or each individual site admin), so we should proceed really carefully here.
Note that the REMOTE_JAR_PROTOCOL_USED probe is expiring in 55, if we don't plan to disable loading remote jars in this release, we should probably extend the telemetry.
Opened https://bugzilla.mozilla.org/show_bug.cgi?id=1353123 to extend the probe.
Assuming I successfully disabled it with my patch - all tests pass (run on linux32).
Comment on attachment 8854124 [details] Bug 1329336 Block remote jar files by default https://reviewboard.mozilla.org/r/126112/#review129002 Please note that the commit needs to be rebased, and you also need to remove the previous definitions here: http://searchfox.org/mozilla-central/source/modules/libpref/init/all.js#1702,1704
Attachment #8854124 - Flags: review+
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/remote-jar-support-has-been-disabled-again/
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/autoland/rev/ce5c79c0654b Block remote jar files by default r=valentin
Mike, gentle ping to watch out for possible fallout from this, especially reports from IBM Lotus iNotes. Thanks!
I have document this, by updating the note at: https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol And adding a note to the Fx55 rel notes: https://developer.mozilla.org/en-US/Firefox/Releases/55#Security Let me know if this looks OK. Thanks!
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #15) > I have document this, by updating the note at: > > https://developer.mozilla.org/en-US/docs/Mozilla/Security/ > Security_and_the_jar_protocol > > And adding a note to the Fx55 rel notes: > > https://developer.mozilla.org/en-US/Firefox/Releases/55#Security > > Let me know if this looks OK. Thanks! LGTM
You need to log in before you can comment on or make changes to this bug.