Bug 1329336 - Disable loading remote jars by default
Status: Closed, RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: Core :: Networking: JAR, defect
Target Milestone: mozilla55

Tracking | Status | |
---|---|---|
firefox55 | --- | fixed |

People: Reporter: tjr, Assigned: tjr
Keywords: addon-compat, dev-doc-complete, site-compat; Whiteboard: [necko-would-take]
Attachments (1 file): 59 bytes, text/x-review-board-request
In #1255934 we added Telemetry for remote jars, as we learned IBM iNotes used it. Looking at the Telemetry we can see:
- It is overwhelmingly used only on Windows
- It is used in ~0.01% of sessions
(As the earlier bug mentions, we can divide the number of sessions this probe is in by the number of sessions a different flag probe is in as long as that divisor probe is reliably reported every session.)
Because it's used so infrequently, it'd be great if we could completely disallow remote jar file loads to reduce the attack surface available to the web.
We have a preference for blocking this already, network.jar.block-remote-files. It'd be great to switch it to 'on' by default and the minority who need it turn off the blocking.
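The description above boils down to a single policy decision: a `jar:` URL whose archive is fetched over the network is a "remote jar", and `network.jar.block-remote-files` decides whether such loads are refused. The following is an added illustration of that decision, not Firefox's own necko code: the preference is modelled as a plain boolean, and "remote" is simplified to "the innermost archive URL's scheme is anything other than `file:`". Firefox's real scheme handling is not reproduced here; the URL strings in the test are constructed.

```javascript
// Added example (not Firefox/necko code): model the block decision that
// network.jar.block-remote-files controls, as described in this bug.
//
// Assumptions (not from the bug): the pref is a plain boolean, and an
// archive is "remote" when its innermost scheme is anything but file:.

// New default after this bug: remote jar loads are blocked.
const DEFAULT_PREFS = { "network.jar.block-remote-files": true };

// Extract the URL scheme ("http", "file", "jar", ...) or null if malformed.
function schemeOf(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Split "jar:<archive-url>!/<entry-path>" into its two parts.
// Returns null for anything that is not a well-formed jar: URL.
// The last "!/" is taken as the separator so that nested archives
// ("jar:jar:http://h/a.jar!/b.jar!/c.html") keep their inner layer intact.
function parseJarUrl(url) {
  if (schemeOf(url) !== "jar") return null;
  const rest = url.slice("jar:".length);
  const sep = rest.lastIndexOf("!/");
  if (sep === -1) return null;
  return { archive: rest.slice(0, sep), entry: rest.slice(sep + 2) };
}

// A jar: URL is "remote" when the innermost archive would be fetched
// over the network, i.e. its scheme is not file:.
function isRemoteJar(url) {
  const outer = parseJarUrl(url);
  if (!outer) return false; // not a jar: URL, the pref does not apply
  let archive = outer.archive;
  // Unwrap nested jar: layers until we reach the transport scheme.
  for (let inner = parseJarUrl(archive); inner; inner = parseJarUrl(archive)) {
    archive = inner.archive;
  }
  const scheme = schemeOf(archive);
  return scheme !== null && scheme !== "file";
}

// The decision the channel would make: block only remote jars, and only
// when the pref is on. Enterprises that still need iNotes-style remote
// jars flip the pref to false (see the bug description).
function shouldBlock(url, prefs = DEFAULT_PREFS) {
  return isRemoteJar(url) && prefs["network.jar.block-remote-files"] === true;
}

// Stand-alone demonstration on constructed URLs.
const samples = [
  "jar:http://intranet.example/inotes.jar!/index.html", // blocked by default
  "jar:file:///opt/app/bundle.jar!/index.html",          // local, allowed
  "jar:jar:https://h.example/a.jar!/b.jar!/c.html",      // nested, still remote
  "http://example.com/plain.jar",                         // not a jar: URL
];
for (const url of samples) {
  console.log(`${shouldBlock(url) ? "BLOCK " : "ALLOW "} ${url}`);
}
```

Passing `{ "network.jar.block-remote-files": false }` as the second argument to `shouldBlock` reproduces the opt-out path the bug leaves open for sites that still depend on remote jars.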
Updated•8 years ago
Component: Networking → Networking: JAR
Whiteboard: [necko-would-take]
Comment 1•8 years ago
See also bug 1215235 where we tried to do this before (spawning the telemetry in bug 1255934 mentioned above), especially bug 1215235 comment 13 which mentions IBM has fixed more recent versions of Notes. We ought to be able to do this post-52 (to give Notes-using enterprises an easy path on the 52 ESR).
Updating the summary to reflect the proposal (disable, not "kill").
The patch in bug 1215235 will be a useful start in fixing tests broken by this change, but doesn't appear to have a test to verify that remote jars are in fact blocked by default.
See Also: → 1215235
Summary: Kill Remote Jar Loading Feature → Disable loading remote jars by default
Updated•8 years ago
Comment 2•8 years ago
I think the interesting data here is how much this has dropped in the last few releases. We probably can't really test this manually and I'm not sure who controls the upgrade cadence of all IBM Lotus iNotes installations out there (whether it's IBM or each individual site admin), so we should proceed really carefully here.
Comment 3•8 years ago
Note that the REMOTE_JAR_PROTOCOL_USED probe is expiring in 55; if we don't plan to disable loading remote jars in this release, we should probably extend the telemetry.
Flags: needinfo?(tom)
Comment 4•8 years ago (Assignee)
Opened https://bugzilla.mozilla.org/show_bug.cgi?id=1353123 to extend the probe.
Flags: needinfo?(tom)
Comment hidden (mozreview-request)
Comment 6•8 years ago (Assignee)
Assuming I successfully disabled it with my patch - all tests pass (run on linux32).
Comment 7•8 years ago
mozreview-review
Comment on attachment 8854124 [details]
Bug 1329336 Block remote jar files by default
https://reviewboard.mozilla.org/r/126112/#review129002
Please note that the commit needs to be rebased, and you also need to remove the previous definitions here:
http://searchfox.org/mozilla-central/source/modules/libpref/init/all.js#1702,1704
Attachment #8854124 - Flags: review+
Comment 8•8 years ago
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/remote-jar-support-has-been-disabled-again/
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Updated•8 years ago (Assignee)
Keywords: checkin-needed
Updated•8 years ago
Assignee: nobody → tom
Comment 11•8 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/ce5c79c0654b
Block remote jar files by default r=valentin
Keywords: checkin-needed
Comment 12•8 years ago
bugherder
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Comment 13•8 years ago
Mike, gentle ping to watch out for possible fallout from this, especially reports from IBM Lotus iNotes. Thanks!
Flags: needinfo?(miket)
Updated•8 years ago
status-firefox53:
affected → ---
Comment 15•8 years ago
I have documented this by updating the note at:
https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol
And adding a note to the Fx55 rel notes:
https://developer.mozilla.org/en-US/Firefox/Releases/55#Security
Let me know if this looks OK. Thanks!
Keywords: dev-doc-needed → dev-doc-complete
Comment 16•7 years ago (Assignee)
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #15)
> I have documented this by updating the note at:
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Security/
> Security_and_the_jar_protocol
>
> And adding a note to the Fx55 rel notes:
>
> https://developer.mozilla.org/en-US/Firefox/Releases/55#Security
>
> Let me know if this looks OK. Thanks!
LGTM