Disable loading remote jars by default

Bug 1329336, RESOLVED FIXED in Firefox 55

Status: RESOLVED FIXED
Product / Component: Core / Networking: JAR
Reported: 5 months ago; last updated: 2 days ago

People: Reporter: tjr, Assigned: tjr

Tracking
Keywords: addon-compat, dev-doc-complete, site-compat
Version: Trunk; Target Milestone: mozilla55
Points: ---
Firefox Tracking Flags: firefox55 fixed

Details
Whiteboard: [necko-would-take]

Attachments: 1 attachment

Description (Assignee), 5 months ago
In #1255934 we added Telemetry for remote jars, as we learned IBM iNotes used it. Looking at the Telemetry we can see:

- It is overwhelmingly used only on Windows
- It is used in ~ .01% of sessions 

(As the earlier bug mentions, we can divide the number of sessions this probe is in by the number of sessions a different flag probe is in as long as that divisor probe is reliably reported every session.)

Because it's used so infrequently, it'd be great if we could completely disallow remote jar file loads to reduce the attack surface available to the web.

We have a preference for blocking this already, network.jar.block-remote-files.  It'd be great to switch it to 'on' by default and the minority who need it turn off the blocking.
Component: Networking → Networking: JAR
Whiteboard: [necko-would-take]
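As an added illustration (example code written for this page, not code from the bug, the patch, or Firefox's Necko jar channel), here is a small JavaScript model of the decision that network.jar.block-remote-files controls: it parses jar: URLs, including nested ones, and reports whether a load is refused under the Firefox 55 default (pref true) and under the opt-out (pref false). The set of schemes treated as local archives (file:, resource:, chrome:), the sample URLs, and the choice to refuse malformed jar: URLs regardless of the pref are this example's assumptions.

```javascript
// Added illustrative model of the policy behind network.jar.block-remote-files.
// This is example code written for this page, not Firefox's nsJARChannel code.
// Assumption: an archive is "local" when its innermost URL uses file:,
// resource: or chrome:; every other scheme (http:, https:, ftp:, ...) is
// treated as remote. That scheme list is this example's choice, not the bug's.
const LOCAL_ARCHIVE_SCHEMES = new Set(["file", "resource", "chrome"]);

// Parse "jar:<archive-url>!/<entry>" into its parts, peeling nested jar: layers
// (jar:jar:https://h/outer.jar!/inner.jar!/x.js) until the innermost archive
// URL is reached. Returns null when the string is not a well-formed jar: URL.
function parseJarUrl(url) {
  if (typeof url !== "string" || !url.startsWith("jar:")) return null;
  let archive = url;
  const entries = [];
  while (archive.startsWith("jar:")) {
    const bang = archive.lastIndexOf("!/");
    if (bang < 0) return null;                  // jar: without an entry separator
    entries.unshift(archive.slice(bang + 2));   // entry of this layer
    archive = archive.slice("jar:".length, bang);
  }
  let parsed;
  try {
    parsed = new URL(archive);
  } catch (e) {
    return null;                                // innermost archive is not a URL
  }
  return {
    archive,                                    // innermost archive URL
    scheme: parsed.protocol.slice(0, -1),       // "https:" -> "https"
    entries,                                    // entry path from that archive outward
  };
}

// Decide whether the modelled policy refuses the load. `prefs` stands in for
// the preference store; the Firefox 55 default (true) applies when the caller
// passes nothing. Refusing malformed jar: URLs is this example's assumption.
function isRemoteJarLoadBlocked(url, prefs = { "network.jar.block-remote-files": true }) {
  const jar = parseJarUrl(url);
  if (jar === null) {
    return { blocked: true, reason: "not a well-formed jar: URL" };
  }
  if (LOCAL_ARCHIVE_SCHEMES.has(jar.scheme)) {
    return { blocked: false, reason: `local archive (${jar.scheme}:)` };
  }
  if (prefs["network.jar.block-remote-files"]) {
    return { blocked: true, reason: `remote archive (${jar.scheme}:) blocked by default` };
  }
  return { blocked: false, reason: "remote archive allowed: blocking pref set to false" };
}

// Constructed sample loads (not real deployments): an iNotes-style remote jar,
// a packaged local archive, a nested remote jar, and a jar: URL with no entry.
const SAMPLE_LOADS = [
  "jar:http://mail.example.com/iNotes/Forms.jar!/ui/toolbar.js",
  "jar:file:///C:/Program%20Files/app/ui.jar!/main.js",
  "jar:jar:https://cdn.example/outer.jar!/inner.jar!/x.js",
  "jar:https://cdn.example/outer.jar",
];

// Evaluate every sample under both settings of the pref; this is the kind of
// table a site-compat check for the Firefox 55 change would look at.
function evaluateSamples(urls = SAMPLE_LOADS) {
  return urls.map((url) => ({
    url,
    firefox55: isRemoteJarLoadBlocked(url).blocked,
    optedOut: isRemoteJarLoadBlocked(url, { "network.jar.block-remote-files": false }).blocked,
  }));
}

for (const row of evaluateSamples()) {
  const tag = (b) => (b ? "BLOCK" : "allow");
  console.log(`${tag(row.firefox55)} (55 default) / ${tag(row.optedOut)} (opt-out)  ${row.url}`);
}
```

The opt-out the bug describes for the minority that still needs remote jars is setting network.jar.block-remote-files to false, for example `user_pref("network.jar.block-remote-files", false);` in user.js; in the model above that re-allows only well-formed remote jar: loads, while local archives are unaffected either way.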
See also bug 1215235 where we tried to do this before (spawning the telemetry in bug 1255934 mentioned above), especially bug 1215235 comment 13 which mentions IBM has fixed more recent versions of Notes. We ought to be able to do this post-52 (to give Notes-using enterprises an easy path on the 52 ESR).

Updating the summary to reflect the proposal (disable, not "kill").

The patch in bug 1215235 will be a useful start in fixing tests broken by this change, but doesn't appear to have a test to verify that remote jars are in fact blocked by default.
See Also: → bug 1215235
Summary: Kill Remote Jar Loading Feature → Disable loading remote jars by default

Updated, 4 months ago
Keywords: addon-compat, dev-doc-needed, site-compat
I think the interesting data here is how much this has dropped in the last few releases.  We probably can't really test this manually and I'm not sure who controls the upgrade cadence of all IBM Lotus iNotes installations out there (whether it's IBM or each individual site admin), so we should proceed really carefully here.
Note that the REMOTE_JAR_PROTOCOL_USED probe is expiring in 55, if we don't plan to disable loading remote jars in this release, we should probably extend the telemetry.
Flags: needinfo?(tom)
Updated (Assignee), 2 months ago
Depends on: 1353123
Comment 4 (Assignee), 2 months ago
Opened https://bugzilla.mozilla.org/show_bug.cgi?id=1353123 to extend the probe.
Flags: needinfo?(tom)
Comment 6 (Assignee), 2 months ago
Assuming I successfully disabled it with my patch - all tests pass (run on linux32).

Comment 7, 2 months ago
mozreview-review: Comment on attachment 8854124
Bug 1329336 Block remote jar files by default

https://reviewboard.mozilla.org/r/126112/#review129002

Please note that the commit needs to be rebased, and you also need to remove the previous definitions here:
http://searchfox.org/mozilla-central/source/modules/libpref/init/all.js#1702,1704
Attachment #8854124 - Flags: review+
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/remote-jar-support-has-been-disabled-again/
Updated (Assignee), 2 months ago
Keywords: checkin-needed
Assignee: nobody → tom

Comment 11, 2 months ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/ce5c79c0654b
Block remote jar files by default r=valentin
Keywords: checkin-needed

Comment 12, 2 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ce5c79c0654b
Status: NEW → RESOLVED
Last Resolved: 2 months ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Mike, gentle ping to watch out for possible fallout from this, especially reports from IBM Lotus iNotes.  Thanks!
Flags: needinfo?(miket)
Roger that!
Flags: needinfo?(miket)
status-firefox53: affected → ---
I have documented this, by updating the note at:

https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol

And adding a note to the Fx55 rel notes:

https://developer.mozilla.org/en-US/Firefox/Releases/55#Security

Let me know if this looks OK. Thanks!
Keywords: dev-doc-needed → dev-doc-complete
Comment 16 (Assignee), 2 days ago
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #15)
> I have documented this, by updating the note at:
> 
> https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol
> 
> And adding a note to the Fx55 rel notes:
> 
> https://developer.mozilla.org/en-US/Firefox/Releases/55#Security
> 
> Let me know if this looks OK. Thanks!

LGTM