Disable loading remote jars by default

RESOLVED FIXED in Firefox 55

(Reporter: tjr, Assigned: tjr)


({addon-compat, dev-doc-complete, site-compat})

Firefox Tracking Flags

(firefox55 fixed)


(Whiteboard: [necko-would-take])


(1 attachment)

Comment 0

2 years ago
In #1255934 we added Telemetry for remote jars, as we learned IBM iNotes used it. Looking at the Telemetry we can see:

- It is overwhelmingly used only on Windows
- It is used in ~.01% of sessions

(As the earlier bug mentions, we can divide the number of sessions this probe is in by the number of sessions a different flag probe is in as long as that divisor probe is reliably reported every session.)

Because it's used so infrequently, it'd be great if we could completely disallow remote jar file loads to reduce the attack surface available to the web.

We have a preference for blocking this already, network.jar.block-remote-files.  It'd be great to switch it to 'on' by default and the minority who need it turn off the blocking.
Component: Networking → Networking: JAR
Whiteboard: [necko-would-take]
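Before flipping network.jar.block-remote-files on, an admin wants to know which of their pages actually load content through a remote jar: URL. The classifier below is an added example, not Firefox's own code: it unwraps (possibly nested) jar: URLs at the last "!/" and reports whether the archive would be fetched over the network; the scheme sets and the sample URLs are assumptions constructed for the demo, not the browser's list.

```python
from urllib.parse import urlsplit
# Assumed scheme sets (not Firefox's own list): archives served over these
# schemes are "remote" and are what network.jar.block-remote-files refuses.
REMOTE_SCHEMES = {"http", "https", "ftp"}
LOCAL_SCHEMES = {"file", "resource", "chrome", "moz-extension"}

def split_jar_url(url):
    # A jar URL is "jar:<archive-url>!/<entry>". Splitting at the LAST "!/"
    # lets nested URLs (jar:jar:...!/a.jar!/b.html) unwrap from the outside in.
    if not url.lower().startswith("jar:"):
        return None
    body = url[4:]
    sep = body.rfind("!/")
    if sep < 0:
        return None  # has the jar: prefix but no entry separator
    return body[:sep], body[sep + 2:]

def innermost_scheme(url):
    # Peel every jar: layer; the scheme left over is where the bytes come from.
    parts = split_jar_url(url)
    while parts is not None:
        url = parts[0]
        parts = split_jar_url(url)
    return urlsplit(url).scheme.lower()

def classify_jar_url(url):
    # -> "not-jar", "malformed", "remote", "local" or "other"
    if split_jar_url(url) is None:
        return "malformed" if url.lower().startswith("jar:") else "not-jar"
    scheme = innermost_scheme(url)
    if scheme in REMOTE_SCHEMES:
        return "remote"
    return "local" if scheme in LOCAL_SCHEMES else "other"

def blocked_by_pref(url, block_remote_files=True):
    # True when the load would be refused with the pref at its new default.
    return block_remote_files and classify_jar_url(url) == "remote"

# Constructed sample, standing in for URLs pulled from a proxy or web-app audit.
SAMPLE_URLS = [
    "jar:https://intranet.example/inotes/ui.jar!/forms/mail.html",
    "jar:jar:https://cdn.example/bundle.jar!/inner.jar!/index.html",
    "jar:file:///opt/firefox/omni.ja!/chrome/toolkit/content/global/about.xhtml",
    "jar:resource://gre/modules/foo.jar!/bar.js",
    "https://intranet.example/inotes/ui.jar",
]

def remote_jar_loads(urls):
    # The subset that breaks under the new default and needs fixing or an opt-out.
    return [u for u in urls if blocked_by_pref(u)]
```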
Comment 1

See also bug 1215235 where we tried to do this before (spawning the telemetry in bug 1255934 mentioned above), especially bug 1215235 comment 13 which mentions IBM has fixed more recent versions of Notes. We ought to be able to do this post-52 (to give Notes-using enterprises an easy path on the 52 ESR).

Updating the summary to reflect the proposal (disable, not "kill").

The patch in bug 1215235 will be a useful start in fixing tests broken by this change, but doesn't appear to have a test to verify that remote jars are in fact blocked by default.
See Also: → bug 1215235
Summary: Kill Remote Jar Loading Feature → Disable loading remote jars by default
Keywords: addon-compat, dev-doc-needed, site-compat

Comment 2

2 years ago
I think the interesting data here is how much this has dropped in the last few releases.  We probably can't really test this manually and I'm not sure who controls the upgrade cadence of all IBM Lotus iNotes installations out there (whether it's IBM or each individual site admin), so we should proceed really carefully here.

Comment 3

2 years ago
Note that the REMOTE_JAR_PROTOCOL_USED probe is expiring in 55; if we don't plan to disable loading remote jars in this release, we should probably extend the telemetry.
Flags: needinfo?(tom)


Depends on: 1353123

Comment 4

2 years ago
Opened https://bugzilla.mozilla.org/show_bug.cgi?id=1353123 to extend the probe.
Flags: needinfo?(tom)

Comment 6

2 years ago
Assuming I successfully disabled it with my patch - all tests pass (run on linux32).

Comment 7

2 years ago
Comment on attachment 8854124 [details]
Bug 1329336 Block remote jar files by default

Please note that the commit needs to be rebased, and you also need to remove the previous definitions here:
Attachment #8854124 - Flags: review+


Keywords: checkin-needed
Assignee: nobody → tom

Comment 11

2 years ago
Pushed by ryanvm@gmail.com:
Block remote jar files by default r=valentin
Keywords: checkin-needed

Comment 12

2 years ago
Last Resolved: 2 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55

Comment 13

2 years ago
Mike, gentle ping to watch out for possible fallout from this, especially reports from IBM Lotus iNotes.  Thanks!
Flags: needinfo?(miket)
Comment 14

Roger that!
Flags: needinfo?(miket)
status-firefox53: affected → ---
Comment 15

I have documented this by updating the note at:

https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol

And adding a note to the Fx55 rel notes:

https://developer.mozilla.org/en-US/Firefox/Releases/55#Security

Let me know if this looks OK. Thanks!
Keywords: dev-doc-needed → dev-doc-complete

Comment 16

2 years ago
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #15)
> I have documented this by updating the note at:
> https://developer.mozilla.org/en-US/docs/Mozilla/Security/Security_and_the_jar_protocol
> And adding a note to the Fx55 rel notes:
> https://developer.mozilla.org/en-US/Firefox/Releases/55#Security
> Let me know if this looks OK. Thanks!



Depends on: 1427726