Closed Bug 1442719 Opened 3 years ago Closed 3 years ago

Policy: disable the ability to bypass Safe Browsing warnings

Categories

(Firefox :: Enterprise Policies, defect)

Product:
Firefox
Component:
Enterprise Policies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 61
Tracking Flags:
Tracking Status
firefox60 + verified
firefox61 --- verified

People

(Reporter: francois, Assigned: Felipe)

References

Details

Attachments

(1 file)

Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.
59 bytes, text/x-review-board-request
francois
: review+
jcristau
: approval-mozilla-beta+
Details 
Safe Browsing warnings can be bypassed by users. This is something that came up as in a report from the UK Government:

https://groups.google.com/d/msg/mozilla.dev.security/8Cl-HCLmwTU/vg2byz_GCAAJ

and so I added browser.safebrowsing.allowOverride in bug 1226490.

It doesn't yet prevent users from bypassing download protection warnings (that's bug 1239836), but it does at least lock down the webpage warnings.
Sounds like a nice-to-have policy for the security-minded. François, would you be interested in implementing it?
I structured it this way (one object with parameters under the same policy) because I'll add another item to the list, bug 1450761
Blocks: 1450761
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

https://reviewboard.mozilla.org/r/233098/#review238924

Looks good.

If the string "SafeBrowsing" is going to be user-visible (or admin-visible) then I'd suggest spelling it "Safe Browsing" (i.e. with a space) since that's the official way to write it.
Attachment #8964381 - Flags: review?(francois) → review+
Pushed by felipc@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6df42e55dbbd
Policy: Disable the ability to bypass Safe Browsing warnings. r=francois
[Tracking Requested - why for this release]:
Enterprise Policies
tracking-firefox60: --- → ?
https://hg.mozilla.org/mozilla-central/rev/6df42e55dbbd
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 61
Assignee: nobody → felipc
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

Approval Request Comment
[Feature/Bug causing the regression]: Enterprise Policies
[User impact if declined]: Policy to forbid users from bypassing safebrowsing warnings
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: QA is testing it
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: this was already a feature supported by a pref, so the policy just sets the pref
[String changes made/needed]: none
Attachment #8964381 - Flags: approval-mozilla-beta?
We tested this on the latest nightly with JSON policy format and it is verified as fixed.
With this policy "ignore risks" option to deceptive sites can be disabled (hidden).

We will retest this with adm policy format when ready.

Test cases and runs are here- https://testrail.stage.mozaws.net/index.php?/plans/view/8760
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

enterprise policy, approved for 60.0b11
Attachment #8964381 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
We retested this on beta builds[FX60] with ADM and JSON policy formats and it is verified as fixed.

Test cases and runs are here- https://testrail.stage.mozaws.net/index.php?/plans/view/8760
Status: RESOLVED → VERIFIED
status-firefox60: fixedverified
status-firefox61: fixedverified
You need to log in before you can comment on or make changes to this bug.