Bug 1442719 - Policy: disable the ability to bypass Safe Browsing warnings
Status: Closed, VERIFIED FIXED
Opened 3 years ago, closed 3 years ago
Categories: Firefox :: Enterprise Policies, defect
Tracking: Firefox 61
People: Reporter: francois, Assigned: Felipe
Attachments (1 file): 59 bytes, text/x-review-board-request (francois: review+, jcristau: approval-mozilla-beta+)

Safe Browsing warnings can be bypassed by users. This is something that came up in a report from the UK Government: https://groups.google.com/d/msg/mozilla.dev.security/8Cl-HCLmwTU/vg2byz_GCAAJ and so I added browser.safebrowsing.allowOverride in bug 1226490. It doesn't yet prevent users from bypassing download protection warnings (that's bug 1239836), but it does at least lock down the webpage warnings.

Comment 1 (Assignee) • 3 years ago
Sounds like a nice-to-have policy for the security-minded. François, would you be interested in implementing it?

Comment hidden (mozreview-request)

Comment 3 (Assignee) • 3 years ago
I structured it this way (one object with parameters under the same policy) because I'll add another item to the list, bug 1450761.

Comment 4 (Reporter) • 3 years ago
mozreview-review
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.
https://reviewboard.mozilla.org/r/233098/#review238924

Looks good. If the string "SafeBrowsing" is going to be user-visible (or admin-visible) then I'd suggest spelling it "Safe Browsing" (i.e. with a space) since that's the official way to write it.

Attachment #8964381 - Flags: review?(francois) → review+

Pushed by felipc@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6df42e55dbbd
Policy: Disable the ability to bypass Safe Browsing warnings. r=francois

Comment 6 (Assignee) • 3 years ago
[Tracking Requested - why for this release]: Enterprise Policies
tracking-firefox60: --- → ?

Comment 7 • 3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6df42e55dbbd
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 61

Updated • 3 years ago
Assignee: nobody → felipc

Updated • 3 years ago
status-firefox60: --- → affected

Comment 8 (Assignee) • 3 years ago
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

Approval Request Comment
[Feature/Bug causing the regression]: Enterprise Policies
[User impact if declined]: Policy to forbid users from bypassing safebrowsing warnings
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: QA is testing it
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: this was already a feature supported by a pref, so the policy just sets the pref
[String changes made/needed]: none

Attachment #8964381 - Flags: approval-mozilla-beta?

Comment 9 • 3 years ago
We tested this on the latest nightly with the JSON policy format and it is verified as fixed. With this policy, the "ignore risks" option for deceptive sites can be disabled (hidden). We will retest this with the ADM policy format when ready. Test cases and runs are here: https://testrail.stage.mozaws.net/index.php?/plans/view/8760

Comment 10 • 3 years ago
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

enterprise policy, approved for 60.0b11

Attachment #8964381 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 11 (Assignee) • 3 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/5f285c3a9e4978eb982da4b46f248745b500301b

Comment 12 • 3 years ago
We retested this on beta builds [FX60] with the ADM and JSON policy formats and it is verified as fixed. Test cases and runs are here: https://testrail.stage.mozaws.net/index.php?/plans/view/8760
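
An added example, not part of the original bug thread or Mozilla's code: a Python check that a deployed policies.json actually enables the lockdown discussed above. The policy name DisableSecurityBypass and the top-level "policies" wrapper are taken from Mozilla's enterprise policy documentation rather than from this page, and the sample documents are constructed.

```python
import json

# Assumption: policy and parameter names follow Mozilla's policy documentation.
POLICY = "DisableSecurityBypass"
PARAM = "SafeBrowsing"


def audit_safe_browsing_lockdown(policies_text):
    """Return (locked, reason) for the text of a Firefox policies.json."""
    try:
        doc = json.loads(policies_text)
    except json.JSONDecodeError as exc:
        return False, "invalid JSON: " + exc.msg
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return False, 'no top-level "policies" object'
    bypass = policies.get(POLICY)
    if not isinstance(bypass, dict):
        return False, POLICY + " is absent or not an object"
    if PARAM not in bypass:
        return False, POLICY + "." + PARAM + " is not set"
    value = bypass[PARAM]
    if value is True:
        return True, "users cannot bypass Safe Browsing page warnings"
    if value is False:
        return False, "policy present but bypass is still allowed"
    # A quoted "true" or a 1 is not a JSON boolean; report it as misconfigured.
    return False, PARAM + " must be a JSON boolean, got " + repr(value)


# Constructed sample documents (not taken from the bug).
SAMPLES = {
    "locked": '{"policies": {"DisableSecurityBypass": {"SafeBrowsing": true}}}',
    "string": '{"policies": {"DisableSecurityBypass": {"SafeBrowsing": "true"}}}',
    "no_wrapper": '{"DisableSecurityBypass": {"SafeBrowsing": true}}',
    "not_set": '{"policies": {"DisableSecurityBypass": {}}}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        locked, reason = audit_safe_browsing_lockdown(text)
        print(f"{name:11} {'OK  ' if locked else 'FAIL'} {reason}")
```
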