Policy: disable the ability to bypass Safe Browsing warnings

VERIFIED FIXED in Firefox 60

Status


defect
VERIFIED FIXED
Last year

People

(Reporter: francois, Assigned: Felipe)

Tracking

unspecified
Firefox 61

Firefox Tracking Flags

(firefox60+ verified, firefox61 verified)

Details

Attachments

(1 attachment)

Safe Browsing warnings can be bypassed by users. This is something that came up in a report from the UK Government:

https://groups.google.com/d/msg/mozilla.dev.security/8Cl-HCLmwTU/vg2byz_GCAAJ

and so I added browser.safebrowsing.allowOverride in bug 1226490.

It doesn't yet prevent users from bypassing download protection warnings (that's bug 1239836), but it does at least lock down the webpage warnings.

Sounds like a nice-to-have policy for the security-minded. François, would you be interested in implementing it?

I structured it this way (one object with parameters under the same policy) because I'll add another item to the list, bug 1450761.
Reporter

Comment 4

Last year
mozreview-review
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

https://reviewboard.mozilla.org/r/233098/#review238924

Looks good.

If the string "SafeBrowsing" is going to be user-visible (or admin-visible) then I'd suggest spelling it "Safe Browsing" (i.e. with a space) since that's the official way to write it.
Attachment #8964381 - Flags: review?(francois) → review+

Comment 5

Last year
Pushed by felipc@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6df42e55dbbd
Policy: Disable the ability to bypass Safe Browsing warnings. r=francois
[Tracking Requested - why for this release]:
Enterprise Policies

Comment 7

Last year
bugherder
https://hg.mozilla.org/mozilla-central/rev/6df42e55dbbd
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → Firefox 61
Assignee: nobody → felipc
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

Approval Request Comment
[Feature/Bug causing the regression]: Enterprise Policies
[User impact if declined]: Policy to forbid users from bypassing safebrowsing warnings
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: QA is testing it
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: this was already a feature supported by a pref, so the policy just sets the pref
[String changes made/needed]: none
Attachment #8964381 - Flags: approval-mozilla-beta?
We tested this on the latest nightly with JSON policy format and it is verified as fixed.
With this policy, the "ignore risks" option for deceptive sites can be disabled (hidden).

We will retest this with the ADM policy format when ready.

Test cases and runs are here: https://testrail.stage.mozaws.net/index.php?/plans/view/8760
Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

enterprise policy, approved for 60.0b11
Attachment #8964381 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
We retested this on beta builds [FX60] with ADM and JSON policy formats and it is verified as fixed.

Test cases and runs are here: https://testrail.stage.mozaws.net/index.php?/plans/view/8760
Status: RESOLVED → VERIFIED
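
Added example, not part of the bug thread or of Firefox's code: a small audit that reads a policies.json document and reports whether the Safe Browsing bypass is disabled by policy. The policy object name `DisableSecurityBypass` comes from Firefox's published enterprise policy documentation rather than from this page; the sample documents are constructed.

```python
import json

# Assumption: policy object name per Firefox's enterprise policy documentation.
POLICY = "DisableSecurityBypass"
MEMBER = "SafeBrowsing"                        # member string discussed in review
PREF = "browser.safebrowsing.allowOverride"    # pref named in the bug

def audit_policies(text):
    """Return (status, detail) for one policies.json document.

    Covers webpage warnings only; per the bug, download protection
    warnings are tracked separately (bug 1239836).
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return ("invalid", f"not valid JSON: {exc.msg}")
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ("invalid", 'missing top-level "policies" object')
    block = policies.get(POLICY)
    if block is None:
        return ("bypassable", f"{POLICY} not set; {PREF} keeps its default")
    if not isinstance(block, dict):
        return ("invalid", f"{POLICY} must be an object")
    value = block.get(MEMBER)
    if value is True:
        return ("enforced", f"policy sets {PREF} so warnings cannot be bypassed")
    if value is False or value is None:
        return ("bypassable", f"{POLICY}.{MEMBER} is not true")
    # A quoted "true" or a number is a common authoring mistake.
    return ("invalid", f"{POLICY}.{MEMBER} must be a boolean, "
                       f"got {type(value).__name__}")

# Constructed sample documents for illustration.
SAMPLES = {
    "hardened": '{"policies": {"DisableSecurityBypass": {"SafeBrowsing": true}}}',
    "explicit-off": '{"policies": {"DisableSecurityBypass": {"SafeBrowsing": false}}}',
    "absent": '{"policies": {}}',
    "quoted-bool": '{"policies": {"DisableSecurityBypass": {"SafeBrowsing": "true"}}}',
    "no-wrapper": '{"DisableSecurityBypass": {"SafeBrowsing": true}}',
    "truncated": '{"policies": {"DisableSecurityBypass": ',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, detail = audit_policies(text)
        print(f"{name:13} {status:10} {detail}")
```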