1442719 - Policy: disable the ability to bypass Safe Browsing warnings

Status: VERIFIED FIXED

Description

[François Marier [:francois]]

Safe Browsing warnings can be bypassed by users. This is something that came up as in a report from the UK Government:

https://groups.google.com/d/msg/mozilla.dev.security/8Cl-HCLmwTU/vg2byz_GCAAJ

and so I added browser.safebrowsing.allowOverride in bug 1226490.

It doesn't yet prevent users from bypassing download protection warnings (that's bug 1239836), but it does at least lock down the webpage warnings.

Comment 1

[:Felipe Gomes (needinfo for replies!)]

Sounds like a nice-to-have policy for the security-minded. François, would you be interested in implementing it?

Comment 2

[:Felipe Gomes (needinfo for replies!)]

Attachment: Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

Review commit: https://reviewboard.mozilla.org/r/233098/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/233098/

Comment 3

[:Felipe Gomes (needinfo for replies!)]

I structured it this way (one object with parameters under the same policy) because I'll add another item to the list, bug 1450761

Comment 4

[François Marier [:francois]]

Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

https://reviewboard.mozilla.org/r/233098/#review238924

Looks good.

If the string "SafeBrowsing" is going to be user-visible (or admin-visible) then I'd suggest spelling it "Safe Browsing" (i.e. with a space) since that's the official way to write it.

Comment 5

[Pulsebot]

Pushed by felipc@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6df42e55dbbd
Policy: Disable the ability to bypass Safe Browsing warnings. r=francois

Comment 6

[:Felipe Gomes (needinfo for replies!)]

[Tracking Requested - why for this release]:
Enterprise Policies

Comment 7

[Eliza Balazs [:ebalazs_]]

https://hg.mozilla.org/mozilla-central/rev/6df42e55dbbd

Comment 8

[:Felipe Gomes (needinfo for replies!)]

Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

Approval Request Comment
[Feature/Bug causing the regression]: Enterprise Policies
[User impact if declined]: Policy to forbid users from bypassing safebrowsing warnings
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: QA is testing it
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: this was already a feature supported by a pref, so the policy just sets the pref
[String changes made/needed]: none

Comment 9

[Abe - QA (:Abe_LV)]

We tested this on the latest nightly with JSON policy format and it is verified as fixed.
With this policy "ignore risks" option to deceptive sites can be disabled (hidden).

We will retest this with adm policy format when ready.

Test cases and runs are here- https://testrail.stage.mozaws.net/index.php?/plans/view/8760

Comment 10

[Julien Cristau [:jcristau]]

Comment on attachment 8964381 [details]
Bug 1442719 - Policy: Disable the ability to bypass Safe Browsing warnings.

enterprise policy, approved for 60.0b11

Comment 11

[:Felipe Gomes (needinfo for replies!)]

https://hg.mozilla.org/releases/mozilla-beta/rev/5f285c3a9e4978eb982da4b46f248745b500301b

Comment 12

[Abe - QA (:Abe_LV)]

We retested this on beta builds[FX60] with ADM and JSON policy formats and it is verified as fixed.

Test cases and runs are here- https://testrail.stage.mozaws.net/index.php?/plans/view/8760