Support Disabling add-ons installation *except* from whitelisted websites

REOPENED
Assigned to

Status

()

defect
P2
normal
REOPENED
6 months ago
a month ago

People

(Reporter: StefanG_QA, Assigned: mkaply)

Tracking

64 Branch
Unspecified
macOS
Points:
---

Firefox Tracking Flags

(firefox64 affected)

Details

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

6 months ago
Posted image Prompt.png
STR:
1. Create a configuration profile using the below example

<key>InstallAddonsPermission</key>
<dict>
	<key>Allow</key>
	<array>
		<string>https://addons.mozilla.org</string>
		<string>https://duckduckgo.com</string>
	</array>
	<key>Default</key>
	<false/>
</dict>

2. Install the configuration profile
3. Go to https://addons.mozilla.org or https://duckduckgo.com and try to install any addon

AR: Add-ons cannot be installed from the allowed pages
ER: Add-ons should be installed from the allowed pages


STR:
1. Create a configuration profile using the below example 
<key>InstallAddonsPermission</key>
<dict>
	<key>Allow</key>
	<array>
		<string>https://addons.mozilla.org</string>
	</array>
	<key>Default</key>
	<true/>
</dict>

2. Install the configuration profile
3. Go to https://addons.mozilla.org or https://duckduckgo.com and try to install any addon

AR: Firefox displays a prompt "Allow Nihglty to install software on your computer". When Allow button is pressed addon is installed
ER: Firefox should not display a prompt to Allow addon installation. Add-on should not be installed.



The same behavior is observed if JSON file is used to set the policy.
(Reporter)

Comment 1

6 months ago
Posted image Install add-on
Stefan, there are two different prompts that show up when installing add-ons:

1st - asking if the website itself can ask for extensions to be installed
"Firefox/Nightly prevented this site from asking you to install add-ons"

2nd - asking for confirmation if the specific add-on can be installed
"Add DuckDuckGo Privacy Essentials?"


This policy only bypasses the 1st one, the 2nd can't be bypassed. https://addons.mozilla.org is already whitelisted by default in Firefox to not show the 1st one.


Can you confirm that, with this policy, the 1st popup is skipped on the duckduckgo example?
Flags: needinfo?(stefan.georgiev)
(Reporter)

Comment 3

6 months ago
If I`m using the following example:

<key>InstallAddonsPermission</key>
<dict>
	<key>Allow</key>
	<array>
		<string>https://addons.mozilla.org</string>
		<string>https://duckduckgo.com</string>
	</array>
	<key>Default</key>
	<true/>
</dict>

I can confirm that the 1st prompt is skipped on either duckduckgo.com or addons.mozilla.org. 

However, when using the same example but with Default set to false:

<key>InstallAddonsPermission</key>
<dict>
	<key>Allow</key>
	<array>
		<string>https://addons.mozilla.org</string>
		<string>https://duckduckgo.com</string>
	</array>
	<key>Default</key>
	<false/>
</dict>
Flags: needinfo?(stefan.georgiev)
(Reporter)

Comment 4

6 months ago
I`m not able to install any addon. I see the following message "Software installation has been disabled by your system administrator." 

I would expect to be able to install addon from either  https://addons.mozilla.org or https://duckduckgo.com since they are listed in the Allow array. Let me know if my expectation is wrong!
(Assignee)

Comment 5

6 months ago
> Let me know if my expectation is wrong!

That's the way we want it to work. I'm working to see if we can make that happen.
Attachment #9024777 - Attachment is obsolete: true
As noted in phabricator comments, the way that xpinstall.enabled and Add-ons Install permission interact (and the policy) is a bit confusing, and ideally we should figure out some clearer combination of settings.

Since this has only been reported by QA, and not, as far as I know, a big requirement from users, I suggest we mark this as wontfix for now unless we hear that people really need this.
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → WONTFIX
Summary: InstallAddonsPremission does not respect the specified "Allow" pages → Support Disabling add-ons installation *except* from whitelisted websites

Comment 8

3 months ago

Hello everyone,

I am not sure if this is the right place to raise this, I just spent a few hours with this topic before I found this bug report.

I wanted to disable addon installation in firefox in general, but I would like to allow an approved whitelist of addons/sources. I tried to solve this with the new firefox group policies https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy.

For my understanding this should be covered by following policies:

GPedit:
Computerconfiguration\Administrative templates\Mozilla\FirefoxAddons
Allow add-on installs from websites = Enabled
Allowed sites = Enabled (with the respective whitelist)

I did some tests, but unfortunaltey I got the same results that Stefan got above.
Is it planned to resolve this issue?

BR
Patrick

(Assignee)

Comment 9

3 months ago

Actually, this has been a major request from Github.

This will be my first priority when I'm working on policies.

Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
(Assignee)

Updated

3 months ago
Assignee: nobody → mozilla
Priority: -- → P2
You need to log in before you can comment on or make changes to this bug.