Closed Bug 1501450 Opened 6 years ago Closed 6 years ago

Add ability to filter by "about:config" preference directly from address bar in new "about:config" page

Categories

(Toolkit :: Preferences, defect)

Unspecified
All
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX
Tracking Status
firefox67 --- affected

People

(Reporter: lschwalf, Unassigned, Mentored)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(1 obsolete file)

Add ability to type "about:config?filter=some_filter" into address bar. This can then be saved as a bookmark in Firefox. As seen in this post: https://www.ghacks.net/2017/07/07/access-firefox-aboutconfig-preferences-directly/
Priority: P3 → P5

I'm tentatively assuming that continuing to allow deep linking into the "about:config" page might not be a good idea, and risky in some regard. This page is meant for advanced users anyways, and copying and pasting the preference name in the search box wouldn't be a problem. I don't think this feature is used very much anyways.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

If you define "advanced user" as someone who uses this screen, then several prefer it the old way- as evidenced by the numerous bug reports you're closing.

For support reasons it's helpful to direct a user to the relevant pref. Regression is now present in product.

Status: RESOLVED → REOPENED
Keywords: regression
OS: Unspecified → All
Priority: P5 → --
Resolution: WONTFIX → ---
Assignee: nobody → ntim.bugs

The deep linking concern doesn't really apply here considering webpages have never been allowed to directly link to any about: pages for security reasons.

This feature remains useful however for bookmarking, and for support instructions like "Visit about:config?filter=..." which are pretty common on SUMO.

Priority: -- → P2

(In reply to Tim Nguyen :ntim from comment #6)

The deep linking concern doesn't really apply here considering webpages have never been allowed to directly link to any about: pages for security reasons.

See the duplicate bug 1522804 comment 3 for a way to work around this restriction, and some more considerations about the implications of this feature.

I'd appreciate if you could check with the person that marked a bug as WONTFIX before reopening. In this case, I can run this request past our Product Manager and maybe revert the decision. I'll reopen the bug if that's the case.

As mentioned in the review, the patch definitely needs a regression test.

Status: REOPENED → RESOLVED
Closed: 6 years ago6 years ago
Priority: P2 → --
Resolution: --- → WONTFIX

Hm, I'll just copy and paste from the other bug:

We explicitly decided to disallow deep linking into internal settings to reduce attack surface, present and potential.

To make a current example, "Open in New Tab" on an "about:config" link on the web works after a reload, even though the first load is disallowed. This probably wasn't foreseen originally, and we may have similar cases in the future.

Less steps for users isn't always better, see for example how the security certificate override dialogs are explicitly designed to slow down such operations. Deep linking into "about:config" to instruct users, for example, to disable those security checks in less steps could make it more attractive for attackers, and the link availability may seem like an official endorsement of the use case.

The fact this mentioned on some websites doesn't change the risk profile.

(In reply to :Paolo Amadini from comment #8)

To make a current example, "Open in New Tab" on an "about:config" link on the web works after a reload, even though the first load is disallowed. This probably wasn't foreseen originally, and we may have similar cases in the future.

The step you mentioned doesn't work, just tried it on the about:config link on https://bugzilla.mozilla.org/show_bug.cgi?id=523508 (the see also field), the reload button is disabled, and the keyboard shortcut doesn't work...

Flags: needinfo?(pamadini)

I reloaded by pressing Enter in the location bar.

To clarify the use case, there seems to be a claim that these links are used on support.mozilla.org to direct users to specific settings. I can find no evidence of this: a cursory search shows that basically all articles instruct users to type "about:config" in the location bar, then filter for a specific setting.

This makes sense because the links don't work anyways unless there is a security flaw, so there's no point in using them, and it's more difficult to type "?filter=" than typing in the filter box directly.

Flags: needinfo?(pamadini)
Attachment #9041718 - Attachment is obsolete: true
Assignee: ntim.bugs → nobody

To clarify the use case, there seems to be a claim that these links are used on support.mozilla.org to direct users to specific settings. I can find no evidence of this: a cursory search shows that basically all articles instruct users to type "about:config" in the location bar, then filter for a specific setting.

As an active user on IRC, I can confirm that we regularly (say a few times per month) direct people to an about:config?filter=foo link. I also encountered such a link on Reddit[1] just now. They definitely are used in the wild. Users will need to copy the url anyway, so we can just as well directly link to the right pref.

As a last counterargument I would want to add that linking to a specific pref avoids that users see other prefs and might keep them from clicking something they don't really understand.

[1] https://www.reddit.com/r/firefox/comments/audhnc/i_hate_when_i_cant_read_the_name_of_the_tab/eh7kizq/

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: