Add ability to filter by "about:config" preference directly from address bar in new "about:config" page

RESOLVED WONTFIX

Status

()

defect
RESOLVED WONTFIX
7 months ago
29 days ago

People

(Reporter: lschwalf, Unassigned, Mentored)

Tracking

(Blocks 1 bug, {regression})

Trunk
Unspecified
All
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox67 affected)

Details

Attachments

(1 obsolete attachment)

Reporter

Description

7 months ago
Add ability to type "about:config?filter=some_filter" into address bar. This can then be saved as a bookmark in Firefox. As seen in this post: https://www.ghacks.net/2017/07/07/access-firefox-aboutconfig-preferences-directly/

Updated

7 months ago
Priority: P3 → P5

Comment 1

5 months ago

I'm tentatively assuming that continuing to allow deep linking into the "about:config" page might not be a good idea, and risky in some regard. This page is meant for advanced users anyways, and copying and pasting the preference name in the search box wouldn't be a problem. I don't think this feature is used very much anyways.

Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → WONTFIX

Updated

4 months ago
Duplicate of this bug: 1522804

Comment 3

4 months ago

If you define "advanced user" as someone who uses this screen, then several prefer it the old way- as evidenced by the numerous bug reports you're closing.

For support reasons it's helpful to direct a user to the relevant pref. Regression is now present in product.

Status: RESOLVED → REOPENED
Keywords: regression
OS: Unspecified → All
Priority: P5 → --
Resolution: WONTFIX → ---

Updated

4 months ago
Assignee: nobody → ntim.bugs

Comment 6

4 months ago

The deep linking concern doesn't really apply here considering webpages have never been allowed to directly link to any about: pages for security reasons.

This feature remains useful however for bookmarking, and for support instructions like "Visit about:config?filter=..." which are pretty common on SUMO.

Updated

4 months ago
Priority: -- → P2

Comment 7

4 months ago

(In reply to Tim Nguyen :ntim from comment #6)

The deep linking concern doesn't really apply here considering webpages have never been allowed to directly link to any about: pages for security reasons.

See the duplicate bug 1522804 comment 3 for a way to work around this restriction, and some more considerations about the implications of this feature.

I'd appreciate if you could check with the person that marked a bug as WONTFIX before reopening. In this case, I can run this request past our Product Manager and maybe revert the decision. I'll reopen the bug if that's the case.

As mentioned in the review, the patch definitely needs a regression test.

Status: REOPENED → RESOLVED
Last Resolved: 5 months ago4 months ago
Priority: P2 → --
Resolution: --- → WONTFIX

Comment 8

4 months ago

Hm, I'll just copy and paste from the other bug:

We explicitly decided to disallow deep linking into internal settings to reduce attack surface, present and potential.

To make a current example, "Open in New Tab" on an "about:config" link on the web works after a reload, even though the first load is disallowed. This probably wasn't foreseen originally, and we may have similar cases in the future.

Less steps for users isn't always better, see for example how the security certificate override dialogs are explicitly designed to slow down such operations. Deep linking into "about:config" to instruct users, for example, to disable those security checks in less steps could make it more attractive for attackers, and the link availability may seem like an official endorsement of the use case.

The fact this mentioned on some websites doesn't change the risk profile.

Comment 9

4 months ago

(In reply to :Paolo Amadini from comment #8)

To make a current example, "Open in New Tab" on an "about:config" link on the web works after a reload, even though the first load is disallowed. This probably wasn't foreseen originally, and we may have similar cases in the future.

The step you mentioned doesn't work, just tried it on the about:config link on https://bugzilla.mozilla.org/show_bug.cgi?id=523508 (the see also field), the reload button is disabled, and the keyboard shortcut doesn't work...

Flags: needinfo?(pamadini)

Comment 10

4 months ago

I reloaded by pressing Enter in the location bar.

To clarify the use case, there seems to be a claim that these links are used on support.mozilla.org to direct users to specific settings. I can find no evidence of this: a cursory search shows that basically all articles instruct users to type "about:config" in the location bar, then filter for a specific setting.

This makes sense because the links don't work anyways unless there is a security flaw, so there's no point in using them, and it's more difficult to type "?filter=" than typing in the filter box directly.

Flags: needinfo?(pamadini)
Attachment #9041718 - Attachment is obsolete: true

Updated

3 months ago
Assignee: ntim.bugs → nobody

Comment 11

3 months ago

To clarify the use case, there seems to be a claim that these links are used on support.mozilla.org to direct users to specific settings. I can find no evidence of this: a cursory search shows that basically all articles instruct users to type "about:config" in the location bar, then filter for a specific setting.

As an active user on IRC, I can confirm that we regularly (say a few times per month) direct people to an about:config?filter=foo link. I also encountered such a link on Reddit[1] just now. They definitely are used in the wild. Users will need to copy the url anyway, so we can just as well directly link to the right pref.

As a last counterargument I would want to add that linking to a specific pref avoids that users see other prefs and might keep them from clicking something they don't really understand.

[1] https://www.reddit.com/r/firefox/comments/audhnc/i_hate_when_i_cant_read_the_name_of_the_tab/eh7kizq/

You need to log in before you can comment on or make changes to this bug.