"Remove Extension" browser action does not respect enterprise policy

VERIFIED FIXED in Firefox 66

Status

defect
VERIFIED FIXED
3 months ago
a month ago

People

(Reporter: chamilton, Assigned: Oriol)

Tracking

64 Branch
mozilla67

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox65 wontfix, firefox66 verified, firefox67 verified)

Details

Attachments

(3 attachments)

(Reporter)

Description

3 months ago

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce:

  • Downloaded the Firefox ADMX template and properly installed them.
  • Opend GPedit.msc and browsed to the User Configuration->Administrative Templates->Mozilla->Firefox->Extensions
  • Configured the setting "Prevent extensions from being disabled or removed" and added each on their own line: uBlock0@raymondhill.net, webrootsecure@webroot.com, ciscowebexstart1@cisco.com
    • Per the GPO settings I retrieved the Extendion ID (not the internal UUID).

Actual results:

  • After performing a gpupdate (which isn't technically required, but is good to do) firefox opens normally, I see my plugins, but I ran right click uBlock and click remove extension. This will uninstall this extension still. Seems to only effect uBlock but I don't have a large list

Expected results:

Nothing, clicking remove should simply do nothing. Which is exactly what happens for my Webroot plugin, just not uBlock.

Updated

3 months ago
Component: Untriaged → Enterprise Policies

Which version of Firefox are you using?

If it's newer than 63, can you go to about:policies and see if all 3 extensions are listed in the policy there, and make sure no errors are reported? (there'll be a visible "Errors" tab if there are any errors)

Flags: needinfo?(chamilton)
(Reporter)

Comment 2

3 months ago

FF 65.0 64bit

I do see some:

Policy Errors
Unknown policy: DisableDefaultCheck
Unknown policy: DisableRights
Unknown policy: DisableBrowserMilestone
Unknown policy: SupressUpdatePage
Unknown policy: DisableAddonWizard

Under Active I see this in extensions:

Extensions Install "https://addons.mozilla.org/firefox/downloads/file/1376832/"
"https://addons.mozilla.org/firefox/downloads/file/986672/"
Locked "uBlock0@raymondhill.net"
"webrootsecure@webroot.com"
"ciscowebexstart1@cisco.com"

Flags: needinfo?(chamilton)

Thank you for the report and the information. I was able to reproduce this bug.

Blocks: 1401610
Status: UNCONFIRMED → NEW
Component: Enterprise Policies → Frontend
Ever confirmed: true
Keywords: qawanted
Product: Firefox → WebExtensions
Summary: Group policy setting not working as expected → "Remove Extension" browser action does not respect enterprise policy

This action should either be disabled or hidden if it has been disabled by policy. To check it one can use:

Services.policies.isAllowed(`modify-extension:$

(gah, submitted too early)

Services.policies.isAllowed(modify-extension:${id});

However, the most correct fix would be check if the add-on has the permission PERM_CAN_UNINSTALL, as policies are not the only reason that it might be set.

(Assignee)

Comment 6

3 months ago
Assignee: nobody → oriol-bugzilla
Status: NEW → ASSIGNED
(Assignee)

Updated

2 months ago
Keywords: checkin-needed

Comment 8

2 months ago

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/df8ffcb184de
Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Keywords: checkin-needed

Comment 9

2 months ago
Backout by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c5bac504475
Backed out changeset df8ffcb184de for Browser-chrome failures in browser/components/downloads/test/browser/browser_downloads_autohide.js. CLOSED TREE
(Assignee)

Comment 10

2 months ago

Just a missing conditional, but I have pushed to try to be sure
https://treeherder.mozilla.org/#/jobs?repo=try&revision=59f8a9aca575cf571205859c7866d0d24d253b54

(Assignee)

Comment 11

2 months ago

OK, the problem was that various tests install extensions without useAddonManager, then they have an ID but AddonManager.getAddonByID(id) doesn't work.

I have updated the code to be more robust and detect when AddonManager.getAddonByID returns null.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=895a619048cf7ed73472d756050ca43f3cff42bb

(Assignee)

Updated

2 months ago
Keywords: checkin-needed

Comment 12

2 months ago

Pushed by fgomes@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dd561f2bb0f9
Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Keywords: checkin-needed

Comment 13

2 months ago
bugherder
Status: ASSIGNED → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Comment 14

2 months ago

Verified as fixed using Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

I will attach a postfix screenshot where it is visible that uBlock Origin and Enhancer for YouTube cannot be deleted on Fx67 (I added uBlock0@raymondhill.net and enhancerforyoutube@maximerf.addons.mozilla.org to "Prevent extensions from being disabled or removed")

Status: RESOLVED → VERIFIED

Comment 15

2 months ago
Posted image Postfix Screenshot

We should get this on beta. Maybe even release?

(Assignee)

Comment 18

2 months ago

Comment on attachment 9041011 [details]
Bug 1522820 - Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

Bug 1401610

User impact if declined

Enterprise policy preventing add-on from being removed can be bypassed in toolbar button's context menu.

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

Yes

Needs manual test from QE?

Yes

If yes, steps to reproduce

  1. Install uBlock Origin add-on.
  2. Right-click the uBlock Origin's toolbar button
  3. "Remove Extension" should be enabled
  4. Close Firefox.
  5. In the Firefox installation directory, create a folder named distribution, and create a policies.json file inside it with:
{
  "policies": {
    "Extensions": {
      "Locked":  ["uBlock0@raymondhill.net"]
    }
  }
}
  1. Open Firefox
  2. Right-click the uBlock Origin's toolbar button
  3. "Remove Extension" should be disabled

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

Just checking if the add-on has the permission to be uninstalled before offering to do so.

String changes made/needed

Attachment #9041011 - Flags: approval-mozilla-beta?

Comment on attachment 9041011 [details]
Bug 1522820 - Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Fix for recent regression (in 65), verified in Nightly.
Let's uplift for beta 7.

Attachment #9041011 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 21

2 months ago

Verified as fixed in latest beta 7.

Updated

a month ago
Duplicate of this bug: 1533699
You need to log in before you can comment on or make changes to this bug.