Closed Bug 1522820 Opened 5 years ago Closed 5 years ago

"Remove Extension" browser action does not respect enterprise policy

Categories

(WebExtensions :: Frontend, defect)

64 Branch
defect
Not set
normal

Tracking

(firefox-esr60 unaffected, firefox65 wontfix, firefox66 verified, firefox67 verified)

VERIFIED FIXED
mozilla67

People

(Reporter: chamilton, Assigned: Oriol)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce:

  • Downloaded the Firefox ADMX template and properly installed them.
  • Opened GPedit.msc and browsed to the User Configuration->Administrative Templates->Mozilla->Firefox->Extensions
  • Configured the setting "Prevent extensions from being disabled or removed" and added each on their own line: uBlock0@raymondhill.net, webrootsecure@webroot.com, ciscowebexstart1@cisco.com
    • Per the GPO settings I retrieved the Extension ID (not the internal UUID).

Actual results:

  • After performing a gpupdate (which isn't technically required, but is good to do) Firefox opens normally, I see my plugins, but I can right-click uBlock and click Remove Extension. This will still uninstall the extension. Seems to only affect uBlock, but I don't have a large list.

Expected results:

Nothing, clicking remove should simply do nothing. Which is exactly what happens for my Webroot plugin, just not uBlock.

Component: Untriaged → Enterprise Policies

Which version of Firefox are you using?

If it's newer than 63, can you go to about:policies and see if all 3 extensions are listed in the policy there, and make sure no errors are reported? (there'll be a visible "Errors" tab if there are any errors)

Flags: needinfo?(chamilton)

FF 65.0 64bit

I do see some:

Policy Errors
Unknown policy: DisableDefaultCheck
Unknown policy: DisableRights
Unknown policy: DisableBrowserMilestone
Unknown policy: SupressUpdatePage
Unknown policy: DisableAddonWizard

Under Active I see this in extensions:

Extensions Install "https://addons.mozilla.org/firefox/downloads/file/1376832/"
"https://addons.mozilla.org/firefox/downloads/file/986672/"
Locked "uBlock0@raymondhill.net"
"webrootsecure@webroot.com"
"ciscowebexstart1@cisco.com"

Flags: needinfo?(chamilton)

Thank you for the report and the information. I was able to reproduce this bug.

Blocks: 1401610
Status: UNCONFIRMED → NEW
Component: Enterprise Policies → Frontend
Ever confirmed: true
Keywords: qawanted
Product: Firefox → WebExtensions
Summary: Group policy setting not working as expected → "Remove Extension" browser action does not respect enterprise policy

This action should either be disabled or hidden if it has been disabled by policy. To check it one can use:

Services.policies.isAllowed(`modify-extension:$

(gah, submitted too early)

Services.policies.isAllowed(`modify-extension:${id}`);

However, the most correct fix would be to check if the add-on has the permission PERM_CAN_UNINSTALL, as policies are not the only reason that it might be set.

Assignee: nobody → oriol-bugzilla
Status: NEW → ASSIGNED
Keywords: checkin-needed

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/df8ffcb184de
Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Keywords: checkin-needed
Backout by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c5bac504475
Backed out changeset df8ffcb184de for Browser-chrome failures in browser/components/downloads/test/browser/browser_downloads_autohide.js. CLOSED TREE

Just a missing conditional, but I have pushed to try to be sure
https://treeherder.mozilla.org/#/jobs?repo=try&revision=59f8a9aca575cf571205859c7866d0d24d253b54

OK, the problem was that various tests install extensions without useAddonManager, then they have an ID but AddonManager.getAddonByID(id) doesn't work.

I have updated the code to be more robust and detect when AddonManager.getAddonByID returns null.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=895a619048cf7ed73472d756050ca43f3cff42bb

Keywords: checkin-needed
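The check discussed above, as an added example that is not part of the bug thread or the landed patch: the "Remove Extension" item is gated on the add-on's PERM_CAN_UNINSTALL bit, and a null result from AddonManager.getAddonByID is handled. The AddonManager object here is a stand-in so the code runs under Node; the function names, the flag values in the stub, the ID unlocked@example.invalid and the choice to fail closed on null are assumptions of this example.

```javascript
// Stand-in for Firefox's AddonManager so the example runs under Node.
// Flag values and the add-on records below are constructed for illustration.
const AddonManager = {
  PERM_CAN_UNINSTALL: 1,
  PERM_CAN_DISABLE: 4,
  _addons: new Map([
    // Locked by policy: the uninstall bit is absent from the mask.
    ["uBlock0@raymondhill.net", { permissions: 0 }],
    // Unrestricted add-on (hypothetical ID).
    ["unlocked@example.invalid", { permissions: 1 | 4 }],
  ]),
  // Resolves to null for IDs the manager does not know, as the thread
  // reports for test extensions installed without useAddonManager.
  async getAddonByID(id) {
    return this._addons.get(id) || null;
  },
};

// Pure decision: may the UI offer "Remove Extension" for this add-on?
// A null add-on fails closed (assumption of this example).
function canOfferRemove(addon) {
  return Boolean(addon && addon.permissions & AddonManager.PERM_CAN_UNINSTALL);
}

// Set the menu item's disabled state from the add-on's own permissions
// rather than from one policy lookup, so any source of the restriction counts.
async function updateRemoveItem(menuItem, extensionId) {
  const addon = await AddonManager.getAddonByID(extensionId);
  menuItem.disabled = !canOfferRemove(addon);
  return menuItem;
}

// The action handler repeats the check: a disabled menu item is a UI hint,
// not an enforcement point.
async function removeExtension(extensionId) {
  const addon = await AddonManager.getAddonByID(extensionId);
  if (!canOfferRemove(addon)) {
    return "refused";
  }
  return "uninstalled"; // real code would call addon.uninstall() here
}
```
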

Pushed by fgomes@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dd561f2bb0f9
Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Verified as fixed using Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

I will attach a postfix screenshot where it is visible that uBlock Origin and Enhancer for YouTube cannot be deleted on Fx67 (I added uBlock0@raymondhill.net and enhancerforyoutube@maximerf.addons.mozilla.org to "Prevent extensions from being disabled or removed")

Status: RESOLVED → VERIFIED
Attached image Postfix Screenshot

We should get this on beta. Maybe even release?

Comment on attachment 9041011 [details]
Bug 1522820 - Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

Bug 1401610

User impact if declined

Enterprise policy preventing add-on from being removed can be bypassed in toolbar button's context menu.

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

Yes

Needs manual test from QE?

Yes

If yes, steps to reproduce

  1. Install uBlock Origin add-on.
  2. Right-click the uBlock Origin's toolbar button
  3. "Remove Extension" should be enabled
  4. Close Firefox.
  5. In the Firefox installation directory, create a folder named distribution, and create a policies.json file inside it with:

     {
       "policies": {
         "Extensions": {
           "Locked":  ["uBlock0@raymondhill.net"]
         }
       }
     }

  6. Open Firefox
  7. Right-click the uBlock Origin's toolbar button
  8. "Remove Extension" should be disabled

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

Just checking if the add-on has the permission to be uninstalled before offering to do so.

String changes made/needed

Attachment #9041011 - Flags: approval-mozilla-beta?

Comment on attachment 9041011 [details]
Bug 1522820 - Disable browser action's "Remove Extension" if the addon can't be uninstalled. r=Felipe

Fix for recent regression (in 65), verified in Nightly.
Let's uplift for beta 7.

Attachment #9041011 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Verified as fixed in latest beta 7.
