1529251 - Extensions can be installed/enabled even though the xpinstall is disabled via policy (if policies are applied before creating the Fx profile)

Status: ASSIGNED

(Firefox :: Enterprise Policies, defect, P1)

Description

[Emil Ghitta, QA [:emilghitta]]

Attachment: xpinstall.gif

Affected versions

• Firefox 67.0a1 (BuildId:20190219213951).
• Firefox 66.0b9 (BuildId:20190218131312).
• Firefox 65.0.1 (BuildId:20190211233335).
• Firefox 60.5.1esr (BuildId:20190211182645).

Affected platforms

• Windows 10 64bit.
• macOS 10.13.6
• Ubuntu 18.04 64bit.

Steps to reproduce

1. Create the “distribution” folder.
2. Add the attached json file inside the “distribution” folder.
3. Launch Firefox with a clean profile.
4. Paste the attached .xpi file inside the extensions directory.
5. Restart Firefox.

Expected result

• The extension can’t be installed/enabled and the .xpi file is removed from the extensions folder.

Actual result

• The extension can be successfully installed/enabled.

Regression range

• I don’t think that this is a regression.

Additional notes

• Please note that you must follow the mentioned steps in order to reproduce this (You need to create the distribution folder and add the .json file inside before creating a new Firefox profile).
• For further information regarding this issue, please observe the attached screencast.

Comment 1

[Emil Ghitta, QA [:emilghitta]]

Attachment: policies.json

Comment 2

[Emil Ghitta, QA [:emilghitta]]

Attachment: {446900e4-71c2-419f-a6a7-df9c091e268b}.xpi

Comment 3

[Mike Kaply [:mkaply]]

The policies was not designed to address the distribution folder because a user wouldn't be able to place extensions into their distribution folder (since this requires admin access).

Comment 4

[Emil Ghitta, QA [:emilghitta]]

Leaving a comment here to add more transparency (already discussed this in private with mkpaly). The .xpi file was placed inside the "extensions" folder, not inside the distribution one.

Comment 5

[Angelgrant.851]

What