Open Bug 1529251 Opened 2 years ago Updated 1 year ago

Extensions can be installed/enabled even though the xpinstall is disabled via policy (if policies are applied before creating the Fx profile)

Categories

(Firefox :: Enterprise Policies, defect, P1)

defect

Tracking

()

ASSIGNED
Tracking Status
firefox-esr60 --- affected
firefox65 --- affected
firefox66 --- affected
firefox67 --- affected

People

(Reporter: emilghitta, Assigned: mkaply)

References

Details

Attachments

(3 files)

Attached image xpinstall.gif

Affected versions

  • Firefox 67.0a1 (BuildId:20190219213951).
  • Firefox 66.0b9 (BuildId:20190218131312).
  • Firefox 65.0.1 (BuildId:20190211233335).
  • Firefox 60.5.1esr (BuildId:20190211182645).

Affected platforms

  • Windows 10 64bit.
  • macOS 10.13.6
  • Ubuntu 18.04 64bit.

Steps to reproduce

  1. Create the “distribution” folder.
  2. Add the attached json file inside the “distribution” folder.
  3. Launch Firefox with a clean profile.
  4. Paste the attached .xpi file inside the extensions directory.
  5. Restart Firefox.

Expected result

  • The extension can’t be installed/enabled and the .xpi file is removed from the extensions folder.

Actual result

  • The extension can be successfully installed/enabled.

Regression range

  • I don’t think that this is a regression.

Additional notes

  • Please note that you must follow the mentioned steps in order to reproduce this (You need to create the distribution folder and add the .json file inside before creating a new Firefox profile).
  • For further information regarding this issue, please observe the attached screencast.
Attached file policies.json

The policies was not designed to address the distribution folder because a user wouldn't be able to place extensions into their distribution folder (since this requires admin access).

Leaving a comment here to add more transparency (already discussed this in private with mkpaly). The .xpi file was placed inside the "extensions" folder, not inside the distribution one.

Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Priority: -- → P1
You need to log in before you can comment on or make changes to this bug.