Closed Bug 1549258 Opened 5 years ago Closed 5 years ago

cert hotfix installed despite user.js attempting to disable it

Product/Component: Firefox :: Settings UI
Type: defect
Version: 66 Branch
Platform: x86_64, Linux
Priority: Not set
Severity: normal
Status: RESOLVED INCOMPLETE
Reporter: fzbbr
Assignee: Unassigned
Flags: NeedInfo
Whiteboard: [cert2019]

Hello!
I'm using 66.0.3 on Linux. I downloaded the 66.0.4 tarball, ran it once, then I was able to install addons on a new 66.0.3 profile.
The thing is, every time I do a fresh OS install, or want to delete my Firefox profile, I first disconnect from the internet, delete ALL folders manually, open Firefox to create a new profile folder, and then throw in my custom user.js before I connect to the internet again.

All experiment settings are disabled in my user.js.
The tarball version is supposed to use my default profile and respect the user.js settings when I run it, correct? Apparently it doesn't respect some settings,

because now I have the 66.0.4 hotfix-update-xpi-intermediate@mozilla.com.xpi (it's not inside the extensions folder) which appears to be using the experiment api "background.js"]},"permissions":[],"hidden":true,"experiment_apis applied on a profile that does not allow the experiment api in the first place.

I appreciate the weekend fix and all, but I don't like my settings to be overridden -even in a situation like this- just because I ran the latest version from a tarball.

Can you please provide the affected prefs in your user.js?

Flags: needinfo?(fzbbr)

(In reply to sjw from comment #2)
> Can you please provide the affected prefs in your user.js?

Yeah, this. Please attach this user.js file.

The most likely explanation on the face of it is that your user.js is/was insufficient to block the hotfix. Some other points:

(In reply to fzbbr from comment #0)
> open Firefox to create a new profile folder, and then throw in my custom user.js before I connect to the internet again

I don't really understand these steps. It'd make more sense to delete all the contents of your extant profile, copy in the user.js in the already-existing-but-now-empty profile folder, before ever running Firefox. As it is, it sounds like the instance that you ran this way, without the custom user.js, might have had access to the net after all (otherwise, how did anything download?).

> All experiment settings are disabled in my user.js.
> The tarball version is supposed to use my default profile and respect the user.js settings when I run it, correct?

This also doesn't really make sense to me. You deleted all the profiles, so it'll create a new profile...

> because now I have the 66.0.4 hotfix-update-xpi-intermediate@mozilla.com.xpi (it's not inside the extensions folder)

Sorry, so how do you "have" this xpi, and also it's not in the extensions folder? Does it show in about:studies ? about:support ? Somewhere else? Where is this xpi?

> which appears to be using the experiment api "background.js"]},"permissions":[],"hidden":true,"experiment_apis applied on a profile that does not allow the experiment api in the first place

There seems to be some mix-up here about what used to be called "experiments" (which were a type of add-on / hotfix / dynamically-downloaded-thing on Firefox, and AFAIK have been discontinued) vs. what an experiment_api annotation in an extension manifest is.

The experiment_api thing allows Mozilla-signed add-ons (on release Firefox; you can write your own on Nightly if you change about:config prefs) to define their own webextension APIs against core Firefox code. Normally, add-ons are restricted to the APIs Firefox ships with. This is a way to do more than what those APIs provide for.

I am not aware of any way to disable that part of the webextensions implementation in Firefox. You can generally choose not to install such add-ons. In this case, the add-on was installed through a system called Normandy, which is unrelated.

> I appreciate the weekend fix and all, but I don't like my settings to be overridden -even in a situation like this- just because I ran the latest version from a tarball

That's understandable. Unfortunately, we're going to need a copy of the user.js file to figure out what happened here (and even then, it may not be possible).

Summary: cert hotfix overrides experiment settings → cert hotfix installed despite user.js attempting to disable it

Without more information unfortunately this report isn't actionable.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE

Just for reference, you can prevent these types of hotfix add-ons from being installed by disabling telemetry or setting the app.normandy.enabled preference to false. That won't prevent ordinary system add-on hotfixes from being installed. For that, you'd need to disable app updates entirely.

I wouldn't recommend that, though. We use app updates and system add-on hotfixes to fix things like major zero-day security issues, and disabling them could leave you vulnerable.
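
Added example, not part of the bug thread and not Mozilla code: a small checker for the hypothesis raised above that a user.js can be insufficient to block the hotfix, for instance when the pref line is commented out or carries a string instead of a boolean. The function names and the sample file contents are constructed for illustration; the audited pref name app.normandy.enabled is taken from this page.

```python
import re

# One user_pref("name", value); statement as written in user.js.
PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)
# Quoted strings are matched first so comment markers inside them survive.
COMMENT_RE = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(text):
    """Remove /* ... */ and // comments without touching quoted strings."""
    return COMMENT_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def parse_user_js(text):
    """Return {pref_name: value}; a later assignment replaces an earlier one."""
    prefs = {}
    for name, raw in PREF_RE.findall(strip_comments(text)):
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text, required):
    """Compare parsed prefs with required {name: value}; return problems."""
    prefs = parse_user_js(text)
    problems = []
    for name, want in required.items():
        if name not in prefs:
            problems.append(f"{name}: not set")
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            problems.append(f"{name}: set to {prefs[name]!r}, expected {want!r}")
    return problems

# Constructed sample: the intended line is commented out, the live one is a string.
SAMPLE_USER_JS = '''
// user_pref("app.normandy.enabled", false);
user_pref("app.normandy.enabled", "false");  /* string, not boolean */
user_pref("browser.startup.page", 0);
'''
GOOD_USER_JS = 'user_pref("app.normandy.enabled", false);\n'
REQUIRED = {"app.normandy.enabled": False}

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_USER_JS), ("good", GOOD_USER_JS)):
        print(label, audit(text, REQUIRED) or "ok")
```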
