Should preferences be read from default branch only?
Categories
(Firefox :: Remote Settings Client, enhancement)
Tracking
Release | Tracking | Status |
---|---|---|
firefox68 | --- | fixed |
People
(Reporter: leplatrem, Assigned: leplatrem)
Attachments
(1 file)
We should check if we have some preferences that are not meant to be changed by users, by web extensions, or during runtime.
Those could be read from default branch only.
For example, services.settings.poll_interval is set to 24H. We can imagine using Normandy to change it and increase the frequency. But we never did, and having this value as a pref opens the possibility for an attacker to change the value and disable updates.
Comment 1•5 years ago
Apparently, there is a way to set min/max values for timer intervals: https://bugzilla.mozilla.org/show_bug.cgi?id=1315505
We could set min/max to 1H / 72H or anything that's not more than a week.
As for preferences, the only 2 that we never change at run-time are:
services.settings.changes.path
services.settings.default_signer
And they could both become constants.
All other prefs are used to store state between sessions (last Etag etc.) or by the Remote Settings Dev Tools to switch environments (e.g. Server).
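The two guardrails discussed in this comment (reading never-changed prefs from the default branch only, and bounding the poll interval to 1H / 72H), as an added example that is not part of the original comment or of the Firefox patch. The pref store is a constructed two-Map model rather than Firefox's API, the helper names are hypothetical, the signer and path values are placeholders, and the interval is assumed to be in seconds.

```javascript
// Constructed model of a two-branch preference store (not Firefox's API):
// the default branch ships with the application, the user branch holds
// overrides that a user, an extension or malware could have written.
const HOUR = 3600; // assumption: the interval is expressed in seconds

const defaultBranch = new Map([
  ["services.settings.poll_interval", 24 * HOUR],
  ["services.settings.default_signer", "signer.example"], // placeholder value
  ["services.settings.changes.path", "/changes.example"], // placeholder value
]);

// Guardrail 1: values that never change at run-time are read from the
// default branch only, so a user-branch override is ignored.
function readDefaultOnly(name) {
  if (!defaultBranch.has(name)) {
    throw new Error(`no default value for ${name}`);
  }
  return defaultBranch.get(name);
}

// Guardrail 2: a tunable value may be overridden, but only inside
// [min, max]; anything that is not a finite number falls back to the default.
function readClamped(userBranch, name, min, max) {
  const fallback = readDefaultOnly(name);
  const value = userBranch.has(name) ? userBranch.get(name) : fallback;
  if (typeof value !== "number" || !Number.isFinite(value)) {
    return fallback;
  }
  return Math.min(max, Math.max(min, value));
}

// Hypothetical helper: effective settings for a given user branch,
// using the 1H / 72H bounds suggested in the comment.
function effectiveSettings(userBranch) {
  return {
    pollInterval: readClamped(userBranch, "services.settings.poll_interval", 1 * HOUR, 72 * HOUR),
    signer: readDefaultOnly("services.settings.default_signer"),
    changesPath: readDefaultOnly("services.settings.changes.path"),
  };
}

// Constructed tampered profile: polling pushed out by decades, signer replaced.
const tampered = new Map([
  ["services.settings.poll_interval", 2 ** 31 - 1],
  ["services.settings.default_signer", "attacker.example"],
]);
console.log(effectiveSettings(tampered));
```

With the tampered profile, the poll interval comes back as the 72H ceiling and the signer as the shipped default, so the override cannot stop or redirect updates.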
Comment 2•5 years ago
Comment 3•5 years ago
Pushed by mleplatre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8553fd10ee89
Add guardrails for Remote Settings preferences r=glasserc
Comment 5•5 years ago
bugherder