Closed Bug 1567206 Opened 5 years ago Closed 4 years ago

Protocol Handling: Don't allow Firefox to automatically open the Windows Store app upon clicking a Windows Store URL

Categories

(Firefox :: File Handling, defect)

Product:
Firefox
Component:
File Handling
Version:
68 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: elliottabarnes, Unassigned)

References

(Regression)

Details

(Keywords: regression, sec-vector)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Tested on both Windows 10 1703 and 1803 X64 with Firefox 68.0.

When navigating to any URL pertaining to the Windows Store, Firefox automatically opens the built-in Windows Store application which then handles the URL sent by Firefox. Whilst this may offer convenience, there are several security implications to consider - namely that if a security issue is found within the Windows Store app directly which could lead to a MITM attack or similar, users could be tricked into clicking URLs on web pages - and with the current behaviour, Firefox would automatically allow the Windows Store to open. The other security issue to consider is the potential for apps to be published to the Windows Store which could in some way escape the Windows 10 sandbox - whilst this would require a user to explicitly download the app, the way that Firefox does this requires less decision making on the part of the user and fewer interactions. From the point-of-view of security-minded users, this can be disabled from about:config by changing "network.protocol-handler.external.ms-windows-store". Apologies if anybody thinks that it was inappropriate for me to check the box for a security-sensitive issue; I would rather this was reviewed before being displayed to everybody.

Actual results:

See above

Expected results:

I see two possibilities for the best way to approach this:

  1. Upon clicking a link to the Windows Store, Firefox could display the standard "Launch Application" dialog; this would then allow a user to cancel, or choose to always open "ms-windows-store" URLs in the native Windows Store app

  2. The alternative is that we simply remove this protocol altogether; however, due to the increasing number of apps being published to the Windows Store the first option may be more logical

Normally Firefox knows nothing about external protocols so it asks the OS if there's a handler and then ask the user to choose. Launching without prompting exposes Firefox users to any future discovered security bugs in that software. Apparently in bug 866065 we made an explicit choice to launch this specific app without asking for compatibility with Chrome and Edge, as well as to resolve a poor user experience. Normally I would say launching without asking is dangerous, but this is essentially part of the Windows OS and I'm fairly confident that if there's a security bug in it MS will patch it quickly and has extensive telemetry that would alert them to abuse.

Group: firefox-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Shell Integration
Ever confirmed: true
Keywords: sec-vector
Regressed by: 866065
See Also: → 866065
Keywords: regression

My concern is that whilst this makes things easier for the average user, an acception has now been made; for the majority of protocols, Firefox explicitly asks users what they'd like to do when they click on a link associated with a protocol, and to remain consistent with other protocols, in my opinion, the same approach should be considered. My concern is that if we're now making an exception for this protocol, would we now consider doing the same for others - "mailto:" being a good example? Microsoft also allow Windows Update to be called from web pages (I can provide an example URL if required); would we also consider opening Windows Update when a link is clicked as we have done with the Windos Store?

Component: Shell Integration → File Handling

The priority flag is not set for this bug.
:Gijs, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to elliottabarnes from comment #2)

My concern is that if we're now making an exception for this protocol, would we now consider doing the same for others - "mailto:" being a good example?

mailto: is already treated this way - we do not prompt if you have a default mail client installed (and it's not Firefox).

Microsoft also allow Windows Update to be called from web pages (I can provide an example URL if required); would we also consider opening Windows Update when a link is clicked as we have done with the Windos Store?

Consider it, yes. Depending on what such a link allows, we may or may not end up doing it...

It sounds like we don't want to change the windows store decision at this time.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(gijskruitbosch+bugs)
Resolution: --- → WONTFIX
See Also: → 1677753
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.