Closed
Bug 1569623
Opened 5 years ago
Closed 5 years ago
The user can bypass the popup blocking policy from the banner section
Categories
(Firefox :: Enterprise Policies, defect, P5)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: cbaica, Unassigned)
Details
Attachments
(1 file)
3.28 MB,
video/mp4
|
Details |
[Affected versions]:
- Fx 70.0a1
- Fx 69.0b9
- Fx 68.0ESR
[Affected platforms]:
- windows 10
- macOS 10.11
- ubuntu 18.04
[Steps to reproduce]:
- Setup the popub blocking policy:
{
"policies": {
"PopupBlocking": {
"Allow": ["https://google.com"],
"Locked": true
}
}
}
- Launch Firefox with a clean profile.
- Go to http://www.dummysoftware.com/popupdummy_testpage.html .
- From the yellow banner, click the preferences banner.
- Choose to 'allow' the popups from the displayed drop-down menu.
[Expected result]:
- The user shouldn't be able to allow popups from other websites than the ones mentioned in the policy.
[Actual result]:
- The policy is bypassed and popups are displayed.
[Regression range]:
- I will invesitgate further, but this does no look like a regression.
[Additional notes]:
- If the policy is deleted and the browser is restarted, it can be noticed that the website was added to the exception list.
- The fix from bug 1568246 was intended to deny access to the exceptions part, but by using these steps, the user doesn't even need access to the exceptions list to add in websites.
Comment 1•5 years ago
|
||
I think that adding websites is OK. The thing we don't want people to be able to do is remove them...
Updated•5 years ago
|
Priority: -- → P5
Comment 2•5 years ago
|
||
Our goal with locking is to prevent folks from removing, not from adding. So I think we're good here.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•