Closed Bug 1588059 Opened 6 years ago Closed 6 years ago

Group Policy Addon Whitelisting not working as expected

Categories

(Firefox :: Enterprise Policies, defect)

defect
Not set
normal

RESOLVED INVALID

People

(Reporter: mark, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Steps to reproduce:

Computer Configuration

  1. Mozilla/Firefox/Add-ons/Add-On Installation = Disable
    --> All Addons are blocked from installation. Perfect! That's the goal
  2. Mozilla/Firefox/Add-ons/Allowed Sites = Enable
    add a specific URL for a single Addon, e.g.
    https://addons.mozilla.org/en-US/firefox/addon/dev-colorpicker
    https://addons.mozilla.org/de/firefox/addon/dev-colorpicker
    tried with and without "/"

Actual results:

All Addons are allowed. The URL seems to be cut; it is interpreted as "https://addons.mozilla.org"

Expected results:

All Addons except colorpicker should be disabled. Colorpicker should be the only one on the whitelist.

This doesn't seem like a security bug to me. Mike, can you confirm?

Also, I don't understand what "Mozilla/Firefox/Add-ons/Allowed Sites" refers to - is it something in CCK? Or somewhere else? It doesn't seem to match up with anything on https://github.com/mozilla/policy-templates or about:policies or anywhere else.

Component: Untriaged → Enterprise Policies
Flags: needinfo?(mozilla)

Definitely not a security bug.

Allowed Sites point to origins/domains allowed to install XPIs, not URLs. Per the documentation:

Configure the default extension install policy as well as origins for extension installs are allowed. This policy does not override turning off all extension installs.

Allow is a list of origins where extension installs are allowed.

The new ExtensionSettings policy should accomplish what you are trying to do:

https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings

Flags: needinfo?(mozilla)

Resolving per comment #3

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID

(In reply to :Gijs (he/him) from comment #2)

Also, I don't understand what "Mozilla/Firefox/Add-ons/Allowed Sites" refers to

That's the category path you create with your ADMX templates within the GP editor, where "Allowed Path" is the policy that is defined.

Thanks a lot for clarifying this! But I think there is still a little issue in it.

I defined it wrong, by pointing to "https://addons.mozilla.org/de/firefox/addon/dev-colorpicker" instead of the XPI.
So, everything should still be safe. No Addons should be installed in any case, because the Policy "Add-On Installation = Disable" is active and only the whitelisting entry is wrong.

But what will happen is that the WRONG URL for the whitelist will be shortened to "https://addons.mozilla.org" and ALL(!) addons can be installed. That is a security issue, because the intention is still blocking everything except the whitelist.

(In reply to Mike Kaply [:mkaply] from comment #3)

Allowed Sites point to origins/domains allowed to install XPIs, not URLs. Per the documentation:

It would be great if you could write that into the Explain string in the ADML file.

The actual Explain string is referring to URLs ...
"If this policy is enabled, add-ons are always allowed for the URLS indicated unless add-on install is disabled. If a top level domain is specified (http://example.org), add-ons are allowed for all subdomains as well"

Admins like me, who have been handling Chrome for years, will always take the URL of the Addon, not the file URL. That's the reason why I did not even think about the XPI path.

Thanks again

I did update this in a newer version:

  <string id="InstallAddonsPermission_Allow_Explain">If this policy is enabled, add-ons are always allowed for the origins indicated unless add-on install is disabled. If a top level domain is specified (http://example.org), add-ons are allowed for all subdomains as well.</string>

Coming back to my problem, it would be nice to integrate a whitelisting sample in the ADML as well.

Is the path to the XPI:
https://addons.mozilla.org/firefox/downloads/file/1022282/colorpick_eyedropper-0.0.2.13-an+fx.xpi?src=dp-btn-primary
or
https://addons.mozilla.org/firefox/downloads/file/1022282/colorpick_eyedropper-0.0.2.13-an+fx.xpi

and could it be possible to integrate the schema of that kind of URL/Whitelist? e.g.
https://addons.mozilla.org/firefox/downloads/file/vendornumber/name-of-addon+fx.xpi

Actually it's better if you use:

https://addons.mozilla.org/firefox/downloads/latest/SHORT_NAME/latest.xpi

Where SHORT_NAME in your case is probably colorpick_eyedropper.

I'm working on an extension for Firefox that will give you this information.
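
Added example (not part of the bug thread and not Mozilla's code): a pre-deployment check that flags Allowed Sites entries written as full URLs, showing the origin each one reduces to per comment #3. The sample policy object is constructed, and using `URL.origin` to model how Firefox reads an entry is an assumption based on the behaviour described in this bug.

```javascript
// Constructed sample in policies.json shape; only the Allow list matters here.
const samplePolicies = {
  policies: {
    InstallAddonsPermission: {
      Allow: [
        "https://addons.mozilla.org/en-US/firefox/addon/dev-colorpicker",
        "https://intranet.example/",
        "not a url",
      ],
    },
  },
};

// Return one finding per Allow entry: the origin the entry reduces to
// (assumption: modelled with URL.origin) and whether the admin wrote
// more than an origin, i.e. a path, query or fragment that is not honoured.
function auditAllowedSites(config) {
  const perm = (config.policies || {}).InstallAddonsPermission || {};
  return (perm.Allow || []).map((entry) => {
    let url;
    try {
      url = new URL(entry);
    } catch (e) {
      // Entries that do not parse need a manual look.
      return { entry, origin: null, issue: "unparseable" };
    }
    const extra =
      url.pathname !== "/" || url.search !== "" || url.hash !== "";
    return { entry, origin: url.origin, issue: extra ? "path-ignored" : null };
  });
}

// Report only the entries an admin should revisit before rollout.
for (const f of auditAllowedSites(samplePolicies)) {
  if (f.issue === "path-ignored") {
    console.log(`${f.entry}\n  -> whitelists the whole origin ${f.origin}`);
  } else if (f.issue === "unparseable") {
    console.log(`${f.entry}\n  -> not a valid URL, review manually`);
  }
}
```

An entry flagged `path-ignored` is the case from this report: the intent was one add-on, the effect is the whole origin, so per-extension control belongs in ExtensionSettings instead.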
