Closed Bug 1596393 Opened 5 years ago Closed 3 years ago

"remote.enabled" is only evaluated during startup

Categories

(Remote Protocol :: Agent, defect, P5)

Product:
Remote Protocol
Component:
Agent
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: whimboo, Unassigned)

Details

To turn on the remote agent the preference value from "remote.enabled" will be read. This works fine when it was set before Firefox gets started, but not when you change the value in "about:config".

I assume nothing should block us from allowing the remote agent to instantly be enabled or disabled?

Andreas, do you have any concerns?

Flags: needinfo?(ato)

Only the --remote-debugging-port and --remote-debugger flags
will cause the remote agent to listen for incoming connections. The
remote.enabled preference controls whether these flags are available
and blocks any attempt to make the remote agent listen when
nsIRemoteAgent.listen() is called.

In other words the behaviour of remote.enabled is different to
marionette.enabled because it doesn’t control the listener, but
the availability of the component. This is by design.

To make the remote agent listen at runtime you will have to evaluate
the following code in the browser console (with bug 1543115 applied):

Cc["@mozilla.org/remote/agent;1"].getService(Ci.nsIRemoteAgent).listen()

You can also import chrome://remote/content/RemoteAgent.jsm
and call RemoteAgent.listen().

Flags: needinfo?(ato)

(In reply to Andreas Tolfsen 「:ato」 from comment #1)

Only the --remote-debugging-port and --remote-debugger flags
will cause the remote agent to listen for incoming connections. The
remote.enabled preference controls whether these flags are available
and blocks any attempt to make the remote agent listen when
nsIRemoteAgent.listen() is called.

Not sure I fully understand that part. When you say that remote.enabled controls if the command line flags are available what does that mean? Those flags are chosen way before the profiler manager is used to select a profile, and as such it doesn't know about the setting of this preference. For a default profile with the preference value of false those arguments are still listed on the command line.

If we don't allow to use those CLI args, we should maybe bail out. Otherwise we could save the values of those arguments and check whenever the preference remote.enabled gets changed during runtime, and enable/disable the remote agent based on its value.

To make the remote agent listen at runtime you will have to evaluate
the following code in the browser console (with bug 1543115 applied):

Cc["@mozilla.org/remote/agent;1"].getService(Ci.nsIRemoteAgent).listen()

You can also import chrome://remote/content/RemoteAgent.jsm
and call RemoteAgent.listen().

And we don't want to run this automatically when the preference is turned on?

Flags: needinfo?(ato)

What I mean is that when remote.enabled is not set, the flags won’t work.
Trying to start Firefox with --remote-debugger will in that case cause an error in RemoteAgent.listen().

Think of it as a feature flag, not a control switch.

When Firefox starts shipping the remote agent this lets us control
the availability of the component to users without rebuilding Firefox.
For example if we later find we need to disable the feature due to some problem,
all we have to do is disable the feature.

By contrast, to disable Marionette you would need to recompile with --disable-marionette
and hope we got #ifdefs in all the right places and that they still work.

Flags: needinfo?(ato)

I understand all that but what I still miss is the following part: Why do we put the Remote Agent in listen mode only during startup, but not at runtime. If the pref intentionally gets flipped it would be convenient to just put the agent in listen mode, or stop it from listening. Above you showed a workaround how this could work.

Is it an extra protection layer that no code running with chrome scope could potentially enable/disable the agent, but you have to explicitly do that with a following restart of Firefox (after flipping the pref)?

A single entry-point causing the agent to listen for browser-external connections
is conceptually simpler, but also reduces potential attack vectors.
It also resonates better with how (most) other *.enable feature flags in about:config work.

If we have a use case that requires starting the listener at runtime,
I would rather we developed a dedicated UI for it in about:debugging,
as we have for RDP remote debugging via USB and WLAN.
Requiring explicit user consent seems better overall
than relying on the implicitness of flipping a preference.

A separate UI handling such a case would make total sense, indeed. As this is not something we can work on right now lets push this to the backlog.

Priority: -- → P5

The remote.enabled preference has been removed by bug 1710839. As such this bug is invalid now.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.