Closed Bug 1735806 Opened 4 years ago Closed 3 years ago

Specifying install_sources still allows installs from addons.mozilla.org

Categories

(Firefox :: Enterprise Policies, defect, P2)

Product:
Firefox
Component:
Enterprise Policies
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
99 Branch
Tracking Flags:
Tracking Status
firefox99 --- fixed

People

(Reporter: mkaply, Assigned: mkaply)

References

Details

Attachments

(1 file)

Bug 1735806 - Don't allow installs from AMO if not in policy install_sources r?willdurand!
48 bytes, text/x-phabricator-request
Details | Review

If you specify install_sources in policy, it should only allow installs from that domain.

We still allow installs from addons.mozilla.org in that case

I swear this worked when we first implemented.

The issue is that installs from AMO don't go through isInstallAllowedByPolicy which checks the install_sources list.

AMO uses the mozAddonManager API here:

https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp

I thought we had code at one point to do this properly, but I guess I'm wrong.

The easiest fix would be to flip "privacy.resistFingerprinting.block_mozAddonManager" if install_sources doesn't contain addons.mozilla.org

I don't think it would be straightforward to call Services.policies.allowedInstallSource(aInstallingPrincipal.URI) from the CPP.iam, d

William, do you have any other thoughts?

Basically this policy allows you to specify the only URLs where addons are allowed to be installed from using match patterns.

Flags: needinfo?(wdurand)

Looking at the original patch, I don't see any coverage for mozAddonManager. I think we can still call isInstallAllowedByPolicy() for mozAddonManager, probably here: https://searchfox.org/mozilla-central/rev/46ff2252568db36e811109fa4026c8e3c12e9ee1/toolkit/mozapps/extensions/AddonManager.jsm#3261-3274 (as suggested by :rpl) but we didn't try.

Flags: needinfo?(wdurand)
See Also: → 1522823

So the only downside to throwing the error there is that AMO shows the error, we don't get an error via the doorhanger, but I'm not convinced that's a big deal.

But we would have that same problem using mozAddonManager as well.

I'll see if there's some way to do the doorhanger in this case.

Assignee: nobody → mozilla
Status: NEW → ASSIGNED

The severity field is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)
Severity: -- → S2
Flags: needinfo?(mozilla)
Priority: -- → P2
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/9e4421c103b8 Don't allow installs from AMO if not in policy install_sources r=willdurand,extension-reviewers,rpl,flod

https://hg.mozilla.org/mozilla-central/rev/9e4421c103b8

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox99: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: