Default engine is automatically switched if a WebExtension receives an update, even when opted out
Categories
(WebExtensions :: General, defect)
Tracking
(firefox-esr91 verified, firefox97 wontfix, firefox98 wontfix, firefox99 verified, firefox100 verified)
People
(Reporter: deepak.gupta, Assigned: mixedpuppy)
References
Details
(Keywords: sec-other, Whiteboard: [addons-jira][adv-main99-])
Attachments
(3 files)
|
814.02 KB,
video/mp4
|
Details | |
|
1.30 MB,
video/mp4
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
Steps to reproduce:
- Install a addon that takes over Default Search using Search Settings "chrome_settings_overrides"
- During install Opt-out from updating the Search engine
- Check for addon update
- If addon is updated with new version, Search engine is automatically updated without FF Opt-in message
Actual results:
If addon is updated with new version, Search engine is automatically updated without FF Opt-in message
Expected results:
If addon is updated with new version, Since user has already opted out from Search engine update, users should not be prompted for Search engine update and search engine should stay as is.
|
||
Comment 1•1 year ago
|
||
Including a bunch of folks so they're aware.
Andreas, is this your wheelhouse? If not, can you forward to whoever's it is?
|
Assignee | |
Comment 2•1 year ago
|
||
This would be an api bug (or maybe in the search service, but leaning to api right now). moving it for next triage.
|
|
Assignee | |
Comment 3•1 year ago
|
||
Alex, can you try to reproduce? It would need to be a search engine that sets default in the manifest.
|
||
Comment 4•1 year ago
|
||
Is this a security issue?
|
|
Assignee | |
Comment 5•1 year ago
|
||
(In reply to Andreas Wagner [:TheOne] [use NI] from comment #4)
Is this a security issue?
I don't think so, but leaving that for triage. Getting QA confirmation first will also be helpful.
|
||
Comment 6•1 year ago
|
||
Hello,
I reproduced the issue on the latest Nightly (99.0a1/20220302212501), Beta (98.0/20220302164716) and Release (97.0.1/20220216172458) under Windows 10 x64 and Ubuntu 16.04 LTS.
I’ve opted to use an older version of the “Ecosia — The search engine that plants trees” – v4.0.3 as it matches the pre-requisites of setting a search engine via “chrome_settings_overrides” in the manifest.
Proceeding with the STR described in the issue, even though I’ve opted out from updating the Search Engine during add-on install, updating the add-on will also update the Search Engine automatically without the consent of the user, since the Opt-In/Out doorhanger is not displayed.
For further details, see the attached video.
|
|
||
Comment 7•1 year ago
|
||
Hello, I am reaching out to see if this can be prioritizes as high. The bug is stopping us from pushing update to our Search extension as update will change Search engine for existing extension user who has opted out from this during installation flow.
|
|
||
Comment 9•1 year ago
|
||
Shane, given QA can repro can you or someone else on the add-ons team investigate and respond to comment #8?
|
|
||
Comment 10•1 year ago
|
||
Seems people agree at least this isn't a security issue as such, so moving to moco-confidential and leaving it to the webextensions team to determine if this should just be public.
|
|
Assignee | |
Comment 11•1 year ago
|
||
Sorry for the delay looking back at this.
If I read between the lines, this is the str that should be verified.
- user installs an addon that has is_default
- during install they see the "set search as default" prompt, and say no.
2a. the addon does not become the default search for firefox - user later receives an update to the same addon
3a. by design we never show the panel at this stage
expected result:
search engine is updated, but does not become firefox default search
actual result:
From the report and QA it sounds like it is becoming the default search, but I am not clear on that due to terminology (ie. it is being "updated")
|
|
||
Updated•1 year ago
|
|
|
||
Comment 12•1 year ago
|
||
Hello @Shane
I see where what I’ve reproduced earlier was a bit misleading so I’ll try and clear things out.
These are the STR that I used and the corresponding results:
- Install older version of “Ecosia — The search engine that plants trees” add-on, for example v4.0.0
- During add-on install, choose “No” on the “set search engine as default” prompt.
Result: The search engine provided by the add-on is not set as the default search engine in Firefox as it can be seen in about:preferences#search. - Update the “Ecosia — The search engine that plants trees” add-on.
Result 1: The add-on is updated and no additional panels are shown.
Result 2: The search engine provided by the add-on is set as the default search engine in Firefox as it can be seen after reloading about:preferences#search.
See the attached video for more details.
So the effect of this is that updating the search engine add-on will also set the search engine provided by the add-on as default in Firefox, without the user’s consent as the “set search engine as default” prompt/panel is not displayed at this stage (add-on update).
Hope this clears thing out.
|
|
||
Comment 13•1 year ago
|
||
|
||
Comment 14•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Firefox::Search' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 15•1 year ago
|
||
Moving back to WebExtensions, as I think this is in the API code. Also updating title to better summarise the issue.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 16•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 17•1 year ago
|
||
Pushed by scaraveo@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f41423a594b9 retain correct search default setting after addon update r=rpl
|
||
Comment 18•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 19•1 year ago
|
||
Verified the fix on the latest Nightly (100.0a1/20220320213921) under Windows 10 x64 and Ubuntu 16.04 LTS.
Following the STR from Comment 12, updating the search engine extension will no longer set the default search engine in Firefox to the one provided by the extension, confirming the fix.
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
Reporter | |
Comment 20•1 year ago
|
||
If I understand it right the fix will go in FF 100 based on release schedule (https://wiki.mozilla.org/Release_Management/Calendar) its 4/28 over a month away.
I am trying to see if this needs to be prioritized sooner than later, in my opinion extension developers (knowingly or unknowingly) can really abuse this issue to take over search setting in Firefox until the issue is fixed. Also I am planning to deploy some enhancement to my search extension and am hesitant to update existing users as update will override user's choice of using default Search engine without their consent.
|
|
||
Comment 21•1 year ago
|
||
There's one more beta tomorrow - is this safe enough for uplift?
|
|
Assignee | |
Comment 22•1 year ago
|
||
Comment on attachment 9268155 [details]
Bug 1757760 retain correct search default setting after addon update
Beta/Release Uplift Approval Request
- User impact if declined: An addon update can change the default engine without user interaction.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Change is limited to addons with search engines and well covered in tests.
- String changes made/needed: n/a
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 23•1 year ago
|
||
Comment on attachment 9268155 [details]
Bug 1757760 retain correct search default setting after addon update
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: default search can be modified by a simple addon update.
- User impact if declined: same as beta request.
- Fix Landed on Version: 100
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): same as beta request.
|
||
Comment 24•1 year ago
|
||
Comment on attachment 9268155 [details]
Bug 1757760 retain correct search default setting after addon update
Approved for 99.0b8. Thanks.
|
|
||
Comment 25•1 year ago
|
||
| bugherderuplift | ||
|
|
||
Comment 26•1 year ago
|
||
Comment on attachment 9268155 [details]
Bug 1757760 retain correct search default setting after addon update
Approved for 91.8esr.
|
|
||
Comment 27•1 year ago
|
||
| bugherderuplift | ||
|
|
||
Comment 28•1 year ago
|
||
Verified the fix on the latest Beta (99.0b8/20220324185704) under Windows 10 x64 and Ubuntu 16.04 LTS.
Following the STR from Comment 12, updating the search engine extension will no longer set the default search engine in Firefox to the one provided by the extension, confirming the fix.
|
||
Updated•1 year ago
|
|
|
||
Comment 29•1 year ago
|
||
Verified the fix on the latest ESR (91.8.0esr/20220330151638) under Windows 10 x64 and Ubuntu 16.04 LTS.
Following the STR from Comment 12, updating the search engine extension will no longer set the default search engine in Firefox to the one provided by the extension, confirming the fix.
Description
•