Allow recommended extensions access to Quarantined domains
Categories
(WebExtensions :: General, enhancement, P2)
Tracking
(firefox115 fixed)
| | Tracking | Status |
|---|---|---|
| firefox115 | --- | fixed |
People
(Reporter: zombie, Assigned: rpl)
References
(Blocks 2 open bugs)
Details
Attachments
(2 files)
To minimize disruption, we might want to allow the set of "trusted" addons to access Quarantined domains. Certainly privileged, builtin and system, and potentially also for Recommended.
Comment 1 • 1 year ago (Reporter)
For some reason, I don't see a Confidential checkbox while filing a new bug.
Comment 2 • 1 year ago (Reporter)
Andreas, does this match your expectation about Recommended extensions? Are we ok to give them access to Quarantined domains without the user needing to take any action?
Comment 3 • 1 year ago
Konstantin, given our limited review capacity going forward, what do you think is the best course of action here? I don't know what the plan looks like, so I am wondering if it's safe to do that for Recommended Extensions.
Comment 4 • 1 year ago (Reporter)
In the office hours, Andreas said we should check in with legal about this, as it might be considered "preferential treatment". I believe this concern (if valid) goes away in 116 when we allow users to override the quarantine.
Also he says that exempting recommended today would prevent us from ever skipping pre-review on them in the future.
But I don't think this needs to be a "forever" decision. It could be temporary just for 115 (until we have user override), and/or we can make this depend on remote settings flag to be able to change our mind later if needed.
Comment 5 • 1 year ago
I chatted with Konstantin about this. We will exempt any addon with a recommended state (recommended, line, etc). If a solid reason turns up we can reverse that. The goal is to reduce the impact of the current block, especially since initially there will not be user control. As well, there is minimal risk with these addons.
Comment 6 • 1 year ago
Legal was going to make the same suggestion, they were thinking along the same lines. So, we will exempt builtin, system, any recommended including line extensions.
Comment 7 • 1 year ago
> any recommended including line extensions

Fwiw, those two sets are mutually exclusive.

> In the office hours, Andreas said we should check in with legal about this, as it might be considered "preferential treatment". I believe this concern (if valid) goes away in 116 when we allow users to override the quarantine.

Does that mean in 116, we will no longer allow access to quarantined domains by default for the aforementioned promoted groups? If not, the concern won't go away.
Comment 8 • 1 year ago
Also, we recently removed some add-ons from being Recommended. As far as I understand, if there is no newer public version, the installed version would still be considered Recommended and thus have access to quarantined domains, right? Is that a concern?
Comment 9 • 1 year ago
Konstantin, what about the questions in comment 7 and 8?
Comment 10 • 1 year ago
(In reply to Andreas Wagner [:TheOne] [use NI] from comment #8)
> Also, we recently removed some add-ons from being Recommended. As far as I understand, if there is no newer public version, the installed version would still be considered Recommended and thus have access to quarantined domains, right? Is that a concern?

If we remove something from recommended, either it is malicious or it is not. If it is we can block it with the traditional blocklist.

> Does that mean in 116, we will no longer allow access to quarantined domains by default for the aforementioned promoted groups? If not, the concern won't go away.

No, it means they are allowed access. The concern was already discussed, Feldman and others were going to suggest this approach.
Comment 11 • 1 year ago
(In reply to Andreas Wagner [:TheOne] [use NI] from comment #8)
> Also, we recently removed some add-ons from being Recommended. As far as I understand, if there is no newer public version, the installed version would still be considered Recommended and thus have access to quarantined domains, right? Is that a concern?

Recommendations expire after 5 years. E.g. this is what the (prettified) mozilla-recommendation.json file in uBlock Origin version 1.49.2 looks like:

```json
{
  "addon_id": "uBlock0@raymondhill.net",
  "states": [
    "recommended-android",
    "recommended"
  ],
  "validity": {
    "not_after": "2028-05-02T22:25:54Z",
    "not_before": "2023-05-03T16:25:54Z"
  },
  "schema_version": 1
}
```
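An added example, not part of the thread and not Firefox source code: a sketch of how the exemption agreed in comments 5 and 6 could be evaluated against a `mozilla-recommendation.json` file like the one quoted in comment 11. It shows that the decision depends only on the installed file's validity window, which is the situation comment 8 asks about. The function names, the `addon` object shape, and the rule that any in-window state qualifies are assumptions.

```javascript
// Added illustration; names and the exemption rule are assumptions drawn
// from this thread, not taken from the Firefox code base.

// Constructed sample mirroring the file quoted in comment 11.
const SAMPLE = {
  addon_id: "uBlock0@raymondhill.net",
  states: ["recommended-android", "recommended"],
  validity: {
    not_after: "2028-05-02T22:25:54Z",
    not_before: "2023-05-03T16:25:54Z",
  },
  schema_version: 1,
};

// Return the states in force at `now`, or [] when the file does not apply
// (wrong add-on, malformed content, or outside its validity window).
function activeStates(rec, addonId, now) {
  if (!rec || rec.addon_id !== addonId || !Array.isArray(rec.states)) {
    return [];
  }
  const notBefore = Date.parse(rec.validity?.not_before);
  const notAfter = Date.parse(rec.validity?.not_after);
  // Date.parse yields NaN for missing or malformed dates: fail closed.
  if (Number.isNaN(notBefore) || Number.isNaN(notAfter)) {
    return [];
  }
  const t = now.getTime();
  if (t < notBefore || t > notAfter) {
    return [];
  }
  return rec.states.filter(s => typeof s === "string" && s.length > 0);
}

// Exemption as summarised in comment 6: builtin, system, or any
// recommendation state that is still within its validity window.
function ignoresQuarantine(addon, now = new Date()) {
  if (addon.isBuiltin || addon.isSystem) {
    return true;
  }
  return activeStates(addon.recommendation, addon.id, now).length > 0;
}
```

In this sketch an installed version keeps its exemption until `not_after` regardless of its current listing status, so revoking access earlier relies on the blocklist mentioned in comment 10.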
Comment 12 • 1 year ago (Assignee)
Comment 13 • 1 year ago (Assignee)
Comment 14 • 1 year ago
https://hg.mozilla.org/mozilla-central/rev/62e03cadbce7c12d6b0b1829f587122a26886758
https://hg.mozilla.org/mozilla-central/rev/bf01737c7b13b1363c5a6cde3f2f4265c3e60c8c