Force installed extensions in FF 115 ESR not auto updating when Firefox update is disabled (windows group policies)
Categories
(Toolkit :: Add-ons Manager, defect, P3)
People
(Reporter: bugzilla, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Steps to reproduce:
Set user-based Windows group policies for Firefox using the latest ADMX files from Mozilla:
DisableAppUpdate=true
ExtensionSettings={"*":{"installation_mode":"blocked"},"{3bdedc7b-4521-44e0-bffe-519f60814d95}":{"installation_mode":"force_installed","updates_disabled":"false","install_url":"https://addons.mozilla.org/firefox/downloads/latest/password-safe-browser-add-on/latest.xpi","default_area":"navbar"}}
ExtensionUpdate=true
user agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Actual results:
Firefox ESR extensions are not auto updating
Expected results:
Even if Firefox ESR's own update mechanism is disabled (because it is being updated by centralized software update mechanisms), (force) installed extensions should be auto updated.
Comment 1•9 months ago
The Bugbug bot thinks this bug should belong to the 'Toolkit::Application Update' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•9 months ago
I think it probably makes more sense to have the extensions folks look at this.
Comment 3•8 months ago
Hello,
Would you be able to provide the exact admx file you are currently using and also mention the location where it should be? Thank you!
I tried using the policy information from Comment 0 and set a local policy via the distribution folder in the browser installation folder, however the policy is not recognized. I’m not sure I’ve set it up correctly.
Thank you for your reply. I'm using these policy templates: https://github.com/mozilla/policy-templates/releases/download/v5.8/policy_templates_v5.8.zip
The content of the included windows folder has to be placed into C:\WINDOWS\PolicyDefinitions folder. Then you can open gpedit.msc and configure the following settings:
Administrative Templates (Users)/Mozilla/Firefox/Disable Update = enabled
Administrative Templates (Users)/Mozilla/Firefox/Extensions/Extension Update = enabled
Administrative Templates (Users)/Mozilla/Firefox/Extensions/Extension Management = {"*":{"installation_mode":"blocked"},"{3bdedc7b-4521-44e0-bffe-519f60814d95}":{"installation_mode":"force_installed","updates_disabled":"false","install_url":"https://addons.mozilla.org/firefox/downloads/latest/password-safe-browser-add-on/latest.xpi","default_area":"navbar"}}
Your Windows registry keys then look like this:
[HKEY_CURRENT_USER\Software\Policies\Mozilla\Firefox]
"DisableAppUpdate"=dword:00000001
"ExtensionUpdate"=dword:00000001
To test the non-working update functionality, you probably have to replace the install_url with a link to latest.xpi on your own webserver so you can update that file there without changing the policy setting. All versions can be downloaded from https://addons.mozilla.org/de/firefox/addon/password-safe-browser-add-on/versions/
Comment 5•8 months ago
Hi Mike, would you mind taking a look at this issue?
In particular we were wondering if there is any expected relationship between the "Firefox/Disable Update" and the "Firefox/Extensions/Extension Update" policy settings.
Comment 6•8 months ago
The bug is in the Extension Settings policy that was written:
"updates_disabled":"false"
should be
"updates_disabled": false
"false" is interpreted as being a truthy string by:
if (Services.policies.getExtensionSettings(this.id)?.updates_disabled) {
I'll make the docs more clear.
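The string-versus-boolean mistake described in comment 6 can be caught before a policy is deployed. The following is an added example, not code from Firefox or from this bug: a small linter that parses an ExtensionSettings value, flags `updates_disabled` when its JSON type is not boolean, and shows what a truthiness test would make of it. The function names and the list of checked keys are assumptions made for the example.

```javascript
// Added example, not Firefox source: lint an ExtensionSettings policy value
// for boolean keys that were written as JSON strings.

// Constructed input: the policy value from the bug report above.
const REPORTED_POLICY =
  '{"*":{"installation_mode":"blocked"},' +
  '"{3bdedc7b-4521-44e0-bffe-519f60814d95}":{"installation_mode":"force_installed",' +
  '"updates_disabled":"false","install_url":"https://addons.mozilla.org/firefox/' +
  'downloads/latest/password-safe-browser-add-on/latest.xpi","default_area":"navbar"}}';

// Assumption: only updates_disabled is checked, the one key this thread discusses.
const BOOLEAN_KEYS = ["updates_disabled"];

// Same truthiness test as the line quoted in comment 6.
function updatesBlocked(entry) {
  return Boolean(entry?.updates_disabled);
}

// "true"/"false" (any case) -> boolean; anything else -> null (needs review).
function parseBoolString(value) {
  if (typeof value !== "string") return null;
  const s = value.trim().toLowerCase();
  return s === "true" ? true : s === "false" ? false : null;
}

// Report every boolean key whose JSON type is not boolean.
function lintExtensionSettings(json) {
  const findings = [];
  for (const [id, entry] of Object.entries(JSON.parse(json))) {
    if (entry === null || typeof entry !== "object") continue;
    for (const key of BOOLEAN_KEYS) {
      if (!(key in entry) || typeof entry[key] === "boolean") continue;
      findings.push({ id, key, value: entry[key],
        intended: parseBoolString(entry[key]),  // what the admin meant
        effective: Boolean(entry[key]) });      // what a truthiness test sees
    }
  }
  return findings;
}

// Return the policy JSON with unambiguous string booleans converted.
function fixExtensionSettings(json) {
  const settings = JSON.parse(json);
  for (const f of lintExtensionSettings(json)) {
    if (f.intended !== null) settings[f.id][f.key] = f.intended;
  }
  return JSON.stringify(settings);
}
```

For the reported policy the linter returns one finding whose `intended` value is `false` while `effective` is `true`, which is the mismatch comment 6 points out.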
(In reply to Mike Kaply [:mkaply] from comment #6)
> The bug is in the Extension Settings policy that was written:
> "updates_disabled":"false"
> should be
> "updates_disabled": false
> "false" is interpreted as being a truthy string by:
> if (Services.policies.getExtensionSettings(this.id)?.updates_disabled) {
> I'll make the docs more clear.
Thank you for your detailed feedback regarding this setting. But even when not using setting "updates_disabled" at all (thus using the standard setting = false), the extensions are not auto updating. I think the main problem here is that setting ExtensionUpdate=true is conflicting with setting DisableAppUpdate=true and the last one wins. Could this be possible?
Comment 8•8 months ago
How are you verifying that updates aren't happening?
Here's what I did. I used the following policies.json:
{
  "policies": {
    "DisableAppUpdate": true,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked"
      },
      "{d634138d-c276-4fc8-924b-40a0ea21d284}": {
        "installation_mode": "force_installed",
        "updates_disabled": false,
        "install_url": "https://addons.mozilla.org/firefox/downloads/file/4232852/1password_x_password_manager-2.20.2.xpi",
        "default_area": "navbar"
      }
    },
    "ExtensionUpdate": true
  }
}
which deliberately installed an older version of one password.
I then went to the addons manager, selected the settings icon and clicked "check for updates" and the extension was updated.
(In reply to Mike Kaply [:mkaply] from comment #8)
> How are you verifying that updates aren't happening?
> Here's what I did. I used the following policies.json:
> { "policies": { "DisableAppUpdate": true, "ExtensionSettings": { "*": { "installation_mode": "blocked" }, "{d634138d-c276-4fc8-924b-40a0ea21d284}": { "installation_mode": "force_installed", "updates_disabled": false, "install_url": "https://addons.mozilla.org/firefox/downloads/file/4232852/1password_x_password_manager-2.20.2.xpi", "default_area": "navbar" } }, "ExtensionUpdate": true } }
> which deliberately installed an older version of one password.
> I then went to the addons manager, selected the settings icon and clicked "check for updates" and the extension was updated.
This is correct: manually triggering the "check for updates" works as expected. But I expect Firefox to automatically update the installed extensions without any user interaction. What also indicates that extension auto updating is disabled is when clicking the settings icon in addons manager the check mark next to "update add-ons automatically" is missing with this configuration.
Don't get me wrong: I'm questioning the described behavior of Firefox for large enterprise usage - not for home usage. Enterprise usage means updating Firefox via software deployment tools and force installing several extensions via group policy. Disabling Firefox own update service is then applied via group policy but still expecting the installed extensions updating automatically anyway.
Comment 10•8 months ago
The severity field is not set for this bug.
:rpl, could you have a look please?
For more information, please visit BugBot documentation.
Comment 11•8 months ago
Mike, is it expected that the policies defined in Comment 9 only allow manual updates (with the "check for updates" button in about:addons)? I am wondering if DisableAppUpdate is somehow disabling the timer or something along those lines, which would explain why (1) manual updates of the add-on with id {d634138d-c276-4fc8-924b-40a0ea21d284} works but (2) it doesn't automatically get updated. Thoughts?
Comment 12•8 months ago
(In reply to William Durand [:willdurand] from comment #11)
> I am wondering if DisableAppUpdate is somehow disabling the timer or something along those lines
I don't believe that we do anything like this. The DisableAppUpdate policy's only direct effect is to cause Services.policies.isAllowed("appUpdate") to return false. This is mostly used to control nsIApplicationUpdateService.disabled as well as some telemetry and UI stuff that should probably be changed to use nsIApplicationUpdateService.disabled as well. We don't make any changes involving UpdateTimerManager whatsoever when this policy is active. We just bail out immediately when the timer fires.
I'll leave the needinfo for mkaply just in case he has anything to add.
Comment 13•8 months ago
There is definitely no expectation addon automatic updates would be disabled. And as Robin said, app updates shouldn't affect this.
I have this on my list of things to investigate deeper. Was planning to look next week.
What's the best way to trigger automatic updates for testing?
Comment 14•7 months ago
Needinfo-ing William as a reminder to answer mkaply's question from comment 13.
Comment 15•7 months ago
I would either set the extensions.update.interval pref to a lower value (in seconds) or run some code snippet to check for updates manually in the browser console:
{
  const { AddonManagerPrivate } = ChromeUtils.importESModule(
    "resource://gre/modules/AddonManager.sys.mjs"
  );
  AddonManagerPrivate.backgroundUpdateCheck();
}
Comment 16•6 months ago
Hi Mike, we are moving this bug to the "Toolkit :: Add-ons Manager" bugzilla component while we are still investigating it to decide if this should be tracked on the Addon Manager or Enterprise Policies bugzilla components.
We would like to set a priority for this investigation too, in your opinion should this be a P2 or can it be a P3?