Open Bug 1888477 Opened 1 year ago Updated 1 year ago

PopupBlocking policy - locking is not working completely correct

Categories

(Firefox :: Enterprise Policies, defect, P3)

Product:
Firefox
Component:
Enterprise Policies
Platform:
Desktop
All
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox125 --- affected
firefox126 --- affected

People

(Reporter: pascal.reintjens, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

  1. Created a policies.json file with the following contents:
{
	"policies": {		
		"PopupBlocking": {
			"Default": true,
			"Allow": ["https://test.de"],
			"Locked": true
		}
	}	
}
  1. Subsequently, placed this file within the installation directory: C:\Program Files\Mozilla Firefox\distribution\policies.json
  2. restarted the browser and went to Settings > Privacy & Security > Permissions
  3. Went to https://moodle.ib-hochschule-online.de/ibfiles/technik/popup.html for a popup demo (could use any other popup demo site)
  4. Clicked the Options button on the banner announcing "Firefox prevented this site from opening a pop-up window."
  5. Clicked "Allow pop-ups for domain.ending
  6. A popup opens.
  7. restarted the browser and again went to the same url.

Actual results:

At step 3, the "default" and "locked" setting within PopupBlocking correctly results in the option Block pop-up windows being activated and greyed out, including the Exceptions... Button so that the user can't change any popup settings.
But when the user then visits a popup demo page in step 4, and clicks the buttons / options in step 5 and 6, he can allow popups permanently. When then restarting Firefox and visiting the same url again, the popups get displayed directly. Additionally he can also permanently allow popups within the adressbar settings option, that gets displayed after a popup has been blocked.

Expected results:

The user shouldn't be provided with an option on a website to allow popups permanently for the website when PopupBlocking has set both "default" to true and "locked" to true.

Additionally the same popup banner has an option to just show the blocked popup that resulted in the popup banner being shown. Maybe there could be an option within PopupBlocking too, that sets whether this option is available as well.

Otherwise my thoughts are, that maybe there should even be an additional option "exceptions_locked" that controls whether the user can add exceptions on both sides (settings and banner), instead of being locked by the main locked (as it is half now), so that a company can decide to block pop-ups by default while allowing users to add individual exceptions, while another company might want to lock even the exceptions.

Hello! I have managed to reproduce the issue with firefox 126.0a1(2024-04-11) and 125.0 on Ubuntu 22.04 and Windows 10. I will mark this issue as NEW and set a component for it, if it's not the right component please feel free to change it to an appropriate one.

Have a nice day!

Status: UNCONFIRMED → NEW
Has STR: --- → yes
status-firefox125: --- → affected
status-firefox126: --- → affected
Component: Untriaged → Site Permissions
Ever confirmed: true
OS: Unspecified → All
Hardware: Unspecified → Desktop
Component: Site Permissions → Enterprise Policies

The severity field is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mozilla)
Severity: -- → S3
Flags: needinfo?(mozilla)
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.