Open Bug 1904061 Opened 1 year ago Updated 1 month ago

Allow fine grained control of permissions via ExtensionSettings policy

Categories: WebExtensions :: General, enhancement, P5

Tracking: Not tracked

Status: ASSIGNED

People: Reporter: mkaply, Assigned: mkaply

References: Blocks 1 open bug

Attachments: 1 file

This might end up in enterprise policies, but I wanted to start it here.

On Chrome and Edge, you can use enterprise policy to override extension permissions. So an extension might ask to have access to all sites, but you can prevent it from accessing specific sites or lock it to specific sites.

You can also prevent an extension from having a specific permission even if it wants it.

The specific settings are:
blocked_permissions
runtime_blocked_hosts
runtime_allowed_hosts

See:

https://support.google.com/chrome/a/answer/9867568?hl=en

I imagine this would work similarly to the existing addon policy, where you would ask the policy engine what permissions/hosts were allowed or not allowed.

Severity: -- → N/A
Priority: -- → P5

I'm also interested in this feature. The way ExtensionSettings are currently implemented makes me feel very uneasy, security-wise.

I think another useful behavior we could have here is to automatically disable extensions that request permissions they are not allowed to. Extensions installed through ExtensionSettings currently will not notify you when an extension update enables new permissions.

There have been a few cases of malicious extension take-overs in the past and a common thread is that they often request new permissions during an update. So for the sake of security, I'd like to review extensions when their permissions change across updates, before installing and running them.

> I think another useful behavior we could have here is to automatically disable extensions that request permissions they are not allowed to. Extensions installed through ExtensionSettings currently will not notify you when an extension update enables new permissions.

The problem is that you don't want an important extension (DLP for instance) to be disabled because it needs a new permission; it should just keep working in the enterprise environment (this is consistent with how Chrome and Edge work).

You can't rely on the user knowing whether or not they should reenable.

Yes, but I believe the behavior should be customizable according to the administrator's needs. Similar to installation_mode, maybe we can have something like permission_mode.

> Yes, but I believe the behavior should be customizable according to the administrator's needs. Similar to installation_mode, maybe we can have something like permission_mode.

Would you completely rely on the user though? There would be no way for the admin to say "OK, this is OK, enable it".

> There would be no way for the admin to say "OK, this is OK, enable it".

Of course, it shouldn't be the user's responsibility to activate/deactivate the extension after an update.

The way I envision it is that the administrator would review the extension after a user report (or if the admin noticed it themselves). Once the extension is deemed to comply with the organization's security policies, the administrator could then roll out updated policies containing the new permissions through an automated process. The automated process highly depends on the environment, but as an example it could be done through Microsoft Intune.

Assignee: nobody → mozilla
Status: NEW → ASSIGNED
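
An added example, not part of the bug or its patch, illustrating the two ideas discussed above: host restrictions via runtime_blocked_hosts / runtime_allowed_hosts, and flagging an update that requests new or blocked permissions. The sample policy, the function names, the simplified "scheme://host" pattern syntax and the rule that allowed hosts override blocked hosts are assumptions modelled on the Chrome-style settings named in this bug, not Firefox behaviour.

```javascript
// Constructed sample policy entry, shaped like one ExtensionSettings value.
// Key names come from this bug; the values are made up for illustration.
const settings = {
  blocked_permissions: ["nativeMessaging", "proxy"],
  runtime_blocked_hosts: ["*://*.bank.example"],
  runtime_allowed_hosts: ["*://public.bank.example"],
};

// Simplified matcher (assumption): pattern is "scheme://host", scheme may be
// "*", host may be "*" or start with "*." to cover a domain and its subdomains.
function matchesHostPattern(pattern, url) {
  const [scheme, host] = pattern.split("://");
  const u = new URL(url);
  if (scheme !== "*" && scheme + ":" !== u.protocol) return false;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return u.hostname === base || u.hostname.endsWith("." + base);
  }
  return host === "*" || host === u.hostname;
}

// Assumed precedence: an allowed-host match overrides a blocked-host match.
function hostAccessAllowed(url, s) {
  const hit = (list) => (list || []).some((p) => matchesHostPattern(p, url));
  return !hit(s.runtime_blocked_hosts) || hit(s.runtime_allowed_hosts);
}

// Compare the manifests of two versions and report what an admin should
// review before the update is allowed to run.
function reviewUpdate(oldManifest, newManifest, s) {
  const before = new Set(oldManifest.permissions || []);
  const requested = newManifest.permissions || [];
  const added = requested.filter((p) => !before.has(p));
  const blocked = requested.filter((p) =>
    (s.blocked_permissions || []).includes(p));
  return { added, blocked, needsReview: added.length > 0 || blocked.length > 0 };
}

// Constructed manifests: the update starts asking for "proxy".
const v1 = { permissions: ["storage", "tabs"] };
const v2 = { permissions: ["storage", "tabs", "proxy"] };
console.log(reviewUpdate(v1, v2, settings));
console.log(hostAccessAllowed("https://login.bank.example/", settings));
```
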

I tried to comment on the revision, but my comment remains unsubmitted for some reason. Maybe I don't have enough permissions?
Anyways, I'll repost it here:

rpl
@mkaply the Chrome docs seem to also mention another ExtensionSettings named allowed_permissions, is that something we will consider implementing (in the short and/or mid term)?

mkaply
I have not seen allowed_permissions anywhere. This is the official doc:

https://support.google.com/chrome/a/answer/9867568?hl=en

dough.mean
allowed_permissions is mentioned in this official PDF document: https://support.google.com/chrome/a/answer/9296680

In any case, I believe allowlists are absolutely crucial for security. It has been shown time and time again that the blocklist-style permission model is very fragile and too easy to break.

Thank you! I'll implement this.

I just wanted to jump in to add weight to the fact that enterprise use of Firefox really needs these settings. Short of fully controlling the permitted extensions across the estate via the extension allowlist (which is a bit of a blocker in many cases), these settings are the only way to permit fairly free extension use while still protecting tabs on mission-critical domains.

Right now Firefox presents a much higher supply-chain risk (indirectly via its addons) than any of our Chromium browsers.

Attachment #9527899 - Attachment description: Bug 1904061 - Add support for blocked_permissions. r?rpl → WIP: Bug 1904061 - Add support for blocked_permissions. r?rpl
Attachment #9527899 - Attachment description: WIP: Bug 1904061 - Add support for blocked_permissions. r?rpl → Bug 1904061 - Add support for blocked_permissions. r?rpl
See Also: → 1805205