Accessibility is not working with Microsoft Defender DLP application
Categories
(Core :: Disability Access APIs, defect, P2)
Tracking
()
People
(Reporter: psamady, Assigned: morgan, NeedInfo)
Details
(Keywords: enterprise)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Steps to reproduce:
User agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0"
On macOS, the Microsoft Defender dlpdaemon process is entitled to receive accessibility information.
However, it does not receive the full accessibility tree for Firefox, preventing it from extracting the URL. Interestingly, when the Accessibility Inspector is opened, something changes, and the dlpdaemon then receives the complete AX tree.
Actual results:
DLP daemon fails to retrieve the URL
Expected results:
The DLP daemon needs access to the complete accessibility tree to retrieve the URL successfully.
|
||
Comment 1•9 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'Firefox::Data Loss Prevention' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Updated•9 months ago
|
|
||
Updated•9 months ago
|
|
||
Comment 2•9 months ago
|
||
Marking as an S2 because DLP does not work at all on Firefox without this resolved.
|
||
Comment 3•2 months ago
|
||
What is the end-user impact of this?
Microsoft Defender DLP is a security solution that helps prevent sensitive data from leaving the organization.
When it cannot access the full accessibility tree in Firefox, it’s unable to accurately identify sensitive content shared through the browser.
In such cases, DLP relies on network-level analysis, which is less precise and can lead to a higher rate of false positives.
To maintain data protection effectiveness and reduce noise, Firefox is therefore blocked in most enterprise environments.
|
Assignee | |
Comment 5•2 months ago
•
|
||
(In reply to Pedram from comment #4)
Microsoft Defender DLP is a security solution that helps prevent sensitive data from leaving the organization.
When it cannot access the full accessibility tree in Firefox, it’s unable to accurately identify sensitive content shared through the browser.
In such cases, DLP relies on network-level analysis, which is less precise and can lead to a higher rate of false positives.
To maintain data protection effectiveness and reduce noise, Firefox is therefore blocked in most enterprise environments.
As a workaround, you can set accessibility.force_disabled = -1 in about:config
|
|
||
Comment 6•2 months ago
|
||
(In reply to Pedram from comment #4)
Microsoft Defender DLP is a security solution that helps prevent sensitive data from leaving the organization.
When it cannot access the full accessibility tree in Firefox, it’s unable to accurately identify sensitive content shared through the browser.
In such cases, DLP relies on network-level analysis, which is less precise and can lead to a higher rate of false positives.
To maintain data protection effectiveness and reduce noise, Firefox is therefore blocked in most enterprise environments.
Mike, this might be interesting in the context of Firefox for Enterprise, in case you are not aware.
|
|
Assignee | |
Comment 7•2 months ago
•
|
||
/removing comment per 1:1 discussion -- we need to investigate exactly what DLP is requesting here. I've put in a service desk request for access.
|
|
Assignee | |
Updated•2 months ago
|
|
|
Assignee | |
Comment 8•2 months ago
|
||
P2'ing this per Frank's concern about enterprise impact
Unfortunately, the suggested workaround didn't solve the issue (accessibility.force_disabled = -1)
|
||
Comment 10•2 months ago
|
||
I've reached out to the Purview team about this to see if they were aware.
|
|
Assignee | |
Comment 11•1 month ago
|
||
(In reply to Pedram from comment #9)
Unfortunately, the suggested workaround didn't solve the issue (accessibility.force_disabled = -1)
If you navigate to about:support, can you provide the information you see there, both with this pref on and with this pref off? That will help us investigate this further.
|
|
||
Comment 12•1 month ago
|
||
FYI, Pedram is with Microsoft on the Purview team.
They are currently not recommending Firefox due to this limitation.
|
Reporter | |
Comment 13•1 month ago
|
||
|
|
Reporter | |
Comment 14•1 month ago
|
||
|
|
Reporter | |
Comment 15•1 month ago
|
||
Hi Team,
Thank you for your help in investigating this issue.
Please let me know if you need any additional information from my side.
Attached:
force_disabled_minus_one.txt
force_disabled_zero.txt
|
|
Assignee | |
Comment 16•1 month ago
|
||
Interesting, it looks like in the force_disabled=-1 case, our accessibility engine is not instantiating, but it is working in the regular case...
I'm not sure this is as cut-and-dry as we'd hoped, but I can still work with you to debug. I'll follow up on email. Thank you :)
|
|
Assignee | |
Comment 17•1 month ago
|
||
Hmm, on second look I'm not sure your pref-flip went through.
Underneath the Accessibility heading in about:support, there's a table row with "Prevent Accessibility: 0". This value is coped from the accessibility.force_disabled preference.
In both the about:support samples you shared, this value is 0. This means the -1 value was never saved or applied.
Can you try setting the value to -1 again and re-sharing your about:support info? Note you'll need to refresh about:support after the pref-flip (or close the tab and open a new one). It won't update automatically.
STR:
- Navigate to
about:config - Search for
accessibility.force_disabled - Click on the "0" to the right of the preference name
- Delete the "0" and enter "-1"
- Hit return on your keyboard or click the checkmark to the right of the newly entered value
- Open a new tab and navigate to
about:support - Save and post your
about:supportresults here
|
|
||
Comment 18•1 month ago
|
||
I'd also suggest restarting Firefox after any change to accessibility.force_disabled, just to be extra certain it applies correctly.
Description
•