User Allow list overrides company level blocklist, unblocking all blocked websites
Categories
(Firefox Enterprise :: Console, defect)
Tracking
(Not tracked)
People
(Reporter: lburuian, Unassigned)
References
(Blocks 1 open bug)
Attachments
(1 file: 5.61 MB, video/quicktime)
Found in
- Firefox Enterprise 149.0a1 (2026-02-21)
Tested platforms
- Affected platforms: All
Preconditions
- Have a WebsiteFilter policy set up at the company level, blocking some websites.
{
"Block": [
"https://www.reddit.com/",
"https://www.youtube.com/"
]
}
- Restart Enterprise and make sure the websites are blocked.
Steps to reproduce
- At the user level, set up a WebsiteFilter policy to allow some other websites (different from the ones in the company policy).
- Restart the Enterprise client for the changes to take effect.
Expected result
- The company blocked websites are still not accessible.
Actual result
- The company blocked websites are now accessible.
Additional notes
- This also occurs when, at user level, you set up a WebsiteFilter policy to only allow some of the sites blocked by the company level policy.
Updated•9 days ago
Comment 1•8 days ago
hey Luminita,
can you please share what specific values you've set in both cases?
also I don't understand fully the Expected and Actual results, they read the same way to me.
Thank you!
Hello Julien,
Thank you for looking into this. I edited the Actual result, sorry about that.
This was set at company level:
{
"Block": [
"https://www.reddit.com/",
"https://www.youtube.com/"
]
}
This was set at user level:
{
"Allow": [
"https://www.reddit.com/"
]
}
We later noticed that no matter what websites we set as Allow at user level, all the company blocked websites get unblocked.
{
"Allow": [
"https://www.facebook.com/*",
"https://facebook.com/*",
"https://www.instagram.com/*",
"https://instagram.com/*",
"https://www.twitter.com/*",
"https://twitter.com/*",
"https://www.tiktok.com/*",
"https://tiktok.com/*"
]
}
Arguably, by setting a custom policy at user level, you basically uncheck the inheritance, but we still feel this is not really clear and could create issues in policy setting.
Please let me know if I can be of more assistance.
Comment 3•8 days ago
Thank you, then I think this is the expected outcome: the policies are not merged, they are completely replaced. Once you set the policy at the user level, the policy at the company level does not exist anymore for this user.
I understand the confusion though, and that could be an improvement in how we handle policies in the future. Flagging Romain for the future roadmap, but I don't think this is a bug for Pilot.
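The replace-not-merge behaviour described in Comment 3, as an added audit sketch that is not part of the bug thread or of Firefox Enterprise code: it lists which company-level Block entries stop applying for each user that has a user-level WebsiteFilter policy. The user names, function names and the assumption that a user-level policy accepts the same Block key as the company one are hypothetical.

```python
import json

# Constructed inputs: the company policy and two user-level overrides quoted in
# this bug, plus one user ("carol", hypothetical) with no user-level policy.
COMPANY = json.loads('{"Block": ["https://www.reddit.com/", "https://www.youtube.com/"]}')
USER_OVERRIDES = {
    "alice": {"Allow": ["https://www.reddit.com/"]},
    "bob": {"Allow": ["https://www.facebook.com/*", "https://facebook.com/*"]},
    "carol": None,
}

def effective_policy(company, user):
    """Replace semantics from Comment 3: a user-level policy is used alone, never merged."""
    return company if user is None else user

def dropped_blocks(company, user):
    """Company Block entries that stop applying once the user-level policy replaces it."""
    kept = set(effective_policy(company, user).get("Block", []))
    return [url for url in company.get("Block", []) if url not in kept]

def audit(company, overrides):
    """Map each user to the company blocks that their override silently removes."""
    report = {}
    for name, policy in overrides.items():
        lost = dropped_blocks(company, policy)
        if lost:
            report[name] = lost
    return report

def restate_blocks(company, user):
    """Return a user-level policy that repeats the company Block list.
    Assumption: a user-level policy accepts the same Block key as the company one."""
    merged = dict(user)
    blocks = list(user.get("Block", []))
    for url in company.get("Block", []):
        if url not in blocks:
            blocks.append(url)
    merged["Block"] = blocks
    return merged

if __name__ == "__main__":
    print(json.dumps(audit(COMPANY, USER_OVERRIDES), indent=2))
```

How Allow and Block interact when the same URL appears in both lists of one policy is not stated in this thread, so the sketch only checks that the company entries are still present.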
Comment 4•8 days ago
Agreed it would be an improvement, not in scope for pilot.
Let's keep the bug open and figure out how to address the legitimate feedback in the policy UI or in the docs.
Updated•1 day ago