Firefox keeps requesting Documents folder permission without explaining why
Categories
(Firefox :: Profile Backup, defect)
Tracking
()
People
(Reporter: sam, Assigned: hsohaney, NeedInfo)
References
Details
Recently, on macOS, Nightly keeps requesting access to my Documents folder. Because there is no explanation given at the time of requesting access, it appears malicious, so I keep denying access.
I noticed within the browser console the following error when this occurs, so I believe the backup service is responsible:
BackupService: There was an error while looking for backups: DOMException: Could not get children of `/Users/sam/Documents/Restore Firefox' (NS_ERROR_FILE_ACCESS_DENIED) BackupService.sys.mjs:5124:23
findIfABackupFileExists resource:///modules/backup/BackupService.sys.mjs:5124
I've never used this feature. Could this user experience be improved so that it does not make Firefox appear to be maliciously sniffing my Documents folder?
|
||
Comment 1•28 days ago
|
||
Thanks for reporting this.
I'm not super familiar with backup. Are we deliberately using Documents here, Chris?
I've got some painful memories of macOS' directory access restrictions. In some cases there is deeper magic that Apple (deliberately) provides no way to figure out or give a good user experience for - I'd point at bug 1493103 and various others (for when users initiate imports from Safari and macOS makes it Really Complicated; but also keeps some kind of magic flag set if you ever make it through, which in turn makes testing and verifying fixes Even More Complicated) if interested. In that vein... Stephen, is it expected we don't get access to Documents by default? Can we test if we have access in some way before showing the OS prompt? Are there better locations we could/should use as a default?
|
Assignee | |
Comment 2•28 days ago
|
||
We do default to the Documents folder for saving backups on MacOS. Unfortunately we don't check for access when doing the initial finding for backups, but I'm not sure how to avoid the access request since the intended flow is to look for a valid backup file in Documents/Restore Firefox so users can restore their profiles. We should however, atleast respect the user's choice not to give access to the Documents folder. As it stands, it might request it every startup.
Did the prompt show up again and again even after you dismissed it/denied access?
|
Reporter | |
Comment 3•27 days ago
|
||
(In reply to Harshit Sohaney [:hsohaney] from comment #2)
Did the prompt show up again and again even after you dismissed it/denied access?
It does eventually show up again, but not immediately.
|
||
Comment 4•27 days ago
|
||
(In reply to :Gijs (he/him) from comment #1)
Stephen, is it expected we don't get access to
Documentsby default? Can we test if we have access in some way before showing the OS prompt? Are there better locations we could/should use as a default?
Yes, it's expected that we don't have default access to Documents and there isn't a way to test for access without triggering this OS prompt. A better location for this type of data would be something like ~/Library/Application Support/Firefox/BackupService/ which does not trigger the OS prompt. I'm not sure if Documents was deliberately chosen because it is different from ~/Library/Application Support/Firefox/ where we store our Profiles data.
|
|
Assignee | |
Comment 5•27 days ago
|
||
Documents was mainly chosen for portability (which we wanted for backups for the purpose of device migration). It was also primarily designed for windows (which doesnt ask for this prompt) - is there a better place to put backups into which is visible to users and easily portable?
|
|
||
Comment 6•27 days ago
|
||
(In reply to Harshit Sohaney [:hsohaney] from comment #5)
Documents was mainly chosen for portability (which we wanted for backups for the purpose of device migration). It was also primarily designed for windows (which doesnt ask for this prompt) - is there a better place to put backups into which is visible to users and easily portable?
This depends on the kind of "visibility to users" that you require. Documents may be the right choice, but the user should be informed at the time of opting into the feature that they will need to provide access to this directory. If you are referring to a similar level of visibility as for Profiles, then ~/Library/Application Support/Firefox/BackupService/ (or similar) would be the right choice.
|
|
||
Comment 7•6 days ago
|
||
(In reply to :Gijs (he/him) from comment #1)
I'm not super familiar with backup. Are we deliberately using
Documentshere, Chris?
Based on Harshit's comments I assume the answer is yes.
(In reply to Stephen A Pohl [:spohl] from comment #6)
(In reply to Harshit Sohaney [:hsohaney] from comment #5)
Documents was mainly chosen for portability (which we wanted for backups for the purpose of device migration). It was also primarily designed for windows (which doesnt ask for this prompt) - is there a better place to put backups into which is visible to users and easily portable?
This depends on the kind of "visibility to users" that you require.
Documentsmay be the right choice, but the user should be informed at the time of opting into the feature that they will need to provide access to this directory. If you are referring to a similar level of visibility as for Profiles, then~/Library/Application Support/Firefox/BackupService/(or similar) would be the right choice.
Bouncing this one back to Harshit to arrive at an actionable next step here (possibly after liaising with Chris and/or product folks), to be summarized in the bug. Obvious choices so far:
- move the default macOS location elsewhere;
- not probe the directory on macOS unless backups are enabled / stop probing after the first startup of the browser
- set a flag (pref) if access fails to stop probing again each startup
- document this better / give users a more informed chance to try this again if permission is not given first time
- gather telemetry on how often this fails
There may be others (and these aren't mutually exclusive)
Off-hand, I think the status quo means:
- the feature basically won't work for macOS users (as trying to use it on a new machine, Firefox likely won't have access to the directory);
- we'll be prompting every new Firefox user on macOS for this permission on first startup and that really sucks, in terms of user experience.
So I think this should be fairly high priority. Perhaps we could add a symlink in the Documents folder when creating backups (which does require explicit user input!) so that they become more discoverable that way (I don't think ~/Library/ is particularly user-discoverable)
|
|
Reporter | |
Comment 8•6 days ago
|
||
(In reply to :Gijs (he/him) from comment #7)
So I think this should be fairly high priority.
This is going to hit release in a week. Should this be disabled for macOS before then to prevent unnecessary friction when users upgrade?
|
|
Assignee | |
Comment 9•5 days ago
•
|
||
hmmm maybe it's just me, but an application requesting access to a folder doesn't seem that detrimental to UX right? Imo not something worth stopping the train ride for - but I'll let Chris chime in here too.
Either ways, we should add a guard against reprompting after first startup - that seems particularly annoying if the user chooses not to give access. The only reason this is requesting access is to LOOK for any existing backup files - if we do decide this has too much friction, we can just disable the finding mechanism for macOS. The feature can stay as is
|
|
||
Comment 10•5 days ago
•
|
||
(In reply to Harshit Sohaney [:hsohaney] from comment #9)
hmmm maybe it's just me, but an application requesting access to a folder doesn't seem that detrimental to UX right? Imo not something worth stopping the train ride for - but I'll let Chris chime in here too.
The concern here is that users don't know why Firefox is requesting access to this folder. This leads to questions/concerns as in the description of this bug:
(In reply to Sam Johnson from comment #0)
I've never used this feature. Could this user experience be improved so that it does not make Firefox appear to be maliciously sniffing my Documents folder?
Users get the impression that this is malicious. There is no way to differentiate this between a legitimate access request vs. a user being "hacked" by a malicious website, extension or otherwise.
|
|
||
Comment 11•5 days ago
•
|
||
(edit: fix dupe comment)
(In reply to Harshit Sohaney [:hsohaney] from comment #9)
hmmm maybe it's just me, but an application requesting access to a folder doesn't seem that detrimental to UX right? Imo not something worth stopping the train ride for - but I'll let Chris chime in here too.
Stephen answered this well, I think:
(In reply to Stephen A Pohl [:spohl] from comment #10)
The concern here is that users don't know why Firefox is requesting access to this folder. This leads to questions/concerns as in the description of this bug:
(In reply to Sam Johnson from comment #0)
I've never used this feature. Could this user experience be improved so that it does not make Firefox appear to be maliciously sniffing my Documents folder?
Users get the impression that this is malicious. There is no way to differentiate this between a legitimate access request vs. a user being "hacked" by a malicious website, extension or otherwise.
Honestly given macOS users aren't really the primary audience for this feature anyway, I think we should disable on macOS while we evaluate. Our window to do this for 152 is rapidly closing so we would need to make a decision soon.
|
||
Comment 12•5 days ago
|
||
Disabled on Fx151 beta via Bug 2039334. As mentioned in Comment 11, there is little time to fix this for Fx152 also
|
||
Comment 13•4 days ago
|
||
The bug is marked as tracked for firefox152 (nightly). However, the bug still isn't assigned.
:pluk, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
|
||
Updated•4 days ago
|
Description
•