Closed Bug 2036021 Opened 1 month ago Closed 1 month ago

Feature Request: Browser Addon whitelisting

Categories

(Firefox :: Enterprise Policies, enhancement)

Firefox 150
enhancement

RESOLVED DUPLICATE of bug 1672923

People

(Reporter: stefan_matthaeus, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0

Steps to reproduce:

In my role as a systems security engineer in a large company I have to keep our systems clean and secure. Until now we weren't strict with the users about browser extensions. But for several months we have been aware that hijacking browser extensions is a new strategy by attackers to steal data from users. The advantage of this attack vector is that browser extensions are operating system independent, often not strictly controlled, and it's easy to make users install them if they promise some fancy new functions, like AI integration, privacy, security bypass (browser VPN) and so on. And through such a malware extension the attacker could steal data everywhere a user logs in with the browser. So based on security blog reports (like koi.ai), since the beginning of 2026 we already added more than 600 browser extension IDs to the blacklist functions of Chrome and Edge, and a handful to Firefox, through group policy. But this work is annoying and not the best strategy. So we decided to inventory the browser extensions used by our users, evaluate them, put the good ones on a whitelist and disallow all others (and install an approval process for new extensions).

Actual results:

Creating a whitelist for Chrome and Edge through group policy is easy, as these browsers are prepared for this security feature. But for Firefox we can't, as there is no such GPO. Firefox GPO only supports a blacklist and an install list for extensions. No whitelist.

Expected results:

Feature request:

Implement a whitelist GPO for Active Directory/Intune member Windows machines for Firefox addons and, if possible, also find a way to enable that on not centrally managed Linux systems (JSON file?).

Note: A few months ago I already complained here that on the information page of a Firefox extension one can't find the extension ID, which would be necessary for black- and whitelisting of extensions. (For Chrome and Edge it is easy to get the extension ID; it's a part of the URL displaying details of the specific extension.) Someone here at Bugzilla confirmed this, but I can't find my case anymore. That person nicely added this as a feature request / issue to the Firefox website on GitHub, but nothing has been done yet. So it is still VERY difficult to find out a Firefox addon ID to use it for black/whitelisting. My only possibility at the moment is an automatically generated report for browser extensions in our enterprise antivirus console (Sophos). And that's a chicken-and-egg question: how can I whitelist an extension if it can't be installed so that this report can scan it?

Because of that we already discussed whether it still makes sense to support the usage of Firefox in the enterprise and tell the users to use Chrome/Edge instead. I really don't want this, FF is still the better solution than Chrome/Edge for more privacy, but IT security is no fun!

Currently, after long discussion - as we really want to support FF - we decided to give the users stronger rules for FF addons, trust them to follow the advice, and to use that AV report to control them. But that's much more work than a whitelist as we have in Edge and Chrome.

Please, implement addon whitelist functionality! I think we are not alone with that experience. Thank you.

Lacking a feature is not a security flaw we need to keep hidden, so removing the security group so more people can help triage.

I'm not an expert on Firefox's enterprise policy support, but from casual reading of:

https://mozilla.github.io/policy-templates/#extensionsettings

It looks to me like you could use GPO to set a config for extension ID * with installation_mode: "blocked", and then allowlist specific add-ons, which appears to be what you're asking for?

Checking with Mike who knows our enterprise policy support better than me.

Group: firefox-core-security
Type: defect → enhancement
Component: Untriaged → Enterprise Policies
Flags: needinfo?(mozilla)

Can you tell me where you got your Firefox information? I'd like to correct it.

We support the same mechanism as Chrome/Edge (even named the same: ExtensionSettings):

https://firefox-admin-docs.mozilla.org/reference/policies/extensionsettings/

I do agree it is harder to get the extension ID. There are a couple ways to do that in Firefox.

  1. Look in about:support.
  2. Look in about:debugging

I've also created an addon that makes it easy to get an addon ID from a page on addons.mozilla.org:

https://github.com/mkaply/queryamoid/releases

We've also got a lot more going on with Firefox Enterprise. If you'd like to reach out to me via email, I'd love to have a conversation about how you are using Firefox.

Flags: needinfo?(mozilla)

Hello, it's not. I have copied the latest ADMX (which contains the new AI setting) into our SYSVOL and it has two options where I can add addon IDs. One is to block/uninstall addons (blacklisting) and one is to install addons by default for any user. This is more a "whitelist + force install" function. They are both useful and make sense in special cases, but they aren't a whitelist function. So I can forbid extensions and I can force-install extensions. But there is no whitelist from which the user can choose to install an extension or not. On Chrome/Edge there is blacklist, whitelist and force-install.

Your AMO extension can be of some help for users to identify the addon ID if they want to start the approval process for a new extension to be added to the whitelist. But there is no description in your GitHub of how it works. So without trying I can't see if it only lists the IDs of installed addons or if it displays the ID when visiting the addon's detail website. Only the second would be a good solution; the first is still the chicken-and-egg problem. And this extension is not available officially, so we can't put it into the install-automatically list.

Why is there no "edit function" here?

THis is more a "hichtelist + force install" function. --> This is more a "whitelist + force install" function.

Attached image Addon error message

In the Extensions group, there is also a setting called "Extension Management"

This allows the control you're asking for, using the JSON here:

https://firefox-admin-docs.mozilla.org/reference/policies/extensionsettings/

I didn't add the allowlist originally because at the time, Chrome was switching to ExtensionSettings and it didn't make sense to keep adding things like they were doing. I'll look at adding it.

If you use ExtensionSettings to block addon installs, you can add a custom message and it shows the name and ID of the extension, so a user can send that to you to request a specific extension.

The QueryAMOID extension is not intended to be used by end users, it's intended to be used by admins. So if a user says "I want to install the extension here: https://addons.mozilla.org/en-US/firefox/addon/gesturefy/"

You can use the addon on that page and it will give you the ID of the extension for policy.

I see this "Extension Management" entry in the GPO but it is not understandable, even with the explanation web link!

On the other side you have "Extensions to install" (= automatic install) and "Extensions to Uninstall" (= blacklist), which are easy to understand: just enable and put the extension ID in the integrated list. Very easy to understand and use. So should the whitelist function be as well. Name it "Extensions allowed" and offer a choice of "Not configured", "Disabled" and "Enabled", where in Enabled we can add the allowed extension IDs and then go on. This is the way Chrome and Edge do it as well.

For approval of extensions, using another unofficial extension to get the extension ID is too complicated. Just ask the maintainers of the extension website to add the extension ID as extra information on the extension page. This would be the easy and transparent way.

Thanks for the reply. Based on the thread, I think what you're looking for is done by 'block all extensions by default, then mark approved extension IDs as allowed':

{
  "*": {
    "installation_mode": "blocked",
    "blocked_install_message": "Contact IT to request approval."
  },
  "some-extension@example.com": {
    "installation_mode": "allowed"
  }
}

Users can install the allowed extensions, but other extensions would be blocked. Mike's screenshot shows that a message displays the name and ID of the extension when users hit a blocked extension - they can then request it to be allowed by IT.

For other extensions that you want to allowlist before users try to install it, you still need the extension IDs. For that part, there's a bug tracking adding the addon ID to AMO for convenience here: https://github.com/mozilla/addons/issues/16011

I hope that's helpful.

See Also: → 2009824
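As an added example (not from this thread, and not Mozilla's code), a small Python helper that writes the block-everything-then-allow ExtensionSettings shape above into a `policies.json` document, the file Firefox reads on Linux from `/etc/firefox/policies/policies.json` or `<install dir>/distribution/policies.json`, and that checks an existing document for the easy mistake of leaving out the `"*"` block entry. The add-on IDs in it are constructed placeholders, and the accepted ID shapes (e-mail-like or a GUID in braces) are an assumption of the checker, not a Mozilla specification.

```python
"""Generate and sanity-check a Firefox policies.json allowlist (ExtensionSettings)."""
import json
import re

# Firefox add-on IDs look like an e-mail address or a GUID in braces (assumption
# about the accepted shapes; the sample IDs below are constructed placeholders).
ADDON_ID_RE = re.compile(r"^(\{[0-9a-fA-F-]{36}\}|[^@\s{}]+@[^@\s{}]+)$")
VALID_MODES = {"allowed", "blocked", "force_installed", "normal_installed"}


def build_policies(allowed_ids, message="Contact IT to request approval."):
    """Block every add-on by default, then allow only the approved IDs."""
    settings = {"*": {"installation_mode": "blocked",
                      "blocked_install_message": message}}
    for addon_id in allowed_ids:
        if not ADDON_ID_RE.match(addon_id):
            raise ValueError(f"not a valid Firefox add-on ID: {addon_id!r}")
        settings[addon_id] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}


def check_policies(doc):
    """Return findings for a policies.json dict; empty means the allowlist holds."""
    findings = []
    settings = doc.get("policies", {}).get("ExtensionSettings")
    if settings is None:
        return ["ExtensionSettings policy is missing"]
    if settings.get("*", {}).get("installation_mode") != "blocked":
        findings.append('"*" is not blocked, so any unlisted add-on can be installed')
    for addon_id, cfg in settings.items():
        mode = cfg.get("installation_mode")
        if mode not in VALID_MODES:
            findings.append(f"{addon_id}: unknown installation_mode {mode!r}")
        if addon_id != "*" and not ADDON_ID_RE.match(addon_id):
            findings.append(f"{addon_id}: does not look like an add-on ID")
    return findings


if __name__ == "__main__":
    # Constructed approved IDs; on Linux write the output to
    # /etc/firefox/policies/policies.json (or <install dir>/distribution/policies.json).
    doc = build_policies(["approved-addon@example.com",
                          "{12345678-1234-1234-1234-123456789abc}"])
    print(json.dumps(doc, indent=2))
    print("findings:", check_policies(doc))
```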

Editing such a thing is too complicated. The editor inside of GPO is very basic and uncomfortable. The blacklist and install-force list is much easier to use, like in Chrome & Edge.

I'm duping this to a bug we've had open a while to add this.

We can make this easier (although the JSON is much more powerful).

FYI, I write the JSON elsewhere and paste it into the editor.

Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Duplicate of bug: 1672923
Resolution: --- → DUPLICATE

One step ahead... :) Now it is quite easy to get the addon ID on the website of the addon. It's not displayed directly (as besides a random ID it can also be an email address, which would be a privacy issue); there is a button which copies the addon ID into the clipboard. Thx!

So next step would be to make the whitelist as easy to administrate as the blacklist.

Hello, when will you proceed to implement whitelist functionality the same way Chrome and Edge are doing it?

JSON is maybe more powerful, but that power is usually not needed. Do you have any feedback from anywhere that many admins are using this? What is necessary is an easy whitelist. Chrome/Edge do it like this:

  1. Enable the blacklist, enter a star (*) into it for all extensions as the only member of the list.
  2. Enable the whitelist, enter the allowed IDs one by one into the list.

READY.
