Closed Bug 381525 Opened 18 years ago Closed 15 years ago

Ability to turn off loading of global extensions

Categories

(Toolkit :: Add-ons Manager, enhancement)

enhancement
Not set
normal

Tracking

VERIFIED FIXED
mozilla1.9.3a5

People

(Reporter: dveditz, Assigned: mossop)

Details

(Whiteboard: [AddonsRewrite])

"admin" from Torrify writes that somewhere along the way we've added the ability to load globally installed extensions (not in the install directory nor the profile directory) using the Windows registry (not sure if we have similar features on other platforms). This is described at http://developer.mozilla.org/en/docs/Adding_Extensions_using_the_Windows_Registry
Users who choose to use a "portable" type Firefox for security (Portable Firefox or Torrify, for example) would be dismayed to know that something installed on the Internet Cafe's PC could insinuate itself into their Firefox. It's also probable that some non-browser apps built on XULRunner would appreciate the ability to restrict where external chrome can be loaded without having to hack their own copy of the Extension Manager.
(A similar issue applies to plugins, but since that's handled in different code I'll file a separate bug.)
Flags: blocking-firefox3?
Of course the PC you visit could be infested with keyloggers and screen scrapers. Fixing this is no guarantee of safety, but many cafes do anti-malware scans that have a decent chance of catching keyloggers and the like based on behavior but are unlikely to be looking for malware that hooks Firefox, at least not until it becomes pervasive.
I don't think this blocks, but if we can get a patch that does this we'd take it.
Flags: blocking-firefox3? → blocking-firefox3-
Product: Firefox → Toolkit
This is something that would also be useful for the testing environments. I was burned the other week when talos failed to run due to my globally installed add-ons.
This has now received attention from major media. Fortunately, the blame is going to Microsoft for now.
We need the ability to disable global extensions from Firefox. We need this because illegitimate extensions, like Microsoft's .NET, take advantage of our politeness/weakness in not checking what is installed, or in giving the user any options to make configuration changes regarding global extensions from within Firefox.
Yes, since we do not run at Ring 0, the enhancement called for here would not be 100% secure. Nothing is 100% secure. Security is layers. This would be an important layer to have, contra the frequently-heard argument to the effect that "keyloggers/malware could be infesting your machine, hence we need not implement any security measures whatsoever."
http://voices.washingtonpost.com/securityfix/2009/05/microsoft_update_quietly_insta.html
"Microsoft Update Quietly Installs Firefox Extension
"A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser. . . . ."
The Digg thread that links to the above article is full of incorrect information, by the way. If we take control of our own application, the confusion would significantly dissipate.
http://digg.com/security/Microsoft_Update_Secretly_Installs_Firefox_Extension
Blocks: 495687
(In reply to comment #4)
> We need the ability to disable global extensions from Firefox. We need this
> because illegitimate extensions, like Microsoft's .NET, take advantage of our
> politeness/weakness in not checking what is installed, or in giving the user
> any options to make configuration changes regarding global extensions from
> within Firefox.
Users can already disable global extensions within Firefox. This bug would be about providing something that system administrators/customisers could use to completely ignore all global extensions. It wouldn't be something that would be generally user exposed in my opinion.
OS: Windows XP → All
Hardware: x86 → All
No longer blocks: 495687
Fixed by bug 555486
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee: nobody → dtownsend
Depends on: 555486
Flags: in-testsuite+
Flags: in-litmus-
Whiteboard: [AddonsRewrite]
Target Milestone: --- → mozilla1.9.3a5
Dave, does it mean someone has to create an extension to disable the installation of globally installed add-ons? We suffer from the same problem in our Mozmill tests and would need a solution.
(In reply to comment #7)
> Dave, does it mean someone has to create an extension to disable the
> installation of globally installed add-ons? We suffer from the same problem in
> our Mozmill tests and would need a solution.
Just setting extensions.enabledScopes is enough
Thanks Dave. Works perfect on Linux with Ubufox. Filed bug 579745 for the Mozmill behavior. Marking as verified fixed with Mozilla/5.0 (X11; Linux i686; en-US; rv:2.0b2pre) Gecko/20100718 Minefield/4.0b2pre
Status: RESOLVED → VERIFIED
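An added example, not part of the bug thread or Mozilla's code: a Node.js check that reads the text of a profile's prefs.js or user.js and reports whether the extensions.enabledScopes setting mentioned above still allows extensions from outside the profile and install directory. The bit values (1 profile, 2 user, 4 application, 8 system) follow the AddonManager SCOPE_* constants and are not stated in the bug; the default mask of 15 and the sample prefs are assumptions.

```javascript
// Added example, not Mozilla code. Bit values follow the AddonManager SCOPE_*
// constants (not stated in the bug itself).
const SCOPES = { profile: 1, user: 2, application: 4, system: 8 };
// "Global" locations: outside both the profile and the install directory.
const GLOBAL_MASK = SCOPES.user | SCOPES.system;

// Return the value of extensions.enabledScopes set in prefs.js/user.js text,
// or null if it is not set. Later user_pref() lines override earlier ones;
// commented-out lines do not match because of the line anchor.
function readEnabledScopes(prefsText) {
  const re =
    /^\s*user_pref\(\s*"extensions\.enabledScopes"\s*,\s*(-?\d+)\s*\)\s*;/gm;
  let value = null;
  for (const m of prefsText.matchAll(re)) value = parseInt(m[1], 10);
  return value;
}

// defaultMask is an assumption (all four scopes on); pass the default of the
// build being audited if it differs.
function auditScopes(prefsText, defaultMask = 15) {
  const set = readEnabledScopes(prefsText);
  const mask = set === null ? defaultMask : set;
  return {
    explicit: set !== null,
    mask,
    enabled: Object.keys(SCOPES).filter((name) => mask & SCOPES[name]),
    loadsGlobalExtensions: (mask & GLOBAL_MASK) !== 0,
  };
}

// Constructed sample: a locked-down portable profile (profile + application).
const samplePortable = [
  "// user.js for a portable profile (constructed sample)",
  '// user_pref("extensions.enabledScopes", 15);',
  'user_pref("browser.startup.page", 0);',
  'user_pref("extensions.enabledScopes", 5);',
].join("\n");
// Constructed sample: a profile that never sets the pref.
const sampleUnset = 'user_pref("browser.startup.page", 0);';

console.log(auditScopes(samplePortable));
console.log(auditScopes(sampleUnset));
```

A value of 5 keeps profile and install-directory extensions while ignoring user-wide and system-wide locations; a profile that leaves the pref unset is reported against the assumed default.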