Block XPI install can be bypassed
Hi,
We are setting the firefox settings inside our organisation via a mozilla.cfg file. Users can't change this file, as they don't have rights to the location of this file.
As we only want add-ons to be installed via an "administrator", we locked down xpiinstall: lockPref("xpinstall.enabled", false);
This works fine, but recently a bypass was created by Mozilla... on the about:addons page there is an option "install from file". This option isn't blocked. Meaning, users can install add-ons. Other install options are blocked nicely though: executing the xpi-file, click install from the add-ons website, ... But, "install from file" is still working.
Anyone has a clue how to disable this option? or block installation via this way? @Mozilla, was this by design you bypassed your own security? When will this be fixed?
Thanks for suggestions and answers.
所有回覆 (8)
... but recently a bypass was created by Mozilla... on the about:addons page there is an option "install from file".
It has always been possible to "Install from file" by either using File > Open File with a saved XPI file or by dragging a saved XPI into the browser window; along with another manual method that quit working back around Firefox 30 or 31 when SDK was introduced. That fairly recent menu item just made that "XPI file" installation more visible to new or less technically inclined users.
As far as working with a mozilla.cfg file, I never had the need for it and can't help you. It's liable to be 3-6 hours before the support contributors who usually can address that subject are available. Few Mozilla employees "do support", the vast majority of us are simply Firefox users who volunteer their time to help fellow Firefox users.
Overall, that is more of a development with / for Firefox subject. So if "time is of the essence" for you please see this: https://support.mozilla.org/en-US/kb/where-go-developer-support
Opening the save xpi file via your browser, like you described, was also blocked when setting the xpiinstall to false
recently, by "making it more visible" it isn't anymore.... (double clicking the xpi and choose to open with firefox is still blocked, installing via the webbrowser by navigating to the add-ons "shop" webpage is also still blocked)
is there a setting administrators can use to block this?
See also: https://mike.kaply.com/cck2/
Beyond my level of experience with Firefox, and I can't try to duplicate what you say was changed via that about:addons pref.
I'm going to try to escalate this thread to get higher level attention for you.
Drag and drop also works for me on the about:addons page just like the menu item you mentioned, but not when I display a website. So it sounds like a bug with the permissions on the about:addons page.
cor-el said
See also: https://mike.kaply.com/cck2/
This is a nice solution, which I also checked, but not free. According the mozilla wiki pages the setting xpiinstall:false should do the trick. This should also block "install from file", otherwise the setting has no use.
@the-edmeister: thanks for escalating.
matthiasvandenberghe said
cor-el saidSee also: https://mike.kaply.com/cck2/This is a nice solution, which I also checked, but not free. According the mozilla wiki pages the setting xpiinstall:false should do the trick. This should also block "install from file", otherwise the setting has no use.
@the-edmeister: thanks for escalating.
I think the extension is free, I was just able to right-click the "Download" button and use "Save Link As...." to save it to disk.
"Support" requires payment. It used to be free for simple one-off inquires, but Mike had to start to charge for support once that extension got real popular and support was taking so much of his time, so I read somewhere.
But I don't know squat about that extension, never even looked at it out of curiosity. My enthusiasm for Firefox had lessened quite a bit before CCK came along and thus my curiosity for "all things related to Firefox".