為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Block XPI install can be bypassed

more options

Hi,

We are setting the firefox settings inside our organisation via a mozilla.cfg file. Users can't change this file, as they don't have rights to the location of this file.

As we only want add-ons to be installed via an "administrator", we locked down xpiinstall: lockPref("xpinstall.enabled", false);

This works fine, but recently a bypass was created by Mozilla... on the about:addons page there is an option "install from file". This option isn't blocked. Meaning, users can install add-ons. Other install options are blocked nicely though: executing the xpi-file, click install from the add-ons website, ... But, "install from file" is still working.

Anyone has a clue how to disable this option? or block installation via this way? @Mozilla, was this by design you bypassed your own security? When will this be fixed?

Thanks for suggestions and answers.

Hi, We are setting the firefox settings inside our organisation via a mozilla.cfg file. Users can't change this file, as they don't have rights to the location of this file. As we only want add-ons to be installed via an "administrator", we locked down xpiinstall: lockPref("xpinstall.enabled", false); This works fine, but recently a bypass was created by Mozilla... on the about:addons page there is an option "install from file". This option isn't blocked. Meaning, users can install add-ons. Other install options are blocked nicely though: executing the xpi-file, click install from the add-ons website, ... But, "install from file" is still working. Anyone has a clue how to disable this option? or block installation via this way? @Mozilla, was this by design you bypassed your own security? When will this be fixed? Thanks for suggestions and answers.

所有回覆 (8)

more options
... but recently a bypass was created by Mozilla... on the about:addons page there is an option "install from file".

It has always been possible to "Install from file" by either using File > Open File with a saved XPI file or by dragging a saved XPI into the browser window; along with another manual method that quit working back around Firefox 30 or 31 when SDK was introduced. That fairly recent menu item just made that "XPI file" installation more visible to new or less technically inclined users.

As far as working with a mozilla.cfg file, I never had the need for it and can't help you. It's liable to be 3-6 hours before the support contributors who usually can address that subject are available. Few Mozilla employees "do support", the vast majority of us are simply Firefox users who volunteer their time to help fellow Firefox users.

Overall, that is more of a development with / for Firefox subject. So if "time is of the essence" for you please see this: https://support.mozilla.org/en-US/kb/where-go-developer-support

more options

Opening the save xpi file via your browser, like you described, was also blocked when setting the xpiinstall to false

recently, by "making it more visible" it isn't anymore.... (double clicking the xpi and choose to open with firefox is still blocked, installing via the webbrowser by navigating to the add-ons "shop" webpage is also still blocked)

more options

is there a setting administrators can use to block this?

more options

Beyond my level of experience with Firefox, and I can't try to duplicate what you say was changed via that about:addons pref.

I'm going to try to escalate this thread to get higher level attention for you.

more options

Drag and drop also works for me on the about:addons page just like the menu item you mentioned, but not when I display a website. So it sounds like a bug with the permissions on the about:addons page.

more options

cor-el said

See also: https://mike.kaply.com/cck2/

This is a nice solution, which I also checked, but not free. According the mozilla wiki pages the setting xpiinstall:false should do the trick. This should also block "install from file", otherwise the setting has no use.

@the-edmeister: thanks for escalating.

more options

matthiasvandenberghe said

cor-el said
See also: https://mike.kaply.com/cck2/

This is a nice solution, which I also checked, but not free. According the mozilla wiki pages the setting xpiinstall:false should do the trick. This should also block "install from file", otherwise the setting has no use.

@the-edmeister: thanks for escalating.

I think the extension is free, I was just able to right-click the "Download" button and use "Save Link As...." to save it to disk.

"Support" requires payment. It used to be free for simple one-off inquires, but Mike had to start to charge for support once that extension got real popular and support was taking so much of his time, so I read somewhere.

But I don't know squat about that extension, never even looked at it out of curiosity. My enthusiasm for Firefox had lessened quite a bit before CCK came along and thus my curiosity for "all things related to Firefox".