Bug 1525357 - Don't allow third party installs if xpinstall disabled by policy. r=kmag a=lizzard DEVEDITION_66_0b12_BUILD1 DEVEDITION_66_0b12_RELEASE FIREFOX_66_0b12_BUILD1 FIREFOX_66_0b12_RELEASE
authorMichael Kaply <mozilla@kaply.com>
Fri, 08 Feb 2019 19:17:36 +0000
changeset 516203 67710331eb1f09878f5524b76490cf1730049f5e
parent 516202 420d4410f71f9cc7a53c13885c973134e5b3bd9a
child 516204 bf393d217b1a8fe53f2bcf97f3f66c3074b0593c
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
treeherdermozilla-release@9c35dcbaa899 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskmag, lizzard
bugs1525357
milestone66.0
Bug 1525357 - Don't allow third party installs if xpinstall disabled by policy. r=kmag a=lizzard Differential Revision: https://phabricator.services.mozilla.com/D18727
browser/components/enterprisepolicies/Policies.jsm
toolkit/mozapps/extensions/internal/XPIDatabase.jsm
--- a/browser/components/enterprisepolicies/Policies.jsm
+++ b/browser/components/enterprisepolicies/Policies.jsm
@@ -664,16 +664,17 @@ var Policies = {
       if ("Allow" in param) {
         addAllowDenyPermissions("install", param.Allow, null);
       }
       if ("Default" in param) {
         setAndLockPref("xpinstall.enabled", param.Default);
         if (!param.Default) {
           blockAboutPage(manager, "about:debugging");
           setAndLockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
+          manager.disallowFeature("xpinstall");
         }
       }
     },
   },
 
   "NoDefaultBookmarks": {
     onProfileAfterChange(manager, param) {
       if (param) {
--- a/toolkit/mozapps/extensions/internal/XPIDatabase.jsm
+++ b/toolkit/mozapps/extensions/internal/XPIDatabase.jsm
@@ -2323,16 +2323,22 @@ this.XPIDatabaseReconcile = {
 
     // If it's a new install and we haven't yet loaded the manifest then it
     // must be something dropped directly into the install location
     let isDetectedInstall = isNewInstall && !aNewAddon;
 
     // Load the manifest if necessary and sanity check the add-on ID
     let unsigned;
     try {
+      // Do not allow third party installs if xpinstall is disabled by policy
+      if (isDetectedInstall && Services.policies &&
+          !Services.policies.isAllowed("xpinstall")) {
+        throw new Error("Extension installs are disabled by enterprise policy.");
+      }
+
       if (!aNewAddon) {
         // Load the manifest from the add-on.
         let file = new nsIFile(aAddonState.path);
         aNewAddon = XPIInstall.syncLoadManifestFromFile(file, aLocation);
       }
       // The add-on in the manifest should match the add-on ID.
       if (aNewAddon.id != aId) {
         throw new Error(`Invalid addon ID: expected addon ID ${aId}, found ${aNewAddon.id} in manifest`);