arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

Quarantined domains aren't enforced if a certain add-on is disabled #1866

Closed Tiagoquix closed 2 days ago

Tiagoquix commented 4 days ago

If extensions.webextensions.addons-restricted-domains@mozilla.com.disabled is set to true, quarantined domains are automatically disabled.

See the following links for more information:

From my testing, this does not seem to be directly related to extensions.webextensions.restrictedDomains; you can disable/empty the latter without needing to modify the former preference.


Suggestion for user.js:

Change

https://github.com/arkenfox/user.js/blob/23caf6961483e0e55544cd4f3594734d0aa35cf0/user.js#L1044-L1046

to

```js
/* 6012: enforce Quarantined Domains [FF115+]
 * [WHY] https://support.mozilla.org/en-US/kb/quarantined-domains and https://support.mozilla.org/en-US/kb/addons-restricted-domains
 * Quarantined domains are automatically disabled if the restricted domains add-on is disabled,
 * so we make sure the add-on preference is enabled as well.
 * [1] https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.sys.mjs#772-787 ***/
user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
user_pref("extensions.webextensions.addons-restricted-domains@mozilla.com.disabled", false); // [HIDDEN PREF] [DEFAULT: false]
```

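
An added example, not part of the original post and not arkenfox or Mozilla code: a small audit that parses pref files in load order (prefs.js, then user.js) and flags the condition reported in this issue. The function names and sample contents are constructed, and treating the add-on pref as switching off quarantined domains rests on the report above.

```javascript
// Added example; not arkenfox or Mozilla code.
const QUARANTINE = "extensions.quarantinedDomains.enabled";
const ADDON_OFF =
  "extensions.webextensions.addons-restricted-domains@mozilla.com.disabled";
// Defaults as stated in the [DEFAULT: ...] notes of the suggestion above.
const DEFAULTS = { [QUARANTINE]: true, [ADDON_OFF]: false };
const PREF_RE =
  /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;

// Collect active user_pref() lines; a later line overrides an earlier one.
// Lines behind // or inside /* ... */ blocks that start a line are skipped.
function parsePrefs(text, prefs = new Map()) {
  let inBlock = false;
  for (const line of text.split(/\r?\n/)) {
    if (inBlock) {
      inBlock = !line.includes("*/");
      continue;
    }
    if (line.trimStart().startsWith("/*")) {
      inBlock = !line.includes("*/");
      continue;
    }
    const m = PREF_RE.exec(line);
    if (m) prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// sources: pref file contents in load order (prefs.js first, then user.js).
function auditQuarantine(...sources) {
  const prefs = new Map();
  for (const text of sources) parsePrefs(text, prefs);
  const get = (n) => (prefs.has(n) ? prefs.get(n) : DEFAULTS[n]);
  const findings = [];
  if (get(QUARANTINE) !== true) findings.push(`${QUARANTINE} is not true`);
  if (get(ADDON_OFF) === true) findings.push(`${ADDON_OFF} is true`);
  return { enforced: findings.length === 0, findings };
}

// Constructed sample: a prefs.js left with the add-on pref flipped,
// and a user.js that sets only the main pref.
const SAMPLE_PREFS_JS =
  'user_pref("extensions.webextensions.addons-restricted-domains@mozilla.com.disabled", true);\n';
const SAMPLE_USER_JS = [
  "/* 6012: enforce Quarantined Domains [FF115+] ***/",
  'user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]',
  '// user_pref("extensions.quarantinedDomains.enabled", false);',
].join("\n");

console.log(auditQuarantine(SAMPLE_PREFS_JS, SAMPLE_USER_JS));
```

To check a real profile, pass the contents of its prefs.js and user.js as the two arguments.
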
Thorin-Oakenpants commented 2 days ago

That pref is for SYSTEM add-ons.

Tiagoquix commented 2 days ago

Whatever that pref. may be for doesn't matter; what's relevant here is that it disables quarantined domains automatically. You can test yourself if you don't believe me.

If we want to enforce quarantined domains, we should enforce the value of this pref. too.

Thorin-Oakenpants commented 2 days ago

Who is going to change the value of that pref besides Mozilla? And if Mozilla does, it's for good reason. I see no need to interfere. Nobody else will change it, and if they do, then fuck them.

All we need to do is ensure the main pref isn't disabled due to some misguided "but censorship" or "how dare they provide security by dictating something" BS recommendation.