How to block Firefox extension installs with CIS

Since Firefox extensions (add-ons) have the power to do almost anything, many parents would like to protect their children from installing undesirable ones. I found a way to do this with CIS…

This adds Firefox extensions, which always have a file extension of .XPI, to the protected files:
CIS|Defense+|Common Tasks|My Protected Files|Groups…|click Executables|Add|Select From|Browse…|type *.xpi|Apply|Yes|Apply|Apply

Allow Firefox downloads to a known folder and block otherwise (installs):
CIS|Defense+|Advanced|Computer Security Policy|double-click firefox.exe|Access Rights|Protected Files/Folders|Block|Modify…|Allowed Files/Folders|Add|Browse|type C:\Downloads*|Apply|Yes|OK|Apply|Apply|Apply

To prevent the child from changing the settings, enable the Parental Control feature. See:
https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/configuring_cis_for_maximum_security_with_zero_alerts-t37233.0.html

When the parent/administrator wants to install a Firefox extension, temporarily change to Allow:
CIS|Defense+|Advanced|Computer Security Policy|double-click firefox.exe|Access Rights|Protected Files/Folders|Allow|Apply|Apply|Apply

The settings above work in spite of the following Defense+ bugs in V3.9.95478.509:
https://forums.comodo.com/defense_bugs/protected_folders_not_protected_after_download_of_any_exe_v3995478509_x32-t41327.0.html
https://forums.comodo.com/defense_bugs/no_alert_for_firefox_write_to_protected_filesfolders_v3995478509_x32-t41370.0.html

If Comodo fixes those bugs, the access rights can be set to Ask, without the need to change.

With Firefox’s access right blocked, the user will be able to download an .XPI file to the C:\Downloads\ folder, but double-clicking the .XPI in Explorer will produce a failed install alert from Firefox. If the user double-clicks a .XPI on a web page, Firefox will also produce a failed install alert. In both cases, a temp folder remains called extensions\staged-xpis\ in the Firefox profile, which can be deleted safely after closing Firefox.

My thanks to Comodo for making CIS so flexible to support customized security like this!

I realized that some observant reader is going to say that this effort is unnecessary if Opera or Google Chrome is used instead of Firefox, as they don’t support extensions. The main reason I use Firefox is because it supports an extension to block ads, which are responsible for a significant percentage of web threats. I also found ways to automatically block super cookies with Firefox. See https://forums.comodo.com/empty-t39123.0.html

Why don’t you just disable installation in Firefox?

Open about:config (or create a user.js (a better option)) find xpinstall.enabled and set it false. Done…

I tried that already.

When the user tries to install an extension, they get a pop-up asking if they want to enable installing extensions. They just click “Yes” and proceed with the install.

Not really disabled…

So create a lock file in your profile folder to prevent access…

Explain details please.

  1. Find the names of the preferences you wish to lock (about:config).
  2. Create a file called mozilla.txt.
  3. Edit the file. The first line should be // followed by your settings…
//
lockPref("xpinstall.enabled", false);
lockPref("browser.startup.homepage", "http://....");
etc.

The hard(er) part…

  4. The file must be encoded, and renamed. Program here:

here

  5. Put the mozilla.cfg in the same directory as firefox.exe.

  6. Open all.js (normally in your fx folder) and add the following line at the end of it:
    pref("general.config.filename", "mozilla.cfg");

  7. Save and restart…
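The encoding step above is the one that usually trips people up, so here is an added example (not the poster’s program, and not code from Mozilla) that generates the locked-preference file without a separate encoder. It assumes Firefox’s default general.config.obscure_value of 13: the loader skips the first line of mozilla.cfg (which is why it must be a // comment) and then subtracts 13 from every byte before evaluating the lockPref() calls, so the generator adds 13 to every byte. The preference values, the output directory and the example homepage are hypothetical; substitute your own. On Firefox 3.x the two pref() lines it prints go at the end of all.js as described above; later Firefox versions read them from defaults/pref/local-settings.js instead.

```python
"""Generate a byte-shifted mozilla.cfg that locks Firefox preferences.

Added example, not from the forum post. Assumes the Firefox default
general.config.obscure_value = 13. Firefox skips the first line of the
file, then subtracts the obscure value from every byte and evaluates the
remainder as lockPref() calls, so we add the value to every byte here.
"""
import json
import sys
from pathlib import Path

OBSCURE_VALUE = 13  # Firefox default; set the pref to 0 to skip encoding entirely

# Preferences to lock. Hypothetical example values, not from the forum post.
LOCKED_PREFS = {
    "xpinstall.enabled": False,                          # blocks extension installs
    "browser.startup.homepage": "http://example.com/",  # hypothetical homepage
}


def js_literal(value):
    """Render a Python bool/int/str as the JavaScript literal lockPref() expects."""
    if isinstance(value, bool):          # must come before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)         # double-quoted, with \ and " escaped
    raise TypeError(f"unsupported pref type: {type(value).__name__}")


def render_cfg(prefs):
    """Plain-text mozilla.cfg: a // first line, then one lockPref() per preference."""
    lines = ["// Firefox AutoConfig file: the loader skips this first line"]
    for name, value in prefs.items():
        lines.append(f"lockPref({json.dumps(name)}, {js_literal(value)});")
    return "\n".join(lines) + "\n"


def obscure(text, shift=OBSCURE_VALUE):
    """Add `shift` to every byte (mod 256): the inverse of what Firefox does on load."""
    return bytes((b + shift) & 0xFF for b in text.encode("utf-8"))


def unobscure(data, shift=OBSCURE_VALUE):
    """Undo obscure(); handy for checking a mozilla.cfg you did not generate."""
    return bytes((b - shift) & 0xFF for b in data).decode("utf-8")


def render_loader_prefs():
    """Lines that tell Firefox to load mozilla.cfg and how it is encoded.
    Append to all.js on Firefox 3.x, or put in defaults/pref/local-settings.js later."""
    return (
        'pref("general.config.filename", "mozilla.cfg");\n'
        f'pref("general.config.obscure_value", {OBSCURE_VALUE});\n'
    )


def write_cfg(firefox_dir, prefs=LOCKED_PREFS):
    """Write the encoded mozilla.cfg next to firefox.exe and return its path."""
    out = Path(firefox_dir) / "mozilla.cfg"
    out.write_bytes(obscure(render_cfg(prefs)))
    return out


if __name__ == "__main__":
    # Usage: python make_mozilla_cfg.py "C:\Program Files\Mozilla Firefox"
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print("wrote", write_cfg(target))
    print("add these lines to the loader prefs file:")
    print(render_loader_prefs(), end="")
```

After restarting Firefox, the locked preference shows up in about:config with a lock icon and “locked” status and cannot be changed from the UI, which is what the plain user.js approach in the earlier reply could not guarantee. If the cfg fails to load, the usual cause is a first line that is not a comment or a mismatch between the shift used to encode the file and general.config.obscure_value.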

Extensions are not bad, nor are they pornographic in any way, so why the need to block them?

Good to see you are anticipating observant readers.

It is also worth mentioning some baseline safelisted auto-learning behavior, to prevent unintentional misunderstanding.
https://forums.comodo.com/defense_bugs/protected_folders_not_protected_after_download_of_any_exe_v3995478509_x32-t41327.0.html;msg301156#msg301156

Though for those willing to pursue the approach to restrict/cripple safelisted apps to the fullest extent Paranoid mode will provide what they need (including Ask alerts for whatsoever access right).

Forum members may be interested in this article about the subject:
http://voices.washingtonpost.com/securityfix/2007/05/bungled_addon_updates_endanger.html

Looks like extensions are coming to the Google Chrome browser:
http://www.washingtonpost.com/wp-dyn/content/article/2009/02/05/AR2009020502784.html

slight paranoia: A Remote Vulnerability in Firefox Extensions provides a FAQ too

Although implying that users cannot trust their DNS server is no funny thing whereas on such compromised networks not only Firefox extensions would be potentially affected (YMMV)


Simply use Sandboxie and no changes to your browser will be made.

I haven’t used Sandboxie, but that seems a potentially good strategy for the advanced user, who is also the administrator. But is Sandboxie good for a parent locking down the PC for their child using CIS Parental Control or for anyone using a limited user account (LUA) on XP?

Thanks for the detailed instructions. I’m glad to learn about another area of Firefox, and it’s good to have a way to do it with Firefox alone. I found the file all.js in the C:\Program Files\Mozilla Firefox\greprefs\ folder on my PC. But how would you temporarily allow extension installs?

For those who already have CIS installed, the CIS method looks easier. If Comodo fixes the bugs, then no CIS configuration changes are needed temporarily.

It would be more appropriate if bugs weren’t misreported in the first place… although it looks like misrepresenting design behaviors (whenever in a few cases reported as bugs) is not disregarded as well (whereas it could be an indication of misunderstanding if unintentional).

Apparently there is no fix for the above mentioned cases…

Overriding the deny permissions would be as simple as Drag&drop whereas there are also other simple ways, provided users do not neglect them, whenever paranoid mode would be a perfect match for those willing to outsmart safelisted auto-learning.

Although apparently even Firefox extensions updates could theoretically be misrepresented, it would be a moot point to prevent Firefox extension to address the possibility of a compromised network whereas it looks instrumental to provide a need.

Even crippling Firefox won’t be of much help whereas many sites do not even provide an encrypted login page whenever this would seemingly be the last of worries…

Sandboxie is awesome. But you don’t need parent lock-down features. If you have your browser forced to always start sandboxed then no changes can ever be made to your browser unless you run them outside of a sandbox. It’s very easy. Easier than what you’re suggesting.

If I understand correctly, Sandboxie doesn’t prevent installing a Firefox extension by the user – it makes Firefox effectively forget changes when Firefox is closed. This allows a user to install a malicious extension and get their identity stolen. Also, the inexperienced user is not able to save their bookmarks update between sessions.

No you are completely wrong. Please read the Sandboxie site. It tells you everything. And how did we go from Extensions to Identity theft? If you browse under a Sandbox then any changes you make such as extensions or themes will never be installed cause they never actually did get installed. Think of Sandboxie as a virtual machine. Try it yourself if you don’t believe me. You can also install programs under a sandbox. As soon as you empty the sandbox then the program is gone cause it never really got installed. It was never written to the hard drive. Yes bookmarks can be saved. There is the option to do so in Sandboxie settings.

I did spend a few hours reading the Sandboxie site. My understanding is that, from the (inexperienced) user’s point of view, they can install an extension under Sandboxie. But when they restart Firefox (new sandbox), the new extension is gone.

I used identity theft (phishing, etc.) as an example of possible results of malicious extensions – even those that are not permanently installed (because of a sandbox).

The topic of this thread is to help parents and others prevent Firefox installs by a child or another inexperienced user. Someone who investigates the Comodo forum to find this thread likely is already familiar with CIS and wants to learn more about it. I don’t understand how adding Sandboxie to CIS is simpler than the CIS configuration I suggested for this audience. I suspect that learning Sandboxie and CIS takes longer than only learning CIS, especially since new versions of Firefox may require Sandboxie updates and investigation. Also, Sandboxie requires extra memory and CPU resources when supplementing CIS than CIS alone, which I cannot afford on one of my PCs. Finally, other posts in this forum mention unresolved security flaws and/or bugs with Sandboxie. For an experienced user that doesn’t share their PC, I understand Sandboxie’s appeal.

WOW…you are completely not reading the site. Sandboxie is free. It takes 2 seconds to install it and by default needs no tweaking, unlike CIS. Also you are not adding Sandboxie to CIS. You’re adding it to your browser. To install CIS and configure it like you’re saying will take well over 15 minutes and some knowledge. A newbie can install Sandboxie within 2-3 secs and be under way. I have run Sandboxie successfully with CIS and Online Armor. It also works with Outpost. You really do not understand what the term “sandboxed” means. Heck, there are tons of people who use Sandboxie as their only means of security. BTW I have been a Firefox user for well over 5 years now and I have never seen an extension that requires my personal information.