Hi guys,
is there a way to set "security.fileuri.strict_origin_policy" to false via GPO?
Thanks!
Can the latest release of Firefox be hardened to DISA standards through GPOs only.
We have a customer using our SaaS solution running through Firefox 91.12.0 ESR. The web application we provide requires access to the camera on the local machine so we ca… (pročitajte više)
We have a customer using our SaaS solution running through Firefox 91.12.0 ESR. The web application we provide requires access to the camera on the local machine so we can capture a photo. We give them instructions and they configure their instance of Firefox to ALLOW access to the camera, along with several other adjustments (like allowing pop-ups, and no autofill).
However, whenever they restart Firefox the camera permission reverts back to the DEFAULT of Always Ask. The other settings adjustments we make, like pop-ups and no autofill stick around, but not the camera setting.
We've checked the PREF.js file in the Profile folder and that doesn't appear to be a problem. On our in-house machines we are running the same version of Windows and Firefox and cannot reproduce the problem.
The customer has recently applied the upgrade from an earlier version of Firefox ESR to 91.12.0. The customer has also imaged the PC and copied over to a large number of additional machines for use around their organization. This problem is causing a serious disruption to their deployment of the updated PC's as we work with them to try and troubleshoot the problem.
Any ideas on what to try would be appreciated.
Some users in my organization have been complaining about FireFox location protection since the update to 103.0.2. We would like an option to completely disable this "fea… (pročitajte više)
Some users in my organization have been complaining about FireFox location protection since the update to 103.0.2. We would like an option to completely disable this "feature". Our users are complaining about having to individually make exceptions via the shield icon and selecting custom and unchecking all boxes does not work for our use case scenario. Is there any option to disable this completely or are there plans in future releases to allow us a disable feature (like you used to have) or is the only solution to switch our users to Chrome? Thanks
I am an administrator at a university and we use Blackboard and Zoom as a couple of the tools at our university. We install Firefox on all of our PCs across campus. After… (pročitajte više)
I am an administrator at a university and we use Blackboard and Zoom as a couple of the tools at our university. We install Firefox on all of our PCs across campus. After a recent update, when our instructors try to launch Zoom using the integration setup in Blackboard, the meeting fails to launch. We have found that disabling Enhanced Protection fixes this issue. Is there a way to add this exception to an install file that can be sent across many PCs on our campus? We have hundreds of PCs and going from one to another to install this exception would not be practical.
Do you have any suggestions? Justin
Hi, I've been tasked to make some changes to the way users deal with logins and passwords in the office. So, in short, one of the issues is this: is there ANY way to dis… (pročitajte više)
Hi,
I've been tasked to make some changes to the way users deal with logins and passwords in the office. So, in short, one of the issues is this: is there ANY way to disable (I'd say "hide" is more accurate) the about:logins page on Firefox?
As for policies:
Any help is appreciated. Thanks in advance!
Hi, Background: a few months ago I had to redeploy the CA for a network I manage. I was able to do so and publish the new intermediate CA's cert via Active Directory. Sin… (pročitajte više)
Hi, Background: a few months ago I had to redeploy the CA for a network I manage. I was able to do so and publish the new intermediate CA's cert via Active Directory. Since then, I've updated certs on webhosts with certs from the new CA. Whenever a user uses FF (version 91.12.0) to browse to a site with the newly signed cert, I get an error stating "sec_error_ocsp_old". I've been able to temporarily advise users to disable OCSP Validation in FF security settings, but I'd REALLY like to fix this.
Other browsers (Edge, Chrome, Opera) all load the sites without issue.
Using this the below article, I double checked the time settings on the CA, Webserver, and clients: https://support.mozilla.org/en-US/kb/troubleshoot-time-errors-secure-websites
All the machines/VMs in question show the same time source, time, time zone, and sync interval.
I'm at a loss for what is happening. Any help would be greatly appreciated.
I have a need to use regular browser (not kiosk), but disable the "open downloads folder" once a file has been downloaded. This is opening a file manager (thunar or alike… (pročitajte više)
I have a need to use regular browser (not kiosk), but disable the "open downloads folder" once a file has been downloaded. This is opening a file manager (thunar or alike) which then allows the user to browse the filesystem and open a terminal emulator from /usr/bin.
Using the policies, I am able to prompt for downloads, or select a download location, however I have been unable to completely stop the user from opening the download folder which opens a file browser.
Is there any way I can select policies or profile options for disabling the option for opening download folder?
Hi Team, I'm using the Zscaler in my network, when I use the Firefox, appear the error: "Software is Preventing Firefox From Safely Connecting to This Site www.googlead… (pročitajte više)
Hi Team, I'm using the Zscaler in my network, when I use the Firefox, appear the error:
"Software is Preventing Firefox From Safely Connecting to This Site
www.googleadservices.com is most likely a safe site, but a secure connection could not be established. This issue is caused by Zscaler Root CA, which is either software on your computer or your network.
What can you do about it?
www.googleadservices.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely...." Picture 1
I have root certificate in path: /usr/share/ca-certificates/mozilla$ Picture 2
I run the command for updates CA but it doesn't work: sudo update-ca-certificates
Errors keep popping up.
The certificate not appear in the Certificate manager > Authorities Picture 3
But if I open the firefox > Settings > Privacy & Security> Certifcates > View Certificates > Import And I import the certificate ZscalerRoot.crt and I mark the option "trust this CA to identify websites" the firefox works, and I can open the site without error message.
Picture 4
And the certificate appear in the manager certificate: Picture 5
How can I put the command terminal certificate, which I have on hundreds of machines?
Note: I need to put the certificate only for internet access.
Environment: Windows 10 22h2 clients, latest ESR build, Domain servers Windows 2016 or better. So I followed the guide https://github.com/mozilla/policy-templates/blob/m… (pročitajte više)
Environment: Windows 10 22h2 clients, latest ESR build, Domain servers Windows 2016 or better.
So I followed the guide https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings and tried to set up the config. We are using the latest ESR build but after the settings is applied I still dont have working extensions.
Here is the code
{
"*": {
"blocked_install_message": "Addon or Extension is not approved. Please submit a ticket to Help Desk if you need access to this extension.",
"install_sources": ["https://addons.mozilla.org/"],
"installation_mode": "blocked"
},
"{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/adblock-plus/latest.xpi"
},
"ciscowebexstart1@cisco.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/cisco-webex-extension/latest.xpi"
},
"{d0210f13-a970-4f1e-8322-0f76ec80adde}": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/instapaper-official/latest.xpi"
},
"appstore-mini@feedly.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/feedly_mini/latest.xpi"
},
"extension@one-tab.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/onetab/latest.xpi"
},
"support@lastpass.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/lastpass-password-manager/latest.xpi"
},
"sweb2pdfextension.4@kofax.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/latest/kofax-pdf-create-4-0/latest.xpi"
},
"Aternity-WebExt-12.1.4@aternity.com": {
"installation_mode": "allowed",
},
"its_addons_wrap@onelog.com": {
"installation_mode": "allowed",
"install_url": "https://extensions.onelog.com/extension/onelog.xpi"
}
}
I have placed the settings in HKCU but also tried in HKLM and there has been no difference. in each case I get Unable to parse JSON for Extensionsettings when checking the about:policies section and when I look at the registry I see the REG_MULTI_SZ value but when i click on it to read it I get another error message. Cannot edit ExtensionSettings: Error reading the values contents.
I tried re-entering the code and tried not listing the install URLs and even tried only listing 1 item. I haven't been able to get past this error so any help would be greatly appreciated.
on GitHub the commands are all based on Java https://github.com/mozilla/policy-templates#preferences Is there a list of all available registry settings? Or where do thes… (pročitajte više)
on GitHub the commands are all based on Java https://github.com/mozilla/policy-templates#preferences
Is there a list of all available registry settings? Or where do these Java options come from, where can I read them out?
Hello I am looking for a way to disable the QUIC protocol in Firefox by GPO. I got your latest AMDX templates but I don't see the option to modify network.http.http3.ena… (pročitajte više)
Hello
I am looking for a way to disable the QUIC protocol in Firefox by GPO. I got your latest AMDX templates but I don't see the option to modify network.http.http3.enabled.
Either an AMDX template with this option or a Registry will do the trick
Thanks
Hello, I have a problem with a pac file in our org. We download it from a server. The basic functionality is applied and it does redirect the desired traffic to the prox… (pročitajte više)
Hello,
I have a problem with a pac file in our org. We download it from a server. The basic functionality is applied and it does redirect the desired traffic to the proxy. The problem occurs when the proxy goes down, it then should automaticaly start making direct connections, but the connections fail. We want to proxy only http and https and event that with some exceptions.
It was done according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#example_6
Is there any problem with PAC file or does the browser have issues with the config?
Thanks for any help.
function FindProxyForURL(url, host) {
/* Our proxy list */ OURPROXY = "PROXY 172.22.59.X:3128; DIRECT" INOUR = "ourgroup.internal"
/* Normalize the URL and HOST for pattern matching */ url = url.toLowerCase(); host = host.toLowerCase();
/* Our Network Entry */
if (isResolvable(INOUR)) {
/* Don't proxy local services */
if (isInNet(host, "10.0.0.0", "255.0.0.0")
) {
return "DIRECT";
}
/* Proxy only http & https */
if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:") {
/* Don't proxy local hostnames (without dots) */
if (isPlainHostName(host)) {
return "DIRECT";
}
/* END: Don't proxy local hostnames */
/* START: Internal systems */
if (shExpMatch(host, "*.example.com") ||
shExpMatch(host, "example.com") ||
/* END: Internal systems */
/* START: Split VPN tunnel */
shExpMatch(host, "*.example2.com") ||
shExpMatch(host, "example2.com") ||
/* END: Split VPN tunnel */
) {
return "DIRECT";
}
/* END: Don't proxy to internal systems */
return OURPROXY;
} else {
return "DIRECT";
}
/* END: Proxy only http & https */
} else {
return "DIRECT";
}
/* END: Our Network Entry */
return "DIRECT";
}
in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webappl… (pročitajte više)
in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webapplications is working. some are allready in the list. when i make changes to the list, everything is working ok, but when i clos all mozilla windows and restart mozilla, the changes are gone.
I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. Th… (pročitajte više)
I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. There doesn't appear to be a definitive answer as to when these preferences are no longer applicable to a version of Firefox. The term "Deprecated" certainly applies they're on their way to extinction. But only a small handful of preferences have been ported over to non-deprecated template settings (like Auto Update). Is there an expected version of Firefox where all these preferences are meaningless? Or will they be supported indefinitely? "Industry recommendations' from 3rd party security vendors are bloating my policies in the domain space and I can't definitively say they are 'no longer supported as of version xyz' for all these Firefox Preference settings, which happen to be about 80% of the security parameters defined by STIG and/or CIS Workbench.
Hi there, we trying to restrict internet access that used Mozilla Firefox on client computers through Microsoft Intune. We have already configured policy by uploading A… (pročitajte više)
Hi there,
we trying to restrict internet access that used Mozilla Firefox on client computers through Microsoft Intune.
We have already configured policy by uploading ADMX template & Custom OMA-URI as described in https://github.com/mozilla/policy-templates/blob/master/README.md
We are trying to add custom allowed web sites to "WebsiteFilter" OMA-URI ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/B_WebsiteFilter_Exceptions. added web sites are not allowed. my question is what is the best way to enter URLs (I mean format) to allow list & how I can used wild card to allow all the web sites of one specific domain. eg:- microsoft
We try to deploy Extension Management Settings via GPO. Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales. Below find the J… (pročitajte više)
We try to deploy Extension Management Settings via GPO.
Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales.
Below find the JSON-settings deployed to the client, which should allow all themes and whitelisted extensions. Unfortunately this blocks everything except whitelisted IDs. See example screenshot with error-message, when trying to install a theme. We don't want to whitelist locales or themes, they should be still allowed for installation.
What I'm doing wrong? - Thanks for your feedback.
##############
{
"*": {
"installation_mode": "blocked",
"allowed_types": ["theme"]
},
"uBlock0@raymondhill.net": {
"installation_mode": "allowed"
},
"jid1-ZSMfwe4lCAw9oQ@jetpack": {
"installation_mode": "allowed"
}
}We downloaded the GPO Templates for AD and looking to customize Firefox. We would like to disable Forms and Autofill: Autofill addresses Autofill credit cards Also wou… (pročitajte više)
We downloaded the GPO Templates for AD and looking to customize Firefox.
We would like to disable Forms and Autofill: Autofill addresses Autofill credit cards
Also would like to lock down so they can't reenable if possible.
We would like to do this all through GPOs if possible. I found these in the about:config: extensions.formautofill.addresses.enabled extensions.formautofill.creditCards.enabled
But again want to do through the GPO. Is this possible?
Side note while working on GPOs, I set Exceptions for the popup blocker and they are not showing up in the browser. I also filled out to remove Search Engines but they all still appear in the browsers. These two GPO settings don't appear to be working.
I am an admin of some servers, i modify the proxy settings of firefox in a GPO, and it works, but now ont thing is that users can modify the settings of "No proxy for" in… (pročitajte više)
I am an admin of some servers, i modify the proxy settings of firefox in a GPO, and it works, but now ont thing is that users can modify the settings of "No proxy for" in Connection Settings, then add the urls, then users can access to any web site which they want to, is there a method to disable this? thanks.