Firefox for Enterprise Community Forum

Hi,

I need to ask regardining this security.cert_pinning.enforcement_level. how can i set this value using the windwos server GPO? i could not find this even after copying the firefox.admx file. could someone please guide me how can i acheive it?

I would really appreciate the help!

Regards Sheras

I need to be able to hide the Extensions button from the toolbar. Is there a way to do that outside of the user.js or prefs.js? Preferably I'd like to do this though the policies.json file though I could not find any options for this.

Hello, I am trying to create a deny all & white list only gpo for Firefox extensions.

I am using the gpo; Computer Configuration/Policies/Administrative Templates/Mozilla/Firefox/Extensions/Extension Management

I started out simple using a template which worked.

{ "*": { "blocked_install_message": "Your Company Blocked Message", "installation_mode": "blocked" }, "uBlock0@raymondhill.net": { "installation_mode": "allowed" } }

However, when I tried to add in more allowed extensions it now longer worked and was able to install any extension.

{ "*": { "blocked_install_message": "Your Company Blocked Message", "installation_mode": "blocked" }, "uBlock0@raymondhill.net": { "installation_mode": "allowed" }, "querymoid@kaply.com": { "installation_mode": "allowed" } }

Good afternoon,

We're currently trying to set up a Hardening Guide for Firefox ESR but are struggling with a few policies and setting wildcards.

For example, we're trying to set an origin in Cookies > Block Settings to something like "*", and we get the error "Ignoring parameter "*" - not a valid origin."

In Chrome / Edge you can set a wildcard like this: [*.]google.com for example - we receive the same error message for this.

Can you do such a thing for Firefox ESR without having to list every site you want to block?

ESR Version: 115.6.0esr (64-bit)

Kind Regards, Ethan Jerrum

We are currently considering using Firefox ESR as our default browser but experiencing a few issues and one of them is with our configured SailPoint IdentityIQ Single Sign-On Experience, which uses Basic Authentication.

Issue Description First, the login button needs to be clicked multiple times before access to the site is granted. Once signed in, the Firefox inbuilt authentication dialogue appears, prompting the user to log in again (see the attached screenshot). The landing page is only presented after clicking the login button several times. This creates a poor user experience, sometimes causing pages to load improperly. Interestingly, the same process works seamlessly in Edge Chromium.

Troubleshooting Steps Taken I have already attempted the following: 1. Temporarily disabled all custom and security settings in mozilla.cfg and config.json. 2. Temporarily disabled Firefox Tracking Protection. 3. Allowed third-party cookies for the specific URL. 4. Upgraded Firefox Version to 128.7.0 5. Since our Firefox browser is significantly hardened, I have also enabled and reconfigured the following settings in mozilla.cfg to ensure Basic Authentication is allowed, functions properly, and suppresses Firefox’s authentication prompt, but without success:

network.http.phishy-userpass-length = 255 network.http.use-basic-auth network.automatic-ntlm-auth.allow-non-fqdn network.automatic-ntlm-auth.trusted-uris security.enterprise_roots.enabled security.enterprise_roots.enabled

Observations from SailPoint Team Our colleagues from SailPoint have tested the setup in their environment, and according to them, it works as expected. However, their browser is not hardened, and they have leveraged the SailPoint UI for authentication instead of the built-in Firefox authentication prompt.

Further Investigation • Is there a specific configuration required in the user profile settings? • Network trace analysis shows 404 errors on GET requests and the following error codes on POST requests: • 302 Redirect: Mozilla Documentation • 408 Request Timeout: Mozilla Documentation

Next Steps Is there a specific security setting that needs to be enabled or disabled? Are there any particular Firefox enterprise policies we should modify? I have also attached screenshots for reference. Let me know if you need specific logs or network traces for further troubleshooting.

One of our vendors websites does not load under Firefox ESR, with errors in the console pointing to CSP. Error is: Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src")

However if I load the site under the normal Firefox release, it displays correctly. When looking at errors in console, it is showing 3 errors for CSP, however it does not stop the site from working correctly. Content-Security-Policy: The page's settings blocked the loading of a resources at https://..... ("connect-src") or ("img-src")

The site is https://app.approvalmax.com If you get the login screen then the site is working otherwise just getting a green background when it is not working.

I am unsure why ESR and RR versions are behaving differently in this case. Using the latest versions of each.

Hi everyone. I have installed Firefox on all windows 10 workstations and I have also installed latest Firefox Group Policy ADMX on Server. I need to set some preferences on all Workstations. The preferences that I want to set are the ones that can be found in about:config.

But the problem is that only some of these preferences exist in Group Policy by default and it says "deprecated". I know that I can add additional about:config preferences in a Group Policy object called "Preferences". But no matter how I enter the format or how I change the JASON file, no preference policy is applied to Firefox in workstations. By the way when I change "Preferences" gpo in group Policy the next Policy called "Preferences (JASON on one file)" does also change. I have thoroughly searched the web and Mozilla support and have tested all suggestions but all to no avail. Can you please help me and Give me an example of how to do that? I would appreciate any answer in advance.

Hi,

We are using Firefox Enterprise on Windows Server 2016 Remote Desktop for approx 100 users.

The users need very often to create a new profile when launching FireFox, and then loose all their bookmarks.

Is there a way to manage the profiles correctly to bypass this problem ?

Thank you for your help ! Have a nice day.

Firefox (129.0.2) displays "401 - Unauthorized: Access is denied due to invalid credentials" (see attached image)

I have tried various combinations of setting and not setting the following in Firefox:

• network.negotiate-auth.trusted-uris
• network.negotiate-auth.delegation-uris
• network.auth.use-sspi

For the URI settings I have tried both .domainname.domainextension and https://servicename.domainname.domainextension

In Windows 10 Control Panel -> Internet Options, the site is in "Trusted sites" using a domain wildcard, and also "Local intranet" and both "Automatic logon" and "Enable Integrated Windows Authentication" are enabled. I suspect those setting aren't relevant since other browsers are authenticating without error or prompt, but calling this out to show that I've covered that base.

The web service is served by IIS 10.0 on Windows Server 2022 and the authentication provider list only includes Negotiate, but I don't believe this issue has anything to do with IIS or its configuration as, again, other browsers are authenticating without error or prompt.

Anything else to check?

Thank you for any guidance you can offer.

Hello,

We have a vulnerability scanner in our environment that tells us when Firefox needs to be updated. We found that in order to update it, we need to go the settings tab and then to the updates portion of the menu to initiate the update. After this we are asked to restart. Any way to avoid this entire process?

Is there a way to force Firefox updates within a specified time window via group policy? The ADMX templates appear to allow enabling or disabling updates or enforcing background updates, but we are not seeing an option in Group Policy to configure a delay or time window for searching for app updates.

Hi

  Anyone experiencing an issue with Firefox 91 ESR on Win10 with blocking downloads?  We have the desktop blocked with controlled folder access and a plugin loaded which stops downloads of most file types, but when clicked on, the box appears to save the file after regardless.  The user cannot select a file location, but if they just click save it saves to the desktop anyway.  Cannot seem to stop firefox doing this. Anyone know a fix ?

Thanks,

      Jon Dickens

Can we set up these gpo`s so that there is a check for dependencies?

Windows (GPO)

Software\Policies\Mozilla\Firefox\SecurityDevices\Add\NAME_OF_DEVICE_TO_ADD = PATH_TO_LIBRARY_FOR_DEVICE Software\Policies\Mozilla\Firefox\SecurityDevices\Remove\1 = NAME_OF_DEVICE_TO_REMOVE

Thank you.

When looking at the ExtensionSettings page for Firefox or Chrome they both use an example that shows the registry key Software\Policies\Mozilla\Firefox\ExtensionSettings (REG_MULTI_SZ) being set to a long JSON string with every extension ID and the settings for that particular ID. For example...

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["https://yourwebsite.com/*"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },
 "https-everywhere@eff.org": {
   "installation_mode": "allowed"
 }

}

The problem with this method is that if I am installing an extension, and I overwrite what already exists in Software\Policies\Mozilla\Firefox\ExtensionSettings then all of those other settings get removed. So even if I am a non-malicious actor and just make a mistake with my installer I can easily delete every other extension's settings. Instead what I have to do is during install I have to read the current value of Software\Policies\Mozilla\Firefox\ExtensionSettings and then insert my extension's settings into the JSON blob.

So the examples that Firefox and Chrome provides do of course work, however they do not make very much sense to me. Why would it be formatted this way since all of those are additional key/value pairs and that is exactly what the registry excels at storing. So why put all of those into a single key/value instead of breaking them into multiple?

Additionally breaking them a part into multiple key/value pairs does work! So if instead of the example above I were to split them into multiple key value pairs it works just fine!

Software\Policies\Mozilla\Firefox\ExtensionSettings

   uBlock0@raymondhill.net
       "installation_mode": "force_installed",
       "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"

So knowing that this way with multiple key/value pairs works why am I bothering to ask this question at all instead of just doing it the way that makes sense to me? Well the issue is that by breaking it up into multiple key value pairs it actually overrides the other method and makes it so that all those registry settings are ignored. So it doesn't delete them but it still leaves me with nearly the exact same problem.

While I believe "my" way is superior because it uses the registry in a more common sense route, if that is not what the majority of extension developers do then it doesn't matter and I should be conforming to the other way.

As I am typing this question up I did realize just how hard/annoying it is to properly format and make it clear and digestible what the multi key/value format of the registry would look like instead of being a JSON string. So perhaps that is the reason why all the documentation puts it all as one JSON string?

Hi, I am looking for a security Hardening guidelines for Firefox from Mozilla. Could you please guide me to the right direction where I can find one.

Thanks Raju

I would like to prevent users to navigate on the Linux system when they view a PDF and then use the Save option. The "PDFjs" policy enables or disables the PDF Viewer but does not control the built-in PDF Viewer menus.

Hi All,

I'm using Firefox on 24 PC's in a primary school computer Lab, I have had reports of students installing extensions and plugins that i wish to stop, also i've had issues with students not signing out of their email and other students gaining access.

Im looking for solutions for the following and was hoping someone could point me in the right direction -

1. Disabling the installations of extensions and plugins. 2. Clearing browsing history/logging out of any accounts. 3. Locking settings so students can't change settings.

Any help would be greatly appreciated. Adam

I have a number of servers which need firefox updating They do not have internet.

There is one machine that does have internet

How do i get them to point to that server for updates?

FF should have an easy deployment console for rolling out their product.

I saw something about an MAR server however its not clear.

We just have WSUS so cant use that to update like Edge.

With Firefox 115.14.0esr, 115.2esr and 128.xesr we can`t log in into a company website with a certificate. After the certificate login we end up on the WebSeal again. Http status 302 for pkmslogin.form and pkmscertpromptstagen is called ~12x repeatedly with 302 error each time and then jump back to the login screen.