Firefox for Enterprise Community Forum

I am trying to reach an internal company website (www.gqma.drw), with a certificate chain rooted in a company certificate authority. This works fine in Chrome, and worked in Firefox on my previous computer. But i recently got a new machine, and something somewhere is not quite right. I get an error message looking like this (between the ~~~s):

~~~ Someone could be trying to impersonate the site and you should not continue.

Web sites prove their identity via certificates. Firefox does not trust www.gqma.drw because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

View Certificate ~~~

If i click on the error code, i get these details:

~~~ https://www.gqma.drw/

Peer's Certificate issuer is not recognised.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:

MIICczCCAhigAwIBAgIUcg0ZTKoxYO3E5288qtNnymZ/L6AwCgYIKoZIzj0EAwIw NzEMMAoGA1UEChMDRFJXMRQwEgYDVQQLDAtJU1NAZHJ3LmNvbTERMA8GA1UEAxMI U1NETlMgQ0EwHhcNMjIwMzA5MTQxOTAwWhcNMjQwMzA4MTQxOTAwWjA5MQwwCgYD VQQKEwNEUlcxFDASBgNVBAsMC0lTU0BkcncuY29tMRMwEQYDVQQDEwoqLmdxbWEu ZHJ3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfXDxyLTebEuPHmneR4faNHoQ PouLPrBqOKnDOW/T+eexbAHcghiZqcQHoHW/Qo/kNQZYPhoHeMZK1ACdvnFTUaOB /zCB/DAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T AQH/BAIwADAdBgNVHQ4EFgQUvuzqIs1O1ioHT3qF+olSZ3dDseEwHwYDVR0jBBgw FoAUjGD9eMez/VkLc5nlNkg/U6dBgmUwNQYIKwYBBQUHAQEEKTAnMCUGCCsGAQUF BzABhhlodHRwOi8vb2NzcC5pc3MuZHJ3L3NzZG5zMB8GA1UdEQQYMBaCCiouZ3Ft YS5kcneCCGdxbWEuZHJ3MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9jZXJ0cy5p c3MuZHJ3L3NzZG5zL2NybDAKBggqhkjOPQQDAgNJADBGAiEAtEj7K/C2IHMzh175 9TpPu74YktH/1WJM12zUNIioi30CIQDpLqn09bmTFDgQDkg+0YHu1YSBTlCArWYJ KUxQUa0KPQ==

MIIB3DCCAYKgAwIBAgIUeLNrkgHyp2GhO6Ee4fyvVbGaUg0wCgYIKoZIzj0EAwIw OjEMMAoGA1UEChMDRFJXMRQwEgYDVQQLDAtJU1NAZHJ3LmNvbTEUMBIGA1UEAxML SVNTIFJvb3QgQ0EwHhcNMTcwMzAxMjA0MzAwWhcNMjcwMjI3MjA0MzAwWjA6MQww CgYDVQQKEwNEUlcxFDASBgNVBAsMC0lTU0BkcncuY29tMRQwEgYDVQQDEwtJU1Mg Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAjg18NvaBfwKP0BC/9U Cppc1W2rfSqzsY4KCRIAubItoMyQ13zp25KjVg9IF7Uru7cWQcUMvwf4+2Gb/4m4 sFSjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud DgQWBBSA3cairIJP/ooZLqrq+L9hSNwxczAfBgNVHSMEGDAWgBSA3cairIJP/ooZ Lqrq+L9hSNwxczAKBggqhkjOPQQDAgNIADBFAiAgvGnmTJgMosKFYuRJ7HZMuD/p ZTNapVJltFiGzKAtewIhAJMVQ72U+m7kLNRw6ej7icBQ9d+T4MuhGyJEeYeX5wR4

MIICYjCCAgigAwIBAgIUDZxs4OPknZA8SgUkWZ7EncHkYVIwCgYIKoZIzj0EAwIw OjEMMAoGA1UEChMDRFJXMRQwEgYDVQQLDAtJU1NAZHJ3LmNvbTEUMBIGA1UEAxML SVNTIFJvb3QgQ0EwHhcNMTcwMzAxMjA0NDAwWhcNMjcwMjI3MjA0NDAwWjA3MQww CgYDVQQKEwNEUlcxFDASBgNVBAsMC0lTU0BkcncuY29tMREwDwYDVQQDEwhTU0RO UyBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNsaSU2QU1Z5ktRf19DaXZk6 TrPko0TPZFTSYFH9bPxVJ4guUfGnN5nZ7vQajX2NJJLZEL9TZGYSsE8RD/ftcsij ge4wgeswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSMYP14x7P9WQtzmeU2 SD9Tp0GCZTAfBgNVHSMEGDAWgBSA3cairIJP/ooZLqrq+L9hSNwxczA1BggrBgEF BQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLmlzcy5kcncvc3NkbnMw LwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL2NlcnRzLmlzcy5kcncvc3NkbnMvY3Js MAoGCCqGSM49BAMCA0gAMEUCIBU5FNCu7ZmE7H1Oautblig4iA5JIgOO+4D/do2c pQ8IAiEAkIdZb5Doptfk1C5uofcvww3E0ZrSG98ZJ2+TW9sz4VA=

~~~

If i click 'View Certificate', i get a chain of three certificates:

1. Subject common name = *.gqma.drw, issuer common name = SSDNS CA, subject key ID = BE:EC:EA:22:CD:4E:D6:2A:07:4F:7A:85:FA:89:52:67:77:43:B1:E1
2. Subject common name = SSDNS CA, issuer common name = ISS Root CA, subject key ID = 8C:60:FD:78:C7:B3:FD:59:0B:73:99:E5:36:48:3F:53:A7:41:82:65
3. Subject common name = ISS Root CA, issuer common name = SS Root CA, subject key ID = 80:DD:C6:A2:AC:82:4F:FE:8A:19:2E:AA:EA:F8:BF:61:48:DC:31:73

If i go to Settings > Privacy & Security > View Certificates > Authorities, i can find both the SSDNS CA and ISS Root CA certificates. As far as i can tell, they are identical - i can open the certificate from 'View Certificate' and the corresponding one from the certificate manager and flip between tabs, and all the details are the same.

I am using Firefox 120.0, via a flatpak, on Ubuntu 22. I have given the flatpak access to /etc/ssl/certs, where my company's internal CA certificates are located.

To me, this seems like it should all work. The server has a certificate signed by an internal CA, which is signed by another internal CA, and both those internal CA certificates are in my certificate manager. So what is going wrong? Is there any way i can debug this?

We have recently enabled background updates in our organization, however I noticed that a requirement for this to work is that Firefox needs to be run with the default profile at least once after the feature is enabled. The issue we have is that not all users are actively using Firefox and therefore they are not being updated. I realize the security flaws won't be exposed if it's not in use, but management doesn't like seeing out of date browsers. Is there a way to force auto updates on all device where Firefox isn't not being used. Background updating is working for the majority of those that do use Firefox.

Also, we do have a couple of users reporting a credential prompt when updating from 119 to 119.0.1. These same users had no issues updating from 118 to 119. I have not figured out why this is happening just yet and why only for a handful of users so far. Would anyone have an idea why that is happening?

Hi,

I'm blocked because for my company i have to make a GPO that will setup the default handler for pdf files. I picked up different codes on internet but it went the same way for all of them, it didn't work. Im pretty sure that's not a GPO application issue because actually all the others setings are working perfectly.

The json code was paste on the Handlers settings as u can see in the attachement.

Hopefully that i will find help there.

Cordially.

I'm setting up addon installation through `policy.json`. Below is an example. I am wondering howto configure addons thus installed using the same file. Is it possible? If yes: where to find addon-specific keys/options? As an example: when providing below `policy.json`, starting any fresh firefox profile/installation produces the dialog "Startpage.com - Private Search Engine would like to change your default search engine from Google to Startpage.com - English. Is that OK?", followed by yes/no buttons. I would like to be able to just make the addon do so forgoing the dialog.

Thanks for any pointers.

{

 "policies": {
   "ExtensionSettings": {
     "*": {
       "blocked_install_message": "Installation of extensions only allowed from 'policy.json'.",
       "installation_mode": "blocked"
     },
     "{20fc2e06-e3e4-4b2b-812b-ab431220cada}": {
       "installation_mode": "force_installed",
       "install_url": "https://addons.mozilla.org/firefox/downloads/latest/startpage-private-search/latest.xpi"
     }
   },
   "ExtensionUpdate": true
 }

}

Hi, I have a domain network that use an app open it in mozilla firefox.when we want to print a page the url address of app print with page in top and bottom of the page. 1- i want that url dont print with it page 2- how i distribute this config to all clients with group policy? Note: when i changed the margin options that url would be removed from print page.but i want do this for all page and clients.

Hello,

I used to deploy add-ons via group policies - this worked like a charm: Firefox esr (91.11.0esr x64), ADMX-templates in Sysvol\PolicyDefinitions, Group Policies: User configuration, administrative templates, mozilla, firefox, add-ons --> install add-ons --> https://addons.mozilla.org/firefox/downloads/file/1234567/goodaddon-1.0.01.xpi

A few months ago, we had to change our network-configuration. We were using a proxy before, but our proxy had direct access to the internet. Now our proxy forwards everything to another proxy. Since about that time, add-on-deployment via gpo doesn't work anymore. It could be something else, but i suspect the proxy-change.

I tried to deploy unc-paths, internal websites and different syntaxes; none of this works:

• http://192.168.100.10/goodaddon-1.0.01.xpi
• http://internalwebsite/goodaddon-1.0.01.xpi
• https://192.168.100.10/goodaddon-1.0.01.xpi
• https://internalwebsite/goodaddon-1.0.01.xpi
• \\192.168.100.20\netshare\goodaddon-1.0.01.xpi
• \\internalfileserver\netshare\goodaddon-1.0.01.xpi
• file://///192.168.100.20/netshare/goodaddon-1.0.01.xpi
• file://///internalfileserver/netshare/goodaddon-1.0.01.xpi

As you can see I tried using internal sites, so that no proxy would be needed. And I also added these sites to the allowed add-on-installation-sites (computer configuration, same group policy). The sites are all accessible; if I enter these addresses as url, firefox can access the xpi-file.

I know how to pack add-ons into the firefox-setup-file; that still works. But first of all, firefox is already installed on most of my clients. Second, after a fresh installation of firefox with this self-created package, all add-ons are installed, but not activated. And I would like to restrict activation/deactivation of add-ons via gpo.

1. 1 Are there other ways to deploy add-ons in a domain-network (e.g. script-based)?
2. 2 Are there any logs where I could find out what exactly goes wrong?
3. 3 Are there any other syntaxes I could try (group policy urls)?
4. 4 Can anyone guess what the problem is (why it is not working anymore)?

Help would be very much appreciated.

Best regards.

Hi

  Anyone experiencing an issue with Firefox 91 ESR on Win10 with blocking downloads?  We have the desktop blocked with controlled folder access and a plugin loaded which stops downloads of most file types, but when clicked on, the box appears to save the file after regardless.  The user cannot select a file location, but if they just click save it saves to the desktop anyway.  Cannot seem to stop firefox doing this. Anyone know a fix ?

Thanks,

      Jon Dickens

Hi, I am looking for a security Hardening guidelines for Firefox from Mozilla. Could you please guide me to the right direction where I can find one.

Thanks Raju

Good morning,

I'm reaching out to see if I can get some assistance with Firefox on of our network. I'm System Admin at Goodfellow AFB. I've tried searching this issues on the web and found similar issues but solutions that were recommend online have not worked for us. Yes I have uninstalled Firefox completely and installed it from scratch. I know it has something to do with autoconfig file but not sure what exactly I'm looking for. Thanks.

Every time Firefox is opened it gives an error message (see image).

I have tried:

• Deleting and reinstalling.
• Deleting Firefox folder in //users/xxxxxxx/Library/Application Support & //Library/Caches then uninstalling Firefox.
• Both above using older Firefox versions.

This issue is happening on all of the Macs in our org. We have no custom configurations. The pkg is installed via FileWave device management. It occurs whether installed through FileWave or manually.

Thanks

My company needs to follow regulation on Export rules. I need to provide our ITAR regulation team "Vendor documentation" regarding the Export Control Classification Number (ECCN) for Mozilla Firefox ESR. They will not accept a blog or article. Any one from Mozilla able to provide this in an official capacity?

We have used Firefox in our environment for well over a year in the configuration explained here: https://help.okta.com/en-us/content/topics/directory/ad-dsso-configure-browsers.htm

OKTA is our Identity provider to do Single Sign on to our SaaS applications.

today when version 118 rolled out, this functionality stopped working. Can you help me to get this working again. Chrome and Edge are not affected, so we have options, but we would really like to use Firefox.

Thanks so much for your help

Scott

When setting Windows to "Require DoH", firefox will not resolve DNS addresses, regardless of which "Enable secure DNS" setting is picked in FireFox security settings tab.

I expected at least "Off -- Use your default DNS resolver" to work.

If Windows is configured to just "Allow DoH", Firefox has no issues resolving DNS addresses, for any of the Firefox policy settings.

For reference, you can find the DoH policy setting in windows group policy editor, here:

gpedit.msc

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Configure DNS over HTTPS

(Have to enable it, then select Configure DoH options: Require DoH.)

you may need to issue a gpupdate /force for the setting to be picked up quickly.

When looking at the ExtensionSettings page for Firefox or Chrome they both use an example that shows the registry key Software\Policies\Mozilla\Firefox\ExtensionSettings (REG_MULTI_SZ) being set to a long JSON string with every extension ID and the settings for that particular ID. For example...

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["https://yourwebsite.com/*"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },
 "https-everywhere@eff.org": {
   "installation_mode": "allowed"
 }

}

The problem with this method is that if I am installing an extension, and I overwrite what already exists in Software\Policies\Mozilla\Firefox\ExtensionSettings then all of those other settings get removed. So even if I am a non-malicious actor and just make a mistake with my installer I can easily delete every other extension's settings. Instead what I have to do is during install I have to read the current value of Software\Policies\Mozilla\Firefox\ExtensionSettings and then insert my extension's settings into the JSON blob.

So the examples that Firefox and Chrome provides do of course work, however they do not make very much sense to me. Why would it be formatted this way since all of those are additional key/value pairs and that is exactly what the registry excels at storing. So why put all of those into a single key/value instead of breaking them into multiple?

Additionally breaking them a part into multiple key/value pairs does work! So if instead of the example above I were to split them into multiple key value pairs it works just fine!

Software\Policies\Mozilla\Firefox\ExtensionSettings

   uBlock0@raymondhill.net
       "installation_mode": "force_installed",
       "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"

So knowing that this way with multiple key/value pairs works why am I bothering to ask this question at all instead of just doing it the way that makes sense to me? Well the issue is that by breaking it up into multiple key value pairs it actually overrides the other method and makes it so that all those registry settings are ignored. So it doesn't delete them but it still leaves me with nearly the exact same problem.

While I believe "my" way is superior because it uses the registry in a more common sense route, if that is not what the majority of extension developers do then it doesn't matter and I should be conforming to the other way.

As I am typing this question up I did realize just how hard/annoying it is to properly format and make it clear and digestible what the multi key/value format of the registry would look like instead of being a JSON string. So perhaps that is the reason why all the documentation puts it all as one JSON string?

Hi All,

I am trying to block the Last Pass extension in Firefox using Intune, and the ADMX configuration setting is not working on the endpoint. I've used the templates found here

https://github.com/mozilla/policy-templates/releases / Target Extension "support@lastpass.com"

And have tried using the imported admx template as well as a single line OMA-URI.

I've worked with Microsoft, and they see the correct settings on the device as pushed out via Intune, so they said it is not on their end. Any ideas why blocking named browser extenstions is not working? I've configured a few other settings with Intune/ADMX templates and they work.

Thanks! -Doug

Hello,

I have a plug-in installed on multiple machines using group policy. The installation source is a link to <my_add_on.xpi>. My question is regarding the updates approach. If I replace the source file with an updated version, but keeping the name/link the same. Will Firefox automatically update the plug-in? Only found brief docs here: https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings """

If you need to update the extension, you can change the name of the extension and it will be automatically updated. Extensions installed from file URLs will additional be updated when their internal version changes.

""" I don't point to a local file, but rather a URL. Does that make a difference. Or I'll have to provide the updates.json in the plug-in manifest that points to the latest version?

Thank you.

Hello, I am trying to manage extensions in my organization. What would be the best way to block all extensions by default and allow only certain specific extensions?

I am following the Mac OS Extension Settings Policy and adding this to a configuration profile, but I am not sure how to manipulate it to suit my needs.

What would be the best way to go about this, and what would the plist file look like?

Thanks!

Dears, Based on your documentation on https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings I am not able to successfully deliver setting to firefox app via Intune OMA-URI. Can you check this on your side and help?

ExtensionSettings [./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings] Error -2016281112

Summary Session ID 68f1c5af4fb3404789cf Resource ID Not available Extension Microsoft_Intune_DeviceSettings Content PolicyReportSettingDetailBlade Error code 404

Thank you very much

Hi there,

I'm playing with policies.json on Linux/Ubuntu now, trying to improve my knowledge of Firefox customization through different policies and user interaction after the Firefox deployment. I added a custom bookmark and extension, which show and install okay when I restart the browser. But when I delete them from within the browser and restart Firefox, they show up again. To avoid this, I can delete /etc/firefox/policies/policies.json after the Firefox deployment. Hence my questions:

• Is the deletion of the JSON file after the Firefox deployment a reasonable option at all?
• If yes, how can I automate the process silently, without user interaction?
• If no, what would be your advice to let users modify the browser settings like removing extension(s) or bookmark(s) set in policies.json so that they do not reappear after the browser restart?

Thank you! Rustam

I have one extension to be installed on the enterprise network machines. There are host permissions required to access All websites data. How can I, as an Admin, enable this host permissions for the installation ?