How to block new add-on or plugin installations in Firefox
One of the things in Firefox that Mozilla has been criticized for in the past is that plugins get picked up by the browser automatically when they are installed. This was also the case for third party add-ons but that at least has been changed by the company so that Firefox users are asked whether they want to use a newly installed third party extension or not.
Mozilla is preparing to implement the very same feature for plugins in the future so that Firefox users will be asked whether they want to enable a new plugin or not. For now though, that feature does exist only on paper.
So what can you do, to protect your Firefox version from third party installations of plugins? What can you do to prevent the installation of add-ons by users who work with the PC?
Update: Mozilla changed the way extension installations are set in Firefox. The organization added a policy system to Firefox that Enterprise admins and home users may utilize. One of the easier options is to use the Firefox Policy Generator add-on to generate the policies, but it is also possible to configure the policy manually. The policy in question is InstallAddonsPermission.
Policies can be specified using a policies.json file which needs to be placed in the distribution folder (create it) of the Firefox installation.
Here is an example policy file:
{
"policies": {
"InstallAddonsPermission": {
"Allow": ["http://example.org/",
"http://example.edu/"],
"Default": [true|false] /* If this is set to false, add-ons cannot be installed by the user */
}
}
}
Windows administrators may also use Group Policy templates, and Mac OS X admins configuration profiles. End
Old information that does not apply to current versions of Firefox
The answer is right here. There is a hidden switch in Firefox that does that. When enabled, it will block all future installations of plugins and extensions, no matter how someone tries to install them in the browser.
Lets take a look at how you can set up that switch in your version of Firefox:
- Type about:config into the address bar and tap on the enter key. This loads Firefox's advanced configuration screen.
- If this is your first time here, state that you will be careful.
- The parameter needs to be created in Firefox. To do so right-click the main pane and select New > Boolean from the context menu.
- When asked for a name, type xpinstall.enabled
- When asked for a value, select false
Once set, installations of plugins and extensions will be prevented in the browser. Should you at any time in the future need that feature again, for instance to install a new exciting add-on or plugin, you can switch the parameter to true again in the option to do so, or simply wait for the prompt that you see on the screenshot above to appear to enable it from there for the time being.
Since a prompt is shown, the parameter is more or less only useful in situations where you want to be in total control of new plugin or extension installations in Firefox. It cannot be used to prevent other users from installing add-ons or enabling plugins, as it displays the prompt that allows them to bypass the protection.
Plugins that are picked up by Firefox are still displayed in the browser but disabled by default.
Second option for browser add-ons
You can block extensions that are loaded from specific locations. This is doing using the extensions.enabledScopes preference which you can only add via an autoconfig file. Here is how that is done.
- Open the Firefox program directory on your system. Windows users find it under C:\Program Files (x86)\Firefox or C:\Program Files\Firefox.
- If you are running a different channel, you may find it named differently, for instance Nightly instead of Firefox.
- Open defaults in the folder, and add a new folder preferences to it if it does not exist.
- Place the file firefox.js into it. You can create it as a text document and rename it afterwards. If you cannot create it directly in the folder, create it in a different folder and move it in there.
- Add the line pref("extensions.enabledScopes", 14); to it and save it.
The preference extensions.enabledScopes can be assigned the sum of the following values or 0 to disable it.
- 0 disables it
- 1 will block installations of add-ons from the user's profile directory.
- 2 will block installations referenced by the current user's Registry entry or add-ons that are in the user's extensions directory.
- 4 will block extensions that are in the extension directory of the Firefox installation.
- 8 will block any add-on from being loaded in Firefox if it is referenced by System Registry entries, or add-ons that are in the system's extension directory if it exists.
Add all values and use it as the value in the preference file. The 14 used above will block all extensions except for those that are placed in the user's profile directory.
FYI, in 2019 Firefox 67 this has changed. If you want to prevent someone from installing Addons, you need to create a policies.json file and disable it.
https://github.com/mozilla/policy-templates/blob/master/README.md#installaddonspermission
So if you’re doing this on MacOS, you’d do the following:
open Terminal
cd /Applications/Firefox.app/Contents/Resources
mkdir distribution
Then create a file called “policies.json” and put it inside the distribution directory. It should have the following contents:
{
“policies”: {
“InstallAddonsPermission”: {
“Allow”: [“http://example.org/”,
“http://example.edu/”],
“Default”: false
}
}
}
Seems like should be “will allow” instead of “will block”
https://dxr.mozilla.org/mozilla-release/rev/d47195ec274d20ed53ff0eb0ea2f72f7168f6ad9/toolkit/mozapps/extensions/internal/XPIProvider.jsm#2106
This is Enabled scopes, not Disabled
Awesome trick. Thanks for sharing. I will certainly like to feature this article in my blog too.
I didn’t use this, but using lockPref might be the key. I don’t know yet. Might be why it isn’t working in Nightly.
I’m still researching this and right now I’m at a great and very informative article.
http://mike.kaply.com/2012/03/16/customizing-firefox-autoconfig-files/
Martin this great thanks!
I’ve done the following (in Windows) so that this preference is enabled for all Firefox (release) profiles existing and new.
Go to > C:\Program Files > Mozilla Firefox > defaults > create a folder named preferences (pref is in there, don’t use it).
Open your text editor paste the following.
pref(“xpinstall.enabled”, false);
Save it as xpinstall.js (or whatever name that you’d like) and put in the preferences folder you created.
For some reason, this didn’t work in Nightly, but I haven’t spent time yet to find out why and I haven’t tried with Aurora.
You should be able do this with pretty much any preference that you’d like.
There are certain preferences that I always change when creating new profiles so I’m going to dive into this more to see if I can simplify things and save myself some time in the future.
@imu,
You could setup different Firefox profiles for different users.
https://www.ghacks.net/2011/08/05/how-to-create-multiple-firefox-profiles-for-specific-tasks/
https://developer.mozilla.org/en-US/docs/Profile_Manager
https://developer.mozilla.org/en-US/docs/Mozilla/Multiple_Firefox_Profiles
For a highly advanced way.
http://mike.kaply.com/2012/07/03/customizing-firefox-blocking-add-ons/
Ken, locking preferences is not working on my version of Firefox somehow. I wanted to write about it several times in the past but never got it to work.
Would this also block adware?
I had problems with ad pages opening automatically in Firefox. I used all possible malware/spyware/adware removal tools, at no avail. I also used Combofix and OTL with an ad-hoc script prepared by an engineer, agan with no success.
In the end I found out I had an add-on in Firefox which I had never installed, called Game Center 1.0
It wasn’t possible to unistall it (no option available), so I searched among my installed programs and there was one called GameCenter which I had never installed! After uninstalling that program from Control Panel, the annoying automatic ad pages opening disappeared.
Would this add-on you are presenting alert me in a case like that, where a program installs an add-on without my being aware?
Thanks.
Thunderbird as well.
Thanks for this “veto”-style trick. Good to know.
“What can you do to prevent the installation of add-ons by users who work with the PC?” that trick won’t stop them for sure :)
Martin,
So if I use this to block Adobe Reader plugin the next time I update AR, will I be able to update currently installed add on and plugins without enabling “xpinstall.enabled”?
Bill, the browser should pick up plugin updates automatically. I can’t seem to remember though if you need to re-enable the plugin or not.
You *do not* need to set the value to true in order to get automatic updates.
You *do* need to set the value to true if you install an extension from a website or from a file stored on your local disk drive. You will need to do this regardless of whether you are installing a new add-on or updating an existing one.
Thanks for the clarification OtherBill.