How to block new add-on or plugin installations in Firefox - gHacks Tech News

How to block new add-on or plugin installations in Firefox

One of the things in Firefox that Mozilla has been criticized for in the past is that plugins get picked up by the browser automatically when they are installed. This was also the case for third party add-ons but that at least has been changed by the company so that Firefox users are asked whether they want to use a newly installed third party extension or not.

Mozilla is preparing to implement the very same feature for plugins in the future so that Firefox users will be asked whether they want to enable a new plugin or not. For now though, that feature does exist only on paper.

So what can you do, to protect your Firefox version from third party installations of plugins? What can you do to prevent the installation of add-ons by users who work with the PC?

The answer is right here. There is a hidden switch in Firefox that does that. When enabled, it will block all future installations of plugins and extensions, no matter how someone tries to install them in the browser.

Lets take a look at how you can set up that switch in your version of Firefox:

  • Type about:config into the address bar and tap on the enter key. This loads Firefox's advanced configuration screen.
  • If this is your first time here, state that you will be careful.
  • The parameter needs to be created in Firefox. To do so right-click the main pane and select New > Boolean from the context menu.
  • When asked for a name, type xpinstall.enabled
  • When asked for a value, select false

firefox software installation disabled screenshot

Once set, installations of plugins and extensions will be prevented in the browser. Should you at any time in the future need that feature again, for instance to install a new exciting add-on or plugin, you can switch the parameter to true again in the option to do so, or simply wait for the prompt that you see on the screenshot above to appear to enable it from there for the time being.

Since a prompt is shown, the parameter is more or less only useful in situations where you want to be in total control of new plugin or extension installations in Firefox. It cannot be used to prevent other users from installing add-ons or enabling plugins, as it displays the prompt that allows them to bypass the protection.

Plugins that are picked up by Firefox are still displayed in the browser but disabled by default.

Second option for browser add-ons

You can block extensions that are loaded from specific locations. This is doing using the extensions.enabledScopes preference which you can only add via an autoconfig file. Here is how that is done.

  1. Open the Firefox program directory on your system. Windows users find it under C:\Program Files (x86)\Firefox or C:\Program Files\Firefox.
  2. If you are running a different channel, you may find it named differently, for instance Nightly instead of Firefox.
  3. Open defaults in the folder, and add a new folder preferences to it if it does not exist.
  4. Place the file firefox.js into it. You can create it as a text document and rename it afterwards. If you cannot create it directly in the folder, create it in a different folder and move it in there.
  5. Add the line pref("extensions.enabledScopes", 14); to it and save it.

The preference extensions.enabledScopes can be assigned the sum of the following values or 0 to disable it.

  • 0 disables it
  • 1 will block installations of add-ons from the user's profile directory.
  • 2 will block installations referenced by the current user's Registry entry or add-ons that are in the user's extensions directory.
  • 4 will block extensions that are in the extension directory of the Firefox installation.
  • 8 will block any add-on from being loaded in Firefox if it is referenced by System Registry entries, or add-ons that are in the system's extension directory if it exists.

Add all values and use it as the value in the preference file. The 14 used above will block all extensions except for those that are placed in the user's profile directory.

  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:


    1. Bill said on February 20, 2013 at 3:10 pm

      So if I use this to block Adobe Reader plugin the next time I update AR, will I be able to update currently installed add on and plugins without enabling “xpinstall.enabled”?

      1. Martin Brinkmann said on February 20, 2013 at 5:39 pm

        Bill, the browser should pick up plugin updates automatically. I can’t seem to remember though if you need to re-enable the plugin or not.

        1. OtherBill said on February 20, 2013 at 10:02 pm

          You *do not* need to set the value to true in order to get automatic updates.

          You *do* need to set the value to true if you install an extension from a website or from a file stored on your local disk drive. You will need to do this regardless of whether you are installing a new add-on or updating an existing one.

        2. Martin Brinkmann said on February 21, 2013 at 2:57 am

          Thanks for the clarification OtherBill.

    2. imu said on February 20, 2013 at 6:41 pm

      “What can you do to prevent the installation of add-ons by users who work with the PC?” that trick won’t stop them for sure :)

    3. Transcontinental said on February 21, 2013 at 4:48 am

      Thunderbird as well.
      Thanks for this “veto”-style trick. Good to know.

    4. Marco said on February 21, 2013 at 5:04 am

      Would this also block adware?
      I had problems with ad pages opening automatically in Firefox. I used all possible malware/spyware/adware removal tools, at no avail. I also used Combofix and OTL with an ad-hoc script prepared by an engineer, agan with no success.
      In the end I found out I had an add-on in Firefox which I had never installed, called Game Center 1.0
      It wasn’t possible to unistall it (no option available), so I searched among my installed programs and there was one called GameCenter which I had never installed! After uninstalling that program from Control Panel, the annoying automatic ad pages opening disappeared.
      Would this add-on you are presenting alert me in a case like that, where a program installs an add-on without my being aware?

    5. Ken Saunders said on February 22, 2013 at 3:14 am

      Martin this great thanks!
      I’ve done the following (in Windows) so that this preference is enabled for all Firefox (release) profiles existing and new.
      Go to > C:\Program Files > Mozilla Firefox > defaults > create a folder named preferences (pref is in there, don’t use it).
      Open your text editor paste the following.
      pref(“xpinstall.enabled”, false);
      Save it as xpinstall.js (or whatever name that you’d like) and put in the preferences folder you created.

      For some reason, this didn’t work in Nightly, but I haven’t spent time yet to find out why and I haven’t tried with Aurora.

      You should be able do this with pretty much any preference that you’d like.
      There are certain preferences that I always change when creating new profiles so I’m going to dive into this more to see if I can simplify things and save myself some time in the future.

      You could setup different Firefox profiles for different users.

      For a highly advanced way.

      1. Martin Brinkmann said on February 22, 2013 at 3:17 am

        Ken, locking preferences is not working on my version of Firefox somehow. I wanted to write about it several times in the past but never got it to work.

    6. Ken Saunders said on February 22, 2013 at 3:35 am

      I didn’t use this, but using lockPref might be the key. I don’t know yet. Might be why it isn’t working in Nightly.
      I’m still researching this and right now I’m at a great and very informative article.

    7. Rabin said on February 24, 2013 at 10:04 pm

      Awesome trick. Thanks for sharing. I will certainly like to feature this article in my blog too.

    8. User said on December 10, 2017 at 8:23 pm

      Seems like should be “will allow” instead of “will block”

      This is Enabled scopes, not Disabled

    Leave a Reply