Update: It looks like Flash has been updated to 220.127.116.11, so this workaround shouldn’t be needed. Save it for a rainy day (or the next time Firefox blocklists Flash.)
This big news today is that Mozilla blocked version 18.104.22.168 of Flash because of security vulnerabilities. At the time they blocked it, it was the latest version of Flash available. While this might be great for users, there are enterprises that have mission critical apps that require Flash.
Although you can use the various notifications in Firefox to re-enable Flash (it’s what Firefox calls a soft block), you might wonder how you can make sure Flash is enabled for the specific domains you need it on regardless of the status of Flash security. You can do that using the Firefox permissions manager.
The easiest way to do this is using the CCK2. When you enable all plugins for a domain on the permissions page, it makes sure that Flash and Java work on that domain even if they are vulnerable.
If you are using AutoConfig, you can add this code to your config file:
Services.perms.add(NetUtil.newURI("http://some.domain"), "plugine:flash", 1);
Services.perms.add(NetUtil.newURI("http://some.domain"), "plugin-vulnerable:flash", 1);
This will make sure that flash always works on the given domain. If you want to do this inside of your browser, you can check out the Scratchpad.
Note that for security reasons, you shouldn’t enable the vulnerable versions of Flash and Java for any domain that you don’t have control over.
With the release of Firefox 39 today also comes the final release of the Firefox 31 ESR (barring any security updates in the next six weeks).
That means you have six weeks to manage your switch over to the Firefox 38 ESR.
If you’ve been wondering if you should use the ESR instead of keeping up with current Firefox releases, now might be a good time to switch. That’s because there are a couple features coming in the Firefox mainline that might affect you. These include the removal of the distribution/bundles directory as well as the requirement for all add-ons to be signed by Mozilla.
It’s much easier going from Firefox 38 to the Firefox 38 ESR then going from Firefox 39 to the Firefox 38 ESR.
If you want to continue on the Firefox mainline, you can use the CCK2 to bring back some of the distribution/bundles functionality, but I won’t be able to do anything about the signing requirement.
I announced and released CCK2 2.1 to my mailing list subscribers last week. A couple bugs were found and fixed, and so I am officially releasing CCK 2.1.1 to the world and making it available as an update to CCK 2.0 users. You can download it here.
This new CCK2 represents a major change over previous versions in that it no longer depends on the distribution/bundles directory when using AutoConfig. It creates its own directory (cck2) that should be preserved across Firefox installs. I made this change in anticipation of Firefox 40 where the distribution/bundles directory will no longer work. For people that were using the distribution/bundles directory to distribute their own add-ons, I’ve enabled the cck2/bundles directory to serve the same purpose. As with the distribution/bundles directory, add-ons built with the SDK and restartless add-ons will not work.
Other changes in this new version include the ability to disable various new Firefox features like Pocket and Social Sharing.
I’ve also made a change to the export function that should make it easier to move CCK2 configs to other machines. If you’ve placed your resources (search plugins, certs, etc.) under your output directory, when you export your config, it will use relative paths. After transferring all the data to the new machine, you can edit the JSON file to change to the new output directory before importing.
As always, the CCK2 Wizard is provided as-is. You can open issues and feature requests, as well as participate in forum discussions at cck2.freshdesk.com, but the only way to guarantee responses is to purchase a CCK2 Support plan.
I really appreciate the support of the folks who have done that.
Beta 6 of CCK2 2.1 is available here.
This version includes the ability to turn off the following features:
- Firefox Marketplace
- Firefox Hello
- Social Sharing
- The Forget Button
Also, for AutoConfig only, it adds the ability to to install extensions that previously used to work in the distribution/bundles directory.
To use this feature, after unzipping the autoconfig.zip, create a bundles directory under the cck2 directory and place any directories there the same way you placed them in distribution/bundles.
This feature is experimental, but in my testing, it worked for most things. It will not allow you to disable safe mode, though. This only works for extensions that worked in distribution/bundles, so it does NOT work for restartless extensions.
I’d appreciate any help testing. Please report any problems you have at cck2.freshdesk.com.
Bug 1144127 was checked in. This means that starting in Firefox 40, placing add-ons in the distribution/bundles directory will no longer work.
For many years I recommended distribution/bundles as the best place for enterprises to deploy non bootstrapped extensions. It allowed them to make their extensions a part of core Firefox and prevent users from removing them. Unfortunately adware/spyware folks started using this method as well, so we lost this ability. (This is why we can’t have nice things.)
So what does this mean going forward?
- You will no longer be able to disable safe mode. You can set the environment variable MOZ_DISABLE_SAFE_MODE_KEY to prevent using the startup shortcut or set MOZ_DISABLE_AUTO_SAFE_MODE to prevent crashes from starting safe mode, but a user will always be able to start Firefox in safe mode from the command line.
It’s much more difficult for you to prevent a user from disabling any extensions you need to add for your company. You’ll probably need to do something evil like hide them inside of the add-ons manager. You can contact me if you need code to do that.
AutoConfig now becomes the preferred method of doing pretty much any Firefox configuration (since you can’t place a custom extension into the distribution/bundles directory).
I’m actively working on making the CCK2 work without the distribution directory. The latest beta is here. Obviously some features will be lost st first. I hope to bring as many back as I can. It should be ready by the end of the week I hope.
As a side note, this means that many of my blog posts will have incorrect information. I’m still trying to figure out how to solve that going forward.
The first beta of the next CCK2 is available here.
This upgrade has three main areas of focus:
- Support for the new in content preferences
- Remove the need for the distribution directory (except in the case of disabling safe mode)
- Support for new Firefox 38 features (not done yet).
Removing support for the distribution directory was a major internal change, so I would appreciate any testing you can do.
My plan is to finish support for a few Firefox 38 specific features and then release next week.
This post will provide a high level overview of changes coming up in the next Firefox ESR. This list is primarily focused on changes that will impact enterprise users. It is not intended to be an exhaustive list. For a list of all the changes, see the release notes links.
Note: Firefox Hello and Encrypted Media Extensions will NOT be part of the ESR.
- Firefox Marketplace Menu and Button
- New Search UI in more locales
- Release Notes (35.0, 35.0.1)
- Preferences in tabs
- Release Notes (38.0)
My plan is to have a new CCK2 beta that coincides with the Firefox 38 release that will allow for disabling some of these new features. It’s a beta because it also has the new code for no longer using the distribution directory.
If I missed something, please post it in the comments.
Just a reminder that the next Firefox ESR is only three weeks away. In my next post I’ll give you some details on what to expect.
Also, if there are any Firefox enterprise topics you’d like to see me cover on my blog, please let me know.
With the removal of the distribution/bundles directory, as well as multiprocess Firefox, I’m currently rewriting portions of the CCK2 to be more forward compatible.
This involves removing any dependencies on the distribution/bundles directory as well as rewriting the code to no longer use XUL overlays.
As I’m doing this work, it has me wondering; should the CCK2 be a library that you simply pass a config to and it does the work (as it is today), or should the CCK2 Wizard generate a complete AutoConfig.js file that stands alone and can be included with little or no other outside files?
In doing surveys in the past, there are quite a few people that just use AutoConfig. Would it be worthwhile to make the process of generating AutoConfig files easier? Or is this a very small group of people?
What do you think the future should hold for the CCK2?
There are a few changes that are coming for Firefox that will be major headaches for enterprise, educational, government and other institutional deployments. These include the removal of the distribution/bundles directory as well as the requirement for all add-ons to be signed by Mozilla.
Given that these two changes are not needed for enterprise, there has been some discussion of not putting these changes into the Firefox ESR.
So I’m curious: besides these two changes, what other things do you think should be different between regular Firefox and the Firefox ESR? I’m not talking about creating new features for the ESR, I’m only talking about enabling and/or disabling features.
Put your suggestions in the comments. I’ll put mine there as well.