Blocklisting/Admin: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Doing some refactoring for the kinto instructions)
(Fixed typo)
 
(5 intermediate revisions by the same user not shown)
Line 13: Line 13:
# Click on "Create" (or edit/delete icons if you need to change an existing record)
# Click on "Create" (or edit/delete icons if you need to change an existing record)
# Enter in the appropriate fields. Example below (see the current list<sup>1</sup> for more examples)
# Enter in the appropriate fields. Example below (see the current list<sup>1</sup> for more examples)
#* Keep the Enabled checkbox checked.
#* Keep the '''Enabled''' checkbox checked.
#* You'll generally want to enter the add-on ID, version range (0 to * to block all versions), and severity of the block.
#* You'll generally want to enter the '''Add-on ID''', '''Version Range''' (0 to * to block all versions), and '''Severity''' of the block.
#* The OS can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these], but OS-specific blocks are rarely needed.
#* The '''OS''' can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these], but OS-specific blocks are rarely needed.
#* The Target Application is only necessary for blocks that only target specific applications, which should also be very rare.
#* The '''Target Application''' is only necessary for blocks that only target specific applications, which should also be very rare.
#* The Preferences fields are used in case the add-on changed important Firefox preferences that need to be reset.
#* The '''Preferences''' fields are used in case the add-on changed important Firefox preferences that need to be reset.
#* The '''name''', '''why''', '''who''', and '''bug''' fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name. '''bug''' should be a Bugzilla URL.
#* The '''name''', '''why''', '''who''', and '''bug''' fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name. '''bug''' should be a Bugzilla URL.
# When done, click on '''Create Record'''. This saves the block in the '''staging''' bucket.
# If you don't need to make more changes to the block, click on '''Request review''' back in the main bucket view. The block should be moved to the '''blocklists-preview''' bucket.
# Notify your reviewer/QA that the block is ready for testing.


<sup>1</sup> Data for the blocklist can be found in the [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons/records public JSON endpoint], or on [https://addons.mozilla.org/en-US/firefox/blocked/ addons.mozilla.org].
<sup>1</sup> Data for the blocklist can be found in the [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/addons/records public JSON endpoint].
===Testing===
===Testing===
To test a staged block:
# You must first enable chrome debugging: in <code>about:config</code>, set <code>devtools.chrome.enabled</code> to <code>true</code>.
# Go to <code>about:config</code>, find the <code>extensions.blocklist.url</code> pref and change its value to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
# Open Browser Console (Tools > Web Developer > Browser Console)
#Paste and run this snippet:
  Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);


====JSON Example====
====JSON Example====
Line 55: Line 64:
}
}
</pre>
</pre>
===Deploying===
===Deploying===
# Click on '''staging bucket''' :: '''addons'''
# The staged blocks should be shown with an option to Approve.
# Approve :)


== Plugin blocks ==
== Plugin blocks ==
# Go to the [https://addons.mozilla.org/admin/models/blocklist/blocklistdetail/ blocklist detail page] and click on Add blocklist detail.
===Staging===
# Enter a clear name and descriptions for the block. End users will read these, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name.
# Click on '''staging bucket''' :: '''plugins'''
#* See the [https://addons.mozilla.org/firefox/blocked/ Blocked Add-ons page] for examples.
# Click on "Create" (or edit/delete icons if you need to change an existing record)
# Set the Bug field to the blocklist bug. The bug should also have instructions for end users if the plugin is heavily used.
# Enter in the appropriate fields. Example below (see the current list<sup>1</sup> for more examples)
# In the Blocklist Plugin #1 section, set the identification criteria and Severity.
#* Keep the '''Enabled checkbox''' checked.
#* Plugins rarely have a GUID, so we use the filename field to identify plugins. Since filenames are OS-specific, the OS field is usually redundant.
#* Plugins are usually identified by their '''Filename'''. '''Name''' and '''Description''' regular expression matches are used when the '''Filename''' doesn't work. [http://mzl.la/SemegK Regexp Pal] is a good tool for testing regular expression blocks.
#* The OS can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these].
#* The '''OS''' can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these]. It's generally only needed for Linux blocks, since Linux and Android distributions use the same filename and plugins are never blocked on Android.
#* Plugin version numbers can also be tricky and inconsistent, specially on Linux, where the version number isn't properly detected. We generally use regular expressions in the Name or Descriptions to identify the versions to block.
#* The '''Version Range''' should always be set (0 to * to block all versions).
#* Regular expressions in plugins should be meticulously tested. [http://mzl.la/SemegK Regexp Pal] is a good tool for this.
#* The '''Severity''' should always be set to 0 (click to activate).
#* The Severity should be 1 for soft blocks and 3 for hard blocks. A severity set to 2 (reserved for a medium block), or no severity will also produce a hard block. To avoid ambiguity, these options shouldn't be used. Hard blocks should be limited to malware.
#* The '''Vulnerability status''' should be set depending on whether the latest version is being blocked or not.
#* A Severity set to 0 has different meanings depending on the vulnerability status value. If not set, it is an update prompt block. If set to 1 or 2, it means it's a click-to-play block (1 when there's a known fixed update, 2 when there isn't).
#* The '''OS''' can be set to [https://developer.mozilla.org/en-US/docs/OS_TARGET any of these], but OS-specific blocks are rarely needed.
To limit a block to a specific application versions, the detail can be added with an invalid filename, to keep it temporarily disabled. Then you can add a [https://addons.mozilla.org/admin/models/blocklist/blocklistapp/ blocklist app item] and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.
#* The '''Target Application''' is only necessary for blocks that only target specific applications, which should be very rare.
#* The '''name''', '''why''', '''who''', and '''bug''' fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. '''bug''' should be a Bugzilla URL.
# When done, click on '''Create Record'''. This saves the block in the '''staging''' bucket.
# If you don't need to make more changes to the block, click on '''Request review''' back in the main bucket view. The block should be moved to the '''blocklists-preview''' bucket.
# Notify your reviewer/QA that the block is ready for testing.


===XML Examples===
<sup>1</sup> Data for the blocklist can be found in the [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/plugins/records public JSON endpoint].
This is how the different block types look in blocklist.xml.


Soft block on Mac OS (where version numbers work correctly):
===Testing===
<pre><pluginItem  blockID="p85">
  <match name="filename" exp="JavaPlugin2_NPAPI\.plugin" />
  <versionRange  minVersion="0" maxVersion="13.6.0" severity="1">
  </versionRange>
</pluginItem></pre>


Update prompt block:
To test a staged block:
<pre><pluginItem  blockID="p134">
# You must first enable chrome debugging: in <code>about:config</code>, set <code>devtools.chrome.enabled</code> to <code>true</code>.
  <match name="name" exp="Java\(TM\) Platform SE 7 U[5-6](\s[^\d\._U]|$)" />
# Go to <code>about:config</code>, find the <code>extensions.blocklist.url</code> pref and change its value to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
  <match name="filename" exp="npjp2\.dll" />
# Open Browser Console (Tools > Web Developer > Browser Console)
  <versionRange  severity="0">
#Paste and run this snippet:
  </versionRange>
  Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
</pluginItem></pre>


Hard block with target application:
===Deploying===
<pre><pluginItem  blockID="p27">
# Click on '''staging bucket''' :: '''plugins'''
  <match name="name" exp="QuickTime Plug-in 7[.]1[.]" />
# The staged blocks should be shown with an option to Approve.
  <match name="filename" exp="npqtplugin.?[.]dll" />
# Approve :)
  <versionRange >
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange  minVersion="3.0a1" maxVersion="3.*" />
    </targetApplication>
  </versionRange>
</pluginItem></pre>


== Graphics card blocks ==
== Graphics card blocks ==
Line 108: Line 109:
# In the Blocklist Gfx #1 section, set the data that should have been detailed on the blocklist bug.
# In the Blocklist Gfx #1 section, set the data that should have been detailed on the blocklist bug.


===XML Examples===
===Staging===
<pre><gfxBlacklistEntry  blockID="g95">
# Click on '''staging bucket''' :: '''gfx'''
  <os>WINNT 6.1</os>
# Click on "Create" (or edit/delete icons if you need to change an existing record)
  <vendor>0x1002</vendor>
# Enter in the appropriate fields, which should be detailed in the bug report. Example below (see the current list<sup>1</sup> for more examples)
  <devices>
#* Keep the '''Enabled checkbox''' checked.
    <device>0x9802</device>
#* The '''name''' and '''bug''' fields are used for internal record keeping and won't be shown to users. '''bug''' should be a Bugzilla URL.
    <device>0x9803</device>
# When done, click on '''Create Record'''. This saves the block in the '''staging''' bucket.
    <device>0x9803</device>
# If you don't need to make more changes to the block, click on '''Request review''' back in the main bucket view. The block should be moved to the '''blocklists-preview''' bucket.
    <device>0x9804</device>
# Notify your reviewer/QA that the block is ready for testing.
    <device>0x9805</device>
 
    <device>0x9806</device>
<sup>1</sup> Data for the blocklist can be found in the [https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/plugins/records public JSON endpoint].
    <device>0x9807</device>
===Testing===
  </devices>
To test a staged block:
   <feature>DIRECT3D_9_LAYERS</feature>
# You must first enable chrome debugging: in <code>about:config</code>, set <code>devtools.chrome.enabled</code> to <code>true</code>.
  <featureStatus>BLOCKED_DEVICE</featureStatus>
# Go to <code>about:config</code>, find the <code>extensions.blocklist.url</code> pref and change its value to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
  <driverVersion>1.0.0.0</driverVersion>
# Open Browser Console (Tools > Web Developer > Browser Console)
  <driverVersionComparator>GREATER_THAN_OR_EQUAL</driverVersionComparator>
#Paste and run this snippet:
</gfxBlacklistEntry></pre>
   Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);
 
===Deploying===
# Click on '''staging bucket''' :: '''gfx'''
# The staged blocks should be shown with an option to Approve.
# Approve :)

Latest revision as of 20:25, 21 February 2017

Blocklist entries are added through the Kinto Web Administration tool. Only authorized members of the Add-ons Team can manipulate the blocklist.

  1. Login via the Kinto admin page (VPN connection is required)
  2. Authentication method: Basic Auth
  3. Username: jdoe@mozilla.com. This is your full LDAP email address.
  4. Password: your_ldap_password

All blocks are first created in the staging bucket, are later moved to the blocklist-preview bucket for testing and review, and then deployed to the final blocklists bucket.

Extension blocks

Staging

  1. Click on staging bucket :: addons
  2. Click on "Create" (or edit/delete icons if you need to change an existing record)
  3. Enter in the appropriate fields. Example below (see the current list1 for more examples)
    • Keep the Enabled checkbox checked.
    • You'll generally want to enter the Add-on ID, Version Range (0 to * to block all versions), and Severity of the block.
    • The OS can be set to any of these, but OS-specific blocks are rarely needed.
    • The Target Application is only necessary for blocks that only target specific applications, which should also be very rare.
    • The Preferences fields are used in case the add-on changed important Firefox preferences that need to be reset.
    • The name, why, who, and bug fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name. bug should be a Bugzilla URL.
  4. When done, click on Create Record. This saves the block in the staging bucket.
  5. If you don't need to make more changes to the block, click on Request review back in the main bucket view. The block should be moved to the blocklists-preview bucket.
  6. Notify your reviewer/QA that the block is ready for testing.

1 Data for the blocklist can be found in the public JSON endpoint.

Testing

To test a staged block:

  1. You must first enable chrome debugging: in about:config, set devtools.chrome.enabled to true.
  2. Go to about:config, find the extensions.blocklist.url pref and change its value to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
  3. Open Browser Console (Tools > Web Developer > Browser Console)
  4. Paste and run this snippet:
 Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

JSON Example

{
   "guid":"{de71f09a-3342-48c5-95c1-4b0f17567554}",
   "blockID":"i1493",
   "enabled":true,
   "last_modified":1484867614757,
   "details":{
      "who":"All users who have this add-on installed.",
      "created":"2017-01-12T22:17:59Z",
      "bug":"https://bugzilla.mozilla.org/show_bug.cgi?id=1329654",
      "name":"Search for Firefox Convertor (malware)",
      "why":"This is a malicious add-on that is installed using a fake name. It changes search and homepage settings."
   },
   "versionRange":[
      {
         "targetApplication":[

         ],
         "minVersion":"0",
         "maxVersion":"1.3.9",
         "severity":3
      }
   ],
   "prefs":[

   ],
   "id":"d6ec9f54-9945-088e-ba68-40117eaba24e",
   "schema":1484335370642
}

Deploying

  1. Click on staging bucket :: addons
  2. The staged blocks should be shown with an option to Approve.
  3. Approve :)

Plugin blocks

Staging

  1. Click on staging bucket :: plugins
  2. Click on "Create" (or edit/delete icons if you need to change an existing record)
  3. Enter in the appropriate fields. Example below (see the current list1 for more examples)
    • Keep the Enabled checkbox checked.
    • Plugins are usually identified by their Filename. Name and Description regular expression matches are used when the Filename doesn't work. Regexp Pal is a good tool for testing regular expression blocks.
    • The OS can be set to any of these. It's generally only needed for Linux blocks, since Linux and Android distributions use the same filename and plugins are never blocked on Android.
    • The Version Range should always be set (0 to * to block all versions).
    • The Severity should always be set to 0 (click to activate).
    • The Vulnerability status should be set depending on whether the latest version is being blocked or not.
    • The OS can be set to any of these, but OS-specific blocks are rarely needed.
    • The Target Application is only necessary for blocks that only target specific applications, which should be very rare.
    • The name, why, who, and bug fields are shown to end users, so they need to be clear as to why the block was put in place and what options are available. bug should be a Bugzilla URL.
  4. When done, click on Create Record. This saves the block in the staging bucket.
  5. If you don't need to make more changes to the block, click on Request review back in the main bucket view. The block should be moved to the blocklists-preview bucket.
  6. Notify your reviewer/QA that the block is ready for testing.

1 Data for the blocklist can be found in the public JSON endpoint.

Testing

To test a staged block:

  1. You must first enable chrome debugging: in about:config, set devtools.chrome.enabled to true.
  2. Go to about:config, find the extensions.blocklist.url pref and change its value to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
  3. Open Browser Console (Tools > Web Developer > Browser Console)
  4. Paste and run this snippet:
 Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

Deploying

  1. Click on staging bucket :: plugins
  2. The staged blocks should be shown with an option to Approve.
  3. Approve :)

Graphics card blocks

  1. Go to the blocklist detail page and click on Add blocklist detail.
  2. Enter a name and descriptions for the block. These detail pages aren't exposed to users, so these descriptions aren't very important.
  3. Set the Bug field to the blocklist bug.
  4. In the Blocklist Gfx #1 section, set the data that should have been detailed on the blocklist bug.

Staging

  1. Click on staging bucket :: gfx
  2. Click on "Create" (or edit/delete icons if you need to change an existing record)
  3. Enter in the appropriate fields, which should be detailed in the bug report. Example below (see the current list1 for more examples)
    • Keep the Enabled checkbox checked.
    • The name and bug fields are used for internal record keeping and won't be shown to users. bug should be a Bugzilla URL.
  4. When done, click on Create Record. This saves the block in the staging bucket.
  5. If you don't need to make more changes to the block, click on Request review back in the main bucket view. The block should be moved to the blocklists-preview bucket.
  6. Notify your reviewer/QA that the block is ready for testing.

1 Data for the blocklist can be found in the public JSON endpoint.

Testing

To test a staged block:

  1. You must first enable chrome debugging: in about:config, set devtools.chrome.enabled to true.
  2. Go to about:config, find the extensions.blocklist.url pref and change its value to https://firefox.settings.services.mozilla.com/v1/preview/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
  3. Open Browser Console (Tools > Web Developer > Browser Console)
  4. Paste and run this snippet:
 Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

Deploying

  1. Click on staging bucket :: gfx
  2. The staged blocks should be shown with an option to Approve.
  3. Approve :)
Retrieved from "https://wiki.allizom.org/index.php?title=Blocklisting/Admin&oldid=1163482"