Blocklisting/Admin

Blocklist entries are added through the AMO Admin Tools. Only authorized members of the Add-ons Team can manipulate the blocklist.

Extension blocks

1. Go to the blocklist detail page and click on Add blocklist detail.
2. Enter a clear name and descriptions for the block. End users will read these, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name.
   • See the Blocked Add-ons page for examples.
3. Set the Bug field to the blocklist bug. The bug should also have instructions for end users if the extension is heavily used.
4. In the Blocklist Item #1 section, set the add-on GUID, version range (0 to * to cover all versions) OS and Severity.
   • The OS can be set to any of these.
   • The Severity should be 1 for soft blocks and 3 for hard blocks. A severity set to 2 (reserved for a medium block), or no severity will also produce a hard block. To avoid ambiguity, these options shouldn't be used. Hard blocks should be limited to malware.

To limit a block to a specific application versions, the detail can be added with a Severity set to 0, or an invalid GUID, to keep it temporarily disabled. Then you can add a blocklist app item and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.

XML Examples

This is how the different block types look in blocklist.xml.

Soft block:

<emItem  blockID="i20" id="{AB2CE124-6272-4b12-94A9-7303C7397BD1}">
  <versionRange  minVersion="0.1" maxVersion="5.2.0.7164" severity="1">
  </versionRange>
</emItem>

Soft block with target application:

<emItem  blockID="i23" id="firefox@bandoo.com">
  <versionRange  minVersion="5.0" maxVersion="5.0" severity="1">
    <targetApplication  id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange  minVersion="3.7a1pre" maxVersion="*" />
    </targetApplication>
  </versionRange>
</emItem>

Hard block:

<emItem  blockID="i73" id="a1g0a9g219d@a1.com">
  <versionRange  minVersion="0" maxVersion="*" severity="3">
  </versionRange>
</emItem>

Extension blocks (DRAFT KINTO VERSION)

1. Login via the Kinto admin page (VPN is required)
   1. Server: https://settings-writer.prod.mozaws.net/v1/admin/
   2. Authentication method: Basic Auth
   3. Username: jdoe@mozilla.com //this is your full LDAP email address
   4. Password: your_ldap_password
2. Click on blocklist bucket :: addons
3. Click on "Create" (or edit/delete icons if you need to change an existing record)
4. Enter in the appropriate fields. Example below (see the current list¹ for more examples)
   1. guid:
   2. id:
   3. versionRange: The Firefox version range this should hit (0 to * to cover all versions)
   4. who: All users who have Savogram version 1.3.2 installed[...]
   5. bug: "https://bugzilla.mozilla.org/show_bug.cgi?id=1328594"
   6. name: Savogram 1.3.2
   7. why: Version 1.3.2 of this add-on loads remote code and performs DOM injection in an unsafe manner.
5. Information on the workflow funnel goes here
6. Information on publishing goes here

¹ Data for the blocklist can be found in the public JSON endpoint, or on addons.mozilla.org.

² [Still valid?] To limit a block to a specific application versions, the detail can be added with a Severity set to 0, or an invalid GUID, to keep it temporarily disabled. Then you can add a blocklist app item and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.

JSON Example

{
   "guid":"{de71f09a-3342-48c5-95c1-4b0f17567554}",
   "blockID":"i1493",
   "enabled":true,
   "last_modified":1484867614757,
   "details":{
      "who":"All users who have this add-on installed.",
      "created":"2017-01-12T22:17:59Z",
      "bug":"https://bugzilla.mozilla.org/show_bug.cgi?id=1329654",
      "name":"Search for Firefox Convertor (malware)",
      "why":"This is a malicious add-on that is installed using a fake name. It changes search and homepage settings."
   },
   "versionRange":[
      {
         "targetApplication":[

         ],
         "minVersion":"0",
         "maxVersion":"1.3.9",
         "severity":3
      }
   ],
   "prefs":[

   ],
   "id":"d6ec9f54-9945-088e-ba68-40117eaba24e",
   "schema":1484335370642
}

Plugin blocks

1. Go to the blocklist detail page and click on Add blocklist detail.
2. Enter a clear name and descriptions for the block. End users will read these, so they need to be clear as to why the block was put in place and what options are available. If the extension being blocked is malware, add " (malware)" at the end of the name.
   • See the Blocked Add-ons page for examples.
3. Set the Bug field to the blocklist bug. The bug should also have instructions for end users if the plugin is heavily used.
4. In the Blocklist Plugin #1 section, set the identification criteria and Severity.
   • Plugins rarely have a GUID, so we use the filename field to identify plugins. Since filenames are OS-specific, the OS field is usually redundant.
   • The OS can be set to any of these.
   • Plugin version numbers can also be tricky and inconsistent, specially on Linux, where the version number isn't properly detected. We generally use regular expressions in the Name or Descriptions to identify the versions to block.
   • Regular expressions in plugins should be meticulously tested. Regexp Pal is a good tool for this.
   • The Severity should be 1 for soft blocks and 3 for hard blocks. A severity set to 2 (reserved for a medium block), or no severity will also produce a hard block. To avoid ambiguity, these options shouldn't be used. Hard blocks should be limited to malware.
   • A Severity set to 0 has different meanings depending on the vulnerability status value. If not set, it is an update prompt block. If set to 1 or 2, it means it's a click-to-play block (1 when there's a known fixed update, 2 when there isn't).

To limit a block to a specific application versions, the detail can be added with an invalid filename, to keep it temporarily disabled. Then you can add a blocklist app item and link it to the detail item. Once that's done, the Severity or GUID can be set to their real values.

XML Examples

This is how the different block types look in blocklist.xml.

Soft block on Mac OS (where version numbers work correctly):

<pluginItem  blockID="p85">
  <match name="filename" exp="JavaPlugin2_NPAPI\.plugin" />
  <versionRange  minVersion="0" maxVersion="13.6.0" severity="1">
  </versionRange>
</pluginItem>

Update prompt block:

<pluginItem  blockID="p134">
  <match name="name" exp="Java\(TM\) Platform SE 7 U[5-6](\s[^\d\._U]|$)" />
  <match name="filename" exp="npjp2\.dll" />
  <versionRange  severity="0">
  </versionRange>
</pluginItem>

Hard block with target application:

<pluginItem  blockID="p27">
  <match name="name" exp="QuickTime Plug-in 7[.]1[.]" />
  <match name="filename" exp="npqtplugin.?[.]dll" />
  <versionRange >
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange  minVersion="3.0a1" maxVersion="3.*" />
    </targetApplication>
  </versionRange>
</pluginItem>

Graphics card blocks

1. Go to the blocklist detail page and click on Add blocklist detail.
2. Enter a name and descriptions for the block. These detail pages aren't exposed to users, so these descriptions aren't very important.
3. Set the Bug field to the blocklist bug.
4. In the Blocklist Gfx #1 section, set the data that should have been detailed on the blocklist bug.

XML Examples

<gfxBlacklistEntry  blockID="g95">
  <os>WINNT 6.1</os>
  <vendor>0x1002</vendor>
  <devices>
    <device>0x9802</device>
    <device>0x9803</device>
    <device>0x9803</device>
    <device>0x9804</device>
    <device>0x9805</device>
    <device>0x9806</device>
    <device>0x9807</device>
  </devices>
  <feature>DIRECT3D_9_LAYERS</feature>
  <featureStatus>BLOCKED_DEVICE</featureStatus>
  <driverVersion>1.0.0.0</driverVersion>
  <driverVersionComparator>GREATER_THAN_OR_EQUAL</driverVersionComparator>
</gfxBlacklistEntry>