Closed
Bug 246375
Opened 20 years ago
Closed 18 years ago
Themes should not be required to be whitelisted.
Categories
(Core Graveyard :: Installer: XPInstall Engine, defect)
Core Graveyard
Installer: XPInstall Engine
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: bzjs1, Assigned: dveditz)
Details
(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: reverted in 304931)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608 With the addition of the XPInstall whitelist, theme installation from unlisted servers became impossible, even though installing themes through InstallTrigger.installChrome(InstallTrigger.SKIN, ...) is considered safe. Theme installation using this method should be exempt from the whitelist requirement. A workaround for this issue is to package themes as XPIs and have the users install them from the local filesystem. This makes themes dangerous and theme authors should not be tempted to resort to XPIs. Reproducible: Always Steps to Reproduce:
Comment 1•20 years ago
|
||
Are themes really safer than extensions?
(In reply to comment #1) > Are themes really safer than extensions? AFAIK there are two different ways of installing a theme: 1) XPI package with embedded install script 2) JAR package with a call to InstallTrigger.installChrome(InstallTrigger.SKIN, ...) from a webpage Firefox seems to offer another one (extension-manager), but I expect it to be functionally similar to method 2. Method one is clearly not safer and should not be treated differently. An XPI packaged theme is exactly as powerful as any other XPI package. Method two involves no theme-provided scripts. The InstallTrigger.installChrome() function can apparently install dangerous things too, but with InstallTrigger.SKIN as first argument, no theme-provided code will be executed, neither during the install nor later. Themes which are installed this way are marked with c:allowScripts="false" in chrome.rdf. I have not looked at the relevant Mozilla code though, so I may not be aware of all possible ways to have external code executed. Anyways, it _should_ not be possible to introduce code with normal themes. If a theme needs to add code, it can resort to the XPI method and be subjected to whatever security measures are chosen for fully fledged XPI packages.
Comment 3•20 years ago
|
||
Themes can modify UI in pretty much any way they want. For example, a theme could make the XPI dialog look like a normal alert and hide the Cancel button. Themes might be able to introduce chrome JavaScript through XBL, making them exactly as dangerous as XPIs.
(In reply to comment #3) > For example, a theme could make the XPI dialog look > like a normal alert and hide the Cancel button. After a little experimentation, I confirm that this is possible. Security related dialogs should probably not be accessible to themes to avoid two-stage attacks. > Themes might be able to introduce chrome JavaScript through XBL, making them > exactly as dangerous as XPIs. This is not possible due to the c:allowScripts="false" property in chrome.rdf.
Assignee | ||
Updated•20 years ago
|
Assignee: xpi-engine → dveditz
Assignee | ||
Comment 5•20 years ago
|
||
Fixed on trunk plus aviary and 1.7 branches
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0,
fixed1.7.x
Resolution: --- → FIXED
Comment 6•20 years ago
|
||
One consequence of this is that I'm hearing many more reports now of failed Theme installs. Since it's easier for users to try to install themes, they grab a worthless one off some website, and when they switch and reload Firefox they're getting the "Error: No XBL Binding..." message. Security may not be an issue, but these bad themes are giving Firefox a bad name.
Comment 7•20 years ago
|
||
(In reply to comment #3) > Themes might be able to introduce chrome JavaScript through XBL, making them > exactly as dangerous as XPIs. This is my thought as well. I'm thinking spyware in particular. Monitoring URL's visited via getBrowser().currentURI.spec on some action, etc. etc. This is obviously tough to do, but perhaps forming a group to audit extensions, themes before hosting on u.m.o and whitelisting only that is the best solution. Themes scare me a bit. But I'm no security pro.
Comment 8•19 years ago
|
||
See also bug 304931, "Installing theme from website allowed, even though website is not whitelisted".
Assignee | ||
Updated•18 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 9•18 years ago
|
||
Jesse's right, this was undone by bug 304931 and will stay that way. Themes should be considered more like screen savers (active, potentially dangerous content) than images (safe static content).
Status: REOPENED → RESOLVED
Closed: 20 years ago → 18 years ago
Resolution: --- → WONTFIX
Whiteboard: reverted in 304931
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•