Closed Bug 246375 Opened 20 years ago Closed 18 years ago

Themes should not be required to be whitelisted.

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

Product:
Core Graveyard
Component:
Installer: XPInstall Engine
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: bzjs1, Assigned: dveditz)

Details

(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: reverted in 304931) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608

With the addition of the XPInstall whitelist, theme installation from unlisted
servers became impossible, even though installing themes through
InstallTrigger.installChrome(InstallTrigger.SKIN, ...) is considered safe.
Theme installation using this method should be exempt from the whitelist
requirement.

A workaround for this issue is to package themes as XPIs and have the users
install them from the local filesystem. This makes themes dangerous and theme
authors should not be tempted to resort to XPIs.

Reproducible: Always
Steps to Reproduce:
Are themes really safer than extensions?
(In reply to comment #1)
> Are themes really safer than extensions?

AFAIK there are two different ways of installing a theme:
1) XPI package with embedded install script
2) JAR package with a call to InstallTrigger.installChrome(InstallTrigger.SKIN,
...) from a webpage

Firefox seems to offer another one (extension-manager), but I expect it to be
functionally similar to method 2.

Method one is clearly not safer and should not be treated differently. An XPI
packaged theme is exactly as powerful as any other XPI package.

Method two involves no theme-provided scripts. The
InstallTrigger.installChrome() function can apparently install dangerous things
too, but with InstallTrigger.SKIN as first argument, no theme-provided code will
be executed, neither during the install nor later. Themes which are installed
this way are marked with c:allowScripts="false" in chrome.rdf.

I have not looked at the relevant Mozilla code though, so I may not be aware of
all possible ways to have external code executed. Anyways, it _should_ not be
possible to introduce code with normal themes. If a theme needs to add code, it
can resort to the XPI method and be subjected to whatever security measures are
chosen for fully fledged XPI packages.
Themes can modify UI in pretty much any way they want.  For example, a theme
could make the XPI dialog look like a normal alert and hide the Cancel button.

Themes might be able to introduce chrome JavaScript through XBL, making them
exactly as dangerous as XPIs.
(In reply to comment #3)
> For example, a theme could make the XPI dialog look
> like a normal alert and hide the Cancel button.

After a little experimentation, I confirm that this is possible. Security
related dialogs should probably not be accessible to themes to avoid two-stage
attacks.


> Themes might be able to introduce chrome JavaScript through XBL, making them
> exactly as dangerous as XPIs.

This is not possible due to the c:allowScripts="false" property in chrome.rdf.
Assignee: xpi-engine → dveditz
Fixed on trunk plus aviary and 1.7 branches
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0, fixed1.7.x
Resolution: --- → FIXED
One consequence of this is that I'm hearing many more reports now of failed
Theme installs.  Since it's easier for users to try to install themes, they grab
a worthless one off some website, and when they switch and reload Firefox
they're getting the "Error: No XBL Binding..." message.

Security may not be an issue, but these bad themes are giving Firefox a bad name.
(In reply to comment #3)
> Themes might be able to introduce chrome JavaScript through XBL, making them
> exactly as dangerous as XPIs.

This is my thought as well.  I'm thinking spyware in particular.  Monitoring
URL's visited via getBrowser().currentURI.spec on some action, etc. etc.  

This is obviously tough to do, but perhaps forming a group to audit extensions,
themes before hosting on u.m.o and whitelisting only that is the best solution.

Themes scare me a bit.  But I'm no security pro.
See also bug 304931, "Installing theme from website allowed, even though website
is not whitelisted".
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Jesse's right, this was undone by bug 304931 and will stay that way. Themes should be considered more like screen savers (active, potentially dangerous content) than images (safe static content).
Status: REOPENED → RESOLVED
Closed: 20 years ago18 years ago
Resolution: --- → WONTFIX
Whiteboard: reverted in 304931
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.