Closed Bug 247768 Opened 20 years ago Closed 20 years ago

Default focus in Theme/Extension install dialog should be "Cancel" (and not "Install") - like it is in Seamonkey

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED DUPLICATE of bug 240637

People

(Reporter: askwar, Assigned: bugs)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040615 Firefox/0.9 (NESI)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040615 Firefox/0.9

When installing an Extension (or Theme), a dialog window is shown with a warning
text and a timeout. Only after the timeout has elapsed, the user can click on
Install to get the Extension installed.

However, he can also simply press Return, because "Install" has the default
focus in this Extension install window. In Seamonkey 1.7, this is not so.
Pressing return doesn't do anything. This behaviour "must" be duplicated in Fx.

The reason I say "must", is that this can be a security problem for the user.
For instance, take the URL I mentioned . This site tries to trick the user to
install an XPI which will then install a so-called "Dialer". This is a malware
program (for Windows) which resets the dial-up number to some extremely
expensive number. Now, if the user did not pay close attention, he installed
that dialer and thus has to reinstall the OS. While I *do* think that users are
responsible for what they are doing on their computer, Fx should not make it too
easy to have a user shoot himself.




Reproducible: Always
Steps to Reproduce:




The URL I mentioned, is a porn site and thus contains "sexually explicit"
material. In pre-0.9 (and pre-SM-1.7) times, it tried to install the XPI
directly when the user entered the site.

BTW: No, I don't go to such sites. But the site has been mentioned by Heise (a
very large and influential german IT news site -
http://www.heise.de/security/artikel/48349). This commentary by Heise sparked
some very heated discussions in various german newsgroups.
Flags: blocking1.0?
It's pointless to hide a bug reported by the press, should not be
"Security-Sensitive".

Corresponding seamonkey bug is 149478. Problem due to forking?
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #1)
> It's pointless to hide a bug reported by the press, should not be
> "Security-Sensitive".

Well, I do think that it is security related, but I do agree that it should not
be hidden. However, I cannot uncheck that checkbox. I would, if I could.

Should I open another bug without the security check box checked?

> Corresponding seamonkey bug is 149478. 

Yes, this seems to be very much related.

> Problem due to forking?

Don't know. Suppose so.
Unhiding by request of reporter.
Group: security
Is this a duplicate of bug #240637 ?
(In reply to comment #5)
> Is this a duplicate of bug #240637 ?

Yes, I think so.

*** This bug has been marked as a duplicate of 240637 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Flags: blocking-aviary1.0?
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.