Closed Bug 308056 Opened 19 years ago Closed 19 years ago

Wrong URL being tested against Allowed Sites on XPI install

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
major

RESOLVED DUPLICATE of bug 257055

People

(Reporter: reed, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

On http://www.securityfocus.com/bid/14784/solution:

Mozilla Firefox 1.0.6

    * Mozilla Patch 307259.xpi
      http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi

When I click the above FTP link, I am given a yellow info bar that says "To
protect your computer, Firefox prevented this site (www.securityfocus.com) from
installing software on your computer."

This is wrong. The link does not go to a page on www.securityfocus.com but to a
file on ftp.mozilla.org. It should check "ftp.mozilla.org" against the Allowed
Sites list and NOT www.securityfocus.com.

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.securityfocus.com/bid/14784/solution
2. Click on the link to http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi under Mozilla Firefox 1.0.6 (Mozilla Patch 307259.xpi).
3. See incorrect URL in info bar

Actual Results:  
See incorrect URL in info bar

Expected Results:  
The download from "ftp.mozilla.org" should have been checked and let through as
it is in my Allowed Sites list.

This is a fairly major bug as it could cause people to allow the wrong sites
entry into their "Allowed Sites" list even though the site itself might not be
hosting the file.

See bug 240552 comment 38.

The whitelist is based on sites linking to the extension, not hosting it. This
is intentional.

*** This bug has been marked as a duplicate of 257055 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
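
The two policies contrasted in this thread, as an added illustration that is not part of the original bug report and is not Firefox source code. The function names, the exact-host matching rule and the allow-list contents (taken from the reporter's description of their setup) are assumptions of this simplified model.

```javascript
// Simplified model of the install-permission decision discussed above.
// Assumption: the allow-list is matched on exact host name only.
const ALLOWED_SITES = new Set(["ftp.mozilla.org"]); // reporter's stated entry

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Policy described in the reply: the host of the page that links to
// (and therefore triggers) the install is what gets checked.
function checkByLinkingSite(pageUrl, xpiUrl, allowed = ALLOWED_SITES) {
  const host = hostOf(pageUrl);
  return { checkedHost: host, allowed: allowed.has(host) };
}

// Policy the reporter expected: the host serving the XPI is checked.
function checkByHostingSite(pageUrl, xpiUrl, allowed = ALLOWED_SITES) {
  const host = hostOf(xpiUrl);
  return { checkedHost: host, allowed: allowed.has(host) };
}

// Run both policies on the same click so the difference is visible.
function compare(pageUrl, xpiUrl, allowed = ALLOWED_SITES) {
  return {
    linking: checkByLinkingSite(pageUrl, xpiUrl, allowed),
    hosting: checkByHostingSite(pageUrl, xpiUrl, allowed),
  };
}

// URLs from the report.
const page = "http://www.securityfocus.com/bid/14784/solution";
const xpi =
  "http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/307259.xpi";
// Same file reached from the directory listing on the hosting server.
const listing =
  "http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0.6/patches/";

// Reported case: the info bar names www.securityfocus.com because that
// is the host checked, even though ftp.mozilla.org is on the list.
console.log(compare(page, xpi));
// Linking page and hosting server are the same host: both policies allow.
console.log(compare(listing, xpi));
```

Under the linking-site policy, an allow-list entry authorizes pages on that host to start installs; it makes no statement about where the XPI file is served from.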