Closed Bug 414751 Opened 17 years ago Closed 16 years ago

AMO Integration: No need for security/confirmation dialog for installing from AMO

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED WONTFIX

People

(Reporter: u88484, Unassigned)

References

Details

AMO is supposed to be the "only" secure place to install add-ons from and is currently the only whitelisted site, so why are we even showing the security dialog in the AMO Integration panel when installing add-ons?
Blocks: 414752
No longer blocks: 414752
Summary: AMO Integration: No need for security/confirmation dialog for installing from AMO? → AMO Integration: No need for security/confirmation dialog for installing from AMO
Depends on: 414752
Blocks: 414752
No longer depends on: 414752
The security dialog isn't about the site, it's about the software -- what's signed, what's not, etc.  AMO should continue to prompt and warn; a single misclick in the dialog should not install software, even from AMO.

The whitelist used to be for who could _prompt_ to install (not where the code was hosted; a random site couldn't prompt to install from AMO), and was to avoid drive-by installation attempts that were so tragically common and successful with ActiveX.
I still don't think it should be shown or should be reworded somehow.  What new users know any authors?  How are they to trust them?  AMO hosted extensions are not from a random site, reviewed and supposed to be safe.  I know, keyword is *supposed to be*.  

Instead of scarring off users from installing add-ons, we can reword the dialog to tell them that although the add-on was reviewed by Mozilla and should be safe, its not a 100% guarantee. 

I was just playing with this some more and was recommened an add-on, the author was unknown. So why is Mozilla recommending me an add-on when the author is unknown then warn me that I should only install from trusted authors?  Probably should spin that off if this bug is not going to be fixed.
No longer blocks: 414752
Product: Firefox → Toolkit
I don't think that AMO is the only secure place to install add-ons from. I think that Mozilla have good faith with AMO that they do the right things to ensure they deliver nothing evil and that is why it is in the whitelist. I don't think it is impossible that Mozilla might agree with another site to include them in the whitelist assuming we were confident enough in them.

I think perhaps the better thing to do is to improve the dialog and pay attention to whether the site is in the whitelist or not, and other things like bug 310355
Additionally we aren't going to just install add-ons without some kind of check to see if the user wants it. Even if it is from AMO it could be in the sandbox which is potentially risky or it could be that AMO is exploited allowing other sites to start seemingly safe installs.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Further you can accidentally click on such an add-on and don't have a possibility to cancel the installation. And it hasn't to be in the sandbox.

Verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.