Closed Bug 537695 Opened 15 years ago Closed 1 month ago

Extension install confirmation should show the actual URL the xpi is coming from

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: opensource, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.15) Gecko/2009102704 Fedora/3.0.15-1.fc10 Firefox/3.0.15
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6

When I select to install an add-on, I get a warning with an https URL displayed, e.g.:
https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
This URL redirects to a non https location:
LANG=C wget https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
--2010-01-04 15:45:09--  https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
Resolving addons.mozilla.org... 63.245.213.91
Connecting to addons.mozilla.org|63.245.213.91|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://addons.mozilla.org/en-US/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api [following]
--2010-01-04 15:45:09--  https://addons.mozilla.org/en-US/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
Reusing existing connection to addons.mozilla.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://addons.mozilla.org/en-US/firefox/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api [following]
--2010-01-04 15:45:09--  https://addons.mozilla.org/en-US/firefox/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
Reusing existing connection to addons.mozilla.org:443.
HTTP request sent, awaiting response... 302 Found
Location: http://releases.mozilla.org/pub/mozilla.org/addons/12545/greasedlightbox-1.1-fx.xpi [following]
--2010-01-04 15:45:09--  http://releases.mozilla.org/pub/mozilla.org/addons/12545/greasedlightbox-1.1-fx.xpi
Resolving releases.mozilla.org... 64.50.236.52, 64.50.236.214, 128.61.111.9, ...
Connecting to releases.mozilla.org|64.50.236.52|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29244 (29K) [application/x-xpinstall]
Saving to: `greasedlightbox-1.1-fx.xpi'

100%[==========================================================================================================================================>] 29,244      80.5K/s   in 0.4s

2010-01-04 15:45:10 (80.5 KB/s) - `greasedlightbox-1.1-fx.xpi' saved [29244/29244]

Firefox installs the add-on without further warning that it is not installed from the https-secured location.

Reproducible: Always

Steps to Reproduce:
1. install some add-on like greasedlightbox
2. notice the https URL in the installation warning
3. open the URL with wget, notice it forwards to a non-https URL
4. install the add-on
Actual Results:  
No notification that the installation source is quite different: http instead of https

Expected Results:  
Firefox should warn that the add-on comes from a non-https site and display the real URL

It would be even better if the add-ons were provided via https; nevertheless Firefox should at least warn about this and make users aware of this problem.
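The check the report asks for, written out as an added example (not Firefox or Mozilla code): follow the redirect chain one hop at a time, keep every URL visited, and compare the URL a dialog would display with the one the bytes are finally fetched from, flagging an https-to-http downgrade and a change of host. The redirect table is a constructed, offline stand-in for the servers; the addons.mozilla.org chain is transcribed from the wget transcript above, while the example.invalid entries are invented to exercise the no-redirect and redirect-loop cases.

```python
from urllib.parse import urljoin, urlsplit

# Constructed, offline stand-in for the servers: each entry maps a URL to the
# (status, Location) pair the server would answer with. The mozilla.org chain is
# transcribed from the Location headers in the bug report's wget output; the
# example.invalid entries are invented for the no-redirect and loop cases.
REDIRECT_TABLE = {
    "https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api":
        (302, "https://addons.mozilla.org/en-US/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api"),
    "https://addons.mozilla.org/en-US/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api":
        (302, "https://addons.mozilla.org/en-US/firefox/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api"),
    "https://addons.mozilla.org/en-US/firefox/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api":
        (302, "http://releases.mozilla.org/pub/mozilla.org/addons/12545/greasedlightbox-1.1-fx.xpi"),
    "http://releases.mozilla.org/pub/mozilla.org/addons/12545/greasedlightbox-1.1-fx.xpi":
        (200, None),
    "https://example.invalid/stays-secure.xpi": (200, None),   # constructed: no redirect
    "https://example.invalid/loop.xpi": (302, "/loop.xpi"),    # constructed: redirects to itself
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def table_fetch(url):
    """Issue one request without following redirects (a table lookup here)."""
    return REDIRECT_TABLE.get(url, (404, None))


def resolve_redirects(url, fetch=table_fetch, max_hops=10):
    """Follow redirects one hop at a time; return the final status and every URL visited."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status in REDIRECT_STATUSES and location:
            # Location may be relative; resolve it against the URL that sent it.
            hops.append(urljoin(hops[-1], location))
            continue
        return status, hops
    raise RuntimeError("redirect limit reached after %d hops at %s" % (max_hops, hops[-1]))


def install_source_report(displayed_url, fetch=table_fetch):
    """Compare the URL a dialog would display with where the file really comes from."""
    status, hops = resolve_redirects(displayed_url, fetch)
    first, last = urlsplit(hops[0]), urlsplit(hops[-1])
    schemes = [urlsplit(h).scheme.lower() for h in hops]
    # A downgrade is any non-https hop after an https starting point.
    downgraded = schemes[0] == "https" and any(s != "https" for s in schemes[1:])
    host_changed = first.hostname != last.hostname
    return {
        "displayed_url": hops[0],
        "actual_url": hops[-1],
        "final_status": status,
        "hop_count": len(hops) - 1,
        "downgraded": downgraded,
        "host_changed": host_changed,
        "warn": downgraded or host_changed,
    }


def describe(report):
    """Render the report as the kind of text an install confirmation could show."""
    lines = ["Install from: %s" % report["actual_url"]]
    if report["actual_url"] != report["displayed_url"]:
        lines.append("(redirected %d time(s) from %s)" % (report["hop_count"], report["displayed_url"]))
    if report["downgraded"]:
        lines.append("WARNING: the file is fetched over plain http, not https.")
    if report["host_changed"]:
        lines.append("WARNING: the final host differs from the one shown.")
    return "\n".join(lines)


if __name__ == "__main__":
    start = "https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api"
    print(describe(install_source_report(start)))
```

Against the transcribed chain the report resolves to the releases.mozilla.org http URL after three hops and sets both warning flags; the hop limit guards against a server that redirects in a circle, which a real fetch helper (one that performs the request without auto-following redirects) would otherwise loop on. The caveat from the later comment still applies: the server can redirect differently again on the actual download, so the URL shown is only as reliable as the final fetch is consistent with the probe.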
Component: General → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: general → xpi-engine
Morphing this slightly. Wherever possible we should show the user the actual URL that the xpi is coming from after any redirects. We should already have this information by the time we display the dialog anyway, assuming the server doesn't re-redirect us when we start the final download.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: add-ons are installed from http without further warning → Extension install confirmation should show the actual URL the xpi is coming from
Product: Core → Core Graveyard
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → INCOMPLETE