Closed
Bug 593187
Opened 14 years ago
Closed 14 years ago
Request for authentication for an extension install doesn't focus the correct tab
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
VERIFIED
FIXED
mozilla2.0b7
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: mossop, Assigned: azakai)
References
Details
(Keywords: regression, Whiteboard: [sg:low spoof])
Attachments
(2 files, 3 obsolete files)
2.67 KB,
patch
|
azakai
:
review+
|
Details | Diff | Splinter Review |
3.00 KB,
patch
|
mossop
:
review+
|
Details | Diff | Splinter Review |
If a background tab starts an extension install that requires authentication then the auth dialog should show and the tab in question focused to make it clear where the request is coming from. This is a problem because a website could open a seemingly safe site like Google and make the auth prompt look like it came from there
Reporter | ||
Comment 1•14 years ago
|
||
This is an automated test that tests the problem.
Reporter | ||
Updated•14 years ago
|
blocking2.0: --- → betaN+
Reporter | ||
Comment 2•14 years ago
|
||
Attachment #471675 -
Attachment is obsolete: true
Updated•14 years ago
|
Assignee | ||
Comment 3•14 years ago
|
||
To be able to do this properly we need to be able to send window IDs over IPC - content should send an ID inside the current IPC message being sent, and chrome would find the ChromeWindow for that content and bring it to the front. Bug 593025 has a proposed patch for that. Alternatively, we can try the hack Fennec uses with DOMWillOpenModalDialog. I don't know if this would work in Firefox though, and in any case it isn't foolproof (there can be race conditions, so the security problem would be improved but not fixed). So I'd prefer the previous approach.
Depends on: 593025
Assignee | ||
Comment 4•14 years ago
|
||
Patch that manually focuses the proper tab in response to an InstallTrigger message. Passes the automated test in Firefox. Sadly, as mentioned in a comment in the patch, this can't be fixed in a proper way for the IPC case/Fennec. Bug 596109 should make that possible though.
Attachment #475154 -
Flags: review?(dtownsend)
Reporter | ||
Comment 5•14 years ago
|
||
Comment on attachment 475154 [details] [diff] [review] Patch This looks like it focuses the tab before the download even starts. That doesn't seem right at all
Assignee | ||
Comment 6•14 years ago
|
||
Would the proper behavior be to focus it together with showing the auth prompt?
Reporter | ||
Comment 7•14 years ago
|
||
That is what used to happen. The problem is that any delay allows for the possibility that the user (or another website) switches to a different tab in the meantime.
Assignee | ||
Comment 8•14 years ago
|
||
Hmm, sounds like the auth prompt isn't working right then. We used to send a window to the auth prompt, but we stopped doing so in http://hg.mozilla.org/mozilla-central/rev/552065e24bc8 Specifically > return factory.getPrompt(this.window, Ci.nsIAuthPrompt); has been changed in that revision to have null instead of this.window. Why?
Reporter | ||
Comment 9•14 years ago
|
||
(In reply to comment #8) > Hmm, sounds like the auth prompt isn't working right then. > > We used to send a window to the auth prompt, but we stopped doing so in > > http://hg.mozilla.org/mozilla-central/rev/552065e24bc8 > > Specifically > > > return factory.getPrompt(this.window, Ci.nsIAuthPrompt); > > has been changed in that revision to have null instead of this.window. Why? Because that code was broken, this.window is never defined.
Assignee | ||
Comment 10•14 years ago
|
||
Restore this.window, and set it to a proper value.
Attachment #475154 -
Attachment is obsolete: true
Attachment #475287 -
Flags: review?(dtownsend)
Attachment #475154 -
Flags: review?(dtownsend)
Reporter | ||
Comment 11•14 years ago
|
||
Comment on attachment 471689 [details] [diff] [review] automated test Want to do the quick review on this.
Attachment #471689 -
Flags: review?(azakai)
Reporter | ||
Comment 12•14 years ago
|
||
Comment on attachment 475287 [details] [diff] [review] Patch v2 >diff --git a/toolkit/mozapps/extensions/XPIProvider.jsm b/toolkit/mozapps/extensions/XPIProvider.jsm >--- a/toolkit/mozapps/extensions/XPIProvider.jsm >+++ b/toolkit/mozapps/extensions/XPIProvider.jsm >@@ -4080,16 +4080,17 @@ function AddonInstall(aCallback, aInstal > this.installLocation = aInstallLocation; > this.sourceURI = aUrl; > this.releaseNotesURI = aReleaseNotesURI; > this.hash = aHash; > this.loadGroup = aLoadGroup; > this.listeners = []; > this.existingAddon = aExistingAddon; > this.error = 0; >+ this.window = aLoadGroup.notificationCallbacks.getInterface(Ci.nsIDOMWindow); Tests are failing with this patch, I think you need to check that aLoadGroup isn't null here.
Attachment #475287 -
Flags: review?(dtownsend) → review-
Assignee | ||
Comment 13•14 years ago
|
||
Comment on attachment 471689 [details] [diff] [review] automated test Works great. Only nit is some lines are >80 chars, but I guess in tests we don't care about that stuff.
Attachment #471689 -
Flags: review?(azakai) → review+
Assignee | ||
Comment 14•14 years ago
|
||
Added check for aLoadGroup being null. (Sadly on my local machine, some of the extensions tests don't work anyhow, so I can't reliably run those tests. The Ubuntu modifications to Firefox perhaps?)
Attachment #475287 -
Attachment is obsolete: true
Attachment #475336 -
Flags: review?(dtownsend)
Reporter | ||
Comment 15•14 years ago
|
||
Comment on attachment 475336 [details] [diff] [review] Patch v3 Looks good
Attachment #475336 -
Flags: review?(dtownsend) → review+
Reporter | ||
Comment 16•14 years ago
|
||
Landed code and test: http://hg.mozilla.org/mozilla-central/rev/c9c3523a0771 http://hg.mozilla.org/mozilla-central/rev/7b2907b65967
Assignee: nobody → azakai
Flags: in-testsuite+
Flags: in-litmus-
Target Milestone: --- → mozilla2.0b7
Comment 17•14 years ago
|
||
Dave, so we can call it fixed?
Reporter | ||
Comment 18•14 years ago
|
||
Oops, yes
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 19•14 years ago
|
||
Dave, to verify the fix I would have to setup a HTTP Auth protected folder which contains the XPI? When running the test I have to switch to another tab before the auth dialog is fired. Is that correct?
Reporter | ||
Comment 20•14 years ago
|
||
(In reply to comment #19) > Dave, to verify the fix I would have to setup a HTTP Auth protected folder > which contains the XPI? When running the test I have to switch to another tab > before the auth dialog is fired. Is that correct? Yes that is correct.
Updated•14 years ago
|
Group: core-security
Comment 21•13 years ago
|
||
Verified fixed with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b12pre) Gecko/20110209 Firefox/4.0b12pre ID:20110209030359 I setup my own HTTP auth protected folder for the extension: https://www.hskupin.info/mozilla/addons/auth/
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•