Allow ability of Snippet to install add-ons from about:home

NEW
Unassigned

Status

()

Firefox
General
4 years ago
3 years ago

People

(Reporter: Jean Collings (Maternity Leave 4/6/18 - ping Kat Plam for Leanplum, Michele Warther for Snippets), Unassigned)

Tracking

34 Branch
Firefox 35
Points:
---
Dependency tree / graph
Bug Flags:
firefox-backlog +
sec-review ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fxgrowth])

Goals:
We know that users who have add-ons are “sticky” users.  We want to make it easier to install add-ons.  We propose to build a mechanism that allows a user to complete an add-on installation on about:home. 

Potential metrics for success:
-Number of installs 
-Usage for those who installed from about:home

User experience:
Steps include - 

-->User opens Firefox and sees snippet.  They click snippet.  Drop down appears with more information.

-->Users reads additional information and clicks to activate button.  Add-on installation begins.

-->Currently, user is warned about malware. Can we skip this step? Since this is curated by Firefox, we should be able to ensure all add-ons that are being installed are legit.

-->Installation completed. User given a success message.  We’d like this message to display on about:addons (or some other logical spot).  Reasoning - the user should have info on how to uninstall / or find other add-ons that might be of interest.
Flags: firefox-backlog?

Updated

4 years ago
Hardware: x86 → All
Target Milestone: --- → Firefox 35

Updated

4 years ago
Summary: Allow ability of Snippet to activate add-ons from about:home → Allow ability of Snippet to install add-ons from about:home
Flags: firefox-backlog? → firefox-backlog+

Updated

4 years ago
Depends on: 1063418
(In reply to Jean Collings from comment #0)

> -->User opens Firefox and sees snippet.  They click snippet.  Drop down
> appears with more information.
> 
> -->Users reads additional information and clicks to activate button.  Add-on
> installation begins.

What "drop down" is being referenced here? The usual dropdown prompt one sees when starting an add-on install, or something new?

I'm also dubious about the proposal of this bug (clicking something in a Snippet resulting in an add-on being installed), mainly because it seems like short snippets inherently can't provide enough context to inform a user what the addon is about and how to use it. As a contrived example, a snippet like "Want to customize your web? Install Greasemonkey!" would result in a lot of people who install Greasemonkey but have absolutely no clue how to use it or what it even does.

We should also be thinking about if this opens too big of a loophole -- a compromised Snippet server could have disastrous impact if it can install arbitrary software. This could be mitigated by having a whitelist of allowed Snippet-installable addons.

Seems like what we might actually want here is the ability for a snippet to take you to some other landing page, from which one can then easily install an addon. You could sorta do this today just by linking users to the addon's page on AMO -- but that's obviously not a great experience, so we'd want some other new page customized for this purpose. For example, the snippet could link to a page much like https://www.mozilla.org/en-US/lightbeam/, which we'd whitelist to allow a 1-click install (without going though the AMO page as it does now).

> -->Currently, user is warned about malware. Can we skip this step? Since
> this is curated by Firefox, we should be able to ensure all add-ons that are
> being installed are legit.

We have been wanting to do something like this for a long time, there have been... difficulties. :/
(In reply to Justin Dolske [:Dolske] from comment #1)
> (In reply to Jean Collings from comment #0)
> 
> > -->User opens Firefox and sees snippet.  They click snippet.  Drop down
> > appears with more information.
> > 
> > -->Users reads additional information and clicks to activate button.  Add-on
> > installation begins.
> 
> What "drop down" is being referenced here? The usual dropdown prompt one
> sees when starting an add-on install, or something new?
> 
> I'm also dubious about the proposal of this bug (clicking something in a
> Snippet resulting in an add-on being installed), mainly because it seems
> like short snippets inherently can't provide enough context to inform a user
> what the addon is about and how to use it. As a contrived example, a snippet
> like "Want to customize your web? Install Greasemonkey!" would result in a
> lot of people who install Greasemonkey but have absolutely no clue how to
> use it or what it even does.
> 
> We should also be thinking about if this opens too big of a loophole -- a
> compromised Snippet server could have disastrous impact if it can install
> arbitrary software. This could be mitigated by having a whitelist of allowed
> Snippet-installable addons.
> 
> Seems like what we might actually want here is the ability for a snippet to
> take you to some other landing page, from which one can then easily install
> an addon. You could sorta do this today just by linking users to the addon's
> page on AMO -- but that's obviously not a great experience, so we'd want
> some other new page customized for this purpose. For example, the snippet
> could link to a page much like https://www.mozilla.org/en-US/lightbeam/,
> which we'd whitelist to allow a 1-click install (without going though the
> AMO page as it does now).
> 
> > -->Currently, user is warned about malware. Can we skip this step? Since
> > this is curated by Firefox, we should be able to ensure all add-ons that are
> > being installed are legit.
> 
> We have been wanting to do something like this for a long time, there have
> been... difficulties. :/

Hi Justin,
Definitely understand your concern about adding context - hence the reason for the drop down that will provide more information. Please take a look at our suggested user flow: https://docs.google.com/a/mozilla.com/document/d/1l_VPw6t8wMgkKgKKRZPOG1Wge06JN6WXZEBEMjKsU_A/edit
Wow. The security review of snippets and the snippet service was performed under the assumption/limitation that snippets were unpowered and could only do webby things. Adding magic installs that bypass the security dialog (the "malware" warning no one likes) means having to re-evaluate the service end-to-end, not just the client code changes.

I'd love a better-looking install dialog, the one we have looks a lot like the one I implemented in Java for Netscape 4 in the 90s. But there is some comfort to users knowing that there's always a consistent "bail-out" step to installing things, that Firefox has their back and they can't get tricked into installing unwanted things just by clicking on a web page.
Flags: sec-review?

Comment 4

4 years ago
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Wow. The security review of snippets and the snippet service was performed
> under the assumption/limitation that snippets were unpowered and could only
> do webby things. Adding magic installs that bypass the security dialog (the
> "malware" warning no one likes) means having to re-evaluate the service
> end-to-end, not just the client code changes.
> 
> I'd love a better-looking install dialog, the one we have looks a lot like
> the one I implemented in Java for Netscape 4 in the 90s. But there is some
> comfort to users knowing that there's always a consistent "bail-out" step to
> installing things, that Firefox has their back and they can't get tricked
> into installing unwanted things just by clicking on a web page.

We've been able to do add-ons/themes installs via snippets for over 3 years now and the idea isn't anything new. The way we were only able to do it via a snippet loading an iframe's to AMO thus using the same security model and whitelisting that exists with users browsing addons.mozilla.org. This specific request is to build a new model that will allow to add-on/theme snippets without having to use an iframe to a stand-alone HTML page on AMO. 

Snippets already have the ability to install a Social API activations via bug 1054410 and Firefox 33. Also, www.mozilla.org also has the ability to open/close menus in the browser chrome for the launch of Firefox 29. Being able to do add-ons/themes via snippets without jumping through iframe hoops should be technically possible and we should ensure we are doing the engineering that it it doesn't expose any security vulnerability. Thus, I welcome a security review of snippets since we will be doing more and more of this in the future.
(In reply to Chris More [:cmore] from comment #4)
> This specific request is to build a new model that will allow to add-on/theme
> snippets without having to use an iframe to a stand-alone HTML page on AMO. 

My objection was to skipping the security dialog that warns the user an install is about to happen, not to initiating the normal install process.

Comment 6

4 years ago
(In reply to Daniel Veditz [:dveditz] from comment #5)
> (In reply to Chris More [:cmore] from comment #4)
> > This specific request is to build a new model that will allow to add-on/theme
> > snippets without having to use an iframe to a stand-alone HTML page on AMO. 
> 
> My objection was to skipping the security dialog that warns the user an
> install is about to happen, not to initiating the normal install process.

Ah, yeah. I wouldn't want a snippet to bypass any browser-based dialogs for anything that comes from about:home. The dialogs used on social api snippets are the same kind of dialogs you see when activating from activations.mozilla.org. As for add-ons, installing an add-on from about:home should be the same UX as installing an addon from addons.mozilla.org.
(In reply to Chris More [:cmore] from comment #4)

> We've been able to do add-ons/themes installs via snippets for over 3 years
> now and the idea isn't anything new. The way we were only able to do it via
> a snippet loading an iframe's to AMO thus using the same security model and
> whitelisting that exists with users browsing addons.mozilla.org.

What snippets have used this?

I'm curious how that even works, because AMO uses X-Frame-Options to block iframe loads (eg, http://dolske.net/mozilla/tests/misc/amo_iframe.html does not work).

Note that my concern is specifically around add-ons that contain code ("extensions"), not lightweight themes. Themes have greatly lower attack potential, which is why they don't trigger the scary install dialog).

> Snippets already have the ability to install a Social API activations via
> bug 1054410 and Firefox 33.

Social API providers are also a different matter, and not of concern. They were explicitly whitelisted in the past (although I'm not sure if that's still the case), and their security model is not terribly different from web pages. (They can do a bit more than a normal web page, but don't run with chrome privileges, or have the ability to execute native code.)

> Also, www.mozilla.org also has the ability to
> open/close menus in the browser chrome for the launch of Firefox 29.

This also isn't relevant, because we explicitly restricted the set of things UITour exposes to things that have low potential for abuse. For example, UITour can't be used to install an addon. :-)

Comment 8

4 years ago
(In reply to Justin Dolske [:Dolske] from comment #7)
> (In reply to Chris More [:cmore] from comment #4)
> 
> > We've been able to do add-ons/themes installs via snippets for over 3 years
> > now and the idea isn't anything new. The way we were only able to do it via
> > a snippet loading an iframe's to AMO thus using the same security model and
> > whitelisting that exists with users browsing addons.mozilla.org.
> 
> What snippets have used this?

Add-on snippets I believe were before 2011 and maybe before I started. As for theme snippets, I did one back in 2011 and we had the HTML page on AMO before it was transitioned off of SVN.

Maybe the X-Frame-Options hasn't always existed or maybe it had an exception on a specific URL that has long since not existed. We haven't done one of these type of snippets for a long time as the snippets team has been focused on other initiatives. 

This only has been rebooted as a request from Chris Beard to get these interactive snippets that can be activated from about:home back on the deck to something we can do again. The issue is that lots has changed and thus we probably have to use a new strategy.

Updated

4 years ago
Whiteboard: [fxgrowth]
You need to log in before you can comment on or make changes to this bug.