Open Bug 1195389 Opened 9 years ago Updated 2 years ago

Add autoconfig section to about:support

Categories

(Toolkit :: General, defect)

All
Unspecified
defect

People

(Reporter: philipp, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want)

after addon-signing is enforced badware authors will look for other avenues for exploiting the browser. i've recently seen evidence that autoconfig is getting used to inject malicious code as well. as we are set up at the moment, this will only be noticed by very advanced users or by chance as it doesn't show in the troubleshooting information or leave any obvious marks when people are looking for support.
therefore i want to suggest/request that we add a section that indicates the presence of auto-configuration, similar to what was done in bug 557738 for a user.js file.
here is an example of malicious code injected through the autoconfig file: http://www.bleepingcomputer.com/forums/t/571984/ads-by-name/page-3#entry3671244
it would probably be overlooked in support during any normal troubleshooting procedure and naturally survives a refresh of firefox as well...
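
An added illustration, not part of the bug discussion and not Mozilla code: a support-side check for the condition this bug asks about:support to surface. It scans a Firefox install directory for `defaults/pref/*.js` files that set `general.config.*` prefs and reports whether the referenced `.cfg` file exists. The function names, the constructed sample tree, and the assumption that `install_dir` is the directory containing `defaults/pref` belong to this example.

```python
import re
import tempfile
from pathlib import Path

# Matches pref("general.config.<name>", <value>); in a defaults/pref/*.js file.
PREF_RE = re.compile(
    r'^\s*pref\(\s*"(general\.config\.[\w.]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def find_autoconfig(install_dir):
    """Return AutoConfig prefs found under install_dir plus the .cfg status."""
    root = Path(install_dir)
    report = {"prefs": {}, "cfg_path": None, "cfg_present": False}
    pref_dir = root / "defaults" / "pref"
    if pref_dir.is_dir():
        for js in sorted(pref_dir.glob("*.js")):
            text = js.read_text(encoding="utf-8", errors="replace")
            for name, raw in PREF_RE.findall(text):
                # Record the value and the file that set it.
                report["prefs"][name] = (raw.strip('"'), js.name)
    filename = report["prefs"].get("general.config.filename")
    if filename:
        # Assumption: the named .cfg sits in the install directory itself.
        cfg = root / Path(filename[0]).name
        report["cfg_path"] = str(cfg)
        report["cfg_present"] = cfg.is_file()
    return report

def build_sample(root):
    """Constructed sample install tree, used only to exercise the check."""
    pref_dir = Path(root) / "defaults" / "pref"
    pref_dir.mkdir(parents=True)
    (pref_dir / "autoconfig.js").write_text(
        '// constructed sample\n'
        'pref("general.config.filename", "mozilla.cfg");\n'
        'pref("general.config.obscure_value", 0);\n')
    (Path(root) / "mozilla.cfg").write_text(
        '// constructed sample\n'
        'lockPref("browser.startup.homepage", "https://example.invalid/");\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = find_autoconfig(tmp)
        for name, (value, source) in result["prefs"].items():
            print(f"{name} = {value}  (set in defaults/pref/{source})")
        print("cfg:", result["cfg_path"], "present:", result["cfg_present"])
```

A non-empty `prefs` result on a machine that is not centrally managed is the signal to open the `.cfg` file and review what it sets.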
Group: toolkit-core-security
Yup, we should add this. Even beyond the example in comment 1 (being handled in bug 1205779) this will be directly analogous to the user.js case and can cause confusion about what the actual config is.
Group: toolkit-core-security
Florian, you said in the other bug as well that this should be done, do you know who we need to flag to get this implemented or at least considered for the work to be done?
Flags: needinfo?(florian)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #4)
> Florian, you said in the other bug as well that this should be done, do you
> know who we need to flag to get this implemented or at least considered for
> the work to be done?

I was considering doing it myself, but it's not near the top of my priorities currently. I don't know who else to ask.
Flags: needinfo?(florian)
I'll take this. I can work on it in January.
Keywords: sec-want
See Also: → 1426362
Severity: normal → S3