Bug 1403595 - Original rather than redirected URI shown in extension permission request dialog
Opened 7 years ago; closed 7 years ago
Categories: Toolkit :: Add-ons Manager, defect
Status: RESOLVED DUPLICATE of bug 1380475
Reporter: nika; Unassigned
Attachments: 1 file (35.22 KB, image/png)
STR: Follow a shortlinked link to an XPI (e.g. Manishearth's https://t.co/QXfFApipCM).

Expected Result: The dialog displays that manishearth.net is trying to install an addon, or mentions that t.co is trying to install an addon from manishearth.net.

Actual Result: The dialog displays that t.co is trying to install an addon, and doesn't mention the actual source of the addon at all. In effect, the dialog which is displayed shows the shortlink URL rather than the actual URL of the extension to be installed.

--

I worry that this could be used for phishing, as it's not hard to get a URL from t.co or l.facebook.com or similar to redirect to your addon file. See the attached screenshot for what this looks like on Nightly 58.
Comment 1 • 7 years ago (Reporter)
Marking as sec bug just in case (forgot to as I filed it)
Group: toolkit-core-security
Comment 2 • 7 years ago
ISTR this is intentional because AMO. Or something. Hopefully Dave remembers more of this.
Flags: needinfo?(dtownsend)
Comment 3 • 7 years ago
Yeah, we were wondering if it was intentional because if you visit directly it doesn't show the warning at all and instead asks you if you want to install. But it seems pretty misleading regardless?
Comment 4 • 7 years ago
This is intentional as it stands due to how Twitter's shortlinking works. Basically what we want to show in that dialog is the site that initiated the install; this isn't necessarily the site that the XPI is coming from. So imagine if AMO wasn't special cased: when you click on a link on AMO to install an add-on we want the dialog to tell you that it is AMO attempting to install an add-on, not the CDN that happens to be hosting the XPI file. Yes, we could include the source of the XPI as additional information, but I'm not sure it helps the user with the problem at hand. Twitter's shortlinking makes this a bit crazy because they don't use a simple HTTP redirect; instead the shortlink actually loads a page which then includes a <meta> referer to redirect after the load is complete :(
Flags: needinfo?(dtownsend)
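Comment 4 distinguishes the site that initiated the install (what the dialog names) from the host the XPI is actually fetched from, and notes that a shortlink page may hop via a `<meta>` refresh rather than an HTTP 3xx redirect. The example below is added here to illustrate that distinction; it is not Firefox or Bugzilla code. It walks a URL chain offline over a constructed stand-in for the network (`FAKE_RESPONSES`, `fake_fetch`, and the `*.example` hosts are all invented), follows both kinds of hop, and reports the initiating host beside the final XPI host, which is the pair the reporter's expected dialog would show. A follower that only honours `Location` headers would stop at the shortlink's HTML page and never see the second host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed offline stand-in for the network: url -> (status, headers, body).
# Hosts, paths and bodies are made up for this example.
FAKE_RESPONSES = {
    # Shortlink-style page: returns 200 and redirects via <meta http-equiv="refresh">.
    "https://short.example/abc": (
        200,
        {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0; URL=https://cdn-redirect.example/r"></head></html>',
    ),
    # Plain HTTP redirect to the file host.
    "https://cdn-redirect.example/r": (
        302, {"Location": "https://files.example/addon.xpi"}, ""),
    # The XPI itself (body content is irrelevant here).
    "https://files.example/addon.xpi": (
        200, {"Content-Type": "application/x-xpinstall"}, "<xpi bytes>"),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET that does NOT follow redirects itself."""
    return FAKE_RESPONSES[url]


class MetaRefreshParser(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> tag, if any."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; URL=https://..." (delay, then url=...)
        m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.IGNORECASE)
        if m:
            self.target = m.group(1).strip()


def meta_refresh_target(headers, body):
    """Return the meta-refresh URL from an HTML body, or None for non-HTML responses."""
    if not headers.get("Content-Type", "").lower().startswith("text/html"):
        return None
    parser = MetaRefreshParser()
    parser.feed(body)
    return parser.target


def resolve_chain(url, fetch, max_hops=10):
    """Follow HTTP redirects and meta refreshes; return [(url, how_reached), ...]."""
    chain = [(url, "start")]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        location = headers.get("Location") if 300 <= status < 400 else None
        if location:
            url = urljoin(url, location)
            chain.append((url, "http-redirect"))
            continue
        target = meta_refresh_target(headers, body)
        if target:
            url = urljoin(url, target)
            chain.append((url, "meta-refresh"))
            continue
        return chain
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)


def install_hosts(url, fetch):
    """(initiating host, host the XPI is finally fetched from) for a clicked link."""
    chain = resolve_chain(url, fetch)
    return urlsplit(chain[0][0]).hostname, urlsplit(chain[-1][0]).hostname


if __name__ == "__main__":
    for u, how in resolve_chain("https://short.example/abc", fake_fetch):
        print("%-14s %s" % (how, u))
    print(install_hosts("https://short.example/abc", fake_fetch))
```

Running the block prints the three-hop chain (start, meta-refresh, http-redirect) and the pair `('short.example', 'files.example')`; a direct link to the XPI yields the same host twice, which is the case where naming only the initiating site loses nothing.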
Updated • 7 years ago
Group: toolkit-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE