Bug 1475710 (Open, NEW): consider making prompt to allow sites to trigger add-on installation scarier given its abuse in the wild
Opened 7 years ago; updated 2 years ago
Categories: Toolkit :: Add-ons Manager, defect, P3
Reporter: dbaron; Unassigned
Attachments: 1 file (562.28 KB, image/png)
In bug 1465318 I reported a situation where the following happened:
* a script, likely within an ad served for the site (I say this since the issue happened intermittently; it was injecting the script in a way that made the debugger no longer show the source of the script that was running) would:
1. check for the presence of a cookie set by an add-on, and if it was present, skip the remaining steps
2. go through the DOM and replace much of the text with garbage text (see the screenshot, where much of the page, normally in Chinese, has been replaced with ������).
3. call InstallTrigger.install() on an XPI hosted on addons.mozilla.org (see below for description of addon)
4. place an overlay above the page darkening all of it out, overlaid with the text "Error 408: Encoding with UTF-16.</br>Install Firefox addon for unicode support.", and a big red arrow pointing to the dropdown triggered by InstallTrigger.install() (see screenshot)
* the addon in question, if the user installed it, would do the following:
1. set a cookie for all pages to make them trigger (1) in the list of steps above
2. log some information to a server, and maybe some other things
Given that this addon, at the time I found it, had a few hundred installs, it seemed like this technique was succeeding at tricking users into installing an addon in order to make the broken web page work.
It seems to me that the current UI (see screenshot) doesn't do a great job of explaining what will happen when the user presses "Allow" or why it might not be a good idea. I think this UI should be improved so that it's harder to trick users into using it.
Comment 1 • 7 years ago
Fwd to UX (note: the whole attached image is what the reporter is seeing -- that blue text is not his annotation).
Flags: needinfo?(emanuela)
Priority: -- → P3
Comment 2 • 6 years ago
:dbaron: thank you for your feedback and for reporting this case.
I think there is space for improving the messaging here. At the moment the add-ons ux team is pretty busy, but I think we can iterate on this in the next three weeks.
Flags: needinfo?(emanuela)
Updated • 2 years ago
Severity: normal → S3