Extension mechanism is triggered on Reader View
Categories
(Toolkit :: Add-ons Manager, defect, P3)
People
(Reporter: cage-ml, Unassigned)
Details
(Keywords: reporter-external)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Steps to reproduce:
- Open a page on the WWW that contains a direct link to a Firefox extension (.xpi extension file);
- switch to reader mode;
- click on the link to download the extension.
Actual results:
Somehow the installation mechanism for the extension is triggered. I briefly saw a popup window saying that the extension was downloading (after a totally non-exhaustive investigation - I just checked that the extension does not appear under 'about:addons' - it seems that the extension is not installed, but I am not sure I checked properly, so I am marking this issue as a security one).
Expected results:
Firefox is supposed to warn that a new extension is installed and ask the user's consent to do so using a popup window.
Note that the popup appears when not in reader mode.
Comment 1•3 months ago
Can you provide a link to a page where this reproduces? addons.mozilla.org pages don't show the reader mode icon for me so it's not trivial to follow the steps in comment 0.
Hi!
Sorry, but I forgot to add the link; here's the one where I came across the issue:
https://woltman.com/gnome-bad/
Search for: "I made a Firefox extension to do it for you.".
Hope this helps!
C.
Comment 3•3 months ago
On a 3rd party web site there are two prompts: 1) do you want to allow this suspicious site to do downloads at all? and 2) Do you want to install Addon-X with privileges a,b,c?
Reader mode is bypassing prompt 1) because we think it's a "browser page" (internally it is, but in this case that's not great). And then there's a failure before it gets to 2) so nothing gets installed (and it would require a prompt before doing so).
Uncaught (in promise) NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.displayHost]
observe chrome://browser/content/browser-addons.js:658
installNotifyObservers resource://gre/modules/AddonManager.sys.mjs:2170
_verifyThirdPartyInstall resource://gre/modules/AddonManager.sys.mjs:3251
_verifyThirdPartyInstall resource://gre/modules/AddonManager.sys.mjs:3250
promptHandler resource://gre/modules/AddonManager.sys.mjs:3265
promptHandler resource://gre/modules/AddonManager.sys.mjs:3264
checkPrompt resource://gre/modules/addons/XPIInstall.sys.mjs:1787
checkPrompt resource://gre/modules/addons/XPIInstall.sys.mjs:1812
install resource://gre/modules/addons/XPIInstall.sys.mjs:1386
install resource://gre/modules/addons/XPIInstall.sys.mjs:2386
downloadCompleted resource://gre/modules/addons/XPIInstall.sys.mjs:2776
The error isn't the right way to handle it: for example we might not be cleaning up the download from the failed install. But if we fix the error then we have to decide if it's OK to let the reader-mode version of any site be able to prompt for an install. At least they won't be able to do so from script, like a normal web page could. Users would have to click on an actual link to a .xpi download.
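The following is an added illustration, not Firefox's own code, of the gating logic comment 3 describes: gate 1 ("may this site start add-on downloads at all?") and gate 2 (the per-add-on permission prompt). The model keys the buggy gate 1 on the URI scheme of the page the click happened in, so a reader-mode view (about:reader?url=...) passes as a "browser page"; the hardened variant unwraps the reader-mode URI to the origin it actually renders. The about:reader "url" query parameter, the scheme list and the function names are this example's assumptions, and the sample page is the link from comment 2.

```javascript
// Added example: simplified model of the two install gates from comment 3.
// Not Firefox code; names, the scheme list and the about:reader unwrapping
// are assumptions made for illustration.

// Schemes this model treats as browser-internal pages (assumption).
const BROWSER_SCHEMES = new Set(["about", "chrome", "resource"]);

function isBrowserPage(pageUrl) {
  const scheme = new URL(pageUrl).protocol.replace(":", "");
  return BROWSER_SCHEMES.has(scheme);
}

// Buggy gate 1: the trust decision looks only at the scheme of the page that
// was displayed when the .xpi link was clicked, so about:reader is exempt.
function needsSiteInstallPromptBuggy(pageUrl) {
  return !isBrowserPage(pageUrl);
}

// Hardened gate 1: reader mode is a wrapper around a third-party document, so
// decide on the origin of that document rather than on the wrapper's scheme.
// Assumes the wrapped page is carried in the "url" query parameter.
function effectiveOrigin(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === "about:" && u.pathname === "reader") {
    const inner = u.searchParams.get("url");
    if (inner) return new URL(inner).origin;
  }
  return u.origin;
}

function needsSiteInstallPromptFixed(pageUrl) {
  // URL.origin is the string "null" for about:/chrome: URIs without a host,
  // so only real web origins require the site-level prompt.
  return effectiveOrigin(pageUrl) !== "null";
}

// Gate 2 is never skipped: the per-add-on permission prompt is always required.
// Returns the ordered list of prompts a user would see under a given gate 1.
function installPrompts(pageUrl, siteGate) {
  const prompts = [];
  if (siteGate(pageUrl)) prompts.push("site-download");
  prompts.push("addon-permissions");
  return prompts;
}

// Constructed sample: the page from comment 2 viewed directly and in reader mode.
const SITE = "https://woltman.com/gnome-bad/";
const READER_VIEW = "about:reader?url=" + encodeURIComponent(SITE);

console.log(installPrompts(SITE, needsSiteInstallPromptBuggy));        // both prompts
console.log(installPrompts(READER_VIEW, needsSiteInstallPromptBuggy)); // gate 1 skipped
console.log(installPrompts(READER_VIEW, needsSiteInstallPromptFixed)); // both prompts again
```

The design point is that a permission gate should be keyed on the origin of the content that produced the click, not on the scheme of whatever chrome is currently rendering it; any "internal page" exemption has to unwrap viewer-style URIs first.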
> nothing gets installed (and it would require a prompt before doing so).
And that is a relief! :)
Thanks for your work!
C.