Open Bug 1916285 Opened 3 months ago Updated 3 months ago

Extension mechanism is triggered on Reader View

Categories

(Toolkit :: Add-ons Manager, defect, P3)


People

(Reporter: cage-ml, Unassigned)

Details

(Keywords: reporter-external)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

  • Open a page, on the WWW, that contains a direct link to a Firefox extension (xpi extension file);
  • switch to reader mode;
  • click on the link to download the extension.

Actual results:

Someway the installation mechanism for the extension is triggered; I have briefly seen a popup window that the extension was downloading (after a totally non-exhaustive investigation - I just checked the extension does not appear under 'about:addons' - it seems that the extension is not installed, but I am not sure I checked properly, so I am marking this issue as a security one).

Expected results:

Firefox is supposed to warn that a new extension is installed and ask the user for consent to do so using a popup window.

Note that the popup appears when not in reader mode.

Can you provide a link to a page where this reproduces? addons.mozilla.org pages don't show the reader mode icon for me so it's not trivial to follow the steps in comment 0.

Flags: needinfo?(cage-ml)
Product: Firefox → WebExtensions

Hi!

Sorry but I forgot to add the link, here's the one where I came across the issue:

https://woltman.com/gnome-bad/

Search for: "I made a Firefox extension to do it for you.".

Hope this helps!

C.

Flags: needinfo?(cage-ml)

On a 3rd party web site there are two prompts: 1) do you want to allow this suspicious site to do downloads at all? and 2) Do you want to install Addon-X with privileges a,b,c?

Reader mode is bypassing prompt 1) because we think it's a "browser page" (internally it is, but in this case that's not great). And then there's a failure before it gets to 2) so nothing gets installed (and it would require a prompt before doing so).

 Uncaught (in promise) NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.displayHost]
    observe chrome://browser/content/browser-addons.js:658
    installNotifyObservers resource://gre/modules/AddonManager.sys.mjs:2170
    _verifyThirdPartyInstall resource://gre/modules/AddonManager.sys.mjs:3251
    _verifyThirdPartyInstall resource://gre/modules/AddonManager.sys.mjs:3250
    promptHandler resource://gre/modules/AddonManager.sys.mjs:3265
    promptHandler resource://gre/modules/AddonManager.sys.mjs:3264
    checkPrompt resource://gre/modules/addons/XPIInstall.sys.mjs:1787
    checkPrompt resource://gre/modules/addons/XPIInstall.sys.mjs:1812
    install resource://gre/modules/addons/XPIInstall.sys.mjs:1386
    install resource://gre/modules/addons/XPIInstall.sys.mjs:2386
    downloadCompleted resource://gre/modules/addons/XPIInstall.sys.mjs:2776

The error isn't the right way to handle it: for example we might not be cleaning up the download from the failed install. But if we fix the error then we have to decide if it's OK to let the reader-mode version of any site be able to prompt for an install. At least they won't be able to do so from script, like a normal web page could. Users would have to click on an actual link to a .xpi download.

Group: firefox-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Add-ons Manager
Ever confirmed: true
Product: WebExtensions → Toolkit
Version: other → unspecified
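As an added illustration (not code from Firefox or from anyone on this bug), a small JavaScript model of the two install gates described above and of why a reader-mode URL slips past the first one; the about:reader?url=<encoded original> form, the displayHost behaviour and the unwrapping step are assumptions made for the model, not a description of the actual fix.

```javascript
// Model of the two gates in front of an add-on install (added example, not
// Firefox code). Assumption: reader mode renders "about:reader?url=<encoded URL>".

// Gate 1: a privileged "browser page" may skip the "allow this site to install
// add-ons?" prompt. The naive check treats any about: URI as a browser page.
function isBrowserPage(url) {
  return new URL(url).protocol === "about:";
}

// Models nsIURI.displayHost: an about: URI has no host, so the call fails,
// which is the NS_ERROR_FAILURE in the stack trace once gate 1 was skipped.
function displayHost(url) {
  const u = new URL(url);
  if (!u.hostname) throw new Error("NS_ERROR_FAILURE: no host for " + url);
  return u.hostname;
}

// Naive decision: the reader view looks like a browser page, so no site prompt.
function naiveNeedsSitePrompt(url) {
  return !isBrowserPage(url);
}

// Hardened variant (an assumption for illustration): map the reader view back
// to the article it renders before deciding on prompts or showing a host.
function effectiveOrigin(url) {
  const u = new URL(url);
  if (u.protocol === "about:" && u.pathname === "reader") {
    const original = u.searchParams.get("url");
    if (original) return original;
  }
  return url;
}

function hardenedNeedsSitePrompt(url) {
  return !isBrowserPage(effectiveOrigin(url));
}

function hardenedDisplayHost(url) {
  return displayHost(effectiveOrigin(url));
}

// Constructed sample input: the article from this bug opened in reader mode.
const SAMPLE_READER_URL =
  "about:reader?url=https%3A%2F%2Fwoltman.com%2Fgnome-bad%2F";
// naiveNeedsSitePrompt(SAMPLE_READER_URL)   -> false (gate 1 skipped)
// hardenedNeedsSitePrompt(SAMPLE_READER_URL) -> true
// hardenedDisplayHost(SAMPLE_READER_URL)     -> "woltman.com"
```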

nothing gets installed (and it would require a prompt before doing so).

And that is a relief! :)

Thanks for your work!
C.

Severity: -- → S4
Priority: -- → P3