Closed
Bug 234068
Opened 20 years ago
Closed 20 years ago
Software Installation (xpinstall) should be disabled by default.
Categories
(Core Graveyard :: Installer: XPInstall Engine, enhancement)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: thesh_bugs, Unassigned)
Details
User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

For security reasons, I think xpinstall should be disabled by default. Many people just click "OK" to anything that pops up, and it would be best if this didn't pop up unless you specifically enable it. I think a dialogue box should come up when something uses it that looks something like this:

Software installation is disabled, etc.
[] Don't show this dialogue again.
[enable software installation] [ok]

Enabling software installation should come up with a confirm dialogue that quickly explains that what you install can be harmful etc. and then have OK and Cancel buttons.

Reproducible: Always
Steps to Reproduce:
I agree. I doubt the majority of users will even use extensions. Of course if we look at mozillazine everyone uses extensions, but I don't think the posters on the forums can be viewed as average users. Here are some interesting threads to look at.

First XPI spyware found, detailed discussion:
http://forums.mozillazine.org/viewtopic.php?t=64341

Very recent XPI spyware found:
http://forums.mozillazine.org/viewtopic.php?t=66531
I think I may have a fairly simple solution how to deal with this issue. How about shipping FireFox & Mozilla with the XPInstall OFF by default. Then when you attempt to install an XPI package you are prompted to turn ON XPInstall via the Options Menu (currently NOTHING HAPPENS if XPInstall is disabled; no warning no install).... Currently there is no GUI for XPInstall Options in FireFox (unlike Netscape/Moz which does have one)... The original warning prompt can be made sticky or occur only once (much like the check box to turn off the popup blocking or ssl security warnings forever)...

|mockup of preferences|
*******************
//XPI package enable/disable
user_pref("xpinstall.enabled", false);
//Show XPI install enable alert when disabled
user_pref("xpinstall.disabled_alert", true);
//Show XPI install enable alert only once
user_pref("xpinstall.disabled_alert.show_once", false);

Again we need to remember that we can't prevent people from clicking OK or Install every time they see a dialogue box....
Comment 3•20 years ago
*** This bug has been marked as a duplicate of 238684 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 4•20 years ago
Bug 238684 is about blocking unrequested XPI's. This is about shipping Mozilla with XPInstall disabled and then having a message that explains XPI's and allows you to enable it there.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 5•20 years ago
Xpinstall should not be disabled by default. That would immediately kill extensions and any other type of install (plugins, patches, other applications, etc.) If you believe users are too dumb to read the current xpinstall dialog, there's no reason to believe they'll be smart enough to read this new one.
Reporter
Comment 6•20 years ago
For the most part, people won't even be using XPInstall. Yes, there are some that will need it, and that is the point of the dialogue that allows you to enable it at start. I only used it for a few extensions, and that was it. Every plugin I ever wanted had an executable installer, and nothing else has been required by me (or will be by the majority of users).

The other option that I have heard over at Mozillazine is to leave it disabled except for certain sites (e.g. mozilla.org and mozdev.org); this would make sure that if mozilla started using patches, it wouldn't be broken. Most extensions could be hosted by Mozdev or other sites, and that way it wouldn't be broken either.

XPInstall is starting to be targeted by spyware, and disabling it by default will stop further development of XPI malware.
(In reply to comment #5)
> Xpinstall should not be disabled by default. That would immediately kill
> extensions and any other type of install (plugins, patches, other applications,

I disagree (respectfully). There is a learning curve with Moz/FF and when you have XPI disabled by default but yet STILL have a warning you at least give the (new, not necessarily dumb) user a chance to try to learn a bit about XPI installation before they choose to enable it.

> If you believe users are too dumb to read the current xpinstall dialog,
> there's no reason to believe they'll be smart enough to read this new one.

I agree somewhat but then there are 2 points to consider

1. User too dumb to use XPI Install
Solution: Then user is protected by having XPI Disabled. In the course of figuring out why his/her extensions won't install he/she will (hopefully) get educated

2. (Dumb) User doesn't read and just clicks
Solution: Then user is still protected by having XPI Disabled. Then wonders why his "plugins, patches, other applications" won't install .... see point #1
Comment 8•20 years ago
See Bug 240552. I doubt that initially disabling xpinstall completely will ever happen.
Comment 9•20 years ago
WONTFIX for now, the whitelist mechanism effectively does this per site.
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Product: Core → Core Graveyard