Closed Bug 236056 Opened 20 years ago Closed 20 years ago

pop up XPInstall dialog when user is about to click

Categories

(Firefox :: General, defect, P1)

Tracking

RESOLVED FIXED
Firefox0.9

People

(Reporter: bugs, Assigned: bugs)

Details

This is the Firefox version of bug 162020 - if the web author creates a page
that encourages the user to quickly double click in random spots on the screen,
and one of those clicks invokes the XPI installation dialog, if the dialog is
opened at the same spot all the time and the "Install" button is enabled the
user can inadvertently install undesired software.

For Firefox we will disable the button for a short period after the install
confirmation dialog is shown to prevent double-clicks from working.

Taking, targeting. I'll get to it this week.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → Firefox0.9

Fixed.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

I think this patch doesn't guard against a variant of the attack I alluded to in
bug 162020 comment 0:
1. Open a new window.
2. In the original window, pop up an XPI dialog.
3. Convince the user to double-click somewhere in the new window.
4. On the first click, close the new window, letting the XPI dialog show through.

If the dialog starts without focus or loses focus, it needs to disable the
button and start counting down when the dialog gains focus.  (This will probably
annoy Linux users whose window managers don't focus modal dialogs, but I don't
see an obvious way around that.)
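
An added example (not Firefox's code and not written by anyone in this bug) of the focus-aware countdown the comment above asks for, replayed against the covered-dialog sequence it describes. The 2000 ms delay, the injectable clock, and all class, method and function names are assumptions.

```javascript
const DELAY_MS = 2000; // assumed value; the bug only says "a short period"

class InstallButtonGuard {
  // `now` is an injectable clock so the logic can be checked without real timers.
  constructor(now = () => Date.now(), delayMs = DELAY_MS) {
    this.now = now;
    this.delayMs = delayMs;
    this.focused = false;
    this.armedAt = null; // time the current countdown started, or null if none
  }

  // Dialog opened. Only start counting if it actually has focus.
  onShown(hasFocus) {
    this.focused = hasFocus;
    this.armedAt = hasFocus ? this.now() : null;
  }

  // Losing focus cancels any countdown: the button is disabled again.
  onBlur() {
    this.focused = false;
    this.armedAt = null;
  }

  // Gaining focus always restarts the countdown from zero.
  onFocus() {
    this.focused = true;
    this.armedAt = this.now();
  }

  // True only if a click on Install is allowed to confirm the install.
  clickInstall() {
    return this.focused && this.armedAt !== null &&
           this.now() - this.armedAt >= this.delayMs;
  }
}

// Constructed scenario from the comment above: the dialog opens behind another
// window, and that window closes on the first click of a double-click.
function replayCoveredDialog(gapMs) {
  let t = 0;
  const guard = new InstallButtonGuard(() => t);
  guard.onShown(false);   // dialog shown without focus, hidden behind the new window
  t += 10000;             // a timer started at show time would have expired by now
  guard.onFocus();        // first click closed the cover; dialog gains focus
  t += gapMs;             // second click lands gapMs later
  return guard.clickInstall();
}
```
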
This bug is still marked as security-sensitive because it contains a detailed
description of bug 239411, which is not fixed.

Published bug, removing confidential flag
Group: security