User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608 With the addition of the XPInstall whitelist, theme installation from unlisted servers became impossible, even though installing themes through InstallTrigger.installChrome(InstallTrigger.SKIN, ...) is considered safe. Theme installation using this method should be exempt from the whitelist requirement. A workaround for this issue is to package themes as XPIs and have the users install them from the local filesystem. This makes themes dangerous and theme authors should not be tempted to resort to XPIs. Reproducible: Always Steps to Reproduce:
Are themes really safer than extensions?
(In reply to comment #1) > Are themes really safer than extensions? AFAIK there are two different ways of installing a theme: 1) XPI package with embedded install script 2) JAR package with a call to InstallTrigger.installChrome(InstallTrigger.SKIN, ...) from a webpage Firefox seems to offer another one (extension-manager), but I expect it to be functionally similar to method 2. Method one is clearly not safer and should not be treated differently. An XPI packaged theme is exactly as powerful as any other XPI package. Method two involves no theme-provided scripts. The InstallTrigger.installChrome() function can apparently install dangerous things too, but with InstallTrigger.SKIN as first argument, no theme-provided code will be executed, neither during the install nor later. Themes which are installed this way are marked with c:allowScripts="false" in chrome.rdf. I have not looked at the relevant Mozilla code though, so I may not be aware of all possible ways to have external code executed. Anyways, it _should_ not be possible to introduce code with normal themes. If a theme needs to add code, it can resort to the XPI method and be subjected to whatever security measures are chosen for fully fledged XPI packages.
Fixed on trunk plus aviary and 1.7 branches
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Keywords: fixed-aviary1.0, fixed1.7.x
Resolution: --- → FIXED
One consequence of this is that I'm hearing many more reports now of failed Theme installs. Since it's easier for users to try to install themes, they grab a worthless one off some website, and when they switch and reload Firefox they're getting the "Error: No XBL Binding..." message. Security may not be an issue, but these bad themes are giving Firefox a bad name.
See also bug 304931, "Installing theme from website allowed, even though website is not whitelisted".
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Jesse's right, this was undone by bug 304931 and will stay that way. Themes should be considered more like screen savers (active, potentially dangerous content) than images (safe static content).
Status: REOPENED → RESOLVED
Last Resolved: 14 years ago → 12 years ago
Resolution: --- → WONTFIX
Whiteboard: reverted in 304931
You need to log in before you can comment on or make changes to this bug.