User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040615 Firefox/0.9 (NESI)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040615 Firefox/0.9
When installing an Extension (or Theme), a dialog window is shown with a warning text and a timeout. Only after the timeout has elapsed, the user can click on Install to get the Extension installed. However, he can also simply press Return, because "Install" has the default focus in this Extension install window. In Seamonkey 1.7, this is not so. Pressing return doesn't do anything. This behaviour "must" be duplicated in Fx.
The reason I say "must", is that this can be a security problem for the user. For instance, take the URL I mentioned. This site tries to trick the user into installing an XPI which will then install a so-called "Dialer". This is a malware program (for Windows) which resets the dial-up number to some extremely expensive number. Now, if the user did not pay close attention, he installed that dialer and thus has to reinstall the OS.
While I *do* think that users are responsible for what they are doing on their computer, Fx should not make it too easy to have a user shoot himself.
Reproducible: Always
Steps to Reproduce:
The URL I mentioned is a porn site and thus contains "sexually explicit" material. In pre-0.9 (and pre-SM-1.7) times, it tried to install the XPI directly when the user entered the site.
BTW: No, I don't go to such sites. But the site has been mentioned by Heise (a very large and influential German IT news site - http://www.heise.de/security/artikel/48349). This commentary by Heise sparked some very heated discussions in various German newsgroups.
It's pointless to hide a bug reported by the press, should not be "Security-Sensitive". Corresponding seamonkey bug is 149478. Problem due to forking?
(In reply to comment #1)
> It's pointless to hide a bug reported by the press, should not be
> "Security-Sensitive".
Well, I do think that it is security related, but I do agree that it should not be hidden. However, I cannot uncheck that checkbox. I would, if I could. Should I open another bug without the security check box checked?
> Corresponding seamonkey bug is 149478.
Yes, this seems to be very much related.
> Problem due to forking?
Don't know. Suppose so.
Unhiding by request of reporter.
I think the place to fix this is here: http://lxr.mozilla.org/mozilla/source/toolkit/mozapps/xpinstall/content/xpinstallConfirm.js#44
Is this a duplicate of bug #240637 ?
(In reply to comment #5)
> Is this a duplicate of bug #240637 ?
Yes, I think so.
*** This bug has been marked as a duplicate of 240637 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE