Default focus in Theme/Extension install dialog should be "Cancel" (and not "Install") - like it is in Seamonkey

VERIFIED DUPLICATE of bug 240637

Status

Toolkit
Add-ons Manager
--
major
14 years ago
10 years ago

People

(Reporter: Alexander Skwar, Assigned: Ben Goodger (use ben at mozilla dot org for email))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040615 Firefox/0.9 (NESI)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040615 Firefox/0.9

When installing an Extension (or Theme), a dialog window is shown with a warning
text and a timeout. Only after the timeout has elapsed, the user can click on
Install to get the Extension installed.

However, he can also simply press Return, because "Install" has the default
focus in this Extension install window. In Seamonkey 1.7, this is not so.
Pressing return doesn't do anything. This behaviour "must" be duplicated in Fx.

The reason I say "must", is that this can be a security problem for the user.
For instance, take the URL I mentioned. This site tries to trick the user into
installing an XPI which will then install a so-called "Dialer". This is a malware
program (for Windows) which resets the dial-up number to some extremely
expensive number. Now, if the user did not pay close attention, he installed
that dialer and thus has to reinstall the OS. While I *do* think that users are
responsible for what they are doing on their computer, Fx should not make it too
easy to have a user shoot himself.




Reproducible: Always
Steps to Reproduce:




The URL I mentioned is a porn site and thus contains "sexually explicit"
material. In pre-0.9 (and pre-SM-1.7) times, it tried to install the XPI
directly when the user entered the site.

BTW: No, I don't go to such sites. But the site has been mentioned by Heise (a
very large and influential German IT news site -
http://www.heise.de/security/artikel/48349). This commentary by Heise sparked
some very heated discussions in various German newsgroups.
(Reporter)

Updated

14 years ago
Flags: blocking1.0?

Comment 1

14 years ago
It's pointless to hide a bug reported by the press, should not be
"Security-Sensitive".

Corresponding seamonkey bug is 149478. Problem due to forking?

Updated

14 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 2

14 years ago
(In reply to comment #1)
> It's pointless to hide a bug reported by the press, should not be
> "Security-Sensitive".

Well, I do think that it is security related, but I do agree that it should not
be hidden. However, I cannot uncheck that checkbox. I would, if I could.

Should I open another bug without the security check box checked?

> Corresponding seamonkey bug is 149478. 

Yes, this seems to be very much related.

> Problem due to forking?

Don't know. Suppose so.

Comment 3

14 years ago
Unhiding by request of reporter.
Group: security

Comment 4

14 years ago
I think the place to fix this is here:

http://lxr.mozilla.org/mozilla/source/toolkit/mozapps/xpinstall/content/xpinstallConfirm.js#44

Comment 5

14 years ago
Is this a duplicate of bug #240637 ?
(Reporter)

Comment 6

14 years ago
(In reply to comment #5)
> Is this a duplicate of bug #240637 ?

Yes, I think so.

*** This bug has been marked as a duplicate of 240637 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Updated

14 years ago
Flags: blocking-aviary1.0?

Updated

14 years ago
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit