"disabled" should be default for "allow websites to install software"




Add-ons Manager
14 years ago
10 years ago


(Reporter: Daniel Convissor, Assigned: Ben Goodger (use ben at mozilla dot org for email))


Firefox Tracking Flags

(Not tracked)




14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040510
Build Identifier: 

I just installed 0.9 on a friends machine who had been using 0.7 for a while
now.  I noticed the new version has "allow websites to install software" enabled
by default.

It would be nice if Firefox is secure by default.  This way, we can
unconditionally recommend Firefox to our non-technical friends, clients, family
members, etc.  Allowing websites to install extensions can subvert security. 
Therefore, having this feature enabled by default will lead to problems that
will give Firefox a bad reputation.

This issue was even mentioned in Security Focus's "Time to Dump Internet
Explorer" article, http://www.securityfocus.com/columnists/249.

I mean, look at Look at the countless IE issues due to their poor security
stance, in particular Active X.

Please don't let this great browser fall into this trap.

Reproducible: Always
Steps to Reproduce:
this will work in conjunction with an allowed sites whitelist, which current
stands at three sites.  This is necessary for extensions and themes to operate,
and forcing users to enable core features is a bad design decision.  Even with
this checked, the user must still agree to the installation prompt after the
delay.  Making using themes/extensions more onerous for users is a false economy
when it comes to security.  

If there is an actual exploit to the XPI install process, it should be fixed,
not wallpapered over by disabling a core feature.
Last Resolved: 14 years ago
Resolution: --- → WONTFIX

Comment 2

14 years ago
Thanks for the clarification on what the operating procedures will be for
installing extensions.  For those who come across this bug before seeing other
documentation and "bugs" on this, check out the following:

* http://plugindoc.mozdev.org/faqs/xpinstall.html
* Make nsInstallTrigger::UpdateEnabled check with permission manager
  (bug 240552)
* XPInstall Permission Manager UI (bug 241705)
* Indicator/dialog for blocked XPIs (bug 246131)
* Themes should not be required to be whitelisted (bug 246375)
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.