User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040510
Build Identifier:

I just installed 0.9 on a friend's machine who had been using 0.7 for a while now. I noticed the new version has "allow websites to install software" enabled by default. It would be nice if Firefox is secure by default. This way, we can unconditionally recommend Firefox to our non-technical friends, clients, family members, etc. Allowing websites to install extensions can subvert security. Therefore, having this feature enabled by default will lead to problems that will give Firefox a bad reputation. This issue was even mentioned in Security Focus's "Time to Dump Internet Explorer" article, http://www.securityfocus.com/columnists/249. I mean, look at the countless IE issues due to their poor security stance, in particular ActiveX. Please don't let this great browser fall into this trap.

Reproducible: Always

Steps to Reproduce:
This will work in conjunction with an allowed sites whitelist, which currently stands at three sites. This is necessary for extensions and themes to operate, and forcing users to enable core features is a bad design decision. Even with this checked, the user must still agree to the installation prompt after the delay. Making using themes/extensions more onerous for users is a false economy when it comes to security. If there is an actual exploit to the XPI install process, it should be fixed, not wallpapered over by disabling a core feature.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WONTFIX
Thanks for the clarification on what the operating procedures will be for installing extensions. For those who come across this bug before seeing other documentation and "bugs" on this, check out the following:

* http://plugindoc.mozdev.org/faqs/xpinstall.html
* Make nsInstallTrigger::UpdateEnabled check with permission manager (bug 240552)
* XPInstall Permission Manager UI (bug 241705)
* Indicator/dialog for blocked XPIs (bug 246131)
* Themes should not be required to be whitelisted (bug 246375)