Closed
Bug 248922
Opened 20 years ago
Closed 20 years ago
"disabled" should be default for "allow websites to install software"
Categories
(Toolkit :: Add-ons Manager, defect)
RESOLVED
WONTFIX
People
(Reporter: danielc, Assigned: bugs)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a) Gecko/20040510
Build Identifier:

I just installed 0.9 on a friend's machine who had been using 0.7 for a while now. I noticed the new version has "allow websites to install software" enabled by default.

It would be nice if Firefox is secure by default. This way, we can unconditionally recommend Firefox to our non-technical friends, clients, family members, etc.

Allowing websites to install extensions can subvert security. Therefore, having this feature enabled by default will lead to problems that will give Firefox a bad reputation. This issue was even mentioned in Security Focus's "Time to Dump Internet Explorer" article, http://www.securityfocus.com/columnists/249.

I mean, look at the countless IE issues due to their poor security stance, in particular ActiveX. Please don't let this great browser fall into this trap.

Reproducible: Always
Steps to Reproduce:
Comment 1•20 years ago
This will work in conjunction with an allowed sites whitelist, which currently stands at three sites. This is necessary for extensions and themes to operate, and forcing users to enable core features is a bad design decision. Even with this checked, the user must still agree to the installation prompt after the delay.

Making using themes/extensions more onerous for users is a false economy when it comes to security. If there is an actual exploit to the XPI install process, it should be fixed, not wallpapered over by disabling a core feature.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Reporter
Comment 2•20 years ago
Thanks for the clarification on what the operating procedures will be for installing extensions. For those who come across this bug before seeing other documentation and "bugs" on this, check out the following:

* http://plugindoc.mozdev.org/faqs/xpinstall.html
* Make nsInstallTrigger::UpdateEnabled check with permission manager (bug 240552)
* XPInstall Permission Manager UI (bug 241705)
* Indicator/dialog for blocked XPIs (bug 246131)
* Themes should not be required to be whitelisted (bug 246375)
Updated•16 years ago
Product: Firefox → Toolkit