Bug 257055 (Closed)
Opened 20 years ago
Closed 20 years ago
XPinstall whitelist: incorrect site shown if xpi is hosted on another site
Categories: Firefox :: General, defect
Status: VERIFIED INVALID
Reporter: amotohiko_mozillafirebird, Assigned: bugzilla
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; ja-JP; rv:1.7.2) Gecko/20040826 Firefox/0.9.3+
Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; ja-JP; rv:1.7.2) Gecko/20040826 Firefox/0.9.1+
If XPI files are hosted on another site, clicking the XPI's link says
that the web page's site is not in the XPInstall whitelist.
This should be the XPI's hosting site.
Reproducible: Always
Steps to Reproduce:
1. visit http://www.geocities.co.jp/SiliconValley-SanJose/9076/offline/index.en.html
2. click on the XPI's link.
Actual Results:
Firefox will say "To protect your computer, Firefox prevented this site (www.geocities.co.jp) from installing software on your computer."
Expected Results:
The site in the notification bar should be "www1.ttcn.ne.jp".
Comment 1•20 years ago
See bug 240552 comment 38.
http://bugzilla.mozilla.org/show_bug.cgi?id=240552#c38
The whitelist is based on sites linking to the extension, not hosting it. This
is intentional.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Comment 2•20 years ago (Reporter)
(In reply to comment #1)
> See bug 240552 comment 38.
> http://bugzilla.mozilla.org/show_bug.cgi?id=240552#c38
Thank you.
Sending the HTTP referrer is needed if the XPI is placed on another site.
We must note this because some firewall software (e.g. Norton
Internet Security) removes all referrers by default.
Comment 3•20 years ago
*** Bug 261056 has been marked as a duplicate of this bug. ***
Comment 4•20 years ago
A possible exploit of this behavior is that if a hacker creates a bad
extension, he may just have to post a link to it on several likely-to-be-trusted
sites like update.mozilla.org (through comments), mozillazine, mozdev, etc., and
his chances to fool a user would increase severely. So a blacklist would be a
nice complement to whitelisting.
Anyway, the purpose of the whitelist is misleading. It says: "Allowed websites
to install software". These terms are ambiguous at best, and technically
incorrect, since the site actually "installing" the extension is the linked host.
The only harm I see in having a whitelist based on XPI URLs is the chance of getting
to an extension aggregation site that links to several dozen remotely hosted
XPIs. That would be annoying, but more secure for sure.
There could also be an additional setting to explicitly ask the user if he
wants to allow any software, even remotely hosted, to be allowed for the current
website, with a big warning. I feel that after setting a whitelist, users may pay
less attention to the URL presented in the confirmation dialog. Users may think:
"OK, I agreed to that mozdev.org site that friend of mine told me about; from now on
Firefox should take care, so this whatever should be OK." They won't necessarily
think that the linked site is different from a trusted site. And the risk is
big, we know.
Comment 5•20 years ago
*** Bug 267741 has been marked as a duplicate of this bug. ***
Comment 6•20 years ago
*** Bug 266794 has been marked as a duplicate of this bug. ***
Comment 7•20 years ago
*** Bug 298079 has been marked as a duplicate of this bug. ***
Updated•20 years ago
Status: RESOLVED → VERIFIED
OS: Windows ME → All
Hardware: PC → All
Version: unspecified → Trunk
Comment 8•19 years ago
*** Bug 308056 has been marked as a duplicate of this bug. ***