Closed Bug 261056 Opened 20 years ago Closed 20 years ago

Allowing a site to install extensions, allows linked extensions even from other non trusted sites

Categories

(Toolkit :: Add-ons Manager, defect)

x86
Windows 2000
defect
Not set
critical

VERIFIED DUPLICATE of bug 257055

People

(Reporter: bugzilla, Assigned: bugs)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10

Visited planet.mozilla.org and there was a link to Phil Ringnalda's live bookmark this extension (http://philringnalda.com/mozilla/livemarkthis.xpi). Extension manager blocked it, I allow planet.mozilla.org. Then it allows the extension to be installed even when the extension is in another non trusted site.

The other way is also a bug: I set this test http://nostalsong.com/images/test.html with a link to an update.mozilla.org extension. Firefox blocks the extension even when the extension is served by u.m.o, a trusted site.

Reproducible: Always

Steps to Reproduce:
1. On report date, go to planet.mozilla.org
2. Click on Phil Ringnalda's link to his extension (pointing to his website)
3. If planet.mozilla.org is already in your trusted list of sites, it will allow the installation of the extension.

Actual Results: If the link is in a trusted site, the extension linked is also allowed. If the link is in an untrusted site, the extension is also blocked even when the linked extension is in a trusted site.

Expected Results: Extensions should be blocked/allowed according to the .XPI not the link location.
This was by design, and is a duplicate of bug 257055.

*** This bug has been marked as a duplicate of 257055 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
NB: it does *NOT* allow the installation of the extension, it allows the site to *ask* if you want to install it. At that point you can see where it's really from and decide. Other sites are not trusted even to *ask* in a non-abusive way.
Product: Firefox → Toolkit
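
The two behaviours contrasted in this report, as an added model that is not Firefox source code and not part of the original bug: the as-designed check keyed on the requesting page versus the reporter's expected check keyed on the host serving the .xpi. Exact-hostname matching, the function names, the whitelist contents and the update.mozilla.org path are assumptions made for illustration.

```javascript
// Model of the install-whitelist decision discussed in this bug.
// Not Firefox source; exact-hostname matching is an assumption.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable URL: treated as untrusted
  }
}

// Shared decision: the install prompt is allowed only if `checkedHost` is
// whitelisted. The prompt always names the host the .xpi really comes from.
function decide(checkedHost, xpiHost, whitelist) {
  if (checkedHost === null || xpiHost === null || !whitelist.has(checkedHost)) {
    return { action: "blocked", promptShows: null };
  }
  return { action: "prompt", promptShows: xpiHost };
}

// As designed (per the comments): the whitelist is checked against the page
// that requests the install, which is then allowed to *ask*.
function byRequestingPage(pageUrl, xpiUrl, whitelist) {
  return decide(hostOf(pageUrl), hostOf(xpiUrl), whitelist);
}

// As the reporter expected: the whitelist is checked against the .xpi host.
function byXpiHost(pageUrl, xpiUrl, whitelist) {
  return decide(hostOf(xpiUrl), hostOf(xpiUrl), whitelist);
}

// Constructed whitelist and scenarios mirroring the two cases in the report.
const whitelist = new Set(["planet.mozilla.org", "update.mozilla.org"]);
const scenarios = [
  { name: "whitelisted page, .xpi on another host",
    page: "http://planet.mozilla.org/",
    xpi: "http://philringnalda.com/mozilla/livemarkthis.xpi" },
  { name: "non-whitelisted page, .xpi on whitelisted host",
    page: "http://nostalsong.com/images/test.html",
    xpi: "http://update.mozilla.org/extensions/example.xpi" }, // constructed path
];

function compare() {
  return scenarios.map((s) => ({
    name: s.name,
    asDesigned: byRequestingPage(s.page, s.xpi, whitelist),
    reporterExpected: byXpiHost(s.page, s.xpi, whitelist),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

In the first scenario the as-designed policy returns `prompt` with the real source host shown, so the decision rests on the user reading that host in the dialog.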