Closed
Bug 267741
Opened 20 years ago
Closed 20 years ago
With foo.com linking to an .xpi on bar.com, "edit options" adds foo.com and then allows bar.com to install xpis
Categories
(Toolkit :: Add-ons Manager, defect)
RESOLVED
DUPLICATE
of bug 257055
People
(Reporter: doronr, Assigned: bugs)
Details
(Whiteboard: [sg:nse])
Example: try installing venkman from
http://weblogs.mozillazine.org/asa/archives/006187.html. The link links to
http://silver.warwickcompsoc.co.uk/temp/venkman-0.9.84.xpi, yet pressing "edit
options" when I get the xpi blocked message bar says weblogs.mozillazine.org.
Adding that to the allow list, I then click on the link again, and it will
install http://silver.warwickcompsoc.co.uk/temp/venkman-0.9.84.xpi.
Maybe this is done on purpose, but it seems like a potential cause for trouble.
Verified it happens on rc2 and latest aviary cvs.
Comment 1•20 years ago
This is expected behavior. The feature was designed such that you whitelist the
site linking to the XPI, not the host of the XPI. I believe this is a duplicate
of an invalid or wontfix public bug.
Reporter
Comment 2•20 years ago
So there are no concerns that trusted sites host comments that link to evil.com
xpis?
Comment 3•20 years ago
Before whitelisting we had an install prompt that shows you where the .xpi
lives, and the user had to decide if that was a site they trusted or not. If
it's a different site than the one they're on they might be suspicious, or maybe
not.
We added whitelisting, which simply blocks the ability of sites to bombard or
coerce you into installing by holding you hostage with modal dialogs. If you add
a site to the whitelist you are saying you trust that site will prompt you to
install only at responsible times (such as in response to a link click). You
still need to decide if you trust the site the software was installed on, or
whether you trust the author of the text including that link.
What you really want is bug 252830, the ability to let a single install through
without having to add the referring site to the whitelist permanently.
*** This bug has been marked as a duplicate of 252830 ***
Group: security
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:nse]
Comment 4•20 years ago
I wouldn't have said that was at all what this bug was about: the root bug seems
to me to be that the infobar completely misrepresents what it is doing, to the
point that even Doron thought it was an install blocker, not a dialog blocker.
Click Asa's link, and you should be told "To prevent sites from annoying you,
Firefox stopped this site (weblogs.mozillazine.org) from prompting you to
install software" not "To protect your computer, Firefox prevented this site
(weblogs.mozillazine.org) from installing software on your computer."
Updated•20 years ago
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 5•20 years ago
See bug 240552 comment 38.
*** This bug has been marked as a duplicate of 257055 ***
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → DUPLICATE
Updated•17 years ago
Product: Firefox → Toolkit