Closed Bug 271097 Opened 20 years ago Closed 19 years ago

searchplugin auto update should ask user

Categories

(Firefox :: Search, defect)

Product:
Firefox
Component:
Search
Version:
1.0 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: axel, Assigned: torisugari)

Details

(Keywords: privacy, Whiteboard: [sg:fix][l10n impact])

Attachments

(2 files, 2 obsolete files)

UI patch for Firefox
5.62 KB, patch
mconnor
: review+
mconnor
: approval1.8b4+
Details | Diff | Splinter Review
Patch for Core (no l10n impact)
1.34 KB, patch
cbeard
: review+
cbeard
: approval1.8b4+
Details | Diff | Splinter Review
Currently, searchplugins automatically update without getting a confirmation for that download and install from the user. This raises some privacy concerns, as the updated searchplugin could send user data to a different server which could gather userdata that way. There are at least two ways to do this. One would be by adding a third line to Extras - Preferences - Extended - Software Update like [ ] searchplugins and check that pref before updating. The next one would be to pop up a dialog, or a toolbar or something, if a update is available, and ask a "do you want to do now, not, [] don't ask again" standard UI dialog.
One advantage for the global pref, from a privacy perspective, is that it would stop any server pings that are not user-initiated. If a paranoid user turned it off then only explicitly initiated searches would go to the search server (which, as we've recently found, has its own privacy issues). For the per-update dialog to be bearable it'd have to come up after we've already checked and found an update available. Asking every 3 days whether we can check for updates (times number of plugins) would quickly get the dialog turned off, in which case there's not much point. I guess the truly paranoid could simply remove the search plugins to stop the pings, after they find out that's what we're doing. The global option would be easier to implement, and easier for users to fit into a consistent mental model of "things that check themselves for updates". Or maybe we have to do both.
Keywords: privacy
Whiteboard: [sg:fix]
Apart from privacy issues, there is another point in asking for update confirmation. I edited one of the search plugins to better suit my needs and today I found out to my surprize that it got overwritten by the original version. (I cannot tell how happy I was.) It is the more strange, as the searchplugin itself was not updated on mozdev.org for more than 8 months. Next time I will rename the src file, but can I be sure that nobody will come up with the same name for some future plugin?!?
OK, i got it, please disregard previous post. If user is nosy enough to modify plugins, he better remove the Update, UpdateIcon, and UpdateCheckDays entries from the BROWSER section as well.
I agree, User permission should be required. I had modified not the src files, but the gif files (so I could tell the different google plugins apart by the icon) and they replaced themselves with the originals yesterday.
Who can own this issue? We really should fix it for 1.1
Flags: blocking-aviary1.1+
(In reply to comment #5) > Who can own this issue? We really should fix it for 1.1 Agreed; this issue of self-updating software is infuriating, especially with extensions, but this is such a simple thing (on the face of it), and to overwrite local customisations is unforgiveable.
Assignee: p_ch → nobody
IMHO, the ultimate blocker of this bug would be bug 191642 And if I (or somebody else) put the pref under [Tools] > [Options] > [Advanced] > [Update], it might be misunderstanding to some extent. A third party search plugin author can distribute his/her plugin as a xpi package, but that pref has nothing to do with Software Update nor Extension/Theme Update...
Attached patch Patch (obsolete) — Splinter Review
checkbox whether or not to send ping.
Attachment #190943 - Flags: review?(mconnor)
Mike+Mike: we need to decide what, if anything, we do with this in 1.5. One thing we want to think about is how behaviour is different between user-installed search plugins (through the low-privilege installSearchPlugin interface) and those that are pre-installed by us/localizers or by extensions.
Assignee: nobody → mconnor
I'm inclined to agree with the reporter. There's two UE problems here: 1) we don't tell users anywhere in the UI that we update these things 2) we don't give them a place to control that behaviour Adding a confirmation dialog would be both irritating (and thus just ignored quickly) and inconsistent with how we do other forms of updates. There's a single area in the prefs for handling All Things Updating, and it seems that's the best place for a direct control of this sort of thing. Default should be set to "on". Here's some ASCII art: .---------------------------------------------------------------. |General|Update|Security| | |-------| |------------------------------------------------| | | | Automatically check for updates to | | [x] Firefox [ Check now ...] | | [x] Installed extensions & themes [ Check now ...] | | [x] Installed search engines [ Check now ...] | | | | When updates to Firefox are found, | | ( ) Ask me what I want to do | | (o) Automatically download and install the update | | [x] Warn me if this will disable extensions or themes | | | | [Show Update History] | '---------------------------------------------------------------' This doesn't cover the manual update of a searchplugin case, but IMO that's pretty consistent with how we update anything (ie: extensions & themes.) note: mconnor and I have a list of things we want to do to better manage search and searchplugins for 2.0, and this has been added to it.
Blocks: 304100
I'm happy with separating updates to the Firefox core from updates to extensions, but I don't see why search plugins are treated differently from other extensions. For instance, why is it acceptable to install search plugins from any site, but other extensions require whitelisting? I appreciate the different level of access to the OS that search plugins have, but in terms of potential for abuse of privacy, its just as concerning, and this issue is all about privacy. Treat them the same, call them all extensions, then there could be an option for each installed extension to autoupdate built in to the FF core. With those extensions I trust (or am interested in bleeding edge) I can enable autoupdate, for others, I won't.
(In reply to comment #11) > I'm happy with separating updates to the Firefox core from updates to > extensions, but I don't see why search plugins are treated differently from > other extensions. For instance, why is it acceptable to install search plugins Because they're not extensions, and aren't managed by the Extension Manager, which as I mentioned about is a known problem but not fully containable for 1.5. We can't simply equate them with extensions without doing a bunch of work to give them proper treatment in the extension manager, and even then, it gets confusing when you consider that searchplugins can be packaged as extensions. Better searchplugin management to get it on par with themes & extensions is something mconnor and I will be looking at for the next release.
Flags: blocking-aviary1.5+ → blocking1.8b4+
Comment on attachment 190943 [details] [diff] [review] Patch >+<!ENTITY enableSearchUpdate.label "Search Plugins"> >+<!ENTITY enableSearchUpdate.accesskey "P"> I guess Search Engines is better here, beltzner? > InternetSearchDataSource::validateEngine(nsIRDFResource *engine) > { > nsresult rv; > >+ // confirm whether the user wants to update plugins. >+ PRBool userAllowed = PR_TRUE; >+ nsCOMPtr<nsIPrefBranch> >+ prefBranch(do_GetService(NS_PREFSERVICE_CONTRACTID, &rv)); >+ NS_ENSURE_SUCCESS(rv, rv); >+ >+ rv = prefBranch->GetBoolPref("browser.search.update", &userAllowed); >+ // if the pref value is not set or wrong type, don't stop here. >+ NS_ENSURE_TRUE((NS_FAILED(rv) || userAllowed), NS_OK); >+ Please move the PRBool decl after getting the prefbranch. I really don't think we want a noisy return just because someone disables the pref, so please change the NS_ENSURE_TRUE. What I think we want is: if (NS_SUCCEEDED(rv) && !userAllowed) return NS_OK;
Attachment #190943 - Flags: review?(mconnor) → review-
Attached patch UI patch for Firefox (obsolete) — Splinter Review
This patch has l10n impact. Should I write a patch for "Check Now"? It's hard, if possible, to be in 1.5, imho.
Attachment #190943 - Attachment is obsolete: true
Comment on attachment 192383 [details] [diff] [review] UI patch for Firefox Oops, accesskey confilct. Sorry for bug spam.
Attachment #192383 - Attachment is obsolete: true
Whiteboard: [sg:fix] → [sg:fix][l10n impact]
Every char in "Search Engines" other than "h" and "i" is already assinged. And according to http://www.mozilla.org/access/keyboard/accesskey , both don't seem good accesskeys. However, -> "h"
Attachment #192389 - Flags: review?(mconnor)
Attachment #192389 - Flags: review?(mconnor) → review+
Attachment #192389 - Flags: approval1.8b4?
(In reply to comment #14) > Should I write a patch for "Check Now"? > It's hard, if possible, to be in 1.5, imho. If you can make it for 1.5, it'd be great to have for the sake of consistency. Not *required* for this patch to land, though, IMO. Just kinda looks less professional without it.
Check now would be nice, but the current service isn't set up to do that, and the value is outweighed by the size/risk of a patch to make the service do that. Another log for the "Burn search to the ground" fire.
Is the update for the searchplugins kicked off only by the periodic update check, or is it part of the extensions & themes check? One option is to do something like: Automatically check for updates to [x] Firefox [ Check now ...] [x] Installed extensions & themes [ Check now ...] [x] including search engines (But I think that only makes sense / ends up making for better UI if the search engines are part of the extension update, as otherwise we end up saying that searchplugins are more closely associated with the core app than with extensions .. ugh)
comment #13 addressed.
Attachment #192395 - Flags: review?(mconnor)
(In reply to comment #19) > Is the update for the searchplugins kicked off only by the periodic > update check, or is it part of the extensions & themes check? It has nothing to do with the extension update, at the moment. But we can install search plugin via extension manager (this is a new feature in 1.5). In that case, double update check would be held, as they are completely independent from each other.
(In reply to comment #21) > It has nothing to do with the extension update, at the moment. OK, forget it, then. Let's go with what we have.
Comment on attachment 192395 [details] [diff] [review] Patch for Core (no l10n impact) r=shaver
Attachment #192395 - Flags: review?(mconnor)
Attachment #192395 - Flags: review+
Attachment #192395 - Flags: approval1.8b4+
Assignee: mconnor → torisugari
Attachment #192389 - Flags: approval1.8b4? → approval1.8b4+
bug 304100 is not really related to this issue, and the current updateURL is mozilla.org anyway. both patches landed, marking FIXED, thanks!
No longer blocks: 304100
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: