Closed Bug 275545 Opened 20 years ago Closed 20 years ago

Firefox allows any web site to install .xpi extensions if the file URL is written manually in the address bar

Categories

(Firefox :: Installer, defect)

1.0 Branch
x86
Linux
defect
Not set
normal


VERIFIED INVALID

People

(Reporter: razvan.cosma, Assigned: bugs)


Details

One of the issues listed in said blog refers to the Flashblock extension which
installs if the URL (http://mozdev.xmundo.net/flashblock/flashblock-1.2.5.xpi)
is written in the address bar although the site is not in the allowed list. This
is not related to just one extension, of course. User interaction is required,
and I couldn't figure out any way to trick the browser via JavaScript, but who knows...

As-designed: if users manually type addresses into the URL bar we assume they
really, really, mean it and ignore whitelisting blocks for that install request.
Whitelisting is a mechanism to prevent sites from abusing users with modal
dialogs in an attempt to coerce them into giving up and clicking "Install", and
that's not the case for a manually entered URL.

The user is still presented with the install confirmation dialog.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
QA Contact: bugzilla → installer