Closed
Bug 278315
Opened 20 years ago
Closed 20 years ago
URL of XPI clicked from ChatZilla not blocking install
Categories
(Other Applications :: ChatZilla, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: thib+mozilla, Assigned: bugs)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Chatzilla 0.9.67 [Firefox 1.0/20041107]

When clicking on an XPI from Firefox, the installation is blocked if the origin is not trusted. But when the URL is clicked from ChatZilla, the installation dialog appears with the usual countdown warning and lets me install, seemingly without checking the origin.

Steps to reproduce:
1. In Firefox, go to http://www.hacksrus.com/~ginda/chatzilla/ and click on a ChatZilla version, for instance the one that points to http://www.hacksrus.com/~ginda/chatzilla/xpi/chatzilla-0.9.67.xpi
2. In ChatZilla, say http://www.hacksrus.com/~ginda/chatzilla/xpi/chatzilla-0.9.67.xpi in a channel and click the resulting link.

Actual results:
1. Firefox says it is protecting my computer by not letting hacksrus.com install software.
2. The extension installation dialog shows up, with the warning (ironically) that malicious software can damage my computer, and lets me install after the countdown is over.

Expected results:
2. should be the same as 1.

My whitelist is empty, if there's one. I've tried this with Firefox open at a "trusted" page and open at an "untrusted" page.
Comment 1•20 years ago
Even though it's not entirely obvious (since it lies by saying it protected your computer by stopping installation, when in fact it means it protected your sanity by stopping asking for permission to install), the whole purpose of the installation whitelist and the infobar is to prevent websites from badgering you into installing an extension by throwing up the installation dialog, and then throwing it up again and again if you cancel it. When you add a site to the whitelist, you are saying that you trust it to not be annoying about asking for installs, not that you trust its judgement about what installs are safe. So unless Chatzilla will let someone send you a link with JavaScript handlers to track whether or not you cancelled the install, there's no bug (except the continuing one of needing to somehow better explain what the XPInstall whitelist is actually whitelisting).
Comment 2•20 years ago
Unlike a webpage, Chatzilla logs can't hide links and can't script content loads. There's no need for the extra whitelist blocking; the original XPInstall confirmation dialog is protection enough against unwanted installs.

Currently chrome: apps are effectively whitelisted. If one of them is going to be abusive they could just download and install files in the background. There's no point in preventing well-intentioned extensions from doing it the easy way; at least it goes through the standard UI and gives users a chance to cancel. If we block that, extensions would invent different mechanisms for updating things, which gives us a whole bunch more potential attack vectors we'd have to secure. Granted, a link in a chatzilla log isn't that kind of intentional update feature, but it's all a package deal.

I'm going to WONTFIX this (rather than INVALID/as-designed). If you find a way to abuse install attempts in chatzilla there are probably things we could do (in chatzilla code, changing product of bug) to give XPInstall enough hints to be able to distinguish and thus block them.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Extension/Theme Manager → ChatZilla
Product: Firefox → Other Applications
Resolution: --- → WONTFIX
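The two comments above describe the decision the XPInstall whitelist actually makes: it is keyed on the origin of the document that triggered the install (so that a site cannot nag with repeated prompts), not on the host serving the .xpi, and a chrome: caller such as ChatZilla is implicitly trusted and goes straight to the confirmation dialog. The model below is an added example written for this page, not Firefox or ChatZilla code; the function names, the whitelist contents and the chrome: URL used for ChatZilla are assumptions. It replays the reporter's two steps to show why step 1 gets the infobar and step 2 gets the countdown dialog.

```javascript
// Added example (not Firefox/ChatZilla code): a model of the XPInstall
// whitelist decision described in bug 278315. Names are hypothetical.

// Origin (scheme + host) of a URL. For the decision below this is always
// computed from the document that *requested* the install, never from the
// URL of the .xpi itself.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide what the browser does with an install request.
//   requestingDocUrl: URL of the page/app that triggered the install
//   xpiUrl:           URL of the package to install (not consulted for trust)
//   whitelist:        Set of origins trusted not to nag (user-managed)
// Returns "infobar" (install blocked, user may whitelist the site) or
// "prompt" (the XPInstall confirmation dialog with countdown is shown).
function decideInstall(requestingDocUrl, xpiUrl, whitelist) {
  const req = new URL(requestingDocUrl);

  // chrome: callers (the browser's own UI, extensions such as ChatZilla)
  // are effectively whitelisted, as comment 2 states: they could install
  // files in the background anyway, so they get the standard dialog.
  if (req.protocol === "chrome:") {
    return { action: "prompt", reason: "chrome: caller is implicitly trusted", xpi: xpiUrl };
  }

  const origin = originOf(requestingDocUrl);
  if (whitelist.has(origin)) {
    return { action: "prompt", reason: `${origin} is in the install whitelist`, xpi: xpiUrl };
  }
  // Not whitelisted: suppress the dialog and show the "protecting your
  // computer" infobar instead. Note the .xpi host plays no part in this.
  return { action: "infobar", reason: `${origin} is not in the install whitelist`, xpi: xpiUrl };
}

// Replay the reporter's two steps with an empty whitelist.
function replayBugReport() {
  const whitelist = new Set(); // reporter: "My whitelist is empty"
  const xpi = "http://www.hacksrus.com/~ginda/chatzilla/xpi/chatzilla-0.9.67.xpi";

  // Step 1: the link is clicked on the hacksrus.com web page.
  const step1 = decideInstall("http://www.hacksrus.com/~ginda/chatzilla/", xpi, whitelist);

  // Step 2: the same link is clicked inside ChatZilla. The chrome: URL is
  // an assumed placeholder for ChatZilla's own document.
  const step2 = decideInstall("chrome://chatzilla/content/chatzilla.xul", xpi, whitelist);

  return { step1: step1.action, step2: step2.action };
}

// Sanity check of the whitelist path: once the user adds the site, the
// same click is no longer intercepted.
function replayAfterWhitelisting() {
  const whitelist = new Set(["http://www.hacksrus.com"]);
  const xpi = "http://www.hacksrus.com/~ginda/chatzilla/xpi/chatzilla-0.9.67.xpi";
  return decideInstall("http://www.hacksrus.com/~ginda/chatzilla/", xpi, whitelist).action;
}
```

Calling replayBugReport() gives infobar for step 1 and prompt for step 2, which is exactly the asymmetry the reporter saw; the model makes it visible that both requests concern the same .xpi and differ only in who asked for the install.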