Closed Bug 289164 Opened 20 years ago Closed 20 years ago

Whitelist confuses Google with actual XPI source

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

1.7 Branch
x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: dlw, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

After finding flashblock.xpi in Google, Firefox 1.02 blocks the download. The
whitelist manager window then offers to add www.google.com to the whitelist, not
the actual location where flashblock.xpi was found.

This is probably not the desired behavior; if the user whitelists Google, and
Firefox regards Google as the source of anything found through Google, then any
XPI subsequently found through Google will be installed.

Reproducible: Always

Steps to Reproduce:
1. Search for "flashblock.xpi" in Google.
2. Click on http://downloads.mozdev.org/flashblock/flashblock.xpi, presently the
second search result.
3.

Actual Results:  
Blocked the download, and offered to add www.google.com to the whitelist.

Expected Results:  
Blocked the download, and offered to add downloads.mozdev.org to the whitelist.
Assignee: bugs → xpi-engine
Status: UNCONFIRMED → NEW
Component: Extension/Theme Manager → Installer: XPInstall Engine
Ever confirmed: true
Product: Firefox → Core
QA Contact: bugs
Version: unspecified → 1.7 Branch
The whitelist is to prevent sites from annoying you with popups. If you trust
Google.com that means you trust google to be well behaved and only show you the
install prompt in response to some action on your part. That's a safe enough bet.

Example: If I stumble on a warez site I don't want it popping up install dialogs
at me, even if they want me to download something from normally-trusted
addons.mozilla.org -- maybe they found an extension with an exploitable bug and
they want me to expose myself for them.

Example: I'm surfing Asa's blog, he links to some cool extension. It might be
evil, but if it sounds interesting I trust that Asa has at least run it and not
found anything bad. I might as well whitelist Asa's blog and make the call on a
case by case basis, because I know I won't get a popup unless I click on something.

Whitelisting says nothing about the trustworthiness of the install source
itself; *that* you need to do when the install prompt comes up.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Product: Core → Core Graveyard
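The decision the reply describes, as an added example that is not Firefox's own XPInstall code: the whitelist is keyed on the host of the page that triggered the install, and the host of the XPI file is not consulted for that decision at all. The default whitelist contents, the function names `hostOf`, `decideInstall` and `scenarios`, and all sample URLs below are constructed assumptions for illustration.

```javascript
// Added example: a model of the XPInstall whitelist decision discussed in this bug.
// Not Firefox code; the default whitelist, function names and sample URLs are assumptions.

// Hosts of pages allowed to raise the install prompt (assumed default set).
const whitelist = new Set(['addons.mozilla.org', 'update.mozilla.org']);

// Return the lowercase hostname of a URL string, or null if it cannot be parsed.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether the install prompt may appear.
//   triggeringPageUrl: the page whose link or script started the install
//   xpiUrl:            the XPI being installed (reported for context only)
// The prompt is shown only if the triggering page's host is whitelisted; the
// XPI host plays no part. When blocked, `whitelistCandidate` is the host the
// whitelist dialog would offer to add, which is why the reporter saw
// www.google.com rather than downloads.mozdev.org.
function decideInstall(triggeringPageUrl, xpiUrl, allowed = whitelist) {
  const pageHost = hostOf(triggeringPageUrl);
  const xpiHost = hostOf(xpiUrl);
  if (pageHost === null || xpiHost === null) {
    return { action: 'block', reason: 'unparseable URL', whitelistCandidate: null, xpiHost };
  }
  if (allowed.has(pageHost)) {
    // Trust in the XPI itself is still left to the user at the prompt.
    return { action: 'prompt', reason: `page host ${pageHost} is whitelisted`, whitelistCandidate: null, xpiHost };
  }
  return { action: 'block', reason: `page host ${pageHost} is not whitelisted`, whitelistCandidate: pageHost, xpiHost };
}

// The three situations raised in the thread, with constructed sample URLs.
function scenarios() {
  const withBlog = new Set([...whitelist, 'blog.example']);
  return {
    // Reporter's case: Google search result linking to the mozdev XPI.
    googleResult: decideInstall(
      'https://www.google.com/search?q=flashblock.xpi',
      'http://downloads.mozdev.org/flashblock/flashblock.xpi'),
    // Warez site linking to an XPI on the normally-trusted host: still blocked.
    warezLinkingToAmo: decideInstall(
      'http://warez.example/free-stuff',
      'https://addons.mozilla.org/some-extension.xpi'),
    // A whitelisted blog linking to an XPI hosted anywhere: prompt appears.
    blogWhitelisted: decideInstall(
      'http://blog.example/cool-extension',
      'http://elsewhere.example/cool.xpi',
      withBlog),
  };
}
```

Running `scenarios()` makes the reply's point concrete: the Google result is blocked and the dialog offers www.google.com, the warez page is blocked even though the XPI lives on addons.mozilla.org, and once blog.example is whitelisted any XPI it links to reaches the prompt. Whitelisting a host therefore only says that pages on that host may raise the prompt; judging the XPI source still happens at the prompt.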