User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050422 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050422 Firefox/1.0+

I found a way to get around the list of exceptions for web sites allowed to install software. See the url above. Basically I have a PHP script like this:

    <?php
    // Fetch whatever the caller names in ?file= and serve it back labelled as an XPI
    $file = file_get_contents($_GET['file']);
    $mime = 'application/x-xpinstall';
    header("Content-Type: $mime");
    echo $file;

Reproducible: Always

Steps to Reproduce:
1. Go to the test url

Actual Results:
It won't be blocked but the confirmation dialog will come up.

Expected Results:
You would expect the regular "To protect your computer, Browser prevented this site from installing software..."

I'm marking this as a security bug just in case. Better safe than sorry.
Clicking the link on this bug made the warning come up for me. Does it not for you? Where did you click the link originally when you were testing?
"It won't be blocked but the confirmation dialog will come up." When I go to the link the confirmation dialog appears asking whether or not I really want to install this software because it could be malicious. The only thing this bug does is circumvent the white list. Whether or not that is really bad I don't know.
My Firefox 1.0.3 (Mandrake Linux 10.0) gave me the yellow bar, as I would expect for a site not on the whitelist. Gerv
I did *not* get the bar, but that's because I had whitelisted bugzilla (not a great idea, but I know what I'm doing). If I take bugzilla out of my whitelist I get the infobar. Where the link is doesn't matter, what matters is the page from which you launch the install. We don't want a malicious site pestering you to install legit stuff from ftp.mozilla.org, for example, and if you trust a particular blogger and want to whitelist them there's no reason to block their links no matter where the xpi is -- you're trusting the recommendation, you probably know nothing more about the source than that. So... what page contained the above link that managed to get around the whitelist? If you mean the link in bugzilla above, have you whitelisted bugzilla.mozilla.org or mozilla.org ?
/Feeling kind of crazy right now./ This is not a bug or problem after all. Because I had simply typed the url in the location bar and then pressed enter. I never actually clicked on a link to get to the url. No wonder the whitelist had no effect. Sorry about wasting your time.
The code in question seems to be in nsInstallTrigger::HandleContent, which makes decisions based on the referrer: http://lxr.mozilla.org/seamonkey/source/xpinstall/src/nsInstallTrigger.cpp#195
Typing an xpi link directly into the URL bar (or from a bookmark) is intended to bypass the whitelist -- it's assumed the user really meant it, and if not then they'll get a chance to cancel on the confirmation dialog.
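A small model of the gate described in the two comments above (the whitelist decision keys on the referring page, not on where the xpi lives, and a request with no referrer skips the whitelist but not the confirmation dialog). This is an added illustration written for this page, not Mozilla's nsInstallTrigger code; the whitelist hosts and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed whitelist for the model; not Firefox's actual default list.
WHITELIST = {"addons.mozilla.org", "update.mozilla.org"}

XPI_MIME = "application/x-xpinstall"


def install_trigger_decision(content_type, referrer, whitelist=WHITELIST):
    """Decide what the browser does with a response, given its Content-Type
    and the page that launched the request (the referrer).

    Returns one of:
      "ignore"  - not an XPI response, the install handler is not involved
      "confirm" - install goes on to the confirmation dialog
      "blocked" - the yellow infobar is shown and nothing installs

    The xpi URL itself is deliberately not a parameter: as the comments
    explain, only the launching page matters, so a script that relays any
    file with an XPI Content-Type changes nothing about this decision.
    """
    mime = content_type.split(";")[0].strip().lower()
    if mime != XPI_MIME:
        return "ignore"
    # No referrer: typed into the location bar, opened from a bookmark, or
    # Enter pressed in a fresh tab's address bar. Treated as the user's own
    # request, so the whitelist is skipped; the dialog is the only gate left.
    if not referrer:
        return "confirm"
    host = urlsplit(referrer).hostname
    if host is not None and host.lower() in whitelist:
        return "confirm"
    return "blocked"


# Constructed scenarios mirroring the bug discussion.
CASES = {
    "typed_into_location_bar": (XPI_MIME, None),
    "link_on_unlisted_blog": (XPI_MIME, "http://blog.example/post.html"),
    "link_on_whitelisted_site": (XPI_MIME, "https://addons.mozilla.org/list"),
    "plain_html_page": ("text/html; charset=utf-8", "http://blog.example/"),
}


def walk_cases(cases=CASES, whitelist=WHITELIST):
    """Evaluate every scenario and return {name: decision}."""
    return {name: install_trigger_decision(ct, ref, whitelist)
            for name, (ct, ref) in cases.items()}
```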
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → INVALID
Daniel, is that always a good idea? Opening xpi links in tabs bypasses the whitelist (you just have to press enter on the new tab addressbar). Couldn't the user do that accidentally?