Closed
Bug 298079
Opened 20 years ago
Closed 20 years ago
A link to an XPI on another site asks if the current site should install software
Categories
(Toolkit :: Add-ons Manager, defect)
RESOLVED
DUPLICATE
of bug 257055
People
(Reporter: aerowolf, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

When you click a link on a web page to an XPI file, the bar will reflect the currently-loaded site name, not the actual site that the extension is coming from.

Reproducible: Always

Steps to Reproduce:
1. Go to a web site that links to an XPI hosted on another site -- such as the URL I listed above.
2. Click the link to the XPI.
3. Verify the site name in the "blocked the site" pop-up bar.

Actual Results:
The extension-manager blocker said "Firefox has prevented the site www.livejournal.com from installing additional software." The actual XPI was located at http://downloads.mozdev.org/adblock/adblock-0.5-dev.xpi .

Expected Results:
The blocker should have said "downloads.mozdev.org", not www.livejournal.com.
Comment 1•20 years ago
That's correct: it is the livejournal site that is initiating the install. Let's say we based it on the xpi site instead. People are going to trust ftp.mozilla.org or downloads.mozdev.org, right? So anywhere you go on the web, sites could be popping up install dialogs in your face. If you trust the site that's trying to annoy you with an install, the install confirmation dialog tells you where the software itself is coming from, at which point you can decide if you trust *that* site.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
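The distinction drawn in comment 1, as an added sketch that is not part of the bug report and is not Firefox code: it compares a gate keyed on the initiating page with a gate keyed on the XPI host. The function names, the allowlists and the page URLs (including untrusted.example) are constructed; only the XPI URL and the notification wording come from the report.

```javascript
// Simplified model of the install gate discussed in this bug (not Firefox code).
// Function names, allowlists and untrusted.example are constructed for illustration.
const BLOCK_TEXT = (host) =>
  `Firefox has prevented the site ${host} from installing additional software.`;

function hostOf(url) {
  return new URL(url).hostname; // WHATWG URL already lowercases the host
}

// Behaviour defended in comment 1: the gate is keyed on the page that
// initiates the install; the XPI host is only shown at confirmation time.
function gateOnInitiator(pageUrl, xpiUrl, allowedInitiators) {
  const initiator = hostOf(pageUrl);
  if (!allowedInitiators.has(initiator)) {
    return { action: "blocked", namedHost: initiator, message: BLOCK_TEXT(initiator) };
  }
  return { action: "confirm", namedHost: hostOf(xpiUrl) };
}

// Alternative that comment 1 argues against: the gate is keyed on the XPI host,
// so the initiating page (pageUrl) plays no part in the decision.
function gateOnSource(pageUrl, xpiUrl, trustedSources) {
  const source = hostOf(xpiUrl);
  if (!trustedSources.has(source)) {
    return { action: "blocked", namedHost: source, message: BLOCK_TEXT(source) };
  }
  return { action: "confirm", namedHost: source };
}

// XPI URL from the report; the page URLs are constructed.
const XPI = "http://downloads.mozdev.org/adblock/adblock-0.5-dev.xpi";
const PAGES = ["http://www.livejournal.com/", "http://untrusted.example/page"];

function compare(allowedInitiators, trustedSources) {
  return PAGES.map((page) => ({
    page,
    byInitiator: gateOnInitiator(page, XPI, allowedInitiators).action,
    bySource: gateOnSource(page, XPI, trustedSources).action,
  }));
}

// No initiator is allowlisted, but the download host is widely trusted.
console.log(compare(new Set(), new Set(["downloads.mozdev.org", "ftp.mozilla.org"])));
```

With the source-keyed gate, every page that links to the trusted host reaches the confirmation step; with the initiator-keyed gate, both pages are blocked until the user allows that page's site.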
Comment 2•20 years ago
Reopening to dupe to bug 257055.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•20 years ago
*** This bug has been marked as a duplicate of 257055 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → DUPLICATE
Updated•16 years ago
Product: Firefox → Toolkit