Closed Bug 300082 Opened 19 years ago Closed 19 years ago

Firefox allows toolbar.google.com to install software without permission

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED INVALID

People

(Reporter: hubert+bmo, Unassigned)

References

(
URL
)

Details

Attachments

(3 files)

My white list
4.50 KB, image/png
Details
Software Installation window - signed
6.18 KB, image/png
Details
Software Installation window - unsigned
6.30 KB, image/png
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Firefox doesn't block software installation from toolbar.google.com. I had
tested it on new profile (default Allowed Sites: addons.mozilla.org,
update.mozilla.org).

Reproducible: Always

Steps to Reproduce:
1. Go to http://toolbar.google.com/firefox/install.html
2. Click on "Agree and Install" button

Actual Results:  
Firefox displays "Software Instalation" window.

Expected Results:  
Firefox should show message: "To protect your computer Firefox prevented this
site (google.com) from installing software on your computer" and doesn't display
"Software Instalation" window.

Strange thing on toolbar.google.com: sometimes I see in "Sofware Installation"
window: "Unsigned", sometimes "Google, Inc."
Attached image My white list 

  

  



    
    

    
  


  

  

  



    
  

        Attachment #188673 -
        Attachment description: Software Installation window - unsigned → Software Installation window - signed

    
    

    
  


  

  

  



    
    

    
  
not a bug. the page that triggers the install is actually hosted at
addons.mozilla.org which is whitelisted. Google simply iframes one of AMO's pages.

  

  


Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID

    
    

    
  
(In reply to comment #4)
> not a bug. the page that triggers the install is actually hosted at
> addons.mozilla.org which is whitelisted. Google simply iframes one of AMO's pages.

I'm sorry, I didn't see this:
https://addons.mozilla.org/google/google_toolbar.html (but "from:
http://toolbar.google.com/firefox/extensions/toolbar/google-toolbar.xpi" in
Software Installation window looks strange)

PS. Should I report a problem with signed/unsigned ext. (sometimes extension is
signed, sometimes is unsigned) in new bug? Is it Firefox or Google bug?

  

  


Status: RESOLVED → VERIFIED

    
    

    
  
(In reply to comment #5)
> PS. Should I report a problem with signed/unsigned ext. (sometimes extension is
> signed, sometimes is unsigned) in new bug? Is it Firefox or Google bug?

If you mean the same extension sometimes appear signed, sometimes not, there is
already a bug filed for that (and iirc a patch).

  

  


Group: security
Product: Firefox → Toolkit

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: