Closed Bug 300257 Opened 19 years ago Closed 19 years ago

Allowed software to install BYPASS (google suggest)

Categories

(Toolkit :: Add-ons Manager, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED INVALID

People

(Reporter: badbois4l, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

When installing the new Google Suggest Extension for FF, it seems to bypass the
Allow Software to Install feature. This is the only extension that can be found
to bypass the Allow Software to Install feature. I checked if google.com was in
the allow software list; it was not in there, but I was still able to install
Google Suggest. Very bad.

Reproducible: Didn't try

Actual Results:  
n/a

Expected Results:  
The software should have displayed a window stating Firefox has blocked this
site from installing software, and at the top right should have displayed an Edit
Options button which, when I click it, would let me add
http://toolbar.google.com/firefox/extensions/suggest/install.html to install the
software.

What are the steps required to reproduce?

(In reply to comment #1)
> What are the steps required to reproduce?

First go to Tools, Options, web features then click Allowed Sites button next to
Allow web sites to install software. Make sure the domain Google is Not present.

Next go to http://toolbar.google.com/firefox/extensions/suggest/install.html and
click Agree and Install.

When you click Agree and Install, a yellow bar, which appears below the address
bar, should appear and say: Firefox has blocked this website from installing
software.

At the top right corner should have an Edit Options button which when clicked
would allow me to add the domain Google to install software, but all that
appears when I click Agree and install, is a window with the subject: Software
Installation and Body: A website is requesting to install the following software
which is named google-suggest.xpi, then gives me two options Install or cancel.

Now I checked and rechecked if Google was in the Allowed list to install software
and it is not, so basically it has BYPASSED the allow software to install
feature without actually having the domain Google in the Allowed list.

Summary: Allow software to install BYPASS (google suggest) → Allowed software to install BYPASS (google suggest)

Addons.mozilla.org is hosting the install for Google's toolbar, and Google is
(by agreement) framing the launch page on our site. This is conceptually similar
to installing trusted 3rd party plugins from the plugin-finder and the technique
will probably be adopted for other trusted tool providers.

This is not a security problem. Several people are surprised by this behavior
(and some unhappy) but complaints need to be addressed at a mozilla.org policy
level not as low-level "bugs".

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID

Google seems to have stopped framing the site. I got the yellow bar.

(In reply to comment #4)
> Google seems to have stopped framing the site. I got the yellow bar.

Well, I checked and rechecked again and I still can't produce the yellow bar.

Suppose you didn't have "addons.mozilla.org" in your whitelist. If you click on "Agree and Install" from a Google extension page, the message you get at the top of Firefox is:

"To protect your computer, Firefox prevented this site (www.google.com) from installing software on your computer."

along with the Edit Options button on the right. There's no indication based off that message that the extension comes from addons.mozilla.org. Reading that, a reasonable person would conclude that www.google.com is the site that is doing the installing. If you actually click "Edit Options", then it shows "addons.mozilla.org" as the site to be added, but a reasonable person might not notice the name being different in the whitelist menu than in the message that just flashed atop their screen. That's a bug, not a feature, and it has nothing to do with mozilla.org in particular.
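
The mismatch described in the comments above, as an added example that is not part of this bug thread and is not Firefox code: a simplified model in which the allow-list decision uses the host of the framed install page while the notification names the top-level site. The function names, the subdomain-matching rule, and both sample URLs are assumptions constructed for illustration.

```javascript
// Simplified model of the behaviour discussed in this bug; not Firefox code.
// Every function name and both sample URLs below are constructed for illustration.

function hostOf(url) {
  return new URL(url).hostname;
}

// An allow-list entry matches its own host and any subdomain of it (assumption).
function isAllowed(host, allowList) {
  return allowList.some((entry) => host === entry || host.endsWith("." + entry));
}

// Assumption: the permission check is keyed on the host of the document that
// triggers the install (the framed page), not the host in the address bar.
function checkInstall(request, allowList) {
  const checkedHost = hostOf(request.installPageUrl);
  const topLevelHost = hostOf(request.topLevelUrl);
  const allowed = isAllowed(checkedHost, allowList);
  return {
    allowed,
    checkedHost,
    topLevelHost,
    // True when the user sees one site but the allow-list decision used another.
    hostMismatch: checkedHost !== topLevelHost,
    // Wording reported in the thread: names the top-level site.
    reportedMessage: allowed ? null
      : `Firefox prevented this site (${topLevelHost}) from installing software`,
    // Consistent wording: names the host that the Edit Options dialog would add.
    consistentMessage: allowed ? null
      : `Firefox prevented this site (${checkedHost}) from installing software`,
  };
}

// Constructed request: a Google page framing an install page hosted elsewhere.
const sampleRequest = {
  topLevelUrl: "http://www.google.com/constructed-extension-page.html",
  installPageUrl: "https://addons.mozilla.org/constructed-install-page.html",
};

// Host allowed, google.com absent: the install dialog appears with no yellow bar.
const withEntry = checkInstall(sampleRequest, ["addons.mozilla.org"]);
// Host removed: blocked, and the two message variants name different sites.
const withoutEntry = checkInstall(sampleRequest, []);

console.log(withEntry.allowed, withoutEntry.reportedMessage, withoutEntry.consistentMessage);
```
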
Product: Firefox → Toolkit