306000 - Allowed sites dialog refers to site hosting the link, not the extension

Status: RESOLVED DUPLICATE of bug 294450

(Toolkit :: Add-ons Manager, defect)

Description

[bren]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050712 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050712 Firefox/1.0+

There is a link here,
http://greaseblog.blogspot.com/2005/08/greasemonkey-051-final.html, which refers
to an extension (Greasemonkey) hosted on ftp.mozilla.org. To allow it to
install, greaseblog.blogspot.com has to be in the list of allowed sites, not
ftp.mozilla.org. I think this could be a potential security problem; any link on
a trusted site, even if it is say the forums on mozillazine.org where anybody
can post, is allowed to install software by default, even if that link is to
www.dodgysitewithextensionthatwillstealyourcreditcardnumber.com. Or say,
www.gator.com.

Reproducible: Always

Steps to Reproduce:
1. Go to http://greaseblog.blogspot.com/2005/08/greasemonkey-051-final.html
2. Click on greasemonkey final link (hosted on ftp.mozilla.org)
3. Prompt asks you to allow greasemonkey.blogspot.com to install software

Actual Results:  
The 'Allow sites to install software' prompt asks me to allow
greasemonkey.blogspot.com to install software.

Expected Results:  
It should ask me to allow ftp.mozilla.org to install software. Or at least point
out the extension is hosted on a different site. And if ftp.mozilla.org is
allowed, as it was in my case initially,  maybe it should just go ahead with the
install extension prompt.

Comment 1

[Jesse Ruderman]

This behavior is intentional.  I think this bug is a dup.

Comment 2

[Jesse Ruderman]

*** This bug has been marked as a duplicate of 294450 ***