Closed Bug 308974 Opened 19 years ago Closed 19 years ago

extension hosted at remote site but install is still allowed even though remote site is not added to allowed sites

Categories

(Toolkit :: Add-ons Manager, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: foilspam-misc, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

The extension is not hosted at extensionroom.mozdev.org, but install is still
allowed after extensionroom.mozdev.org is added to allowed sites.

1) If extensionroom.mozdev.org is not in allowed sites under preferences,
Firefox will pop up the dialog, and upon clicking it will show
extensionroom.mozdev.org as the URL to add to allowed sites. After the URL is
added, install of the extension is allowed.

2) If extensionroom.mozdev.org is already in allowed sites, the extension will
simply install.

Reproducible: Always

Steps to Reproduce:
1. If extensionroom.mozdev.org is not in allowed sites, add it. Extension
install will then be allowed.
2. If extensionroom.mozdev.org is already in allowed sites, extension install
will be allowed.

Actual Results:
Extension hosted elsewhere installed.

Expected Results:
Perhaps warn that the extension is not hosted on the same server, or at least
attempt to add the correct URL, karmatics.com (which should tell people it's
not on the same server), into allowed sites.

This is as designed. You're trusting the site that prompts the installation, not
the location of the file.
The security precaution is the installation prompt, which lists where the
software comes from. You need to carefully decide if you trust software from the
site in that dialog. The whitelisting is more of a popup-blocker, allowing or
preventing sites from triggering the installation prompt.

Example: you trust software from mozilla.org, but you don't want http://evil.com
prompting you to install old versions that might contain security holes that
evil.com wants to exploit. Doing so just allows evil.com to annoy you.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit
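
The two-step decision described in the reply above, as an added example that is not part of the original bug and is not Firefox source code. The function name, the exact-host matching rule, the `crossHost` field and the URL paths are assumptions made for illustration; only the two host names come from the report.

```javascript
// Added illustration: a simplified model of the behaviour described in this
// bug, not Firefox source code. Assumption: the allowed-sites list is matched
// on the exact host of the page that triggers the install.
function evaluateInstallRequest(triggeringPageUrl, xpiUrl, allowedSites) {
  const triggerHost = new URL(triggeringPageUrl).hostname;
  const fileHost = new URL(xpiUrl).hostname;
  // Computed only to highlight the reporter's case; the page does not say
  // that Firefox flags a cross-host install.
  const crossHost = fileHost !== triggerHost;

  // Gate 1: the allowed-sites list decides whether this page may raise the
  // install prompt at all. The file's host plays no part in this check.
  if (!allowedSites.has(triggerHost)) {
    return { outcome: "blocked", offerToAllow: triggerHost,
             promptShowsSource: null, crossHost };
  }
  // Gate 2: the install prompt lists where the software comes from, and the
  // user decides there whether to trust it.
  return { outcome: "prompt", offerToAllow: null,
           promptShowsSource: xpiUrl, crossHost };
}

// Constructed sample URLs (paths are placeholders, hosts are from the report).
const PAGE = "http://extensionroom.mozdev.org/listing.html";
const XPI = "http://karmatics.com/extension.xpi";

function runScenarios() {
  return {
    notAllowed: evaluateInstallRequest(PAGE, XPI, new Set()),
    allowed: evaluateInstallRequest(PAGE, XPI, new Set(["extensionroom.mozdev.org"])),
    onlyFileHostAllowed: evaluateInstallRequest(PAGE, XPI, new Set(["karmatics.com"])),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

In this model, allowing only karmatics.com does not unblock the install, because the list is consulted for the page that triggers the request; the file's location appears only in the prompt.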