Closed
Bug 322697
Opened 19 years ago
Closed 19 years ago
Extension install is initiated even on sites that are not whitelisted if path to extension xpi is used
Categories
(Core Graveyard :: Installer: XPInstall Engine, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: volkmarkostka, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060107 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060107 Firefox/1.6a1
Open the following path: http://www.trashmail.net/plugins/firefox/trashmail-firefox-0_9.xpi
It will ask if you want to install that extension but the domain http://www.trashmail.net/ is not in the white list. Going to the domain and selecting the extension there gives the expected message. See here: http://forums.mozillazine.org/viewtopic.php?t=364530
Reproducible: Always
Steps to Reproduce:
1. Open http://www.trashmail.net/plugins/firefox/trashmail-firefox-0_9.xpi
Actual Results: FF asks if you want to download.
Expected Results: Message that domain is not on white list.
I regard this as not a major bug, but the bug makes the white list ineffective and bad websites can fool a user into installing a bad extension.
Comment 1•19 years ago
Confirmed also in branch builds: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060107 Firefox/1.5 ID:2006010703
Comment 2•19 years ago
Robert, I looked for a dupe, and couldn't find one (big surprise). We shouldn't treat an url.xpi in the locationbar like a local file (always trusted)
Status: UNCONFIRMED → NEW
Component: Security → Extension/Theme Manager
Ever confirmed: true
Updated•19 years ago
Flags: blocking1.8.0.1?
Comment 3•19 years ago
(In reply to comment #2)
> Robert, I looked for a dupe, and couldn't find one (big surprise).
> We shouldn't treat an url.xpi in the locationbar like a local file (always
> trusted)
One difference is the location bar being a user initiated action vs. the web page having the ability to initiate an install. Whatever the case, the Extension Manager does not manage this - it is xpinstall that handles this before handing it off to the Extension Manager. I'm quite sure that this is a dupe and that dveditz provides a thorough explanation of how and why this works the way it does in a couple of the dupes. I'll try to find a couple of the dupes later if no one beats me to it.
Reporter
Comment 4•19 years ago
In respect to comment 3: This happens not only if pasted to the location bar but also if directly clicked on another page. It seems that not the URL is checked but the page the link originates from. If I click the link here on the Bugzilla page I get the expected answer. If I click it in the mozillazine forum - as mentioned in the original post - the extension manager starts up. Maybe some sort of cross site linking problem.
Comment 5•19 years ago
Hence why I stated "one" difference and there are several... dveditz is better at addressing these questions than I am so changing component and cc'ing him. Also, one key difference as I understand it is it being user initiated vs. site initiated.
Assignee: nobody → xpi-engine
Component: Extension/Theme Manager → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: firefox
Version: unspecified → 1.0 Branch
Updated•19 years ago
Version: 1.0 Branch → 1.8 Branch
Updated•19 years ago
Summary: Download an extension succeeds even on not authorized page if full path is used. → Extension install is initiated even on sites that are not whitelisted if path to extension xpi is used
Comment 6•19 years ago
btw: there are a couple of ways to get an install started for a non-whitelisted site. You can also drag and drop a link into the Extension Manager and this is by design.
Comment 7•19 years ago
See bug 259670 and bug 240552 (especially bug 240552, comment 38) for an explanation.
Comment 8•19 years ago
This is invalid. The extension whitelist is intended to prevent sites from using abusive tactics against users to coerce them into installing software. If you initiate the action somehow (via copy/paste, directly typing the URL, or drag and drop to a tab/Go button/extension manager) then the actual install dialog is considered sufficient to warn and inform the user.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Reporter
Comment 9•19 years ago
To Comment 8: The original poster in the mozillazine forum has not done anything manually or it did not show up in his/her post. Please see the thread. The problem is that if a URL of an extension is posted on a white-listed site, the URL goes to the extension manager even if the site hosting the extension is not white listed. This is covered in bug 240552, comment 38 (https://bugzilla.mozilla.org/show_bug.cgi?id=240552#c38) but I find it irritating. For myself I did assume that the white list refers to sites hosting the extensions, not the links.
Updated•19 years ago
Flags: blocking1.8.0.1?
Updated•9 years ago
Product: Core → Core Graveyard