Closed Bug 322697 Opened 19 years ago Closed 19 years ago

Extension install is initiated even on sites that are not whitelisted if path to extension xpi is used

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

1.8 Branch
x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: volkmarkostka, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060107 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060107 Firefox/1.6a1

Open the following path:
http://www.trashmail.net/plugins/firefox/trashmail-firefox-0_9.xpi

It will ask if you want to install that extension but the domain http://www.trashmail.net/ is not in the white list.
Going to the domain and selecting the extension there gives the expected message.
See here: http://forums.mozillazine.org/viewtopic.php?t=364530

Reproducible: Always

Steps to Reproduce:
1. Open http://www.trashmail.net/plugins/firefox/trashmail-firefox-0_9.xpi


Actual Results:  
FF asks if you want to download.

Expected Results:  
Message that domain is not on white list.

I regard this not a major bug but the bug makes the white list ineffective and bad websites can fool a user to install a bad extension.
Confirmed also in branch builds: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060107 Firefox/1.5 ID:2006010703
Robert, I looked for a dupe, and couldn't find one (big surprise).
We shouldn't treat a url.xpi in the locationbar like a local file (always trusted)
Status: UNCONFIRMED → NEW
Component: Security → Extension/Theme Manager
Ever confirmed: true
Flags: blocking1.8.0.1?
(In reply to comment #2)
> Robert, I looked for a dupe, and couldn't find one (big surprise).
> We shouldn't treat a url.xpi in the locationbar like a local file (always
> trusted)
One difference is the location bar being a user initiated action vs. the web page having the ability to initiate an install. Whatever the case, the Extension Manager does not manage this - it is xpinstall that handles this before handing it off to the Extension Manager. I'm quite sure that this is a dupe and that dveditz provides a thorough explanation of how and why this works the way it does in a couple of the dupes. I'll try to find a couple of the dupes later if no one beats me to it.
In respect to comment 3:
This happens not only if pasted to the location bar, also if directly clicked on another page. It seems that not the URL is checked but the page the link originates from. If I click the link here on the bugzilla page I get the expected answer. If I click it in the mozillazine forum - as mentioned in the original post - the extension manager starts up. Maybe some sort of cross site linking problem.
Hence why I stated "one" difference and there are several... dveditz is better at addressing these questions than I am so changing component and cc'ing him. Also, one key difference as I understand it is it being user initiated vs. site initiated.
Assignee: nobody → xpi-engine
Component: Extension/Theme Manager → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: firefox
Version: unspecified → 1.0 Branch
Version: 1.0 Branch → 1.8 Branch
Summary: Download an extension succeeds even on not authorized page if full path is used. → Extension install is initiated even on sites that are not whitelisted if path to extension xpi is used
btw: there are a couple of ways to get an install started for a non-whitelisted site. You can also drag and drop a link into the Extension Manager and this is by design.
This is invalid.  The extension whitelist is intended to prevent sites from using abusive tactics against users to coerce them into installing software.  If you initiate the action somehow (via copy/paste, directly typing the URL, or drag and drop to a tab/Go button/extension manager) then the actual install dialog is considered sufficient to warn and inform the user.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
To Comment 8:
The original poster in the mozillazine forum has not done anything manually or it did not show up in his/her post. Please see the thread. The problem is that if a URL of an extension is posted on a white-listed site, the URL goes to the extension manager even if the site hosting the extension is not white listed. This is covered in bug 240552, comment 38 (https://bugzilla.mozilla.org/show_bug.cgi?id=240552#c38) but I find it irritating. For myself I did assume that the white list refers to sites hosting the extensions, not the links.
Flags: blocking1.8.0.1?
Product: Core → Core Graveyard
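The two readings of the whitelist argued over in this bug, the reporter's (check the host serving the .xpi) versus the actual xpinstall behaviour described in comments 8 and 9 (check the page that initiates the install, and let user-initiated actions through to the install dialog), as an added Python model that is not Mozilla's code; the whitelist contents, the `install_decision`/`naive_host_decision` names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed whitelist for this example only, NOT Firefox's real list.
# forums.mozillazine.org is listed here purely to reproduce the scenario
# from comment 4, where a link on a whitelisted page triggers the install.
WHITELIST = {"https://addons.mozilla.org", "http://forums.mozillazine.org"}


def origin(url: str) -> str:
    """Return scheme://host[:port], lower-cased, so two URLs on the same
    site compare equal regardless of path or query string."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}"


def naive_host_decision(xpi_url: str, whitelist=WHITELIST) -> str:
    """What the reporter assumed: decide by the site hosting the .xpi."""
    return "install-dialog" if origin(xpi_url) in whitelist else "blocked"


def install_decision(xpi_url: str, initiator_url, user_initiated: bool,
                     whitelist=WHITELIST) -> str:
    """Policy as described in comment 8: the whitelist guards against
    pages pushing installs; a user typing, pasting or dragging the URL
    is already making a deliberate choice, so the install dialog itself
    is the safeguard. The hosting site of the .xpi is not consulted."""
    if user_initiated:
        return "install-dialog"
    if initiator_url is not None and origin(initiator_url) in whitelist:
        return "install-dialog"
    return "blocked"


if __name__ == "__main__":
    xpi = "http://www.trashmail.net/plugins/firefox/trashmail-firefox-0_9.xpi"
    forum = "http://forums.mozillazine.org/viewtopic.php?t=364530"
    bugzilla = "https://bugzilla.mozilla.org/show_bug.cgi?id=322697"
    print("link on forum   :", install_decision(xpi, forum, False))
    print("link on bugzilla:", install_decision(xpi, bugzilla, False))
    print("typed in bar    :", install_decision(xpi, None, True))
    print("host-based view :", naive_host_decision(xpi))
```

The last two lines of output differ for the same .xpi, which is exactly the mismatch between the reporter's expectation and the policy the bug was closed under.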