Closed Bug 373716 Opened 17 years ago Closed 17 years ago

XPI install bypassing the 'Allowed sites' list

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 259670

People

(Reporter: zonafirefox, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070301 Minefield/3.0a3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a3pre) Gecko/20070301 Minefield/3.0a3pre

Normally when I try to install an extension from a non-allowed site, Firefox blocks the installation, showing the following message at the top of the page:

'Firefox prevented this site (...) from asking you to install software on your computer'.

But if I drag the link with the mouse to any open tab (including the active tab), or the 'New tab' button, the installer starts without any alert. So, it is not necessary to add the site to the 'Allowed sites' list.



Reproducible: Always

Steps to Reproduce:
1. Drag any XPI installer link to any tab

I believe this is by design. The whitelist is mainly to prevent sites from popping up the xpinstall dialog. If you drag a link to a tab, we presume you had a clue what you were doing.
Assignee: nobody → xpi-engine
Group: security
Component: Security → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: firefox
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
This is indeed by design. The whitelist is to prevent sites from annoying you with the install dialog in an attempt to bully you into saying "OK"; it's not meant to stop people from getting what they want, and dragging a link is a pretty intentional act. If you didn't know it was an install link then the confirmation dialog will let you know about that.

Dragging a link is preferable to permanently whitelisting a site just to get one thing. I wish more people knew about it.
Product: Core → Core Graveyard