Bug 424621: Incorrect domain name shown in extension installation warning message
Status: RESOLVED INCOMPLETE (opened 17 years ago, closed 8 months ago)
Categories: Core Graveyard :: Installer: XPInstall Engine, defect
Tracking: Not tracked
People: Reporter: johnblackbourn, Unassigned
References: Depends on 1 open bug
Keywords: regression
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4
When Firefox prevents a website from asking you to install software, the domain name shown in the notification bar is incorrect if the page has a referer. It shows the referer's domain instead of the current page's domain. Opens up the possibility of an XSRF.
Screenshot: http://farm3.static.flickr.com/2057/2354146514_66d64c84a7_o.png
Reproducible: Always
Steps to Reproduce:
1. Ensure you do *not* have the iMacros extension for Firefox installed and that you have not whitelisted imacros.net as being allowed to ask to install software.
2. Visit http://del.icio.us/imacros/imacro .
3. Click on any of the imacros listed and wait for the page to load.
Actual Results:
Observe that the notification bar on the next page shows 'del.icio.us' as the site that has been prevented from asking you to install software.
Expected Results:
The correct domain name 'run.imacros.net' should be shown instead.
Fresh install of Fx3b4.
Comment 1•17 years ago
Firefox 2 correctly identifies the site in the notification bar, but Firefox trunk shows the buggy behavior as described in comment 0. (I had to alter my trunk UA to say "Firefox" rather than "Minefield", fwiw.)
The site uses
<meta http-equiv="refresh" content="1;url=http://www.iopus.com/download/imacros.xpi" />
My guess is this is just bug 358266, and something changed between Firefox 2 and trunk that affects the referrer when meta-refresh is involved.
Updated•17 years ago
Component: Extension/Theme Manager → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: extension.manager → xpi-engine
Version: unspecified → Trunk
Comment 2•17 years ago
From a quick glance, this may be intentional?
http://mxr.mozilla.org/mozilla/source/xpinstall/src/nsInstallTrigger.cpp#190
dveditz' comment there seems to imply that using the referrer (when available) is the desired approach. I can get my head around this argument since it was, in this case, del.icio.us that tried to get us to install something, regardless of where it's hosted. But I would still like to hear from dveditz, because there's a lot of comment there in the referrer/no-referrer cases, so I suspect this has rich context.
The actual prompting in browser happens here:
http://mxr.mozilla.org/mozilla/source/browser/base/content/browser.js#640
but I think we'd want to change this in xpinstall for all consumers, if we decided it was the wrong approach.
CC'ing dtownsend too - maybe this was an accidental regression from some of the xpinstall removals?
Comment 3•17 years ago
Hrm - reading bug 358266 in more detail I now understand Jesse's comment better - that this is really just that bug, possibly with some meta-refresh special sauce thrown into the mix. Apologies for not building up all the context sooner.
Updated•9 years ago
Product: Core → Core Graveyard
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → INCOMPLETE
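The host mismatch reported in comment 0, with the meta refresh from comment 1, as an added example that is not part of the bug report and is not Mozilla's code: it parses the refresh target and lists the referrer, page and XPI hosts next to the host the notification bar is reported to show. The function names, the run.imacros.net path, and the assumption that the run.imacros.net page serves the meta tag are illustrative.

```javascript
// Added example; parseMetaRefresh and installHosts are hypothetical names.

// Parse the content attribute of <meta http-equiv="refresh">, e.g. "1;url=...".
function parseMetaRefresh(content, baseUrl) {
  const m = /^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/i.exec(content);
  if (!m) return null;
  let target = (m[2] || "").trim();
  const quoted = /^(['"])(.*)\1$/.exec(target); // strip one pair of quotes
  if (quoted) target = quoted[2];
  // An empty target means the page reloads itself.
  return { delay: Number(m[1]), url: new URL(target || baseUrl, baseUrl).href };
}

// Collect every host involved and flag the mismatch the reporter describes.
function installHosts(pageUrl, referrer, refreshContent) {
  const refresh = parseMetaRefresh(refreshContent, pageUrl);
  const hosts = {
    referrer: referrer ? new URL(referrer).hostname : null,
    page: new URL(pageUrl).hostname,
    xpi: refresh ? new URL(refresh.url).hostname : null,
  };
  // Model of the reported behaviour: the referrer's host wins when present.
  hosts.shown = hosts.referrer || hosts.page;
  // The reporter expects the host of the page the user is actually on.
  hosts.expected = hosts.page;
  hosts.misattributed = hosts.shown !== hosts.expected;
  return hosts;
}

// Constructed input: hosts and the meta tag come from the report; the
// run.imacros.net path is a placeholder.
const sample = installHosts(
  "http://run.imacros.net/placeholder",
  "http://del.icio.us/imacros/imacro",
  "1;url=http://www.iopus.com/download/imacros.xpi"
);
console.log(sample);
```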