Open Bug 432532 Opened 16 years ago Updated 2 years ago

Permission manager should check URI scheme for extension install


(Core :: Security, defect)





(Reporter: mozilla, Unassigned)




It should be possible to have the permission manager whitelist an https:// URI for a particular permission, and not the http:// version of that URI with the same host. Right now, nsPermissionManager::TestPermission does not check the scheme, only the host.

One example of where it would be helpful to check the scheme is the extensions install whitelist. Since both and host all their content over HTTPS, it would be safer to whitelist only and That way, a network attacker (e.g. malicious wireless router) masquerading as would have a harder time installing malware.

The permission manager is also used for offline apps, popup blocking, image blocking, and cookie prompts, some of which may not care about the scheme. It's not used for saved passwords.
Severity: normal → S3
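
Added example, not part of the bug report and not Mozilla code: a host-only permission lookup, as the report describes for nsPermissionManager::TestPermission, next to a scheme-aware lookup keyed on the origin. The class names, the `install` permission label and the host `addons.example` are hypothetical.

```javascript
// Added illustration, not Mozilla code. Names and hosts are hypothetical.
const UNKNOWN = 0, ALLOW = 1;

// Models the behaviour in the report: the lookup key is the host only.
class HostKeyedPermissions {
  constructor() { this.entries = new Map(); }
  static key(uri, type) { return `${new URL(uri).hostname}|${type}`; }
  add(uri, type, value) { this.entries.set(HostKeyedPermissions.key(uri, type), value); }
  test(uri, type) {
    return this.entries.get(HostKeyedPermissions.key(uri, type)) ?? UNKNOWN;
  }
}

// Scheme-aware variant: the key is the origin (scheme + host + port).
class OriginKeyedPermissions {
  constructor() { this.entries = new Map(); }
  static key(uri, type) {
    const origin = new URL(uri).origin;
    // URIs without a tuple origin serialize as "null"; never key on that.
    return origin === "null" ? null : `${origin}|${type}`;
  }
  add(uri, type, value) {
    const k = OriginKeyedPermissions.key(uri, type);
    if (k === null) throw new Error(`no origin for ${uri}`);
    this.entries.set(k, value);
  }
  test(uri, type) {
    const k = OriginKeyedPermissions.key(uri, type);
    return k === null ? UNKNOWN : (this.entries.get(k) ?? UNKNOWN);
  }
}

// Constructed sample: whitelist the HTTPS site only, then test both schemes.
function compare() {
  const byHost = new HostKeyedPermissions();
  const byOrigin = new OriginKeyedPermissions();
  for (const store of [byHost, byOrigin]) {
    store.add("https://addons.example/", "install", ALLOW);
  }
  const http = "http://addons.example/extension.xpi";
  const https = "https://addons.example/extension.xpi";
  return {
    hostKeyed: { http: byHost.test(http, "install"), https: byHost.test(https, "install") },
    originKeyed: { http: byOrigin.test(http, "install"), https: byOrigin.test(https, "install") },
  };
}

console.log(compare());
```

With the host-only key, the entry added for the HTTPS site also answers for the plain-HTTP URI; with the origin key, only the HTTPS URI matches.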