Open
Bug 432532
Opened 17 years ago
Updated 2 years ago
Permission manager should check URI scheme for extension install
Categories
(Core :: Security, defect)
NEW
People
(Reporter: mozilla, Unassigned)
Details
It should be possible to have the permission manager whitelist an https:// URI for a particular permission, and not the http:// version of that URI with the same host. Right now, nsPermissionManager::TestPermission does not check the scheme, only the host.
One example of where it would be helpful to check the scheme is the extensions install whitelist. Since both addons.mozilla.org and update.mozilla.org host all their content over HTTPS, it would be safer to whitelist only https://addons.mozilla.org and https://update.mozilla.org. That way, a network attacker (e.g. malicious wireless router) masquerading as http://addons.mozilla.org would have a harder time installing malware.
The permission manager is also used for offline apps, popup blocking, image blocking, and cookie prompts, some of which may not care about the scheme. It's not used for saved passwords.
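The difference between host-only and scheme-aware matching described in this report, as an added example (a simplified model, not Mozilla's nsPermissionManager code). The `PermissionStore` class, its entry format, the permission type strings and the sample URIs are assumptions made for illustration.

```javascript
// Simplified model of a permission store; NOT Mozilla's implementation.
// Entry format and type strings ("install", "popup") are assumed here.
const ALLOW = "allow";
const UNKNOWN = "unknown";

class PermissionStore {
  constructor() {
    this.entries = new Map(); // "type|key" -> action
  }

  // key is a bare host ("example.org": any scheme) or an origin
  // ("https://example.org": that scheme, host and port only).
  add(key, type, action) {
    const normalized = key.includes("://") ? new URL(key).origin : key.toLowerCase();
    this.entries.set(`${type}|${normalized}`, action);
  }

  // Behaviour the report describes: only the host is compared,
  // so the scheme stored with an entry is ignored.
  testHostOnly(uri, type) {
    const { hostname } = new URL(uri);
    for (const [k, action] of this.entries) {
      const [entryType, key] = k.split("|");
      if (entryType !== type) continue;
      const entryHost = key.includes("://") ? new URL(key).hostname : key;
      if (entryHost === hostname) return action;
    }
    return UNKNOWN;
  }

  // Requested behaviour: an origin entry matches only the same scheme;
  // a bare-host entry still matches any scheme, for permission types
  // that do not care about it.
  testSchemeAware(uri, type) {
    const u = new URL(uri);
    return this.entries.get(`${type}|${u.origin}`)
      ?? this.entries.get(`${type}|${u.hostname}`)
      ?? UNKNOWN;
  }
}

// Constructed sample data: HTTPS-only install entries, one host-wide popup entry.
const store = new PermissionStore();
store.add("https://addons.mozilla.org", "install", ALLOW);
store.add("https://update.mozilla.org", "install", ALLOW);
store.add("example.org", "popup", ALLOW);

console.log(store.testHostOnly("http://addons.mozilla.org/a.xpi", "install"));
console.log(store.testSchemeAware("http://addons.mozilla.org/a.xpi", "install"));
```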
Updated • 2 years ago
Severity: normal → S3