Open Bug 432532 Opened 16 years ago Updated 2 years ago

Permission manager should check URI scheme for extension install

Tracking

()

Status:

NEW

People

(Reporter: mozilla, Unassigned)

References

(
URL
)

Details

Collin Jackson

Reporter

Description

•

16 years ago

It should be possible to have the permission manager whitelist an https:// URI for a particular permission, and not the http:// version of that URI with the same host. Right now, nsPermissionManager::TestPermission does not check the scheme, only the host.

One example of where it would be helpful to check the scheme is the extensions install whitelist. Since both addons.mozilla.org and update.mozilla.org host all their content over HTTPS, it would be safer to whitelist only https://addons.mozilla.org and https://update.mozilla.org. That way, a network attacker (e.g. malicious wireless router) masquerading as http://addons.mozilla.org would have a harder time installing malware.

The permission manager is also used for offline apps, popup blocking, image blocking, and cookie prompts, some of which may not care about the scheme. It's not used for saved passwords.

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Permission manager should check URI scheme for extension install

Categories

(Core :: Security, defect)

Tracking

()

People

(Reporter: mozilla, Unassigned)

References

(
URL
)

Details

Crash Data

Security

(public)

User Story

Description

Updated