Block xpi file links in comments

Status: VERIFIED INVALID (enhancement)
Reporter: aryx, Unassigned
Reported 10 years ago; last updated 3 years ago

Details

Please block xpi file links in comments, especially if the add-on is incompatible with the current version; some (most?) users tend to install it without thinking about the vulnerabilities that could be in it.

Often, these are simply version-bumped files, or files with a few lines modified. A warning box above the comment (if it contains an xpi link) is also a possible solution.

Comment 1

10 years ago
I am not sure if this would be effective? What if people point to an xpi through tinyurl?
This has been discussed before and was the main reason we stalled on allowing developers to use HTML or autolink URLs 2 years ago. The only solution we came up with was pointing all external URLs through a redirector I think.
Yeah, the file could also be rewritten, so not sure how much a redirector would help unless it downloaded the link first or checked its mimetype before redirecting the user?

The easiest thing to do would probably be to move public pages onto a new domain and whitelist that domain in the install API or something similar. Like addons.mozilla.com or something?
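The two approaches weighed so far, a text filter that runs on the comment when it is posted versus a check behind a redirector that runs when the link is clicked, side by side. This is an added illustration, not part of the bug thread or of the addons.mozilla.org code: the sample comment, the fake HEAD lookup table and all function names are constructed for the example, and real network access is replaced by that table.

```python
import re
from urllib.parse import urlparse

# Content type Firefox expects for an extension package (.xpi).
XPI_MIME = "application/x-xpinstall"

# Hypothetical HEAD-request results standing in for real network access,
# keyed by the URL a user would click. Constructed for this example only.
FAKE_HEAD = {
    "http://example.com/addon-1.2.xpi": ("http://example.com/addon-1.2.xpi", XPI_MIME),
    # a shortener that redirects to the same package
    "http://short.example/a1b2": ("http://example.com/addon-1.2.xpi", XPI_MIME),
    # a download endpoint with no .xpi in the path but the xpi content type
    "http://example.com/download?id=42": ("http://example.com/download?id=42", XPI_MIME + "; charset=binary"),
    "http://example.com/docs.html": ("http://example.com/docs.html", "text/html; charset=utf-8"),
}

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def find_urls(text):
    """Return the URLs in a comment, with trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def path_looks_like_xpi(url):
    """True when the URL path itself ends in .xpi (the query string is ignored)."""
    return urlparse(url).path.lower().endswith(".xpi")


def flag_xpi_links(text):
    """Post-time text filter: URLs in the comment whose path ends in .xpi.

    This is all a block-or-warn rule on the comment text can see; a shortened
    link, or a download endpoint without .xpi in the path, slips through.
    """
    return [u for u in find_urls(text) if path_looks_like_xpi(u)]


def fake_head(url):
    """Stand-in for an HTTP HEAD that follows redirects: (final_url, content_type)."""
    return FAKE_HEAD.get(url, (url, "application/octet-stream"))


def redirector_decision(url, head=fake_head):
    """Click-time check behind a redirector: resolve the link, then decide.

    Returns ("warn", final_url) when the resolved target is an .xpi by content
    type or by path, else ("allow", final_url). Because the check runs at click
    time against the resolved target, it sees through shorteners and notices a
    file that was swapped after the comment was posted.
    """
    final_url, content_type = head(url)
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime == XPI_MIME or path_looks_like_xpi(final_url):
        return ("warn", final_url)
    return ("allow", final_url)


if __name__ == "__main__":
    # Constructed comment text, not taken from the bug.
    comment = ("Works for me with this bump: http://short.example/a1b2 "
               "(original: http://example.com/addon-1.2.xpi).")
    print("text filter flags:", flag_xpi_links(comment))
    for u in find_urls(comment):
        print(u, "->", redirector_decision(u))
```

Run stand-alone, the text filter flags only the direct .xpi link and misses the shortened one, while the redirector check warns on both and on the query-string download endpoint. The redirector only helps for clicks that actually pass through it; a URL opened manually or turned into a link client-side bypasses it, and the install-API domain whitelist suggested above is a separate control that this example does not cover.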
You can't add links to comments, ->invalid
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
Well, either the people have extensions like Linkification installed or will open the url manually.
(In reply to comment #5)
> Well, either the people have extensions like Linkification installed or will
> open the url manually.

It's true, people might do that, but the chances are pretty slim.
Status: RESOLVED → VERIFIED
Updated 3 years ago (by Assignee)
Product: addons.mozilla.org → addons.mozilla.org Graveyard