Using direct links to install xpi files circumvents web site policy check



11 years ago
3 years ago


(Reporter: whimboo, Unassigned)


Firefox Tracking Flags

(Not tracked)



Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2008090704 GranParadiso/3.0.3pre ID:2008090704

The installation of Add-ons should only be enabled for authorized web sites. For a fresh profile and will be authorized. If users decide to allow other sites they have to explicitly add these sites to the exception list.

If a XPI installation is triggered from a non-authorized site the notification bar appears and asks the user to allow the installation. He can agree and click on Allow to initiate the installation. Clicking the close button cancels the installation. This works fine for e.g.

But the problem is that everyone can circumvent this policy check by simply let the user open the direct link. Whatever external application (instant messenger, e-mail client) is used, Firefox has only to be set as the systems default browser. The XPI installation dialog is shown and automatically sets the focus to the installation button after the countdown has finished. An accidentally click will cause the installation of a probably non-secure Add-on from a untrusted web site.

The following steps show the problem:
1. Create a fresh profile
2. Copy the following URL to your clipboard
3. Open a new tab and paste the URL into the locationbar
4. Hit Enter


Instead of warning the user that an Add-on from an untrusted web site will be installed the installation dialog pops-up and wants to install the Add-on.

If the given URL is opened by clicking on it, the notification bar appears as expected.

The described behavior can be seen with each version of Firefox back to Firefox 2 and on all Platforms/OS.

No idea how confidential this issue is so I'll set the security flag.
Flags: blocking1.9.1?

Comment 1

11 years ago
not sure if Henrik meant to cc me, or Sam Sidler, so adding him.

Comment 2

11 years ago
I think this bug is WONTFIX: the purpose of the whitelist is to prevent websites from being annoying or pushing extensions without sufficient user awareness. If you click on an XPI link from a third-party application, you at least get the "you are installing software" dialog. Is that insufficient?


11 years ago
Group: core-security
This is as-designed.

The whitelist prevents a website from abusing a user with install requests, but a user typing (or bookmarking) an install link shows intent on the user's part. The actual security check is the install confirmation dialog just in case the user didn't realize the link was an installer.

There might be a problem if an external app can abusively call firefox with install links, but that would be abusive behavior even if it were safe web content links.
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 322697


10 years ago
Flags: blocking1.9.1?
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.