Extension install confirmation should show the actual URL the xpi is coming from

NEW
Unassigned

Status

Core Graveyard
Installer: XPInstall Engine
--
major
8 years ago
2 years ago

People

(Reporter: Till Maas, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.15) Gecko/2009102704 Fedora/3.0.15-1.fc10 Firefox/3.0.15
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.6) Gecko/20091216 Fedora/3.5.6-1.fc12 Firefox/3.5.6

When I select to install an add-on, I get an warning with an https URL displayed, e.g.:
https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
This URL redirects to a non https location:
LANG=C wget https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
--2010-01-04 15:45:09--  https://addons.mozilla.org/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
Resolving addons.mozilla.org... 63.245.213.91
Connecting to addons.mozilla.org|63.245.213.91|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://addons.mozilla.org/en-US/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api [following]
--2010-01-04 15:45:09--  https://addons.mozilla.org/en-US/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
Reusing existing connection to addons.mozilla.org:443.
HTTP request sent, awaiting response... 302 Found
Location: https://addons.mozilla.org/en-US/firefox/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api [following]
--2010-01-04 15:45:09--  https://addons.mozilla.org/en-US/firefox/downloads/file/66381/greasedlightbox-1.1-fx.xpi?src=api
Reusing existing connection to addons.mozilla.org:443.
HTTP request sent, awaiting response... 302 Found
Location: http://releases.mozilla.org/pub/mozilla.org/addons/12545/greasedlightbox-1.1-fx.xpi [following]
--2010-01-04 15:45:09--  http://releases.mozilla.org/pub/mozilla.org/addons/12545/greasedlightbox-1.1-fx.xpi
Resolving releases.mozilla.org... 64.50.236.52, 64.50.236.214, 128.61.111.9, ...
Connecting to releases.mozilla.org|64.50.236.52|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 29244 (29K) [application/x-xpinstall]
Saving to: `greasedlightbox-1.1-fx.xpi'

100%[==========================================================================================================================================>] 29,244      80.5K/s   in 0.4s

2010-01-04 15:45:10 (80.5 KB/s) - `greasedlightbox-1.1-fx.xpi' saved [29244/29244]

Firefox installs the add-on without further warning that it is not installed from the https secured location.

Reproducible: Always

Steps to Reproduce:
1. install some addon like greasedlightbox
2. notice the https URL in the installation warning
3. open the URL with wget, notice it forwards to a non https URL
4. install the addon
Actual Results:  
No notification that installation source is quite differen: http instead of https

Expected Results:  
firefox should warn that the add on comes from a non http site and display the real URL

It would be even better if the add ons would be provided via https, nevertheless Firefox should at least warn about this and make users of this problem aware.
Component: General → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: general → xpi-engine
Morphing this slightly. Wherever possible we should show the user the actual URL that the xpi is coming from after any redirects. We should already have this information by the time we display the dialog anyway, assuming the server doesn't re-redirect us when we start the final download.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: add-ons are installed from http without further warning → Extension install confirmation should show the actual URL the xpi is coming from
(Assignee)

Updated

2 years ago
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.