Closed Bug 545904 Opened 10 years ago Closed 2 years ago

Do we need a "We don't know why you crashed" dialog in the Crash Report Helper addon?

Categories

(Firefox :: Extension Compatibility, defect)

x86
macOS
defect
Not set

RESOLVED WONTFIX

People

(Reporter: chofmann, Unassigned)

Attachments

(1 file)

I was pretty surprised to discover the pop under shown in the attachment and didn't know we were doing such things as part of 3.6.

a couple of things came to mind

1) as it was buried under other windows discoverability of the information wasn't very easy.

2) the actual content provided in my case wasn't really valuable.  it just reminded me that I crashed, but no information was provided about what I might do to protect against that crash or future crashes.  (this will probably be the default for most users.  we have recommendations on only a handful of the various 20k-30k signatures that we receive each day.)   this made me wonder if we are really achieving anything by the pop under.

3) the pop under looks very much like any other spoofable content window.  I could imagine evil sites replicating the message in the window and getting users to click on links in the window to direct traffic or do other more evil things.
Attached image "you crashed" pop under
also had questions about what the process is to get messages into this stream when we do have valuable information about how to defend against some crashes like

the "you need to update the yslow addon to avoid the crash you just had"  
see:
https://bugzilla.mozilla.org/show_bug.cgi?id=543646
https://bugzilla.mozilla.org/show_bug.cgi?id=542203
1. This isn't part of Session Restore.
2. Are you sure this is even part of the product? None of those strings are showing up in MXR. Could it be an extension like NTT?
ah, that's it.  I installed https://addons.mozilla.org/en-US/firefox/addon/11217 a few weeks ago to check it out, but forgot about it.  I think this is the first time I might have crashed since installing.
Component: Session Restore → Add-on Security
Product: Firefox → addons.mozilla.org
QA Contact: session.restore → security
Summary: Do we need a "We don't know why you crashed" dialog? → Do we need a "We don't know why you crashed" dialog in the Crash Report Helper addon?
Version: 3.5 Branch → unspecified
moved to a non-firefox component.

not sure addon-security is the right place but I'll park it there.  this really shouldn't be a possible spoofing security problem unless the addon starts to get high usage.
Component: Add-on Security → Extension Compatibility
Product: addons.mozilla.org → Firefox
QA Contact: security → extension.compatibility
Why is this filed in Bugzilla and not just reported to the author?

Moved out of Add-on Security, as this isn't a security issue, and I'd prefer not to pollute that component.
(In reply to comment #0)
> I was pretty surprised to discover the pop under shown in the attachment and
> didn't know we were doing such things as part of 3.6.

Kinda flattering to have one of my extensions mistaken as part of Firefox itself. ;)

> 1) as it was buried under other windows discoverability of the information
> wasn't very easy.

Not sure what did that. You're the first to report it not showing in focus. I'll change it to explicitly focus the dialog on loading.

> 2) the actual content provided in my case wasn't really valuable.  it just
> reminded me that I crashed, but no information was provided about what I might do to
> protect against that crash or future crashes.

The dialog is disable-able for advanced users by the checkbox in the screenshot. It'll just have a passive info bar instead. The dialog is primarily for less knowledgeable users who installed the extension to diagnose an issue and need direct feedback. It's far more useful when it actually detects an addon as the cause, in which case it'll tell you which one and give you the option of disabling it directly.

I'd been considering showing the dialog in fewer instances for OOPP (which isn't supported yet). Not showing it for non-diagnosed crashes or at least useless reports may also be a good way to go.

> 3) the pop under looks very much like any other spoofable content window.  I
> could imagine evil sites replicating the message in the window and getting
> users to click on links in the window to direct traffic or do other more evil
> things.

I don't see how it could be considered spoofable. There's nothing that really makes it confusable with a normal content window or an alert. If this is considered easily spoofable then pretty much any XUL dialog is.
The dialog is spoofable because it appears on top of the content area.  I don't think that's a problem for this addon.
Ah, you mean by having something that's not even a window but looks like one, not making a window that looks like it. I see.

A much better route for this kind of information would be doorhanger notifications, whenever it gets implemented fully. I'll probably be one of the first people to try out using it in an extension. Of course, a very large portion of the extension will be obsolete by then. (though, that's a good thing)
(In reply to comment #6)
> Why is this filed in Bugzilla and not just reported to the author?
> 
> Moved out of Add-on Security, as this isn't a security issue, and I'd prefer
> not to pollute that component.

attacks against firefox through addon functionality, or spoofing against firefox + popular addon functionality are attacks against a lot of firefox users.

welcome to a new decade reed.

Dave,  thanks for looking at this and helping to figure out if there is anything we can do to reduce risk.

As I mentioned in the addon feedback comment this is also a valuable mechanism to get information out to users.  any ideas on how we could set up feeds of information for the case in comment 2 where we really did have an interesting and simple work around?
For addons which it diagnoses, it wouldn't be too hard to check for or offer to check for an update automatically. This is all currently restricted to plugins and extensions' binary modules though, so if it's crashing in JS it's not going to be able to tell it apart from anything else.

A bit back Jesse had suggested using bug 511789 when it's available, which I think would be the simplest route to point users to better support. If this search also was given a simple JSON output of some kind, then for signatures which return an exact result it could show a summary to the user with a link to more information on SUMO.
there is some discussion about doing something similar to comment 11 within session restore over in Bug 347680.   that recommends just throwing people into safe mode.  I think I like the idea of offering updates to addons better than just turning them off as a way out of an addon compat problem.
Extension binary module crashes are uncommon in comparison to plugins in many cases, and this extension was written pre-plugin-checker so offering to disable was the best route at the time. It's overdue for an update in a few other areas too. I plan to work on it whenever I finish with Flagfox 4.0.
Currently I'm working on a patch to automatically launch in Safe Mode after 3 subsequent crashes over in bug 347680.

We could use a part of all this to differentiate different areas of crashes, because not all crashes are fixed using Safe Mode. Also we should be as much help to the user as possible, i.e. providing information about the crash.
(In reply to comment #2)
> also had questions about what the process is to get messages into this
> stream

Even though we discovered this is not part of Firefox, I'd be very happy if we had a stream like that available (probably done in a different way, though)... ;-)
Mass-closing old Extension Compatibility bugs that relate to legacy add-ons or NPAPI plug-ins. If you think this bug is still valid, please reopen or comment.

Sorry for the bug spam, and happy Friday!
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX