Closed Bug 652896 Opened 10 years ago Closed 3 years ago
Allow AMO to show extension install dialog before downloading XPI
The current flow (click Install, wait for download, confirm intent to install) causes numerous usability and security problems. We should allow AMO to give us the information for the dialog up-front, as part of the InstallTrigger call. (If the information shown in the dialog does not match what is extracted from the extension, we'd need to bail, but this shouldn't happen on AMO.) Then we can download the XPI in parallel with the user seeing and reading the dialog, which will make the installation process much smoother overall. I think this is the most important part of the plan to reduce extension installation security-dialog pain (https://wiki.mozilla.org/Security/Add-Ons_Discussion).
(In reply to comment #0) > The current flow (click Install, wait for download, confirm intent to install) > causes numerous usability and security problems. Could you elaborate on what these problems are for the uninitiated?
Having the dialog after the download forces users to wait twice, and might predispose them to click Install. It raises questions of what happens if you click AMO's green Install button and then switch tabs, with the most obvious answer being to interrupt users with a security dialog (always bad).
Slight elaboration: We currently download an add-on's .xpi file before the user is asked permission to install it. While it's roughly understandable enough for users to navigate through, the order is backwards compared to the vast majority of similar installation flows. Installing a file before asking both flies in the face of user expectation, and gives the impression at first that we will be installing an add-on without asking permission at all (see: Windows Vista). This may cause users to prematurely cancel an installation on the onset. If we can ask the user's permission first - even with imperfect add-on data - and then download the file, we'll be following a very well expected and utilized model (in computing and in life) of asking for permission and then completing the action once it is obtained.
I don't know, whether it is the right place to ask a question like this (and I beg you to correct me if it is not), but: Why not download the .xpi in the background while asking for permission and discard it in the case the user denies to install it? This reduces the time the user has to wait for his extension, and just downloading the .xpi wouldn't hurt from a security perspective, or would it?
That's the plan :) "Then we can download the XPI in parallel..."
Looks like this will be part of my work in bug 643020.
Assignee: nobody → bmcbride
Status: NEW → ASSIGNED
OS: Mac OS X → All
Hardware: x86 → All
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.