Install addons reports host name of current page, not site hosting addon

RESOLVED DUPLICATE of bug 358266

Status

Firefox
Security
6 years ago
6 years ago

People

(Reporter: colinmkeith, Unassigned)

Tracking

6 Branch
x86
Linux

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Description

6 years ago
Created attachment 557477
ffbug.png

User Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

When clicking on a link to install an add-on, the warning message displays the name of the site hosting the link, not the name of the site hosting the actual add-on.

For example, to install the latest Firebug beta there is a link in http://blog.getfirebug.com/ to the add-on, which is on the site http://getfirebug.com/. FFx prompts you to allow "blog.getfirebug.com".

This is potentially a security issue since users are being prompted to trust the site that is referring you to the add-on, not the site actually hosting the add-on.

This seems similar to the report in bug 294450. The answer there was that the issue was an intentional design, but I don't see a good reason why you would intentionally ask a user to trust a site when the software is actually coming from a different site. Tested on FFx 6.0.1 / Win7 and FFx 6.0.1 / Kubuntu 11.04.


Actual results:

I was prompted to trust blog.getfirebug.com, the referring site, not getfirebug.com, the site actually hosting the add-on.


Expected results:

I should have been prompted to trust the site that is actually hosting the add-on, getfirebug.com, not the site that is referring me there.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 358266
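
An added example, not part of the bug report and not Firefox code: a small audit that lists the add-on install links on a page and compares the host the prompt names, per the report (the page containing the link), with the host that serves the `.xpi` file. The sample HTML, the `.xpi` paths and all function names are constructed for illustration.

```javascript
// Added example: audit a page's add-on install links and compare the host the
// prompt names (per the report: the page containing the link) with the host
// that actually serves the .xpi file.

// Constructed sample page; the .xpi paths are made up for illustration.
const SAMPLE_PAGE_URL = "http://blog.getfirebug.com/";
const SAMPLE_HTML = `
  <a href="http://getfirebug.com/releases/example-beta.xpi">Install beta</a>
  <a href="/downloads/local-example.xpi">Install from this blog</a>
  <a href="//GetFirebug.com:80/releases/other.XPI?src=blog">Other build</a>
  <a href="http://getfirebug.com/whatsnew">Release notes</a>
`;

// Extract href values from anchor tags (quoted attributes only; enough for an audit sketch).
function extractHrefs(html) {
  const hrefs = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) hrefs.push(m[2]);
  return hrefs;
}

function auditInstallLinks(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const href of extractHrefs(html)) {
    let target;
    try {
      target = new URL(href, page); // resolves relative and protocol-relative links
    } catch {
      continue; // unparsable href: nothing to install from
    }
    // Compare case-insensitively and ignore the query string.
    if (!target.pathname.toLowerCase().endsWith(".xpi")) continue;
    findings.push({
      href,
      promptedHost: page.hostname,  // host shown to the user, per the report
      hostingHost: target.hostname, // host the add-on is downloaded from
      mismatch: page.hostname !== target.hostname,
    });
  }
  return findings;
}

// Only the links where the named host is not the host serving the file.
function mismatchedInstallLinks(pageUrl, html) {
  return auditInstallLinks(pageUrl, html).filter((f) => f.mismatch);
}
```
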