Closed Bug 683880 Opened 13 years ago Closed 13 years ago

Install addons reports host name of current page, not site hosting addon

Categories

(Firefox :: Security, defect)

6 Branch
x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 358266

People

(Reporter: colinmkeith, Unassigned)

Attachments

(1 file)

Attached image ffbug.png
User Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

When clicking on a link to install an add-on, the warning message displays the name of the site hosting the link, not the name of the site hosting the actual add-on.

For example, to install the latest Firebug beta there is a link in http://blog.getfirebug.com/ to the add-on which is on the site http://getfirebug.com/. FFx prompts you to allow "blog.getfirebug.com".

This is potentially a security issue since users are being prompted to trust the site that is referring you to the add-on, not the site actually hosting the add-on.

This seems similar to the report in bug 294450. The answer there was that the issue was an intentional design, but I don't see a good reason why you would intentionally ask a user to trust a site when the software is actually coming from a different site. Tested on FFx 6.0.1 / Win7 and FFx 6.0.1 / Kubuntu 11.04.


Actual results:

I was prompted to trust blog.getfirebug.com, the referring site, not getfirebug.com, the site actually hosting the add-on.


Expected results:

I should have been prompted to trust the site that is actually hosting the add-on, getfirebug.com, not the site that is referring me there.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE