Closed Bug 906402 Opened 6 years ago Closed 6 years ago
security exception when checking signature of favicon (?)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release) Build ID: 20130803215302 Steps to reproduce: Searched websites with "startpage (SSL)" add-on installed. Clicked on any search result. Actual results: Logcat shows security exceptions with every website loading. Expected results: On the surface everything works as expected. I just worry about the exceptions.
Do you see these when you disable "Startpage (SSL)" ?
Hi Aaron! I disabled every add-on and the culprit is "adblock plus". How can I provide further information? Should I contact the developer of "adblock plus"? Greetz Martin
It is suggested to file a bug-report over at https://adblockplus.org/forum/viewforum.php?f=11; if the case be that it's an issue on our end discovered in comment, I would imagine we could re-open this.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
I had filed this previously ... sounds like a dup and we should close that too https://bugzilla.mozilla.org/show_bug.cgi?id=901939
(In reply to Aaron Train [:aaronmt] from comment #3) > It is suggested to file a bug-report over at > https://adblockplus.org/forum/viewforum.php?f=11; I disagree - this isn't an Adblock Plus bug. Adblock Plus has been signed correctly but that's not really the point. The problem here is rather that Firefox shouldn't attempt to validate the signature when displaying the extension icon. For reference, the corresponding bug in the desktop Firefox version is bug 726125 which has been resolved a while ago. Note that my comment is based on the description from bug 901939 which has been resolved as a duplicate of this one - there isn't much of a description here.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
If you're saying that we can assume extension icons are trusted sources, we can bypass the security check done in Java and provide a working patch for consideration this way.
Comment on attachment 820696 [details] [diff] [review] bug906402 (v0) Ping mfinkle for feedback, not sure who to check with otherwise
new version tightens it up a bit
Assignee: nobody → markcapella
Status: REOPENED → ASSIGNED
Attachment #821632 - Flags: review?(mark.finkle)
Comment on attachment 821632 [details] [diff] [review] bug906402 (v1) >+ // Addons, extensions, etc Let's make the comment a bit more descriptive: // Don't attempt to validate the JAR signature when loading an add-on icon
Attachment #821632 - Flags: review?(mark.finkle) → review+
TRY is nice and green: https://tbpl.mozilla.org/?tree=Try&rev=83e7ed66547f
And on we go https://hg.mozilla.org/integration/fx-team/rev/06e480dedcb0 Adblock plus icons for everyone
Status: ASSIGNED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 28
You need to log in before you can comment on or make changes to this bug.