Closed Bug 964994 Opened 11 years ago Closed 11 years ago

No indication that installing an untrusted extension could be harmful

Categories

(Firefox for Android Graveyard :: General, defect)

26 Branch
All
Android
defect
Not set
normal

Tracking

(firefox26 affected, firefox27 affected, firefox28 affected, firefox29 affected, fennec+)

RESOLVED WONTFIX

People

(Reporter: mfburdett, Assigned: wesj)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/31.0.1650.63 Chrome/31.0.1650.63 Safari/537.36
Steps to reproduce:
Installed an extension from a URL
Actual results:
There was no warning that installing an extension could be harmful to me.
Expected results:
I would expect some warning dialog not simply asking if I want the extension installed, but informing me that I should only install it if I trust the extension's source.
I take it this wasn't an extension you were installing from https://addons.mozilla.org ?
If I manually type the URL for an add-on, an "Installing Add-on" dialog pops up with Cancel or Install buttons. Ideally it would have some additional verbiage to warn users about malware like "Installing an add-on may be harmful unless you trust its source!"
tracking-fennec: --- → ?
Ian, any ideas on how we could indicate that to users?
tracking-fennec: ? → +
Flags: needinfo?(ibarlow)
We should be displaying a Doorhanger for "Allow installing add-on from this page?" If we are not, then we need to check the code. Only whitelisted sites, like AMO, should skip that Doorhanger.
The code works if you follow a link in Fx Android. This breaks down if the user enters a URL via the address bar or launches a link from the intent. We should try and fix this for 28. Comment 4 addresses the needinfo. Asking for sec review to rate this bug.
Status: UNCONFIRMED → NEW
tracking-fennec: + → ?
Ever confirmed: true
Flags: needinfo?(ibarlow) → sec-review?(mgoodwin)
OS: Linux → Android
Hardware: x86_64 → All
Assignee: nobody → wjohnston
tracking-fennec: ? → +
Attached patch: Patch
I see this same behavior on desktop as well. The issue is that we use the referrer to determine if install is allowed from a link: http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/amContentHandler.js#71 If you type the extension in (or copy paste it) you don't have a referrer anymore. This falls back to the normal uri if that's the case.
Attachment #8377747 - Flags: review?(dtownsend+bugmail)
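The referrer-based check and the URI fallback described in comment 6, modelled side by side. This is an added example, not part of the bug thread and not the code in amContentHandler.js; the function names, the result strings, the https and exact-host matching, and the sample URLs are assumptions made for illustration.

```javascript
// Model of the install-source check discussed in this bug. All names here are
// hypothetical; this is not the code in amContentHandler.js.

// Hosts that may skip the "Allow installing add-on from this page?" doorhanger.
// AMO is the only one named in the thread.
const WHITELIST = new Set(["addons.mozilla.org"]);

// Exact host of an https URL, or null when missing, unparsable or not https.
// (Requiring https and an exact host match are assumptions of this model.)
function hostOf(urlString) {
  if (!urlString) return null;
  try {
    const u = new URL(urlString);
    return u.protocol === "https:" ? u.hostname : null;
  } catch (e) {
    return null;
  }
}

// fallbackToUri=false: only the referrer is consulted (behaviour in comment 6).
// fallbackToUri=true : with no referrer, the install URI itself is checked
//                      (what the attached patch is described as doing).
function checkInstallSource(installUri, referrer, fallbackToUri) {
  let source = referrer || null;
  if (!source && fallbackToUri) source = installUri;
  if (!source) return "no-origin-check"; // typed URL or link opened from an intent
  return WHITELIST.has(hostOf(source)) ? "skip-doorhanger" : "show-doorhanger";
}

// Constructed sample requests (example.com is a placeholder host).
const SAMPLES = [
  { how: "link on AMO", uri: "https://addons.mozilla.org/a.xpi", ref: "https://addons.mozilla.org/" },
  { how: "link on other site", uri: "https://example.com/a.xpi", ref: "https://example.com/page" },
  { how: "typed in address bar", uri: "https://example.com/a.xpi", ref: null },
  { how: "typed, lookalike host", uri: "https://addons.mozilla.org.example.com/a.xpi", ref: null },
];

function compareBehaviours() {
  return SAMPLES.map((s) => ({
    how: s.how,
    referrerOnly: checkInstallSource(s.uri, s.ref, false),
    withFallback: checkInstallSource(s.uri, s.ref, true),
  }));
}

console.table(compareBehaviours());
```

The last two rows are the cases the thread is about: with the referrer-only check a typed URL gets no origin check at all, while the fallback routes it through the same whitelist as a followed link.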
URLs entered directly into the address bar by the user have always intentionally bypassed the whitelist.
(In reply to Wesley Johnston (:wesj) from comment #6)
> Created attachment 8377747 [details] [diff] [review]
> Patch
>
> I see this same behavior on desktop as well. The issue is that we use the
> referrer to determine if install is allowed from a link:
On desktop I correctly see the install dialog pop up warning you not to install extensions from untrusted sources. This seems correct to me, do you not see that?
Yeah. We get the install dialog. Just not the "untrusted" popup. I'm fine not having it here. I'll close this WONTFIX.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Attachment #8377747 - Flags: review?(dtownsend+bugmail)
Flags: sec-review?(mgoodwin)
Product: Firefox for Android → Firefox for Android Graveyard