- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 30 Jul 2009 17:18:33 -0400

Maciej Stachowiak wrote:
> I'm not sure if I'd be totally comfortable with putting something as
> streamlined as the Firefox extensions model. As presented on
> <http://addons.mozilla.org/>, it seems fine - the extensions posted
> there are centrally vetted and reviewed, the user has to take a clear
> explicit step to start the install, and there is a revocation model.
>
> But the fact that third party pages can trigger automated extension
> install seems problematic. For example, just visiting
> <http://gears.google.com/download.html> in Firefox, I am immediately
> faced with an alert dialog where the default button will install native
> code that runs in my browser.

That particular page does so by loading https://addons.mozilla.org/google/google_gears_linux.html (or the equivalent for mac and Windows) in an iframe. So this is treated just like any extension install from addons.mozilla.org by the browser.

If you try doing an install of an XPI that's not on a site on the extension install whitelist, all that happens is a notification bar that says something like:

    Firefox prevented this site (foo.com) from asking you to install software on your computer.

and has an Allow button if the user wants to allow the install. If you click that button, then you get the dialog you see on the gears page. None of this adds the site to the whitelist, so if you go to install another extension from the same site again you have to explicitly allow it again.

> If any page can do that, then browsing
> with Firefox puts you one "enter" keystroke away from running native
> code (well, once Firefox restarts, anyway). I'm not really sure why
> Mozilla thinks that is ok.

I hope the above helps.

-Boris

Received on Thursday, 30 July 2009 14:18:33 UTC