[whatwg] Security risks of persistent background content (Re: Installed Apps)

[Boris Zbarsky]

Maciej Stachowiak wrote:
> I'm not sure if I'd be totally comfortable with putting something as 
> streamlined as the Firefox extensions model. As presented on 
> <http://addons.mozilla.org/>, it seems fine - the extensions posted 
> there are centrally vetted and reviewed, the user has to take a clear 
> explicit step to start the install, and there is a revocation model.
> 
> But the fact that third party pages can trigger automated extension 
> install seems problematic. For example, just visiting 
> <http://gears.google.com/download.html> in Firefox, I am immediately 
> faced with an alert dialog where the default button will install native 
> code that runs in my browser.

That particular page does so by loading 
https://addons.mozilla.org/google/google_gears_linux.html (or the 
equivalent for mac and Windows) in an iframe.

So this is treated just like any extension install from 
addons.mozilla.org by the browser.

If you try doing an install of an XPI that's not on a site on the 
extension install whitelist, all that happens is a notification bar that 
says something like:

   Firefox prevented this site (foo.com) from asking you to install
   software on your computer.

and has an Allow button if the user wants to allow the install.  If you 
click that button, then you get the dialog you see on the gears page. 
None of this adds the site to the whitelist, so if you go to install 
another extension from the same site again you have to explicitly allow 
it again.

> If any page can do that, then browsing 
> with Firefox puts you one "enter" keystroke away from running native 
> code (well, once Firefox restarts, anyway). I'm not really sure why 
> Mozilla thinks that is ok.

I hope the above helps.

-Boris