[whatwg] Security risks of persistent background content (Re: Installed Apps)
bzbarsky at MIT.EDU
Thu Jul 30 14:18:33 PDT 2009
Maciej Stachowiak wrote:
> I'm not sure if I'd be totally comfortable with putting something as
> streamlined as the Firefox extensions model. As presented on
> <http://addons.mozilla.org/>, it seems fine - the extensions posted
> there are centrally vetted and reviewed, the user has to take a clear
> explicit step to start the install, and there is a revocation model.
> But the fact that third party pages can trigger automated extension
> install seems problematic. For example, just visiting
> <http://gears.google.com/download.html> in Firefox, I am immediately
> faced with an alert dialog where the default button will install native
> code that runs in my browser.

That particular page does so by loading
https://addons.mozilla.org/google/google_gears_linux.html (or the
equivalent for mac and Windows) in an iframe.

So this is treated just like any extension install from
addons.mozilla.org by the browser.

If you try doing an install of an XPI that's not on a site on the
extension install whitelist, all that happens is a notification bar that
says something like:

   Firefox prevented this site (foo.com) from asking you to install
   software on your computer.

and has an Allow button if the user wants to allow the install. If you
click that button, then you get the dialog you see on the gears page.

None of this adds the site to the whitelist, so if you go to install
another extension from the same site again you have to explicitly allow

> If any page can do that, then browsing
> with Firefox puts you one "enter" keystroke away from running native
> code (well, once Firefox restarts, anyway). I'm not really sure why
> Mozilla thinks that is ok.
I hope the above helps.