After all, an XPI usually contains privileged JavaScript which could wreak all kinds of havoc if it were installed. It would not be hard to craft some JS to take down a machine, add a trojan or steal files through the XPCOM objects it has access to. And the situation is even worse than ActiveX because I have yet to see a single XPI package which is signed, so there is no trust model at the moment.
Shouldn't Mozilla / Firebird ship with secure by default settings? These settings should *require* XPI files be signed. If the user disables the settings then that's their own business, but by default the settings should enforce at least some security.
I suppose part of the problem with signing XPI files is where do you get the cert from? They cost a fortune and the model doesn't lend itself well to individual developers.
Maybe Mozilla.org should itself issue certs for a $100 deposit to anyone who wants one. It would certainly be in the ideal position to revoke them if an extension turned out to be bad.
Thoughts?

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
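To make the "secure by default" point concrete, here is an added example (written for this page, not code from the post or from Mozilla) of an install gate that refuses unsigned packages unless the user explicitly relaxes the setting, and that checks the per-file digests of a signed package before trusting its contents. It assumes the JAR-style signing layout (a `META-INF/MANIFEST.MF` listing a `SHA1-Digest` per file, a `.SF` signature manifest and a `.RSA`/`.DSA` PKCS#7 block); the sample packages, file names and the `SIGNER.SF`/`SIGNER.RSA` member names are constructed placeholders, and the PKCS#7 signature itself is deliberately not verified here, so a real installer would still have to check that block against a trusted certificate before accepting the manifest.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample contents of a tiny extension (not a real XPI).
SAMPLE_FILES = {
    "install.rdf": b"<RDF>constructed install manifest</RDF>",
    "chrome/content.js": b"// constructed privileged script\n",
}


def build_xpi(files, signed):
    """Build an in-memory zip; when signed=True, add a JAR-style manifest
    plus placeholder .SF/.RSA members (assumption: XPI signing = JAR signing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if signed:
            lines = ["Manifest-Version: 1.0", ""]
            for name, data in files.items():
                digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
                lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
            zf.writestr("META-INF/MANIFEST.MF", "\n".join(lines))
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            # Placeholder bytes only: a real package carries a PKCS#7 block here.
            zf.writestr("META-INF/SIGNER.RSA", b"<constructed placeholder>")
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def replace_member(xpi_bytes, name, data):
    """Return a copy of the package with one member replaced or added,
    leaving META-INF untouched (simulates post-signing tampering)."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info.filename, src.read(info.filename))
        dst.writestr(name, data)
    return out.getvalue()


def _parse_manifest(text):
    """Map 'Name:' entries to their 'SHA1-Digest:' values."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current is not None:
            entries[current] = line[len("SHA1-Digest: "):]
    return entries


def install_decision(xpi_bytes, require_signed=True):
    """Return (allowed, reason). The default refuses unsigned packages;
    signed packages must have every non-META-INF member covered by a
    matching manifest digest."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = set(zf.namelist())
        has_manifest = "META-INF/MANIFEST.MF" in names
        sig_blocks = [n for n in names
                      if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA"))]
        if not has_manifest or not sig_blocks:
            if require_signed:
                return False, "unsigned package refused by default policy"
            return True, "unsigned package allowed: signature requirement disabled by user"
        manifest = _parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for member in sorted(names):
            if member.startswith("META-INF/") or member.endswith("/"):
                continue
            if member not in manifest:
                return False, f"{member} is not covered by the signed manifest"
            actual = base64.b64encode(hashlib.sha1(zf.read(member)).digest()).decode()
            if actual != manifest[member]:
                return False, f"digest mismatch for {member}"
    return True, "manifest digests verified (PKCS#7 block present but not verified here)"


if __name__ == "__main__":
    signed = build_xpi(SAMPLE_FILES, signed=True)
    print(install_decision(build_xpi(SAMPLE_FILES, signed=False)))
    print(install_decision(signed))
    print(install_decision(replace_member(signed, "chrome/content.js", b"// altered\n")))
```

The policy split matters: the refusal of unsigned packages is the default that the post asks for, and the digest walk shows why a manifest is only useful when every shipped file is listed in it and the manifest itself is tied to a key the user trusts.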
