Dirk wrote:
a website tries to install the following software
http://www2.flingstone.com/cab/sbc_netscape.xpi
if you d/l the xpi and expand the zip file your anti virus program will alert you with something like... "keylog-briss" Trojan horse detected
We've noticed attempts like this recently and are taking steps to address it. As a first stop-gap, sites are no longer be able to launch installs during page load (easy to work around, but a quick band-aid to specific abuses we've seen). This is already in recent nightlies of Firefox and Mozilla. Second, at the cost of greatly reducing the usefulness of XPInstall, we're restricting its use to whitelisted sites or else people can explicitly download the file and then launch it (as they can do with an .exe install).
So this is why in newest rc's of Mozilla and firefox I am not able to install any .xpi files? Coworker told me that he gets immediate "user cancel" in installation script.
Up to now we had behavior that is consistent with ActiveX installation under IE, and even XP SP2 shows nice and wisible warning when it blocks ActiveX control (so that the user knows what's going on and can easily allow it for that specific site, we are ok with that), with newest Firefox it just silently fails. Is there any way aroud this?
If not how to differentiate between Mozilla browsers that do it the old way and the new ones?
You can turn the software installation off on Mozilla but not in the FireFox preferences.
you can turn it off manually through about:config, and I believe UI is being added as part of the new "Extension Manager" interface going into 0.9
Is it possible to check that setting from JavaScript on webpage? FireFox users are generally much more educated when it goes to browser config than IE users but it would still be nice if I could somehow inform them what specific setting prevents automatic xpi installation. If it just fails without warning or info of any kind it's quite a problem for me (my company develops online gaming portal with currently _tens_ of xpi game plugins).
I think most people believe they have no virus problems with Mozilla/FireFox but that's not true...
This still requires the user to agree to install something on their machine so it's not exactly a virus or worm, but probably too many people could fooled into installing it. That's why we're changing things.
-Dan Veditz
_______________________________________________ Mozilla-xpinstall mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-xpinstall
