Here is an interesting idea from someone on Get Satisfaction for one way this feature could be implemented.
http://getsatisfaction.com/mozilla/topics/command_subscription_page_feature_to_warn_users_to_install_ubiquity On May 8, 4:46 pm, Blair McBride <[email protected]> wrote: > Great info and links - thanks! > > I think this is an important topic that needs to be considered when > adding code that somehow touches content-space. Thankfully, there have > been some really smart people looking into this already, so Ubiquity > (and other addons) can learn from previous mistakes and research. > > It also shows that while these type of information leaks are getting > fixed on the Firefox platform (eg, chrome:// URLs are no longer > accessable unless whitelisted), its often up to extension authors to do > things sensibly and with forethought. > > Whether or not this type of leak can be used malliciously or not is > beside the point - if its not explicitly wanted (and expected) by the > user, then its a security bug that needs fixing. > > - Blair > > On 8/5/09 4:30 PM, esquifit wrote: > > > There was some talk about this topic some time ago, see the links > > below. I don't know how vulnerable Firefox is these days. The same > > question arose repeatedly in the context of the Greasemonkey extension. > > The GM developers eventually implemented some protection measures that > > (I think) are now somehow handled by Firefox itself. Anthony > > Lieuallen's Karma Blocker extension [1] was also very helpful against > > this vulnerability. > > > [1]https://addons.mozilla.org/en-US/firefox/addon/5230 > > > There were essentially two approaches: > > 1) When a message bar is displayed as a result of a script being > > installed/discovered, the page can detect the vertical displacement > > caused by the bar. For example a page could include the <link> tag > > pointing to some (possible non existent) ubiuity script and check for > > the vertical shift caused by the Ubiquity bar prompting for installation. > > 2) Including a extension's chrome:// image resource from the web page. > > Depending on whether the extension was installed or not, the included > > image would have length 0 or greater than 0 and would thus affect the > > width of some other element in the page. This could be measured by > > javascript code. I think newer versions of Firefox disallow inclusion of > > chrome:// images from web content. > > > Here some interesting links: > > > Detecting FireFox Extentions ha.ckers.org <http://ha.ckers.org> web > > application security lab > >http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/ > > > Jeremiah Grossman: I know what you've got (Firefox Extensions) > >http://jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-fi... > > > Greasemonkey Detect > >http://wearehugh.com/public/2006/07/detect-greasemonkey.html > > > Greasemonkey Detectable? - greasemonkey-users | Grups de Google > >http://groups.google.com/group/greasemonkey-users/browse_thread/threa... > > <http://groups.google.com/group/greasemonkey-users/browse_thread/threa...> > > > On Sat, May 9, 2009 at 1:05 AM, Blair McBride <[email protected] > > <mailto:[email protected]>> wrote: > > > This would be a security bug if it were possible - it should never be > > possible for web content to detect which extensions a user is running. > > > - Blair > > > On 4/5/09 1:42 PM, Alphawolf wrote: > > > > Hey there, > > > > is it possible to check with javascript if Ubiquity is installed in a > > > user's Firefox? I'd like to display some install instructions to > > those > > > only who have it installed already. > > > > Regards, > > > Oliver --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "ubiquity-firefox" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/ubiquity-firefox?hl=en -~----------~----~----~----~------~----~------~--~---
