Maciej Stachowiak wrote:
> I'm not sure if I'd be totally comfortable with putting something as
> streamlined as the Firefox extensions model. As presented on
> <http://addons.mozilla.org/>, it seems fine - the extensions posted
> there are centrally vetted and reviewed, the user has to take a clear
> explicit step to start the install, and there is a revocation model.
> But the fact that third party pages can trigger automated extension
> install seems problematic. For example, just visiting
> <http://gears.google.com/download.html> in Firefox, I am immediately
> faced with an alert dialog where the default button will install native
> code that runs in my browser.

That particular page does so by loading
<https://addons.mozilla.org/google/google_gears_linux.html> (or the
equivalent for Mac and Windows) in an iframe.
So this is treated just like any extension install from
addons.mozilla.org by the browser.
If you try doing an install of an XPI that's not on a site on the
extension install whitelist, all that happens is a notification bar that
says something like:
Firefox prevented this site (foo.com) from asking you to install
software on your computer.
and has an Allow button if the user wants to allow the install. If you
click that button, then you get the dialog you see on the gears page.
None of this adds the site to the whitelist, so if you go to install
another extension from the same site again you have to explicitly allow
it again.
> If any page can do that, then browsing
> with Firefox puts you one "enter" keystroke away from running native
> code (well, once Firefox restarts, anyway). I'm not really sure why
> Mozilla thinks that is ok.

I hope the above helps.
-Boris