Daniel Veditz wrote:
Robert Mohr wrote:

mrhappy wrote:


It would be really good if there was a default setting of silent ignore for XPIs.

It's not the default and never will be, but you can set 'xpinstall.enabled' to false in about:config.


It is not now the default, but never say never--we may very well be changing
it. More likely we'll add per-site permissions (probably defaulting to off
for unset sites) and leave the global switch "on".

Figuring out an appropriate UI and security model is tough. When sites
offered .exe downloads we used to force people to explicitly save them and
launch them using the OS. This was to discourage stu^H^H^Hinexperienced
people from running any malware they ran across, with a barrier easily
overcome by anyone who knew what they were doing. Plus launching the thing
from the OS window was a CYA step: the browser clearly didn't infect the
computer; the user explicitly ran something using the same OS UI used to run
other programs. Surely they'd understand what running a program meant, right?

The fundamental difference between exe files and xpinstall files is that, from a user point of view, xpinstall is only a mechanism for installing stuff into the browser. Granted, it *could* be leveraged for more general installs but typically it isn't. We haven't even had any success in getting people like Macromedia to package up Flash as an XPI.


That means we already have a good idea of which sites are offering legitimate XPIs for download (at least, we have an idea of where the central repositories are) whereas we have no idea which sites are offering legitimate exes. This is significant because it means that whitelisting is a viable option for XPIs. In general, I would expect popular addons to be listed in the standard repositories so that the only people who need to turn off the whitelist are power users who are unafraid to try new extensions. This is an important part of the model because it is only by experienced users testing extensions that we can move legitimate XPIs to the trusted repository.

Personally I believe that the impact that whitelisting would have on the typical user experience is negligible compared to the damage that Firefox will suffer if it becomes just as easy to be infected with ad/spyware through Firefox as it currently is through IE. The supposed better security of Firefox is one of the primary reasons that people are switching browsers and, if we fail to protect that reputation, then people are much less likely to make the effort to switch.


_______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security
