James Graham wrote: > The fundamental difference between exe files and xpinstall files is > that, from a user point of view, xpinstall is only a mechanism for > installing stuff into the browser.
Then we need to change the impression: XPInstall is a general purpose install engine, originally designed for adding binary components like plugins and whatever companion software the Netscape marketing folks thought they could push to drive traffic back to netscape.com. The rise of XUL made the creation of chrome-only add-ons possible, but those aren't any safer than binary code. Mozilla and Firebird themselves are installed using the XPInstall engine (but, of course, users don't know that). > We haven't even had any > sucess in getting people like Marcomedia to package up flash as an XPI. flash packaged in a XPI ftp://ftp.netscape.com/pub/netscape7/english/7.1/windows/win32/jgksyc/flash.xpi Sun's JVM as a XPI http://java.sun.com/update/1.4.2/j2re-1_4_2_02-windows-i586.xpi but yeah, in general you're right. Gecko-based browsers don't have the marketshare to make creating a completely different install package worthwhile, especially when their standard .exe install works just fine. > Personally I believe that the impact that whitelisting would have on the > typical user experience is negligible compared to the damage that > Firefox will suffer if it becomes just as easy to be infected with > ad/spyware through firefox as it currently is through IE. Firefox will have whitelisting, Ben has spoken. -Dan Veditz _______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security