Hi, It occured to me that most of the extensions that I install for firefox and thunderbird, I simply do it on trust. But can't someone do something malicious with it (like, rm -f my home directory. etc)?
Yes, an extension can do anything that firefox can do (which is pretty much anything).
What are the potential security risks associated with the xpi based installation mechanism?
Don't install extensions from untrusted sources. Period.
What steps are being taken to reduce this risk?
We now have a whitelist mechanism for the more automated XPI install (you only get one warning dialog for sites such as texturizer.net that are on the whitelist). For untrusted sites, you have to save the XPI to disk, *then* open/install it.
--BDS _______________________________________________ Mozilla-security mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-security
