User.js: Website auto-installing Firefox extension?

Created on 16 Jan 2021 · 6 Comments · Source: arkenfox/user.js

This could be dangerous, so don't try at home!

Tested in Firefox 84.0.2

  1. Visit: https://www.google.com/search?q=vpn.prismamp.com

  2. Click the first result in Google (vpn.prismamp.com)

  3. This website will download and try to install an extension in your browser automatically.

  4. Fortunately I got this message: "The add-on downloaded from this site could not be installed because it appears to be corrupt."

Is this really happening and how to prevent it?

enhancement

All 6 comments

Is this really happening

  • yes
  • site permission for the site is install add-ons at default = always ask
  • options > privacy & security > permissions > warn you when websites try to install add-ons is checked
  • ^^ exceptions only contains two mozilla domains (by default)

how to prevent it

  • don't go to the site /s
  • i've pinged a couple of moz devs: one from sec, one from web-ext

how to prevent it?

try setting extensions.postDownloadThirdPartyPrompt to false.
If that fixes it, I think we should add this pref to the user.js because it's fucking stupid anyways to allow the addon download before asking to install it. And in some cases it apparently didn't trigger the install prompt at all!
IDK WTH they thought this is a good idea, or in any way acceptable or even desirable behavior!

https://bugzilla.mozilla.org/show_bug.cgi?id=1659530

In my case:

  • site permissions to install add-ons = always ask
  • warn you when websites try to install add-ons = checked (no exceptions)

Yet, it didn't trigger the install prompt at all! Absolute madness!

Thanks, earthlng! This pref does help - there is a prompt now. I will add it to my prefs. It's vital.

It's only supposed to treat "recommended addons" differently and I don't see a prism VPN addon in the list of recommended a's.
So yeah, apparently there's more wrong with this than just the things they already knew about when they did their limited and lousy testing and they went ahead with it anyways. Absolute madness sounds about right

IDK if this is the number/section to use: seems right to me

/* 2625: disable bypassing 3rd party extension install prompts [FF82+]
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
user_pref("extensions.postDownloadThirdPartyPrompt", false);

My question is, how would this affect privileged extensions: IDK exactly what privileged here means: system extensions will update when you update the app, and the search ones are in omni.ja ... so I'm guessing these are experiments or something

how would this affect privileged extensions

2 birds with 1 stone as far as I'm concerned ;)
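
Added example, not part of the thread and not arkenfox code: a Node.js check that takes the text of a profile's prefs.js and user.js and reports the effective value of extensions.postDownloadThirdPartyPrompt. The function names, the sample file contents and the assumed default of true are assumptions made for illustration.

```javascript
// Added example, not arkenfox code. Sample file contents are constructed.
const PREF = "extensions.postDownloadThirdPartyPrompt";
const ASSUMED_DEFAULT = true; // assumption: FF82+ default, as the thread implies

// Drop /* */ and // comments but leave string literals (e.g. URLs) intact.
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (quote) {
      out += c;
      if (c === "\\") { out += n ?? ""; i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === "/" && (n === "*" || n === "/")) {
      const end = src.indexOf(n === "*" ? "*/" : "\n", i + 2);
      i = end === -1 ? src.length : end + (n === "*" ? 2 : 0);
    } else {
      if (c === '"' || c === "'") quote = c;
      out += c; i++;
    }
  }
  return out;
}

// Map of pref name -> value; a later user_pref() for the same name wins.
// String values are kept as written, without unescaping.
function parsePrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/g;
  const prefs = new Map();
  for (const [, name, raw] of stripComments(src).matchAll(re))
    prefs.set(name, raw[0] === '"' ? raw.slice(1, -1) : JSON.parse(raw));
  return prefs;
}

// user.js is applied over prefs.js at startup, so it takes precedence here.
function auditInstallPrompt(prefsJs, userJs) {
  for (const [source, text] of [["user.js", userJs], ["prefs.js", prefsJs]]) {
    const prefs = parsePrefs(text);
    if (prefs.has(PREF)) return { source, value: prefs.get(PREF), hardened: prefs.get(PREF) === false };
  }
  return { source: "default", value: ASSUMED_DEFAULT, hardened: false };
}
const SAMPLE_PREFS_JS = 'user_pref("browser.startup.homepage", "https://example.org/");\n' +
  'user_pref("extensions.postDownloadThirdPartyPrompt", true);\n';
const SAMPLE_USER_JS = `/* 2625: disable bypassing 3rd party extension install prompts [FF82+]
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
user_pref("extensions.postDownloadThirdPartyPrompt", false);
// user_pref("extensions.postDownloadThirdPartyPrompt", true);`;
console.log(auditInstallPrompt(SAMPLE_PREFS_JS, SAMPLE_USER_JS));
```

To check a real profile, pass the contents of its prefs.js and user.js as the two strings; a result with `hardened: false` means the pref is unset or still true.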
