Open Bug 424621 Opened 17 years ago Updated 4 years ago

Incorrect domain name shown in extension installation warning message

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Windows Vista
defect
Not set
normal

Tracking

(Not tracked)

People

(Reporter: johnblackbourn, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: regression)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4

When Firefox prevents a website from asking you to install software, the domain name shown in the notification bar is incorrect if the page has a referer. It shows the referer's domain instead of the current page's domain. Opens up the possibility of an XSRF.

Screenshot: http://farm3.static.flickr.com/2057/2354146514_66d64c84a7_o.png

Reproducible: Always

Steps to Reproduce:
1. Ensure you do *not* have the iMacros extension for Firefox installed and that you have not whitelisted imacros.net as being allowed to ask to install software.
2. Visit http://del.icio.us/imacros/imacro .
3. Click on any of the imacros listed and wait for the page to load.

Actual Results:
Observe that the notification bar on the next page shows 'del.icio.us' as the site that has been prevented from asking you to install software.

Expected Results:
The correct domain name 'run.imacros.net' should be shown instead.

Fresh install of Fx3b4.

Firefox 2 correctly identifies the site in the notification bar, but Firefox trunk shows the buggy behavior as described in comment 0. (I had to alter my trunk UA to say "Firefox" rather than "Minefield", fwiw.)

The site uses

<meta http-equiv="refresh" content="1;url=http://www.iopus.com/download/imacros.xpi" />

My guess is this is just bug 358266, and something changed between Firefox 2 and trunk that affects the referrer when meta-refresh is involved.

Status: UNCONFIRMED → NEW
Depends on: 358266
Ever confirmed: true
Keywords: regression
Component: Extension/Theme Manager → Installer: XPInstall Engine
Product: Firefox → Core
QA Contact: extension.manager → xpi-engine
Version: unspecified → Trunk

From a quick glance, this may be intentional?

http://mxr.mozilla.org/mozilla/source/xpinstall/src/nsInstallTrigger.cpp#190

dveditz' comment there seems to imply that using the referrer (when available) is the desired approach. I can get my head around this argument since it was, in this case, del.icio.us that tried to get us to install something, regardless of where it's hosted. But I would still like to hear from dveditz, because there's a lot of comment there in the referrer/no-referrer cases, so I suspect this has rich context.

The actual prompting in browser happens here:

http://mxr.mozilla.org/mozilla/source/browser/base/content/browser.js#640

but I think we'd want to change this in xpinstall for all consumers, if we decided it was the wrong approach.

CC'ing dtownsend too - maybe this was an accidental regression from some of the xpinstall removals?

Hrm - reading bug 358266 in more detail I now understand Jesse's comment better - that this is really just that bug, possibly with some meta-refresh special sauce thrown into the mix. Apologies for not building up all the context sooner.
Product: Core → Core Graveyard
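
The labelling discrepancy discussed in this bug, modelled as an added example (not Firefox or XPInstall code, and not part of the original thread). It parses the meta refresh quoted above and compares the host a referrer-based label would show with the host of the page and of the XPI. The function names and the run.imacros.net query string are assumptions; the hosts and the other URLs come from the report.

```javascript
// Added illustration; not Firefox or XPInstall code. It models the two
// labelling policies discussed in this bug for a meta-refresh install.

// Parse a meta-refresh content value such as "1;url=http://host/file.xpi".
// Returns { delay, url } or null when the value carries no URL target.
function parseMetaRefresh(content, baseUrl) {
  const m = /^\s*(\d+(?:\.\d*)?)\s*[;,]\s*(?:url\s*=\s*)?(['"]?)(.+?)\2\s*$/i.exec(content);
  if (!m) return null;
  return { delay: Number(m[1]), url: new URL(m[3], baseUrl).href };
}

// Find the first <meta http-equiv="refresh"> tag in an HTML string.
function findMetaRefresh(html, baseUrl) {
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if (!/http-equiv\s*=\s*["']?refresh/i.test(tag)) continue;
    const c = /content\s*=\s*"([^"]*)"|content\s*=\s*'([^']*)'/i.exec(tag);
    if (c) return parseMetaRefresh(c[1] ?? c[2], baseUrl);
  }
  return null;
}

// Hosts that each labelling policy would display, plus the XPI's own host.
function installPromptLabels({ pageUrl, referrer, html }) {
  const host = (u) => (u ? new URL(u).hostname : null);
  const refresh = findMetaRefresh(html, pageUrl);
  const byReferrer = host(referrer) ?? host(pageUrl); // label reported on trunk
  const byPage = host(pageUrl);                        // label the reporter expected
  return {
    byReferrer,
    byPage,
    xpiHost: refresh ? host(refresh.url) : null,
    mismatch: byReferrer !== byPage, // true when the bar names a different site
  };
}

// Constructed sample: the path/query on run.imacros.net is made up.
const sample = {
  pageUrl: "http://run.imacros.net/?example=constructed",
  referrer: "http://del.icio.us/imacros/imacro",
  html: '<head><meta http-equiv="refresh" ' +
        'content="1;url=http://www.iopus.com/download/imacros.xpi" /></head>',
};

console.log(installPromptLabels(sample));
```

A regression test for the prompt can assert that the displayed host equals the chosen policy's value for pages like this one, where referrer, page and XPI are on three different hosts.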