User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090113 Minefield/3.1b2pre ( LIKE Firefox/3.0 ) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090113 Minefield/3.1b2pre ( LIKE Firefox/3.0 ) When an XPI is linked to for installation in Firefox, the infobar informs the user of the location of the current document, instead of the location of the file to be installed. Since install instructions are just simple http links, which are usually assumed to be harmless by many service providers (facebook and so on), anybody able to post a link can exploit a victim's trust in that provider in order to get him/her to install a dangerous XPI hosted on an entirely different location. The next dialog (the actual install dialog) displays the correct location, but at this time the user has already seen the other location and is very likely to not check the location again. Reproducible: Always Steps to Reproduce: 1. Go to the linked page 2. Click on "installed" Actual Results: An infobar pops up "Minefield prevented this site (tapper-ware.net) from asking you to install software on this computer." Expected Results: An infobar should pop up "Minefield prevented this site (tapper-ware.net) from asking you to install software from people.mozilla.org on this computer." Maybe it would even be a good idea to get rid of the "this site (tapper-ware.net)" part entirely, as it doesn't really convey any information adding to the user's security. As links are allowed on many pages, it doesn't really say anything about the risk associated with this installation.

The second dialog is the security dialog, and it shows the real location of the software. If people aren't reading it then they are going to end up in trouble. The infobar thing is like the popup blocker, an anti-annoyance feature. Users can turn the install blocking off, just as they can turn off the popup blocker. They cannot turn off the installation confirmation (security) dialog. The site that originated the request can be important info, though. If one page is framing another site (or two different sites), which one was trying to install something?

I've talked with a couple of users, and while the idea might have been that it was only an anti-annoyance feature, that's not how users see it. They see it as a confirmation dialog, like pretty much anything that has a button. About the originating page: Security wise it's not helpful at all and probably even irritating, as this location is not reliable either (hidden iframes, clickjacking, forwarding you name it). The only scenario where I could imagine it being useful would be if multiple good-natured pages where loaded into a frameset, but that sound like a pretty artificial scenario to me.

(In reply to comment #2) > About the originating page: Security wise it's not helpful at all and probably > even irritating, as this location is not reliable either (hidden iframes, > clickjacking, forwarding you name it). If you think you're on mysocial.com and the infobar says hackrs.ru is trying to install something (because there's a hidden frame) or even google.com is trying to install something (because of clickjacking) that ought to be suspicious. The fact that the .xpi itself comes from addons.mozilla.org (for instance) doesn't necessarily means it's OK, what if it's an old version specifically chosen by an attack so they could take advantage of a security hole?