Today I was reading Firefox XPI Install Prevention Bypass (http://www.0x000000.com/?i=329) and, while it's not what it promised to be (there is no Install Prevention Bypass), it contained useful information that helped me elaborate two distinct thoughts.
The author published the header needed to tell Firefox that the downloaded package is an XPI, for both .htaccess (AddType application/x-xpinstall .xpi) and the PHP header() function, and then posted the URL of the XPI in plain text instead of as a link. Readers pointed out to him that this is the default Firefox behavior and there is no "bypass" in the strict sense.
The security warning is shown when the user follows a link, a script uses InstallTrigger or, even worse, an XPI is automatically navigated to via an IFrame.
Otherwise, if the user explicitly types the XPI's URL or even drags a link onto the location bar, the whitelist is bypassed by design.
Notice that the whitelist is taken so seriously for links, scripts and auto-navigation that a special "internal referrer" is checked instead of the XPI's URL or the regular referrer, in order to track back to the original initiating page; see http://lxr.mozilla.org/seamonkey/source/docshell/base/nsDocShell.cpp#6906
The first thought is that, while it's not possible to install an XPI automatically, this can be accomplished with very low user interaction: the whitelist check is not triggered when (a) manually typing the string in the URL bar, (b) copying the string and pasting it into the URL bar, (c) dragging a link onto the URL bar, (d) right-clicking on an image and selecting the "View Image" entry from the context menu, (e) dragging an image onto the URL bar.
[FUN] I'm sure that with some basic CSS and XHTML almost everybody is able to build a page that explains to the user how to install the media player required to view the promised porn video. User, it's simple! Just drag and drop the 140x140, fancy, 64-bit color depth icon onto the URL bar. And look, there's also the SSL lock, this is a really safe web site![/FUN]
There is a good reference for InstallTrigger on XULplanet (http://www.xulplanet.com/references/elemref/ref_InstallTrigger.html); the suggested code is the following.
var xpi = {};                      // map of display name -> XPI URL (relative to the calling page)
xpi["Calculator"] = "calc.xpi"; xpi["PictureViewer"] = "pict.xpi";
InstallTrigger.install(xpi, myCallbackFunction);  // myCallbackFunction(url, status) is defined by the page
The second thought is about the whitelist itself: the testbed tries to install an XPI that is located on a different domain, but the user is prompted for the inclusion of the "www_ush_it" domain. This means that the URL of the calling page is checked against the whitelist, but not the domain where the XPI itself is hosted!
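As an added example (not code from the original post or from the referenced sites), here is a small scanner a proxy or gateway reviewer could run over a captured HTML page: it lists the delivery vectors described above (links, IFrames and images pointing at .xpi files, inline InstallTrigger calls) and separately reports XPI hosts other than the page's own, which is exactly the host the whitelist prompt never names. The sample page, hostnames and URLs are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements, and the attribute on each, that can point Firefox at an XPI.
XPI_ATTRS = {"a": "href", "iframe": "src", "img": "src"}

class XpiVectorScanner(HTMLParser):
    """Collect .xpi targets of links, iframes and images, plus inline InstallTrigger use."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.vectors = []        # (kind, absolute URL) or ("script", "InstallTrigger")
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        attr = XPI_ATTRS.get(tag)
        if attr and attrs.get(attr):
            url = urljoin(self.base_url, attrs[attr])   # resolve relative targets
            if urlsplit(url).path.lower().endswith(".xpi"):
                self.vectors.append((tag, url))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        # Script body is delivered here verbatim; record each script block once.
        if self._in_script and "InstallTrigger" in data:
            self.vectors.append(("script", "InstallTrigger"))
            self._in_script = False

def find_xpi_vectors(html, base_url):
    scanner = XpiVectorScanner(base_url)
    scanner.feed(html)
    scanner.close()
    return scanner.vectors

def offsite_xpi_hosts(vectors, base_url):
    """XPI hosts other than the page's own host, the only host the whitelist ever sees."""
    page_host = urlsplit(base_url).hostname
    return sorted({urlsplit(u).hostname for k, u in vectors
                   if k != "script" and urlsplit(u).hostname != page_host})

# Constructed sample page (not a real site) exercising every vector from the post.
SAMPLE_BASE = "http://www.example.com/promo/"
SAMPLE_HTML = """<html><body><a href="/calc.xpi">Install calculator</a>
<iframe src="http://xpi.example.net/media.xpi"></iframe>
<img src="http://xpi.example.net/player-icon.xpi"><img src="/logo.png">
<script>var xpi = {"Player": "player.xpi"}; InstallTrigger.install(xpi, cb);</script>
</body></html>"""
```

Running find_xpi_vectors(SAMPLE_HTML, SAMPLE_BASE) yields the link, the IFrame, the .xpi image and the script vector (the plain logo image is ignored), and offsite_xpi_hosts reports xpi.example.net as a host that would ride on www.example.com's whitelist approval.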
This is the how-to, I hope you are happy now! :)
Francesco `ascii` Ongaro