In NoScript 2.1.4 and earlier, NoScript installed as a folder under
C:\Users\user_name\AppData\Roaming\Mozilla\Firefox\Profiles\profile_name\extensions\
Starting with NoScript 2.1.5, NoScript installs an XPI archive in the same location. The problem with the new NoScript structure is that it prevents other security programs from blocking reads of XPI files. Normally, I disallow Firefox from reading XPI files on the standard user account (which is used by an inexperienced user). This prevents Firefox from installing an extension downloaded by malware (outside of Firefox) on the standard user account. Starting with NoScript 2.1.5, I can't use this security rule.
My suggestion is to return NoScript to the earlier structure -- installing as a folder.
Security improvement: avoid installing an XPI
Re: Security improvement: avoid installing an XPI
(Now what would happen if the malware installed as a folder instead of an XPI?)
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Security improvement: avoid installing an XPI
Also, reverting to the exploded folder form is unfeasible because on Firefox 4 and above there's a performance penalty.
Re: Security improvement: avoid installing an XPI
therube wrote: (Now what would happen if the malware installed as a folder instead of an XPI?)
Since the external security software prevents Firefox from reading XPI extension files on the standard user account, the standard user cannot install a malware extension from Firefox.
Giorgio Maone wrote: Also, reverting to the exploded folder form is unfeasible because on Firefox 4 and above there's a performance penalty.
With 6 extensions installed in Firefox, NoScript is the only one that installs as an XPI archive. Do you have information suggesting that other extensions (like Adblock Plus and Add-on Compatibility Reporter) will likely change in the future to use the installed XPI method?
Users who value speed above all else will choose Chrome/Chromium/Comodo Dragon over Firefox. Users who value security highly, but don't want the inconvenience or learning curve of NoScript, will choose Chrome/Chromium/Comodo Dragon over Firefox. This is due to Chromium-based browsers having a separate process for each tab, which reduces cross-tab/site vulnerabilities. See:
http://www.e-junkie.info/2011/10/google ... refox.html
http://blog.sudobits.com/2011/06/23/fir ... chrome-12/
Thus, users (like me) who value security above all else will choose Firefox with NoScript. Therefore, I propose that a little loss in performance is worth the improvement in security for NoScript users. My wife and I are very happy with the speed of Firefox 7 with NoScript 2.1.4. However, we don't want to miss bug fixes and improvements in NoScript as it evolves.
Re: Security improvement: avoid installing an XPI
Not unpacking XPIs has been the default since Fx 4.0. Most extensions (not just NS) do not explicitly request unpacking, however you can force it with the "extensions.alwaysUnpack" pref.
Also, you should know that if you are blocking xpi read by file extension, this can be bypassed by giving a local xpi a different extension and browsing for it from the add-ons manager (install add-on from file).
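An added example, not code from this thread, from NoScript or from Mozilla: a Python script that audits a profile's extensions directory along the lines of al_9x's two points. It tells unpacked add-on folders from packed XPI archives by content (ZIP magic bytes plus an install.rdf at the archive root) rather than by file name, so an XPI renamed to something like .dat, the "install add-on from file" bypass, is still flagged, and it emits the user.js form of the extensions.alwaysUnpack pref. The sample profile it builds in a temporary directory and the add-on names in it are constructed for the demo.

```python
"""Audit a Firefox profile's extensions directory.

Added example; not code from the NoScript project or from Mozilla. Unpacked
add-on folders are told from packed XPI archives by content (ZIP magic bytes
and an install.rdf at the archive root), not by file name, so an XPI renamed
to e.g. .dat is still flagged. The sample profile built below, and the add-on
names in it, are constructed for the demo.
"""
import os
import tempfile
import zipfile

# A ZIP archive (which is all an XPI is) starts with a local file header or,
# when the archive is empty, an end-of-central-directory record.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")


def is_zip_archive(path):
    """Sniff the first four bytes instead of trusting the file extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in ZIP_MAGIC
    except OSError:
        return False


def looks_like_addon(path):
    """True if the folder or archive carries install.rdf at its root."""
    if os.path.isdir(path):
        return os.path.isfile(os.path.join(path, "install.rdf"))
    if not is_zip_archive(path):
        return False
    try:
        with zipfile.ZipFile(path) as zf:
            return "install.rdf" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify_extensions(ext_dir):
    """Map each entry of the extensions directory to one of: unpacked-folder,
    packed-xpi, packed-xpi-disguised, folder-no-install-rdf, other-file."""
    result = {}
    for name in sorted(os.listdir(ext_dir)):
        path = os.path.join(ext_dir, name)
        if os.path.isdir(path):
            result[name] = ("unpacked-folder" if looks_like_addon(path)
                            else "folder-no-install-rdf")
        elif looks_like_addon(path):
            # Same bytes either way; the name is the only thing a read block
            # keyed on the .xpi extension ever sees.
            result[name] = ("packed-xpi" if name.lower().endswith(".xpi")
                            else "packed-xpi-disguised")
        else:
            result[name] = "other-file"
    return result


def user_js_line(always_unpack=True):
    """user.js form of the pref; equivalent to toggling it in about:config."""
    return 'user_pref("extensions.alwaysUnpack", %s);' % (
        "true" if always_unpack else "false")


def build_sample_profile(root):
    """Constructed sample: one unpacked add-on, one packed XPI, one XPI
    renamed to .dat, and one unrelated file."""
    ext_dir = os.path.join(root, "extensions")
    unpacked = os.path.join(ext_dir, "unpacked@example.com")
    os.makedirs(unpacked)
    rdf = "<RDF xmlns='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/>"
    with open(os.path.join(unpacked, "install.rdf"), "w") as fh:
        fh.write(rdf)
    for fname in ("packed@example.com.xpi", "report.dat"):
        with zipfile.ZipFile(os.path.join(ext_dir, fname), "w") as zf:
            zf.writestr("install.rdf", rdf)
    with open(os.path.join(ext_dir, "notes.txt"), "w") as fh:
        fh.write("not an add-on\n")
    return ext_dir


def demo():
    """Build the sample profile in a temporary directory and classify it."""
    with tempfile.TemporaryDirectory() as root:
        return classify_extensions(build_sample_profile(root))


if __name__ == "__main__":
    for name, kind in demo().items():
        print("%-28s %s" % (name, kind))
    print(user_js_line())
```

Point classify_extensions at a real profile's extensions folder to see which add-ons are packed; report.dat in the sample is what a by-extension read block misses and a content check catches.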
Re: Security improvement: avoid installing an XPI
Thanks al_9x. I will try that about:config preference. I guess that my other extensions remain unpacked because I haven't upgraded them since upgrading Firefox from 3.6 directly to 7.0.
Now that I have NoScript installed packed, if I set extensions.alwaysUnpack=True and install NoScript again, will Firefox correctly uninstall the packed NoScript?
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Security improvement: avoid installing an XPI
Aspirant wrote: Now that I have NoScript installed packed, if I set extensions.alwaysUnpack=True and install NoScript again, will Firefox correctly uninstall the packed NoScript?
It "should", yes.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Re: Security improvement: avoid installing an XPI
Setting extensions.alwaysUnpack=True in about:config solved my problem for NoScript today, and it will prevent the same problem for other extensions. No change to NoScript is needed. Thanks again al_9x.
Re: Security improvement: avoid installing an XPI
Where do we put the extensions.alwaysUnpack pref?
Re: Security improvement: avoid installing an XPI
It's already there.
Just toggle its value in about:config.