So Google’s recent Browser Sync tool is pretty neat. It allows you to sync your Firefox sessions between computers, which is pretty nice for a guy that frequently moves between 3-4 computers. The only curious thing I noticed when I installed it, was that it installed from dl.google.com even though I hadn’t added that to my list of exceptions - photographic evidence here:
My current list of exceptions:
The browser sync install dialog:
So how did Google achieve this? I was quite suspicious at first, but it turns out it’s simply a little collaboration with Mozilla. There is a browser sync page on the Mozilla addons site, but all it does is redirect the user to Google’s xpi for installation, which allows Google to still host the browser sync install file, but not require the user to add their servers to the exceptions. Here’s the content of the Google Browser Sync addon page:
<html> <body onload="window.location.href='http://toolbar.google.com/firefox/extensions/toolbar/google-browsersync.xpi'"> </body> </html>
Cute, huh? I haven’t decided yet whether I’m upset by this or not. They haven’t bypassed the Firefox security restrictions, but they have definitely misled me…
Update: Yea, RSnake is right (see 2nd comment). Combined with an XSS on a site that’s in your trusted exception list, this could probably allow an attacker to install XPI’s from arbitrary sites if they so desired. Roxor. I’m curious if the Mozilla addon page allows JavaScript for developers - I’m assuming not, but you what assuming does…