Why does Firefox force a 3 second delay before installing add-ons?

I presume there is a security benefit to Firefox's delay before installing add-ons, but for the life of me I can't figure out what it is. (Yes, I know you can disable the delay.)

If you answer this question, please provide references from Firefox mailing lists or commit logs.


Solution 1:

Why?

  • Because they want you to think about what you're doing
  • Because it prevents accidental installations
  • Because it prevents maliciously triggered installations

How can you maliciously trigger an installation?

Here's an interesting article about race conditions in security dialogs by Jesse Ruderman:

Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.

Firefox's solution, from bug 162020, is to delay enabling the "Yes"/"Install" buttons until three seconds after the dialog appears. I believe that this is the only possible fix other than completely denying untrusted content the ability to pose the dialog. Unfortunately, this fix is frustrating for users who install extensions often.

Basically, it all comes down to predicting when a user would click and then intercepting that click within an installation dialog. Ruderman explained a more concise game situation like this in his bug report from Firefox, which ultimately led to the inclusion of the delay period.

To summarize again, his main point was:

If I can control or predict when and where a user will click, I can get them to install software.


Any alternatives to the delay period?

The delay period was certainly only one way of dealing with this. Another one could have been shuffling the buttons for "Install", "Cancel" every time you would install something. This is something used very often, but it confuses the user more than it helps.

Another idea would be moving the window location randomly for every dialog. This has the same result as shuffling the buttons, namely confusing the user.

Also, introducing randomness is not the ultimate solution. If there are keyboard shortcuts for the buttons, you could intercept keypresses as well. That all being said, it seems more like a legacy feature today, as most plugins are installed from the official Firefox add-on website anyway.
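A small model of the delayed-enable fix discussed in the answer above, as an added example that is not part of the original post and not Firefox's code. The names `GuardedDialog`, `activate` and `replay`, and the timestamped event lists, are hypothetical and constructed for illustration; the point is that every input path (mouse or keyboard) passes through the same time gate, while "Cancel" stays available immediately.

```javascript
// Added illustration: gate a security-sensitive "Install" action behind a delay.
// All identifiers here are hypothetical, not Firefox's.
const ENABLE_DELAY_MS = 3000; // the three-second delay described above

class GuardedDialog {
  // `now` is injectable so the behaviour can be checked without real timers
  constructor(now = () => Date.now(), delayMs = ENABLE_DELAY_MS) {
    this.now = now;
    this.delayMs = delayMs;
    this.shownAt = null; // null until the dialog is on screen
    this.result = null;  // "installed" | "cancelled" once decided
  }

  show() {
    this.shownAt = this.now();
    this.result = null;
  }

  // Time left before "Install" accepts input
  remainingMs() {
    if (this.shownAt === null) return this.delayMs;
    return Math.max(0, this.delayMs - (this.now() - this.shownAt));
  }

  // Clicks, Enter and keyboard shortcuts must all call this one gate
  activate(button) {
    if (this.shownAt === null || this.result !== null) return "ignored";
    if (button === "cancel") return (this.result = "cancelled"); // always safe
    if (this.remainingMs() > 0) return "ignored"; // too early to be a deliberate choice
    return (this.result = "installed");
  }
}

// Replay constructed, timestamped input events (ms) against a fresh dialog
function replay(events, delayMs = ENABLE_DELAY_MS) {
  let t = 0;
  const dlg = new GuardedDialog(() => t, delayMs);
  return events.map((ev) => {
    t = ev.at;
    if (ev.type === "show") { dlg.show(); return "shown"; }
    return dlg.activate(ev.button);
  });
}

// Constructed double-click: the first click opens the dialog, the second lands 150 ms later
const doubleClick = [{ at: 0, type: "show" }, { at: 150, type: "click", button: "install" }];
console.log(replay(doubleClick)); // second click is dropped by the gate
```
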