Installation changes - new security defaults, without lock-in
By Charles McCathieNevilechaals. Friday, June 22, 2012 11:47:00 AM
One part of this is making the normal installation go through addons.opera.com by default. Here is what we are planning...
We know there are many extensions hosted on third-party sites (although it is impossible to know how many). We don't want to make it impossible to do this, because there are good reasons why people choose it. Inside Opera we ourselves have extensions designed to improve the efficiency of working with internal systems. We are not able to make these public, so they are hosted on intranet servers.
At the same time, a simple dialog about security that lets a user click to install malware isn't enough protection for the average user. Both anecdotal evidence and formal studies continually report that many users will simply accept whatever risk they don't understand, and even if it applies to a minority it is still a lot of actual people at risk. And we have found people trying to use the power of Opera's extensions framework as a vehicle to construct malware.
So we are going to change the default procedure to install extensions. For users who understand the risks we will require explicitly white-listing sites before you can install extensions from them. By default, addons.opera.com will be whitelisted. We will also maintain developer mode - dragging a config.xml from an unzipped extension, so testing and prototyping is easy.
We're letting you know the direction we are going to avoid surprises, and will keep you informed as we implement the changes in the browser. We understand that this could be inconvenient for some, but we think this is the best compromise we can make between maintaining an open platform that leaves you in control, and offering the level of security that Opera users expect (and which we want them to continue to enjoy).