Closed Bug 1242182 Opened 9 years ago Closed 9 years ago

Add-on signing: add-on permanently disabled if first startup happens offline

Categories

(Toolkit :: Add-ons Manager, defect)

43 Branch
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: beneficentone, Unassigned)

Details

Steps to reproduce: Upgrade from Fx 42 to 43 and start it with an existing add-on (in this case NoScript 2.7, signed) while not connected to internet. Add-on is disabled, with no accompanying link to check for updates (only a cog icon top of screen that must be clicked to reveal choices). Restarting Firefox with an active connection to the internet does not retry verification, and the add-on remains disabled. Expected: The verification process should warn the user if it requires an internet connection and/or there should be a user-friendly way to retry the process. Extension signing is intended to protect the user from net nasties. However, they could potentially be left with a *less* safe experience online as a result of this bug if they leave a security add-on (perhaps installed by a more experienced user on their behalf) disabled.
Severity: major → normal
Component: Extension Compatibility → Add-ons Manager
Product: Firefox → Toolkit
Firefox doesn't need an internet connection in order to verify the signature of signed add-ons. What does the add-ons manager say next to the add-on when it is disabled?
Flags: needinfo?(beneficentone)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
‘[Add-on] could not be verified for use in Firefox and has been disabled.’ It may have been NoScript 2.6.8.5 that Firefox disabled, which would count as intended behaviour as that version is unsigned. Am therefore marking bug invalid. However, there are several related issues probably warranting bugs of their own: If Firefox is blocking an add-on for being unsigned it is effectively incompatible; the plug-in check on first start-up after upgrading doesn’t take that into account, ie it doesn’t check for a new version of an add-on it is blocking. That check happens once and fails silently if there’s no internet connection. The user experience for blocked add-ons is horrible, as mentioned in Comment #0 above (including a button at the top that doesn’t look like a button). There should be a way to override the block without rummaging around in about:config. After all, this is an add-on they’re *already using*. There may be a bug in the compatibility check, as NoScript 2.6.8.5 was found ‘incompatible’ running as a Limited Windows user but not under Admin privileges.
Flags: needinfo?(beneficentone)
Resolution: INCOMPLETE → INVALID
You need to log in before you can comment on or make changes to this bug.