Closed Bug 1396462 Opened 7 years ago Closed 3 years ago

The @testpilot- ID prefix should not be used to grant additional privileges

Categories

(Core :: SVG, defect, P3)

57 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 1523980
Tracking Status
firefox57 --- fix-optional
firefox58 --- affected

People

(Reporter: kmag, Unassigned)

+++ This bug was initially created as a clone of Bug #1388907 +++

Bug 1388907 added IDs prefixed with "@testpilot-" to the set of IDs that are allowed to use "context-fill". I approved the @mozilla.org suffix for this purpose because that suffix is controlled by AMO, and only Mozilla accounts are allowed to upload add-ons that use it. There are no such controls for the "@testpilot-" prefix, which means that anyone who wants those extra privileges can simply create an add-on ID with that prefix.

See Also: → 1394579
Component: Theme → SVG
Product: Firefox → Core

I think this only affects @testpilot-addon (Test Pilot itself) and @testpilot-containers (containers). John -- do you know if those still use this? (I checked the graduated Containers add-on on AMO and they are still using the @testpilot-containers ID)

@kmag - you said @mozilla.org in comment 0 but you mean @mozilla.com for the suffix, right? I'm pretty sure it's .com

I think Wil is right in that it will only impact those two extensions (although my Test Pilot extension appears to be back to being dark grey for some reason).
Containers would be impacted and there isn't a functionality to migrate IDs either.
Can we postpone this until we get a resolution on the context-fill for all extensions? (Perhaps we could prevent other extensions using this prefix).

(In reply to Wil Clouser [:clouserw] from comment #1)
> @kmag - you said @mozilla.org in comment 0 but you mean @mozilla.com for the
> suffix, right?  I'm pretty sure it's .com

The @mozilla.org suffix is the one that's protected on AMO. Only users with @mozilla.com email addresses can submit add-ons that use it. Although, really, we should protect @mozilla.com too.

(In reply to Jonathan Kingston [:jkt] from comment #2)
> Containers would be impacted and there isn't a functionality to migrate IDs
> either.
> Can we postpone this until we get a resolution on the context-fill for all
> extensions? (Perhaps we could prevent other extensions using this prefix).

We can whitelist specific IDs that are already controlled by Mozilla accounts. We can't whitelist entire prefixes or suffixes that we don't already control.

Per :kmag's comments. Test Pilot's full ID is @testpilot-addon.

Would be great to remain whitelisted.

Closing as a duplicate of Bug 1523980 (which removed the addon-id prefix whitelist originally introduced in Bug 1388907, along with some other special handling conditioned on the Test Pilot extensions' add-on IDs).

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
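
The difference between the prefix rule described in comment 0 and the per-ID allowlist proposed in comment 3, as an added JavaScript example (not part of the bug thread and not Firefox source). The rule format, the function names and the sample IDs `@testpilot-not-mozilla` and `theme@example.com` are hypothetical, and it assumes the store ties each exact ID to one owning account.

```javascript
// Added illustration, not Firefox source. Rule shapes and function names are hypothetical.

// Namespaces the store reserves for one owner. Per comment 3, AMO restricts
// who may upload IDs ending in @mozilla.org; nothing reserves "@testpilot-".
const RESERVED = new Set(["suffix:@mozilla.org"]);

// Rule set as described in comment 0 (after Bug 1388907).
const originalRules = [
  { kind: "suffix", value: "@mozilla.org" },
  { kind: "prefix", value: "@testpilot-" },
];

// Rule set following comment 3: exact IDs instead of the open prefix.
// Assumption: the store binds each exact ID to a single owning account.
const hardenedRules = [
  { kind: "suffix", value: "@mozilla.org" },
  { kind: "exact", value: "@testpilot-addon" },
  { kind: "exact", value: "@testpilot-containers" },
];

function matches(rule, id) {
  switch (rule.kind) {
    case "exact": return id === rule.value;
    case "prefix": return id.startsWith(rule.value);
    case "suffix": return id.endsWith(rule.value);
    default: throw new Error(`unknown rule kind: ${rule.kind}`);
  }
}

// Privilege decision: does any rule grant context-fill to this add-on ID?
function mayUseContextFill(rules, id) {
  return typeof id === "string" && rules.some((rule) => matches(rule, id));
}

// Audit: pattern rules whose namespace is not reserved let anyone opt in
// simply by choosing a matching ID, so report them for review.
function uncontrolledRules(rules) {
  return rules.filter(
    (rule) => rule.kind !== "exact" && !RESERVED.has(`${rule.kind}:${rule.value}`)
  );
}

// Constructed sample IDs; only the two @testpilot- IDs named in the thread are real.
const samples = ["@testpilot-containers", "@testpilot-not-mozilla", "theme@example.com"];
for (const id of samples) {
  console.log(id, mayUseContextFill(originalRules, id), mayUseContextFill(hardenedRules, id));
}
console.log("needs review:", uncontrolledRules(originalRules).map((r) => r.kind + " " + r.value));
```

Running the audit over an allowlist before it ships catches the case this bug describes: a pattern rule that grants privileges on a namespace nobody gates.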