Closed Bug 1553168 Opened 6 years ago Closed 6 years ago

add lockwise.firefox.com (and lockbox.firefox.com) to extensions.webextensions.restrictedDomains

Categories

(WebExtensions :: General, defect)

Product:
WebExtensions
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: pauljt, Unassigned)

Details

The lockwise extension updates from a https://lockwise.firefox.com/addon/updates.json. Does this need to be added to the restrictedDomains blocklist, or is this not a risk since updates happen as "system requests" and as such, a web extension could not interfere with this domain.

Or to say this another way - does lockwise.firefox.com (or lockbox.firefox.com) have any privileges that warrant us adding these domains to the restrictedDomains blocklist?

I don't see any reason we need to do this. Extension update requests are already treated as system requests, so extensions can't interfere with them.

Unless we give this domain any other special privileges, I don't see a reason to add additional restrictions.

Why does this have its own update endpoint rather than going through the well-tested and managed AMO or System-Addon update points?

The priority flag is not set for this bug.
:ddurst, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ddurst)

dveditz's question is still a good one, but I'm closing this based on #c1.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(ddurst)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.