Closed Bug 1624177 Opened 5 years ago Closed 5 years ago

Allow webRequest to intercept addon update checks

Categories

(WebExtensions :: Request Handling, enhancement)

Product:
WebExtensions
Component:
Request Handling
Version:
76 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: tblodt, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

I'm writing a Firefox extension that installs Chrome extensions. I'd like to be able to intercept and handle the update checks for those extensions and make it get updates from the Chrome store. Unfortunately the update checks are made using ServiceRequest which isn't exposed to the webRequest API. Would it be possible to change that? If there's some other way to do what I want without having to install anything outside of Firefox, I'd be happy to do that instead.

Component: Untriaged → Request Handling
Product: Firefox → WebExtensions

This was discussed previously, though I can't find the duplicate at the moment. There would be substantial potential for abuse if this was implemented. If your extension is creating a modified version of a Chrome extension, it can rewrite the update_url.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX

I can rewrite the update URL, but what would I rewrite it to? moz-extension URLs can't be updated easily, an http URL would require a remote server which feels excessive, and a localhost URL would require installing something outside of firefox and also feels excessive. I was hoping to be able to rewrite to something like example.com and use webRequest to make that go where I want.

You want an extension to programaticaly handle updates either for itself or for other extensions? That sound problematic for multiple reasons: security but also simply robustness in the face of buggy extension code.

That's what I'd like to do (not for all extensions, just extensions that have been installed by the main extension). I think I've found a way to do it using a stateless remote server as a proxy between Firefox and the extension. This is inelegant and requires you to trust a remote server, so I'd like to have a way to do it entirely within the extension.

The problems you mention (security, robustness) are sort of intrinsic to any code that does updates; you have to trust the update code, but that's not new. To me, having third party code do extension updates is better than not getting any Chrome extension updates at all.

The problems you mention (security, robustness) are sort of intrinsic to any code that does updates; you have to trust the update code, but that's not new.

One difference is that if you have an extension trying to handle update requests and it has a bug that breaks updates, any profile with that extension becomes stranded and no extension can be automatically updated! If updates are handled on a web server and there's a bug, you don't get updates as long as the bug is present. But after the bug is fixed, updates start working again.

I don't think it's that bad since the extension wouldn't be intercepting its own updates, those would come from AMO as usual. (IIRC an extension can't get host permissions for addons.mozilla.org, which would/should mean there's no way to intercept those update requests.) So if updating is broken I can push an update through AMO to fix it.

You need to log in before you can comment on or make changes to this bug.