Open Bug 1753276 Opened 3 years ago Updated 2 months ago

Sign Dictionary Add-On types and require new addon types to be signed

Tracking

()

Status:

NEW

People

(Reporter: tjr, Unassigned)

References

Details

(Keywords: sec-want, Whiteboard: [addons-jira])

Tom Ritter [:tjr]

Reporter

Description

•

3 years ago

Dictionary add-on types are missing from SIGNED_TYPES - it would be good to revisit this decision, consider signing them, and in general require all new add-on types to be signed via an explicit opt-out list instead of opt-in.

Rob Wu [:robwu]

Comment 1

•

3 years ago

To determine the feasibility of enforcing this, we need to know whether there are unsigned dictionaries in use. This information is available in telemetry with bug 1751516.

Before that fix I only saw "extension" and "service" types, now there are more: https://sql.telemetry.mozilla.org/queries/83975/source

Updated

•

3 years ago

Severity: -- → N/A

Priority: -- → P2

Whiteboard: addons-jira

Luca Greco [:rpl] [:luca] [:lgreco]

Updated

•

3 years ago

Whiteboard: addons-jira → [addons-jira]

Jira Integration Bot

Updated

•

3 years ago

See Also: → https://mozilla-hub.atlassian.net/browse/WEBEXT-418

William Durand [:willdurand]

Comment 2

•

2 years ago

(In reply to Tom Ritter [:tjr] from comment #0)

[...] consider signing them, and in general require all new add-on types to be signed via an explicit opt-out list instead of opt-in.

Note that AMO signs all add-ons nowadays.

Rob Wu [:robwu]

Updated

•

2 years ago

Bugzilla

Sign Dictionary Add-On types and require new addon types to be signed

Categories

(Toolkit :: Add-ons Manager, enhancement, P2)

Tracking

()

People

(Reporter: tjr, Unassigned)

References

Details

(Keywords: sec-want, Whiteboard: [addons-jira])

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Updated

Updated

Comment 2

Updated