Closed Bug 265358 Opened 20 years ago Closed 18 years ago

Default XPI whitelist should have https://update.mozilla.org/ (not http)

Categories

(Toolkit :: Add-ons Manager, enhancement)

1.7 Branch
x86
Windows XP
enhancement
Not set
normal

RESOLVED INVALID

People

(Reporter: jruderman, Assigned: bugs)

The default XPI whitelist should have https://update.mozilla.org/ (not http) to
help prevent man-in-the-middle attacks.  This depends on several other bugs.

Whitelisting is done using the shared permission manager which does not support
distinctions by scheme. I'm not going to roll my own permission manager just for
xpinstall so this would need to depend on an enhancement to the permission manager.

But is this really all that useful? The bug on requiring signed installs seems
more to the point.

"The bug on requiring signed installs seems more to the point."

Care to elaborate what this is all about? Bug number as a starter?

*** This bug has been marked as a duplicate of 238960 ***

Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE

Not a dup, especially since addons.mozilla.org will soon be able to include cryptographic hashes in its links to extension XPIs on FTP mirrors.

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Nothing has to be done to the EM to support this - the EM never touches the whitelist. If / when bug 265356 is fixed and the whitelist itself is updated on the clients this will just work. Resolving -> invalid.

Status: REOPENED → RESOLVED
Closed: 19 years ago → 18 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit
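
The limitation discussed in this thread, a permission list keyed on host name that cannot tell http from https, shown as an added example (not Mozilla's permission manager or Add-ons Manager code). The two stores and all function names are hypothetical, and the sample URLs are constructed.

```javascript
// Added illustration; not code from the bug or from Mozilla.
// Host-keyed store: models a permission list that records only the host name.
const hostKeyed = new Set(["update.mozilla.org"]);
// Origin-keyed store (hypothetical): records scheme, host and port together.
const originKeyed = new Set(["https://update.mozilla.org"]);

// Parse a page URL; return null if it is malformed or not http(s).
function parsePageUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u;
}

// Host-only check: the scheme is ignored, so plain http passes.
function allowedByHost(raw) {
  const u = parsePageUrl(raw);
  return u !== null && hostKeyed.has(u.hostname);
}

// Origin check: URL.origin is normalized (lower case, default port dropped),
// so only https on the default port matches the stored entry.
function allowedByOrigin(raw) {
  const u = parsePageUrl(raw);
  return u !== null && originKeyed.has(u.origin);
}

// Constructed sample inputs covering the scheme, port and userinfo cases.
const samples = [
  "https://update.mozilla.org/ext.xpi",
  "http://update.mozilla.org/ext.xpi",        // cleartext: host-only still allows
  "HTTPS://Update.Mozilla.Org:443/ext.xpi",   // same origin after normalization
  "https://update.mozilla.org:8443/ext.xpi",  // different port, same host
  "https://update.mozilla.org@evil.example/", // userinfo, real host is evil.example
  "update.mozilla.org",                       // not a URL at all
];

function compare(urls) {
  return urls.map((raw) => ({ url: raw, host: allowedByHost(raw), origin: allowedByOrigin(raw) }));
}

for (const row of compare(samples)) {
  console.log(`${row.url}  host-keyed=${row.host}  origin-keyed=${row.origin}`);
}
```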