Default XPI whitelist should have https://update.mozilla.org/ (not http)

RESOLVED INVALID

Status

()

enhancement
RESOLVED INVALID
15 years ago
11 years ago

People

(Reporter: jruderman, Assigned: bugs)

Tracking

(Depends on 1 bug)

1.7 Branch
x86
Windows XP
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

15 years ago
The default XPI whitelist should have https://update.mozilla.org/ (not http) to
help prevent man-in-the-middle attacks.  This depends on several other bugs.
Whitelisting is done using the shared permission manager which does not support
distinctions by scheme. I'm not going to roll my own permission manager just for
xpinstall so this would need to depend on an enhancement to the permission manager.

But is this really all that useful? The bug on requiring signed installs seems
more to the point.

Comment 2

15 years ago
"The bug on requiring signed installs seems more to the point."

Care to elaborate what this is all about? Bug number as a starter?

Comment 3

14 years ago

*** This bug has been marked as a duplicate of 238960 ***
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Reporter

Comment 4

14 years ago
Not a dup, especially since addons.mozilla.org will soon be able to include cryptographic hashes in its links to extension XPIs on FTP mirrors.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Nothing has to be done to the EM to support this - the EM never touches the whitelist. If / when bug 265356 is fixed and the whitelist itself is updated on the clients this will just work. Resolving -> invalid.
Status: REOPENED → RESOLVED
Closed: 14 years ago13 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.