The default XPI whitelist should have https://update.mozilla.org/ (not http) to help prevent man-in-the-middle attacks. This depends on several other bugs.
Whitelisting is done using the shared permission manager which does not support distinctions by scheme. I'm not going to roll my own permission manager just for xpinstall so this would need to depend on an enhancement to the permission manager. But is this really all that useful? The bug on requiring signed installs seems more to the point.
"The bug on requiring signed installs seems more to the point." Care to elaborate what this is all about? Bug number as a starter?
*** This bug has been marked as a duplicate of 238960 ***
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Not a dup, especially since addons.mozilla.org will soon be able to include cryptographic hashes in its links to extension XPIs on FTP mirrors.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Nothing has to be done to the EM to support this - the EM never touches the whitelist. If / when bug 265356 is fixed and the whitelist itself is updated on the clients this will just work. Resolving -> invalid.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.