397553 - no secure update on exception? it is a local directory!

Status: RESOLVED INVALID

(Toolkit :: Add-ons Manager, defect)

Description

[Ray Kiddy]

I have an extension I am developing. It will not load in these nightlies:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a9pre) Gecko/2007092204 Minefield/3.0a9pre

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a8pre) Gecko/2007090804 Minefield/3.0a8pre

There is a big "!" and it says: "Does not provide secure updates." Is this really preventing load?

This is a directory-based extension. In other words, there is a file in the extensions directory that has text in it that specifies a local path.

It does not need a secure update method. It certainly does not need one while it is being developed. FF is being a bit too helpful here, to put it mildly....

Comment 1

[Dave Townsend [:mossop]]

If you have specified an insecure update method (most likely a http url in the updateURL entry in install.rdf) then it doesn't matter whether it is a directory based extension or not, you have still told Firefox to update it insecurely.

Comment 2

[Ray Kiddy]

Well, on the positive side, if I put in a https url, it loads the extension.

Of course, if there is something wrong with the update URL, maybe it should not update. As opposed to not load at all....

Or if it cares that it is a https URL, should it not check that the URL points to a server with a valid certificate? If not, why require the https?

Requiring a https URL, taking an action based on that, but then not actually checking that the https URL seems bogus.

Comment 3

[Dave Townsend [:mossop]]

Just don't include an updateURL. If you are in development Im sure you don't want update checking anyway. And we do check the https update, on update, yes it'd be nice to do it on extension install, maybe I should file a bug to do that. But as stands this bug is invalid, i.e. expected behaviour.