405066 - Don't use localized prefs for "Get (extensions|themes)" URLs

Status: RESOLVED FIXED

(Composer Graveyard :: Preferences, defect)

Description

[Phil Ringnalda (:philor)]

Attachment: Fix v.1

+++ This bug was initially created as a clone of Bug #405039 +++

Composer "uses" (though I couldn't persuade it to actually work) the localized versions of extensions.getMoreExtensionsURL and extensions.getMoreThemesURL in toolkit/locales/en-US/chrome/mozapps/extensions/extensions.properties. Firefox and Thunderbird both switched to using a formatted https://%LOCALE%.add-ons.mozilla.com/%LOCALE%/%APP%/%VERSION%/extensions/ URL in their preferences before their 2.0 versions, so the only place anyone ever sees the value of those localized properties is in Sunbird and Composer.

That doesn't do a thing for the quality of the (pointless) localization - they are a random assortment of various old versions of the AMO URLs, but what's most significant is that they are randomly http or https, making some locales vulnerable to bug 384897 man-in-the-middle attacks. Since there's no need to have them localized (no locale is going to use a different URL, and if they do you don't want them to), and even if you did want them localized you wouldn't want that localization shared with every toolkit consumer, so you would need an app-specific .properties file, the best (as in, likely to actually land) way to fix bug 384897 is just for Sunbird (bug 405039) and Composer to switch to a non-localized URL in prefs, so we can remove the localized version.

Comment 1

[Daniel Glazman (:glazou) (not active in Mozilla any more)]

Comment on attachment 289893 [details] [diff] [review]
Fix v.1

go ahead, r/moa=me

Comment 2

[Phil Ringnalda (:philor)]

composer/app/profile/composer-prefs.js 1.3