Enable FD addon to retrieve an XPI from a URL and bootstrap it

RESOLVED FIXED

Status

Mozilla Labs Graveyard
FlightDeck
P1
critical
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: dbuc, Assigned: atul)

Tracking

Details

(Reporter)

Description

8 years ago
FlightDeck will construct an XPI and give it a URL on the FlightDeck server. The FD add-on will be notified and should retrieve the XPI then load it into FF without a restart via its super-boot-strappish auto-magic abilities!
(Reporter)

Updated

8 years ago
Severity: normal → critical
OS: Windows 7 → All
Priority: -- → P1
Hardware: x86 → All
(Assignee)

Comment 1

8 years ago
Ok, I've got a simple prototype working.

First, try getting this XPI and installing it in Firefox 3.6:

  https://secure.toolness.com/xpi/flightdeck.xpi

Then, view this page:

  http://hg.mozilla.org/users/avarma_mozilla.com/atul-packages/raw-file/5a07d72fd105/packages/flightdeck/sample-web-page/index.html

You should be able to push the buttons to temporarily install/uninstall one of two addons without restarting. Installing one will uninstall the other, if it's currently installed. If you ever quit Firefox, any installed addon will effectively be uninstalled.

Try viewing the source of the index.html page to see how the page communicates with Firefox.

Note that this prototype effectively exposes a massive security hole in Firefox, as it allows any website to install a Jetpack-based XPI on your computer without your permission. This will obviously need to change. :)
(Assignee)

Comment 2

8 years ago
Oh, I should probably mention what the Jetpack-based addons actually do, so you can make sure the dynamic install/uninstall works. :)

"Facebook Acquaintances" modifies Facebook by replacing every occurrence of the word "friend" with "acquaintance".

"Cuddlefish Lab" adds an eponymous entry to the "Tools" menu of Firefox; selecting it opens a tab that allows you to play with the Jetpack API in a way that's reminiscent of the Jetpack Prototype.

Source code for both of these addons is located at http://hg.mozilla.org/users/avarma_mozilla.com/atul-packages.
(Assignee)

Comment 3

8 years ago
Just filed bug 552195, about a malformed ZIP/XPI file hard-crashing FF if the FD addon tries opening it.
(Assignee)

Comment 4

8 years ago
Also just filed bug 552197 -  FlightDeck addon needs to only accept XPIs from trusted sources.
Thanks!

It's working on http://flightdeck.zalewa.info/
It's still "old" jetpack-sdk, so no Modules allowed.
(Assignee)

Comment 6

8 years ago
I'm marking this as fixed.  The only remaining blocker for a public beta of FlightDeck from the addon-side now appears to be bug 552197.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated

8 years ago
Component: FlightDeck → FlightDeck
Product: Mozilla Labs → Mozilla Labs Graveyard
You need to log in before you can comment on or make changes to this bug.