Closed Bug 552197 Opened 16 years ago Closed 15 years ago

FlightDeck addon needs to only accept XPIs from trusted sources

Categories

(Mozilla Labs Graveyard :: FlightDeck, defect, P1)

Product:
Mozilla Labs Graveyard
Component:
FlightDeck
Platform:
x86
macOS
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: avarma, Assigned: avarma)

References

Details

Right now the FD addon accepts XPIs from any website that sends it the proper message; need to change this so we only accept such messages if they come from a trusted domain and over HTTPS, at the very least.
I believe this is the only remaining blocker to releasing a public beta of FlightDeck.
Assignee: nobody → avarma
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Since bugs 562819 and 542385 sort of supersede this, I'm not sure if the FlightDeck XPI and this bug are things we'll still need to address. At the very least I'm bumping the priority of this down from 'critical' to 'normal'.
Severity: critical → normal
Fixed at the github repo: http://github.com/toolness/addons-builder-helper I am not super pleased w/ the implementation, particularly not sure how it'll impact the performance of Firefox for all page loads, but it'll do for a first round.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: Mozilla Labs → Mozilla Labs Graveyard
You need to log in before you can comment on or make changes to this bug.