Personas should not require an https URL for updates

RESOLVED WONTFIX

Status

()

Toolkit
Add-ons Manager
--
enhancement
RESOLVED WONTFIX
7 years ago
3 years ago

People

(Reporter: mkaply, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

7 years ago
Personas currently require an https URL for updates.

This is unnecessary.

Personas don't involve any executable code.

All this does is prevent someone with a regular website from hosting a persona on their site.
In bug 520346 comment 39 review was denied because of allowing insecure updates. I'm not sure what has changed that would make us go back on that.
(Reporter)

Comment 2

7 years ago
Themes do not contain executable code.

I understand this comment for addons, but it doesn't make sense for pulling down some JSON from a URL.

Dan, what attack surface do you see here?

> sr-minus primarily because daily update checks over an insecure channel is too
tempting a target -- please restrict the updateURLs to https (whether or not we
restrict it to whitelisted hosts). I also think the whitelisted host
restriction would be a good idea, but I'm OK leaving that argument in the other
bug.

My problem is that the entire lightweight themes infrastructure is designed to only work with Mozilla and mozilla domains.

From using XPI permissions for install to https URLs to using an ID infrastructure that really depends on getpersonas.com/AMO.

It seems there was a concerted effort to not allow third party sites to have Personas.

I'm trying very hard to not have to rewrite the entire lightweight theming infrastructure in order to do cool things with personas, but it's quite challenging.

Without a handful of change to personas, it would be a much more open platform for addons to interact with.
(Reporter)

Comment 3

7 years ago
s/Without a handful/With just a handful
(Reporter)

Comment 4

7 years ago
Dan,

Could you explain why you think JSON used for theming is an attack target?
(Reporter)

Comment 5

3 years ago
Adding a need info for Dan.
Flags: needinfo?(dveditz)
I don't want every Firefox in the local starbucks to suddenly spout dick picks. If you want to host insecure web content that's fine (though the tide is against you), but an insecure theme makes Firefox itself look insecure. In 2015 an https website is an even smaller hurdle than it was in 2011. Nothing's changed since bug 520346 comment 39
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.