Personas currently require an https URL for updates. This is unnecessary. Personas don't involve any executable code. All this does is prevent someone with a regular website from hosting a persona on their site.
In bug 520346 comment 39 review was denied because of allowing insecure updates. I'm not sure what has changed that would make us go back on that.
Themes do not contain executable code. I understand this comment for addons, but it doesn't make sense for pulling down some JSON from a URL. Dan, what attack surface do you see here? > sr-minus primarily because daily update checks over an insecure channel is too tempting a target -- please restrict the updateURLs to https (whether or not we restrict it to whitelisted hosts). I also think the whitelisted host restriction would be a good idea, but I'm OK leaving that argument in the other bug. My problem is that the entire lightweight themes infrastructure is designed to only work with Mozilla and mozilla domains. From using XPI permissions for install to https URLs to using an ID infrastructure that really depends on getpersonas.com/AMO. It seems there was a concerted effort to not allow third party sites to have Personas. I'm trying very hard to not have to rewrite the entire lightweight theming infrastructure in order to do cool things with personas, but it's quite challenging. Without a handful of change to personas, it would be a much more open platform for addons to interact with.
s/Without a handful/With just a handful
Dan, Could you explain why you think JSON used for theming is an attack target?
Adding a need info for Dan.
I don't want every Firefox in the local starbucks to suddenly spout dick picks. If you want to host insecure web content that's fine (though the tide is against you), but an insecure theme makes Firefox itself look insecure. In 2015 an https website is an even smaller hurdle than it was in 2011. Nothing's changed since bug 520346 comment 39