Addons that introduce mixed content into pages should not be allowed on AMO

RESOLVED WORKSFORME

Status

defect
RESOLVED WORKSFORME
6 years ago
3 years ago

People

(Reporter: briansmith, Unassigned)

Tracking

(Blocks 1 bug)

Details

Many extensions inject HTML into pages, including sometimes <script src=http://example.org/some-script.js>. When a non-HTTPS script reference is injected into an HTTPS document like this, the security of the affected page's origin is significantly reduced, since it becomes vulnerable to a MITM replacing the benign insecure script with malicious code.

Consequently, we should block addons that attempt to inject references to insecure resources (including <script>, <link rel=stylesheet>, font-src, etc.) into HTTPS pages.

When such an issue is found in an addon, we should let the addon author know about free ways to obtain an SSL certificate. E.g., refer them to http://www.godaddy.com/ssl/ssl-open-source.aspx and http://www.startcom.org/?app=14&rel=10.
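As an added example, not part of this bug or of AMO's validator, here is a small lint in the spirit of the check proposed above: it scans the HTML an add-on would inject and flags resource references that an HTTPS page would fetch over plain HTTP (script, stylesheet, iframe and image URLs, plus CSS url() such as fonts). The sample HTML and the function names are constructed for the example.

```javascript
// Added example (not AMO's validator): flag resource references an add-on
// would inject that an HTTPS page would load over plain HTTP (mixed content).
// Works on the HTML string an extension would insert; no DOM required.

const INSECURE = /^http:\/\//i;

// Tags whose URL attribute becomes active or passive mixed content on HTTPS.
const TAG_RULES = [
  { tag: 'script', attr: 'src' },
  { tag: 'link',   attr: 'href' },   // e.g. rel=stylesheet
  { tag: 'iframe', attr: 'src' },
  { tag: 'img',    attr: 'src' },
];

// Pull attr="value" / attr='value' / attr=value out of one tag's attribute text.
function getAttr(attrText, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrText.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
}

// Returns one finding per insecure reference: { tag, attr, url }.
function findInsecureInjections(html) {
  const findings = [];
  for (const { tag, attr } of TAG_RULES) {
    const tagRe = new RegExp(`<${tag}\\b([^>]*)>`, 'gi');
    let m;
    while ((m = tagRe.exec(html)) !== null) {
      const url = getAttr(m[1], attr);
      if (url && INSECURE.test(url.trim())) findings.push({ tag, attr, url: url.trim() });
    }
  }
  // CSS url(...) in style attributes or <style> blocks (fonts, backgrounds).
  const cssUrlRe = /url\(\s*['"]?(http:\/\/[^'")\s]+)['"]?\s*\)/gi;
  let c;
  while ((c = cssUrlRe.exec(html)) !== null) findings.push({ tag: 'css', attr: 'url()', url: c[1] });
  return findings;
}

// Constructed sample of HTML an add-on might inject; only three lines are insecure
// (the protocol-relative image URL inherits https: on an HTTPS page).
const SAMPLE = `
  <script src=http://example.org/some-script.js></script>
  <script src="https://example.org/ok.js"></script>
  <link rel=stylesheet href='http://example.org/theme.css'>
  <style>@font-face { src: url(http://example.org/f.woff); }</style>
  <img src="//example.org/logo.png">
`;

console.log(findInsecureInjections(SAMPLE)); // three findings: script, link, css
```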
We already have policies against injected insecure content in secure pages, and injected scripts in general. If you find any cases of add-ons on AMO that don't follow these policies, please let us know.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Component: Add-on Validation → Policy
Resolution: --- → WORKSFORME
Product: addons.mozilla.org → addons.mozilla.org Graveyard