Closed
Bug 265358
Opened 20 years ago
Closed 19 years ago
Default XPI whitelist should have https://update.mozilla.org/ (not http)
Categories
(Toolkit :: Add-ons Manager, enhancement)
Tracking
()
RESOLVED
INVALID
People
(Reporter: jruderman, Assigned: bugs)
References
(Depends on 1 open bug)
Details
The default XPI whitelist should have https://update.mozilla.org/ (not http) to
help prevent man-in-the-middle attacks. This depends on several other bugs.
Comment 1•20 years ago
|
||
Whitelisting is done using the shared permission manager which does not support
distinctions by scheme. I'm not going to roll my own permission manager just for
xpinstall so this would need to depend on an enhancement to the permission manager.
But is this really all that useful? The bug on requiring signed installs seems
more to the point.
"The bug on requiring signed installs seems more to the point."
Care to elaborate what this is all about? Bug number as a starter?
Comment 3•19 years ago
|
||
*** This bug has been marked as a duplicate of 238960 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 4•19 years ago
|
||
Not a dup, especially since addons.mozilla.org will soon be able to include cryptographic hashes in its links to extension XPIs on FTP mirrors.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 5•19 years ago
|
||
Nothing has to be done to the EM to support this - the EM never touches the whitelist. If / when bug 265356 is fixed and the whitelist itself is updated on the clients this will just work. Resolving -> invalid.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → INVALID
Updated•16 years ago
|
Product: Firefox → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•