Add-on Security Restrictions Landed

I have just checked in Bug 378216, and wanted to give a quick heads up on it.

What this means is that we are now enforcing a security restriction on all add-ons. To be specific, if an add-on does not provide a secure method of auto-updating then by default Firefox will refuse to install the add-on. If you have add-ons already installed that are insecure in this way then they will be automatically disabled.

The good news is that addons.mozilla.org already uses SSL for its updates, so any add-ons you have installed from there will be unaffected by this change. Equally, add-ons from authors who use SSL on their own site will be unaffected. Personally I found 2 of my add-ons were disabled by it, that’s 2 out of nearly 20, so hopefully you won’t see a major impact.

For add-on authors there is an alternate way to provide secure updates without investing in an SSL key, which involves digital signatures. Unfortunately we’ve had to hold off on providing the software to make that possible until the backend changes were complete and reviewed. I hope to have something usable available not too long after M8 is released. Keep an eye on this blog for an update on that.

If you want to see more of the specifics the best place to look is probably at the wiki page. This is all based around the discussions I started on various forums and newsgroups. Hopefully it’s not too much of a surprise to the add-on authors out there; if it is then I apologise. I tried to get the word out as best I could.
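The rule described above, written as a check an add-on author could run against their own install manifest. This is an added example, not code from this post or from Firefox: it assumes the update settings are the `em:updateURL` and `em:updateKey` properties of `install.rdf` (names the post does not mention) and that an add-on with no custom update URL is updated from addons.mozilla.org. The manifests are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM = "http://www.mozilla.org/2004/em-rdf#"
# Constructed sample manifest; {extra} receives the update properties under test.
TEMPLATE = """<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    {extra}
  </Description>
</RDF>"""
HTTP_URL = "<em:updateURL>http://example.invalid/update.rdf</em:updateURL>"
SAMPLES = {
    "default": "",
    "ssl": HTTP_URL.replace("http://", "https://"),
    "signed": HTTP_URL + "<em:updateKey>CONSTRUCTED-PLACEHOLDER-KEY</em:updateKey>",
    "insecure": HTTP_URL,
}

def manifest_property(desc, name):
    """Read an em: property written as a child element or as an attribute."""
    child = desc.find(f"{{{EM}}}{name}")
    if child is not None and child.text:
        return child.text.strip()
    return (desc.get(f"{{{EM}}}{name}") or "").strip()

def classify_update_security(install_rdf):
    """Return (is_secure, reason) for the text of an install.rdf file."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get(f"{{{RDF}}}about") or desc.get("about")
        if about == "urn:mozilla:install-manifest":
            break
    else:
        raise ValueError("no install manifest found")
    url = manifest_property(desc, "updateURL")
    if not url:  # assumption: no custom URL means updates come from addons.mozilla.org
        return True, "default update service"
    if urlparse(url).scheme.lower() == "https":
        return True, "update URL uses SSL"
    if manifest_property(desc, "updateKey"):
        # Only checks that a key is declared; Firefox does the signature check.
        return True, "signing key declared"
    return False, "plain HTTP update URL and no signing key"

if __name__ == "__main__":
    for name, extra in SAMPLES.items():
        print(name, classify_update_security(TEMPLATE.format(extra=extra)))
```

Only the "insecure" sample is flagged, which is the case the post says will be refused at install time and disabled if already installed.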

2 thoughts on “Add-on Security Restrictions Landed”

  1. Please don’t hate me but I’m not sure this approach is correct for poor extension authors like me.

    AMO doesn’t publish my extensions because Remora app uses the ugly sandbox model.

    – Many extensions live in sandbox for eternity so I can’t use the AMO security trust

    – I’ve my site on sourceforge the best free FOSS web space but I haven’t SSL support

    So I must buy HTTPS space and buy a certificate.

    The self-signed key seems the only way possible for poor programmers.

    Why disable the extension?? It should be simpler to disable *only* updates so the user knows he/she must check for a new version.

    I understand this can be awful but user can continue to use extensions

    thanks

    dafi
