Reputation: 895
I've written an addon and let's say it contains some sensitive information, and I only want to share it with a group of people, while also maintaining the ability to distribute updates for it.
Before I can self-distribute it, it needs to be uploaded to addons.mozilla.org in order to be signed, and it needs to point to an update manifest file, whenever a new version or update is available.
My update file looks like this:
    {
      "addons": {
        "[email protected]": {
          "updates": [
            {
              "version": "0.1",
              "update_link": "http://example.com/addon_update_v_0.1.xpi",
              "update_hash": "sha256:0FEE5D33C13546A599A54085DA6AC28FBF3D1678"
            },
            {
              "version": "0.2",
              "update_link": "http://example.com/addon_update_v_0.2.xpi",
              "update_hash": "sha256:C7C067E755B51A0D09BEB25B463CD25CCE26C92C"
            }
          ]
        }
      }
    }
So far so good. But my main addon manifest file contains an update_url which leads to an insecure address, so therefore addon verification is rejected:
    "applications": {
      "gecko": {
        "id": "[email protected]",
        "update_url": "http://example.com/addon_update.json"
      }
    }
Error on Mozilla addons page:
"/applications/gecko/update_url" should match format "secureUrl"
Error: Your JSON file could not be parsed.
I understand why this error is happening, but I am looking for a workaround. Is it only possible to self-distribute your addon if you have a secure server at your disposal?
Upvotes: 1
Views: 587
Reputation: 11
There is the option to use an insecure update_url if you also provide update_hash.
A cryptographic hash of the file pointed to by update_link. This must be provided if update_link is not a secure URL. If present, this must be a string beginning with either sha256: or sha512:, followed by the hexadecimal-encoded hash of the matching type.
More information: https://developer.mozilla.org/en-US/Add-ons/Updates
Upvotes: 1
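An added example, not part of the answer above or of any Mozilla tooling: a Python check of the update_hash rule quoted from the documentation, which builds the hash string for an XPI and flags entries whose hash is missing, malformed, the wrong length for its prefix, or not matching the file. The function names and the sample data are made up for illustration.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Hex digest lengths for the two prefixes the quoted documentation allows.
HEX_LEN = {"sha256": 64, "sha512": 128}
HASH_RE = re.compile(r"(sha256|sha512):([0-9A-Fa-f]+)")


def make_update_hash(xpi_bytes, algo="sha256"):
    """Return the update_hash string for the given XPI file contents."""
    if algo not in HEX_LEN:
        raise ValueError("update_hash must use sha256 or sha512")
    return f"{algo}:{hashlib.new(algo, xpi_bytes).hexdigest()}"


def check_update_entry(entry, xpi_bytes=None):
    """Return a list of problems found in one entry of the "updates" array."""
    problems = []
    declared = entry.get("update_hash")
    secure = urlsplit(entry.get("update_link", "")).scheme.lower() == "https"

    if declared is None:
        if not secure:
            problems.append("update_hash is required: update_link is not a secure URL")
        return problems

    m = HASH_RE.fullmatch(declared)
    if not m:
        problems.append("update_hash must be sha256: or sha512: followed by hex digits")
    elif len(m.group(2)) != HEX_LEN[m.group(1)]:
        problems.append(f"{m.group(1)} needs {HEX_LEN[m.group(1)]} hex digits, got {len(m.group(2))}")
    elif xpi_bytes is not None and declared.lower() != make_update_hash(xpi_bytes, m.group(1)):
        problems.append("update_hash does not match the XPI contents")
    return problems


# Constructed sample data (not a real XPI, not values taken from the page).
SAMPLE_XPI = b"constructed sample xpi contents"
GOOD = {"version": "0.2", "update_link": "http://example.com/addon.xpi",
        "update_hash": make_update_hash(SAMPLE_XPI)}
SHORT = dict(GOOD, update_hash="sha256:" + "ab" * 20)  # 40 hex digits is SHA-1 length
MISSING = {"version": "0.2", "update_link": "http://example.com/addon.xpi"}

if __name__ == "__main__":
    for name, entry in (("good", GOOD), ("short", SHORT), ("missing", MISSING)):
        print(name, check_update_entry(entry, SAMPLE_XPI))
```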
Reputation: 1343
Is it only possible to self-distribute your addon if you have a secure server at your disposal?
yes
Upvotes: 0