Firefox 37 – Domain whitelisting disabled for non-HTTPS pages

If you have installed add-ons from sites other than AMO, you might be familiar with the domain whitelist. When you try to install an add-on from a third party site, you’ll see a doorhanger notification asking you if you want to allow that site to install software. The domain whitelist in Firefox allows you to remove that notification for specific domains, which is useful if you install add-ons frequently from those domains.

A recent security bug fix in Firefox changed the way the whitelist works. Starting with Firefox 37 (to be released on March 31st), the doorhanger notification will always show up if you try to install an add-on from a page that is loaded with a plain HTTP connection. In other words, the domain whitelist will only work if the page the add-on is installed from is HTTPS. The URL to the XPI can still be plain HTTP, but the page that triggers the installation must be HTTPS.

The “extensions.install.requireSecureOrigin” preference can be set to false in order to revert this change. Also, this doesn’t affect automatic add-on updates in any way, even if they happen over plain HTTP.
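To make the new rule concrete, here is a small model of the prompt decision described above. It is an added illustration, not Firefox’s own code: the function name, its parameters and host-based whitelist matching are assumptions for this example.

```javascript
// Model of the Firefox 37 install-prompt policy (illustration only, not Firefox code).
// pageUrl:  the page that triggered the install (this is what must be HTTPS)
// xpiUrl:   the add-on package URL (may be plain HTTP; its scheme is not checked)
// whitelist: hostnames the user has allowed to install software
// requireSecureOrigin: models the extensions.install.requireSecureOrigin preference
function installPromptRequired({ pageUrl, xpiUrl, whitelist, requireSecureOrigin = true }) {
  const page = new URL(pageUrl);
  new URL(xpiUrl); // parsed only to validate it; the XPI's own scheme does not matter

  // From Firefox 37 on, a plain-HTTP page always gets the doorhanger,
  // because a whitelist entry cannot be trusted for a page an on-path
  // attacker could have modified.
  if (requireSecureOrigin && page.protocol !== "https:") {
    return true;
  }

  // Otherwise the whitelist decides: a listed host installs without a prompt.
  return !whitelist.includes(page.hostname);
}
```

Setting `requireSecureOrigin` to `false` reproduces the pre-37 behaviour, where a whitelisted plain-HTTP page installs silently.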

5 responses

  1. Michael Kaply wrote on :

    What security bug fix did this and why?

    1. Jorge Villalobos wrote on :

      Bug 1128126, which has restricted access. It’s meant to prevent man-in-the-middle attacks, but I don’t think I can get into much detail.

  2. Michael Kaply wrote on :

    And will this be changed on the ESR?

    1. Jorge Villalobos wrote on :

      I’ll get back to you on this.

    2. Jorge Villalobos wrote on :

      It won’t be pushed to ESR 31, but you can expect it for 38.