> I think this is a great idea, and I strongly support the necessary APIs for > self-healing. Misbehaving addons have a huge impact on Firefox security. Even > though the blocklist ping supports disabling misbehaving addons, being able > to revert hijacked preferences (such as search) would be a huge benefit. > > With the multitude of 0-days that come out on a regular basis, it would be > great to have more options way to prevent users from getting owned by making > it more difficult to ignore updates, as well.
Some OS's install addons from a repo and so they are more secure because they are signed and not modifiable due to root write permissions being required and not being stored in the users profile directory. If you deslect them in the repo you can the install via firefox add-on manager. Users may also want to lock down the profile. So whilst it is a good thing to do these things should be considered at the same time unless firefox could handle this even more securely (hardcoded checksum at runtime), which I very much doubt is practical as an urgent update would require a firefox update? -- _______________________________________________________________________ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) _______________________________________________________________________ _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
