> To Kevin's point about hardcoding known bad addons, I don't think that works
> given the length of the release cycle (up to 4 months to get from Nightly to
> stable), and that would be much less responsive than the blocklist ping
> already offers. Looking at bugzilla, input.mozilla.org I see many instances
> of pain caused by misbehaving addons.

I assume the blocker for doing this in memory, authenticated by a hard-coded or admin-installed public key (perhaps the current Firefox release's update auth system), is that extensions start on reboot. So I guess you could either require all updates to require a restart, or have Firefox check on boot and reload with extensions enabled?

Even if addons are locked down and not installable, being able to harness this feature upon user request (like the current "are plugins out of date") to check the installed addons would be ace. A user could then have extra auth or update in a controlled environment and then lock down. Or get addons, check them, and then move to the area that recreates the profile upon each start.

-- 
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy)
_______________________________________________________________________
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security