-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Production Firefox extension will not install from local .xpi file #316
Comments
Hello, The short answer is that you can't install a locally-built production Firefox extension locally at the moment via "Install add-on from file". The main issue you'll run into is that the extension won't be signed. We sign our add-ons as part of the build process so the solution will be for us to provide a signed version that you can download. There is a way to disable that check, but it won't get it working because there are some other issues that need to be resolved:
You can get around issue 1 by loading the locally built extension as if you were developing it using the "Load Temporary Add-on" option at |
Due to the signing issue mentioned above, we're never going to "fix" this issue so that loading a locally-built .xpi file just works in an unmodified Firefox. However when we resolve issues (1) and (2) above, which we'll have to do anyway in order to make a signed XPI work, that would make "Install add-on from file" work if you were to download the signed XPI from us and install that locally. If that worked, we could close this issue. |
Hi, Robert. I understand that the OAuth server seems to respond with a fixed "origin" parameter depending on the client_id sent by the client. That is, "https://hypothes.is" for the bookmarklet client ID, "chrome-ext://" for the Chrome extension client ID, and "moz-extension://32492fee-2d9f-49fe-b268-fe213f7019f0" for the Firefox extension client ID. |
Yes, exactly. This is normal practice with OAuth for this reason. This is a fairly common need (you'll need it if you write an extension that uses Twitter, Facebook, Dropbox or Google APIs for example) so I'd guess there is a standard solution for this in the Chrome/WebExtension APIs, in which case its a case of figuring out how that works and how the Hypothesis browser extension can use it. |
Hi, Robert. Thanks for answering. Please let me know if you think I should open a separate issue for this. I understand the Hypothesis client would fall under the category of "Public" client type, "user-agent based application", according to RFC 6749, section 2.1. I understand that what we are trying to avoid here would be "Client Impersonation", which is somehow covered in section 10.2 of the RFC. However, client impersonation seems to be something difficult to prevent in Public clients (because they cannot use Client Secrets), and the RFC is quite vague as of how the authorization server should "protect resource owners [end-users] from such potentially malicious clients", and ultimately places responsibility on the user by advising that "the authorization server can engage the resource owner to assist in identifying the client and its origin". The same assumption is expressed in:
The Hypothesis client uses the Web Message Response Mode, which I understand is still a draft, and its Security Consideration section has not been finished yet. However, it does say that the authorization server must only return white-listed target origins (section 5.2), which seems similar to what the Hypothesis server is doing (returning a fixed Target Origin value). However, even this is easily circumventable. For example, I understand that a developer could come up with a malicious (unpublished) Chrome extension with the same extension id by declaring the same manifest key value. Or the Target Origin value in the Authorization Response could be easily tampered with by userscript managers (e.g., Greasemonkey) before window.opener.postMessage() is run. Therefore, should it be accepted that client identity cannot be reliably verified, and hence have the authorization server return a Target Origin matching the Target Origin sent by the client, at least when client id is Firefox extension's? Thanks! |
Broadly speaking, the origin (protocol + host + port) is the fundamental boundary of the web's security model. This applies to many web APIs (eg. local storage, cookies, permissions, sending messages between iframes), not just OAuth. As a web developer who is prepared to enable "Developer mode" in Chrome, bypass security warnings and manipulate their system in other ways (eg. changing DNS resolution, installing custom SSL certificates system-wide), yes you can get around origin-based restrictions if you need to. However these options are not available to normal users who haven't taken these special measures (leaving aside phishing attacks, which it is considered the browser/OS's job to defend against, rather than the web application). So for our purposes, we consider a redirect to a pre-registered URL or a From some brief searching, it looks like Chrome extensions / Firefox extensions have an API that exists specifically for the purpose of handling OAuth 2 login flows with a note that the redirect URL is designed to be suitable for pre-registering. I guess that we'll probably need to make use of that. |
Hey, Robert. Thank you very much for providing such a detailed and informative response. I am really enthusiastic about Web Annotation and the Hypothesis' approach to it, which I have been following for the past year or so. I would like to contribute more to it, but sometimes lack of time (and of knowledge) get on the way. I apologize for having taken some of your time. I learned about the API that you mentioned a few days ago and it looks promising. I understand this is not a priority for the Hypothesis team right now, so I will try to find some time in the following weeks to try something and share it with you. |
No need to apologise 🙂. Its quite a useful exercise for me to think about and write down a response to this kind of question because you're not the only person to ask. |
A fix has been proposed here, and implemented in an unofficial extension (see discussion here) until an official extension is released. |
I am receiving the following when trying to install my Firefox extension build.
Steps to Reproduce:
Clone repo at commit ea8fa71.
On Win 10, using MINGW64 shell provided by
git bash
(with administrative permissions), use Chocolatey to install make tools via the commandchoco install make
git checkout -b my-branch
in order to make a new local branch.Delete all files in
build
folder.Commit changes locally on
my-branch
.Make with command
make SETTINGS_FILE=settings/firefox-prod.json
. Output appears to be successful:Zip all files in build directory into
build.zip
Attempt install of the file from the previous step on
about:addons
page.I'm happy to include the zip file here, but did not want to accidentally pass on any sensitive data inside it.
The text was updated successfully, but these errors were encountered: