Talk:Extension Manager:Addon Update Security: Difference between revisions

Talk:Extension Manager:Addon Update Security (view source)

240 bytes added , 9 July 2007

12

edits

@@ Line 21: / Line 21: @@
 . Suppose install.rdf contains an em:updateURL of http://foo.com/update.rdf. When FF retrieves the resource at http://foo.com/update.rdf, if the resource does not contain an em:updateHash element or the value of the em:updateHash element is incorrect, the update is not installed.
 * That is correct. However in order for the updateURL to be used at all it must be digitally signed. --[[User:Mossop|Mossop]]
+**So the resource at http://foo.com/update.rdf would never be retrieved? In other words, both https:// URLs in install.rdf [b]and[/b] em:updateHash values in update.rdf are required? --[[User:Grimholtz|Grimholtz]] 12:35, 9 July 2007 (PDT)
 . Suppose install.rdf contains an em:updateURL of https://foo.com/update.rdf. When FF retrieves the resource at https://foo.com/update.rdf, FF will install the update even if no em:updateHash element exists (assuming there are no problems with the certificate for foo.com). If, however, em:updateHash does exist, it is checked for validity against the update.