How to sign Firefox addon after editing it? - firefox

So the story is like this. I debug a site which throws a lot of warnings:
Strict-Transport-Security: The connection to the site is
untrustworthy, so the specified header was ignored.
That is because there is no proper certificate for localhost. But that is very annoying and I was not able to find an option to filter it out of the Firebug console. So I decided to go into the code. I found that Firebug is inside ~/.mozilla/firefox/blablabla.bla/extensions/firebug@software.joehewitt.com.xpi and that it is a zip which I could open with Vim, got to content/firebug/console/errrors.js, found there a variable pointlessErrors and appended my message to it.
Firefox ignores the changes, but after I restart it, it gives me a message that Firebug was not verified and was disabled. It's probably good, because it will protect me from lots of risks, but I'm sure of my changes.
How to tell firefox that? Or how to properly make changes to plugins?
Or is there some option for Firefox to shut up about Strict-Transport-Security? (I know, I know, too many questions in one question, but I want to find best solution).

The answer to your question's title can be found in the Mozilla wiki:
There it says:
How do I get my add-ons signed if they are not hosted on addons.mozilla.org (AMO)?
You will need to create an AMO account and submit your add-on. There will be an option where you indicate the add-on won't be listed
on AMO, and you'll be able to submit your add-on files without having
them published on the site. Please read the Distribution Policy for
more details.
You can also use the jpm sign command to generate a signed XPI that can be self-hosted.
There is an API you can use for signing.
Having said that, there are easier alternatives to signing the extension:
Go to about:config and set xpinstall.signatures.required to false.
Install the Nightly, Developer Edition or unbranded version of Firefox
Here's the related answer from the wiki:
What are my options if I want to install unsigned extensions in Firefox?
The Developer Edition and Nightly versions of Firefox will have a setting to disable signature enforcement. There will also be
special unbranded versions of Release and Beta that will have this
setting, so that add-on developers can work on their add-ons without
having to sign every build. To disable signature checks, you will need
to set the xpinstall.signatures.required preference to "false".
type about:config into the URL bar in Firefox
in the Search box type xpinstall.signatures.required
double-click the preference, or right-click and select "Toggle", to set it to false.
Regarding the question about getting rid of the warning regarding Strict Transport Security I see a few other possible solutions:
Access your localhost via HTTP instead of HTTPS.
Suppress sending the Strict-Transport-Security header on localhost.
Install a proper certificate.
Note that this warning is shown for security purposes, so there is some risk in disabling it generally.

Related

Install a personal firefox web extension permanently

Previously, I could write an addon for personal usage packed as something.xpi and I clicked on it to install it.
After a while, Mozilla introduced xpinstall.signatures.required, which you could still get around.
However, it did not stop stabbing developers who are interested in having a personal addon isolated from the world. Today, only web extensions work and my XUL-based addon is thrown away. The tutorials only talk about temporary installation of a web extension, while I want mine to run on Firefox forever.
Besides whether I can use a web extension to write into files or create a GUI in an independent page, I have a bigger challenge:
How can I install a local web extension permanently without creating a Mozilla account for personal usage?
Navigate to the folder where your extension is located. You can build it in the usual way using web-ext:
web-ext build
You can install this ZIP file permanently in Firefox by going to about:addons and dragging this file into the tab.
In order for this to work, you need to set xpinstall.signatures.required to false in about:config (works only for Nightly and maybe Developer Edition).
Apart from setting xpinstall.signatures.required to false, you need to add this to your manifest.json:
"browser_specific_settings": {
  "gecko": {
    "id": "some-name@example.org"
  }
}
Found on https://www.reddit.com/r/firefox/comments/blqffs/how_to_permanently_add_temporary_addon/exh2u3o/, thanks to "alexherbo2".
You need a "blueish" Firefox -- Developer Edition (effectively beta) or Nightly (unstable, updated every night).
You can get them from https://mozilla.org/firefox/channel/desktop/.
Then xpinstall.signatures.required will work again.
(As for permissions--you can create a GUI in a tab or a popup, but I don't think you can do it in a separate window (unless you do a webpage-style popup window). You won't be able to write to arbitrary files anywhere on the system--which is a good thing! You can write to the Downloads folder, and read/write some sort of internal storage, but that may not expose the actual files involved. For more information see https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Working_with_files.)
What you should be looking for is having your extension signed by Mozilla as Unlisted.
See Mixing Listed and Unlisted Add-ons on addons.mozilla.org blog post for an overview.
That way, AMO does not host nor (normally) review your extension; it simply runs some basic automated checks and immediately signs your extension so that it can be privately distributed as an XPI.
For those interested in developing/running an extension from a local directory without having to package or load it manually via "Load Temporary Addon..." from about:debugging#/runtime/this-firefox, please go to this GitHub repository.
From the README.md:
The procedure involves a few steps, but it needs to be done only once.
First you need to enable AutoConfig aka userchrome.js by copying the file config-prefs.js to [Your Firefox install directory]/defaults/pref
Note: For best security, on Windows it is best to leave your Firefox install in "c:\Program Files" so that your config-prefs.js and userChrome.js can only be modified when you are in root/admin mode.
Then you need to edit the file userChrome.js and modify the function installUnpackedExtensions() to reflect the locations of your own addons.
The modified userChrome.js then must be copied to your Firefox installation directory. For example on Windows this is usually "c:\Program Files (x86)\Mozilla Firefox" for the 32-bit version of Firefox. You can rename the file, but remember to modify the corresponding line pref("general.config.filename", "userChrome.js") in defaults/pref/config-prefs.js
Now your addons from your local directories will be loaded automatically whenever Firefox starts. After editing your code remember to reload it from about:debugging. You can also get there via the menu by selecting "More Tools", then "Remote Debugging", and clicking on "This Firefox" on the left side (but the quickest way is to bookmark it and then add a bookmark keyword such as "dbg" for quick access).
Please note that this is an automated install of the extension every time Firefox starts, so it is not quite the same as a "permanent install". That is, this procedure has exactly the same effect as clicking on "Load Temporary Addon..." from the about:debugging page, just that the process is now automated via userChrome.js. This means that if you have code that does something after the installation of the extension such as browser.runtime.onInstalled.addListener(details => { if (details.reason == "install") { ...do something after install... } }); then this code will be called every time Firefox is launched.
You can try setting the preference extensions.legacy.enabled (this will only work in Nightly or Dev Edition).

Firefox 40 does not allow the extension even after signing

I am using Firefox 40 and followed the Signing an XPI article to sign an XPI. I used certutil to sign the XPI and imported the X509.cacert in the Firefox Certificate Manager (Authorities tab); every step completed as mentioned in the article. Now if I install the XPI, I get a popup:
Caution: This site would like to install an unverified add-on in Firefox
After installation the extension is working correctly.
However, if I set the flag xpinstall.signature.required to true and then try to install it, I get a popup saying:
This add-on could not be installed as it appears to be corrupt.
I followed the steps in the article multiple times just to make sure I didn't miss anything, but still have the same issue. I would appreciate any pointers on where to look for the problem.
Extensions now have to be signed by Mozilla unless you're using Nightly/Dev Edition or the special unbranded release/beta builds.
See this page for further information.
If you want to distribute them yourself AMO should have an option to submit extensions for signing without listing them.

Does code signing help avoid the red SmartScreen banner in IE 9/10?

We've released a new application but we're getting reports that when users try and download it in Internet Explorer, they get a red error message after they choose to save or run the EXE file:
What we want to know is, how can we stop this red version of the banner appearing for IE users? Will code signing persuade IE to instead show the yellow banner which gives the users the option to run or save the file? And if so, is it possible to get a temporarily/trial certificate (not self signed) to test this with? Self signing doesn't seem to help.
Edit:
I've also noticed Google Chrome has a similar banner and effectively the same problem that the users will be scared off installing the file.
This behavior is entirely controlled by the SmartScreen Filter in IE. You cannot control it when creating the setup packages, no matter the tool you use to author them. Here are more details:
http://windows.microsoft.com/en-US/windows7/SmartScreen-Filter-frequently-asked-questions-IE9
http://windows.microsoft.com/en-US/windows7/When-to-trust-a-software-publisher-IE9
What I can recommend is to use the same name of the setup file for future versions, i.e. do not change it for every version and digitally sign the package using a code signing certificate. When more users will download the package the browsers will gather statistics and start trusting your file.

Setting default firefox preferences

Our continuous integration process uses Selenium, and twice in the last few months it has been knocked out of action thanks to firefox updating itself (either on developer machines or the CI server).
We have therefore installed the previous firefox version alongside the later one (this time in a directory called firefox-16), until Selenium catches up.
The problem is, the app.update.auto setting (in about:config) is set to true by default - meaning that sooner or later it will update itself to 17 and selenium will break. We therefore installed an all-no-update.js file in the /usr/lib/firefox-16/defaults/pref folder containing
user_pref("app.update.auto", false);
which (according to MDN) should override any other values. Unfortunately it doesn't work - the about:config page still shows app.update.auto as true. This MDN page says:
All Mozilla-based applications read (application directory)/defaults/preferences/*.js
but unfortunately that doesn't work either - the value stays unchanged.
I've trawled the Bugzilla database but can't find anything relevant (other than the fact that an all.js file gets deleted by an upgrade so be sure to use all-*.js file).
Does anyone know enough about the workings of Mozilla Firefox to tell me how to set this preference value? (please don't say "click on the about:config page" - it needs to be automatically to ensure the build is repeatable and stable).
Thanks, James
Edit:
Sorry if the above isn't clear: I can create default preferences, for newly created profiles, just fine. But as users already have a profile this won't have any effect. I could possibly create a new profile on every machine, for every user, that has this setting disabled - but it is a lot of overhead. Sysadmins all over the world must be using this functionality somehow, surely: a way to override a given preference with a centrally-set one?
The most likely reason is using user_pref() function - as the name already says, this one is reserved for user's preferences (in user's profile), default preferences should use pref() instead.
You also have to consider that whatever you put into this directory are default preferences, they can be overridden in the browser profile (in the file prefs.js there). If you aren't using a clean profile the preference can already be set there and the default won't have any effect then.
For reference: A brief guide to Mozilla preferences
From MDN: Enterprise Deployment (Configuration)
Some config items require lockPref to be set, such as app.update.enabled. It will not work if it is set with just pref.
Suspect this may apply to app.update.auto as well. Although I can find no obvious (i.e. named update) configuration option in about:config that is specific to any given add-on. So I don't even know if the per-add-on setting is a pref?
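The answers in this thread, and the xpinstall.signatures.required and AutoConfig answers earlier on the page, all depend on which preference layer wins. The sketch below is an added example, not code from any of the posts or from Mozilla: it resolves the effective value across layers and flags the two settings a defender would want surfaced. The layer model, the function names resolve and audit, and the sample file contents are assumptions of this example.

```python
import re

CALL = re.compile(r'^\s*(pref|user_pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
# Simplified model (an assumption of this example, following the answers
# above): each layer honours one call, and a higher rank overrides a lower one.
LAYERS = {"defaults": ("pref", 0), "profile": ("user_pref", 1),
          "autoconfig": ("lockPref", 2)}

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if raw.lstrip("-").isdigit() else raw.strip('"')

def resolve(files):
    """files: (layer, path, text) tuples -> (effective prefs, ignored calls)."""
    effective, ignored = {}, []
    for layer, path, text in files:
        honoured, rank = LAYERS[layer]
        for line in text.splitlines():
            m = CALL.match(line)
            if not m:
                continue  # comments, blank lines, anything that is not a pref call
            func, name, value = m.group(1), m.group(2), parse_value(m.group(3))
            if func != honoured:
                ignored.append((path, func, name))  # e.g. user_pref() in defaults/pref
            elif name not in effective or rank >= effective[name][1]:
                effective[name] = (value, rank, path)
    return effective, ignored

def audit(effective):
    """Return the findings a defender would want surfaced."""
    findings = []
    if effective.get("xpinstall.signatures.required", (True,))[0] is False:
        findings.append("add-on signature enforcement disabled")
    if "general.config.filename" in effective:
        findings.append("AutoConfig script: " + effective["general.config.filename"][0])
    return findings

# Constructed sample files, not taken from a real installation.
SAMPLE = [
    ("defaults", "defaults/pref/all-no-update.js", 'user_pref("app.update.auto", false);'),
    ("defaults", "defaults/pref/config-prefs.js", 'pref("general.config.filename", "userChrome.js");'),
    ("profile", "prefs.js", '// user values\nuser_pref("xpinstall.signatures.required", false);'),
    ("autoconfig", "userChrome.js", 'lockPref("app.update.auto", false);'),
]

if __name__ == "__main__":
    eff, ign = resolve(SAMPLE)
    print(eff["app.update.auto"], ign, audit(eff))
```

Run against the real files of an installation, the ignored list shows calls that sit in the wrong layer, and the audit output shows whether signature enforcement is off or an AutoConfig script is loaded at startup.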

Download file not working on internet explorer 6 (only for certain people)

I am working on an ASP.NET MVC3 webapplication.
I have a button "Download" that downloads a file from the server.
<input type="button" onclick="window.location.href='@Url.Action("DownloadFile", "Home")';" value="Download"/>
In the HomeController I call the Action "DownloadFile" that returns the file
return File(fileToReturn, Path.GetFileName(fileToReturn));
This is working normally on all browsers.
however some people report that the download does not work on Internet Explorer 6.
I installed IE6 and tested the website on it and it was working normally.
So this is my question:
What may have caused the download to not work for certain IE6 installations but work on others?
First I thought it was a security option in IE. But then I tested different security options on my IE6. When I cannot download due to security reasons, I get the message "Your current security settings does not allow this file to be downloaded". But they are not getting this (the file just does not download, without anything happening).
What may be causing this? I am unable to reproduce it in order to fix it.
Thanks a lot for any help
I had a similar problem once and managed to fix it by following these steps:
In Internet Explorer, click Tools, and then click Internet Options.
Click the Security tab.
There are four security zones listed: Internet, Local intranet, Trusted sites, Restricted sites. Click the zone your website is in (when you navigate to your site, the current zone is displayed in the status bar at the bottom of IE's window).
Under Security level for this zone, click Custom Level.
Under Downloads, under Automatic prompting for file downloads, click Enable, and then click OK two times.
You say you've checked that it isn't browser security settings, but it might be security settings on their network, not just the browser.
If their network firewall is configured to prevent certain types of files from being downloaded, then there may be nothing you can do to get around that, short of changing the file type you're sending. (or talking very nicely to their network operator).
Given the security risks involved in running IE6 these days, I imagine most companies still using IE6 would have pretty paranoid network security settings, so this is quite a likely explanation.

Resources