Skip to content

Draft: Bug 40062: HTTPS Everywhere is not shown as installed

Alex Catarineu requested to merge acat/fenix:40062 into tor-browser-81.1.1-10.0-1

This loads the list of allowed addons from a file in assets instead of fetching it from Mozilla's endpoint.

This file is fetched with:

curl https://addons.mozilla.org/api/v4/accounts/account/mozilla/collections/3204bb44a6ef44d39ee34917f28055/addons/ | jq > allowed_addons.json

For simplicity, the patch currently always writes the allowed_addons.json file to the cache when calling getAvailableAddons. This might become too slow if the list grows bigger, so we probably want to check for some version, which we could bump when modifying allowed_addons.json (or maybe just use the app version for this).

The icons are still fetched from the respective icon_url fields in allowed_addons.json. We could avoid this by changing the icon_url fields into data URIs, but I'm not sure how much bigger the resulting file would be.

The patch also makes sure https-everywhere-eff is in this list instead of https-everywhere, so that the former is shown as installed and the latter is not shown.

Note that by hardcoding this list it is likely that some addon in it will become out of date with respect to the AMO version. If this is an issue, we could either:

  1. Reduce the time between addon updates checks (currently 1 day).
  2. Check addon updates right after installing them (or before, and make sure the most recent XPI is installed instead).

We could also continue fetching the list from Mozilla, but I think in that case we should also make sure that they cannot force NoScript being disabled just by removing it from their endpoint.

Edited by Alex Catarineu

Merge request reports

Loading