Tor Browser-specific NoScript update channel
The problem
The Tor Browser currently ships with the official AMO stable release of the NoScript extension, which therefore is updated from Mozilla's servers.
Per Mozilla's policy, each update of this kind requires a manual review from AMO's editorial staff to be signed and published, which can take several days.
Without Mozilla's signature, extensions cannot be installed in the Tor Browser.
This situation becomes problematic when we need to ship a security update, possibly for a problem which is already known.
Proposed solution
Since self-hosted extensions (i.e. extensions which specify their own non-Mozilla update URL) get signed by Mozilla after an automated validation process which takes minutes, we can self-host a parallel version of the latest NoScript stable release with an update URL pointing to TPO infrastructure.
We would need to serve:
- an update.xml file with the update info, which would get about 1 ping per day per Tor Browser user
- the ~1MB xpi file of the latest NoScript, to be downloaded if the ping determines the currently installed one is outdated
We would also need a means to update both the xml and the xpi files.