
That's why you uncheck "update add-ons automatically" in the add-on manager.



Standard users would have no idea they can do that or even bother. Extensions are risky additions to the browser because it's 3rd party code that can read your web pages and local storage values.


Yes, but I didn't talk about standard users.

Also, most of my extensions are not 3rd party code and I want them to have full access.

For the rest I update them once in a while and go check

    ~/.mozilla/**/*.xpi
for changes with something like this.

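    # Run from inside the git working tree: clear the previous snapshot
    # (every directory except .git) so removed files show up in the diff.
    find . -maxdepth 1 -mindepth 1 -type d ! -name .git -print0 | xargs -0r rm -rf

    # Unpack each extension into a directory named after its .xpi file.
    for f in ../extensions/*.xpi ; do
            unzip "$f" -d "$(basename "${f%.xpi}")"
    done

    # Stage and commit everything, then review the commit's diff.
    git add -Af .
    git commit -m "Changes"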
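
Added example (not part of the comment above and not the commenter's code): a Python check that goes one step past the git snapshot by comparing two versions of one extension package, listing files added, removed or changed and any permissions the new `manifest.json` requests that the old one did not. The sample packages are constructed in memory, and the function names are this example's own.

```python
import hashlib
import io
import json
import zipfile


def xpi_summary(xpi_bytes):
    """Return ({member name: sha256}, set of requested permissions) for one XPI."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        hashes = {n: hashlib.sha256(z.read(n)).hexdigest()
                  for n in z.namelist() if not n.endswith("/")}
        perms = set()
        if "manifest.json" in hashes:
            manifest = json.loads(z.read("manifest.json"))
            for key in ("permissions", "optional_permissions", "host_permissions"):
                # Entries are normally strings; skip anything else.
                perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return hashes, perms


def diff_xpi(old_bytes, new_bytes):
    """Compare two versions of an extension package."""
    old_h, old_p = xpi_summary(old_bytes)
    new_h, new_p = xpi_summary(new_bytes)
    return {
        "added": sorted(set(new_h) - set(old_h)),
        "removed": sorted(set(old_h) - set(new_h)),
        "changed": sorted(n for n in old_h.keys() & new_h.keys() if old_h[n] != new_h[n]),
        "new_permissions": sorted(new_p - old_p),
    }


def make_xpi(files):
    """Build a constructed in-memory XPI (sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages, not real extensions.
OLD = make_xpi({"manifest.json": json.dumps({"version": "1.0", "permissions": ["storage"]}),
                "background.js": "console.log('v1');"})
NEW = make_xpi({"manifest.json": json.dumps({"version": "1.1", "permissions": ["storage", "<all_urls>"]}),
                "background.js": "console.log('v1');",
                "lib/extra.js": "console.log('new file');"})

if __name__ == "__main__":
    print(json.dumps(diff_xpi(OLD, NEW), indent=2))
```

For real packages, read the old and new `.xpi` files as bytes and pass them to `diff_xpi`; a non-empty `new_permissions` list is the first thing to look at before keeping the update.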


This risks using a known-vulnerable extension unless you monitor releases another way.


Vulnerable extensions are exploited when you access websites that can abuse the holes in the extension (XSS for example). You have to visit the site that the extension targets that has the attack payload for the extension.

I think that risking this by updating manually is more acceptable than getting the malicious code directly auto-installed as soon as it's released by the attacker no matter what you do.



