Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plug-n-Hack add-on issues #2069

Closed
afeld opened this issue Nov 20, 2015 · 16 comments
Closed

Plug-n-Hack add-on issues #2069

afeld opened this issue Nov 20, 2015 · 16 comments

Comments

@afeld
Copy link

@afeld afeld commented Nov 20, 2015

...due to be unverified. Using:

  • OWASP ZAP 2.4.2
  • OSX 10.11.1
  • Firefox 43.0b4

Steps to reproduce:

  1. Start ZAP.
  2. Click "Plug-n-Hack" from the Quick Start tab.
  3. In Firefox, click "Click to setup!", then "Add to Firefox".
  4. Click "Allow" in the modal that pops up.

The add-on seems to be unverified:

Firefox has prevented this site from installing an unverified add-on

Are there any special instructions that need to be added to the wiki or the /pnh/ page? Sorry if I'm missing something!

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Dec 21, 2015

As of Firefox 43 it is no longer possible to load unsigned extensions such as fx_pnh.xpi without altering settings in about:config in Firefox 44 there will be no option to bypass the requirement for all extensions to be signed.

https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/plugnhack/resources/fx_pnh.xpi

Will need to be updated with a signature, or we're going to have to state quite clearly that pnh functionality is only supported when using Firefox Developer Edition (or nightly build).

Further discussion here:
#2149

Further reference info here:
https://wiki.mozilla.org/Add-ons/Extension_Signing
https://developer.mozilla.org/en-US/docs/Signing_an_extension
https://developer.mozilla.org/en-US/docs/Signing_a_XPI

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Feb 12, 2016

@mozmark any news on getting PnH signed?

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Apr 8, 2016

Is there actually any hope for plug n hack?

@ipatrol
Copy link

@ipatrol ipatrol commented Apr 9, 2016

Supposedly Mozilla was onboard with the development of the idea. I'd think it would end up very embarrassing for them if they don't sign this.

@psiinon
Copy link
Member

@psiinon psiinon commented Apr 12, 2016

Well, pnh was developed by myself and @mozmark and we are both employed by Mozilla. Unfortunately I dont think @mozmark has been able to spend any time on pnh, and I dont have the knowledge necessary to work on the Firefox side. I'm proposing that we disable pnh until it can be fixed. Any objections?

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Apr 12, 2016

Seems ok to me. I don't think the extension itself needs any changes, just need to get it through the Mozilla signing process (however that works 🤷).

@thc202
Copy link
Member

@thc202 thc202 commented Apr 13, 2016

I'm ok with that.

@mozmark
Copy link

@mozmark mozmark commented Apr 13, 2016

I'm also OK with that - though I should clarify it isn't just signing that needs addressing: There have been (fairly major) changes to the way Firefox addons need to operate due to the recent multi-process work (e10s). If it is still the case that the addon runs in release versions of Firefox, please be aware that changes are coming that will cause (more) breakage.

I'd love to see this working again. If anyone else is interested in picking up this work, I'd be happy to assist.

@kingthorin
Copy link
Member

@kingthorin kingthorin commented Apr 13, 2016

@mozmark thanks for the update. If someone is available to work through the e10s changes are you able to get it signed?

@mozmark
Copy link

@mozmark mozmark commented Apr 13, 2016

I should be able to help through the process - I'm not in a position to approve signing requests, though.

@thc202 thc202 changed the title Plug-n-Hack add-on installation fails Plug-n-Hack add-on issues Apr 13, 2016
@tuxayo
Copy link

@tuxayo tuxayo commented Apr 15, 2016

If it is still the case that the addon runs in release versions of Firefox please be aware that changes are coming that will cause (more) breakage.

I confirm that the add-on works with stable 45 and fails with Developer Edition 47 with e10s enabled.

@thc202
Copy link
Member

@thc202 thc202 commented Nov 24, 2016

@andreicristianpetcu
Copy link

@andreicristianpetcu andreicristianpetcu commented Dec 9, 2016

As of Firefox 43 it is no longer possible to load unsigned extensions such as fx_pnh.xpi without altering settings in about:config in Firefox 44 there will be no option to bypass the requirement for all extensions to be signed.

@kingthorin You can sign it and load the addon yourself.

Here is the addon signed by me. Enjoy! :)

You should not disable addon signing in about:config. This is a security issue unless you are an addon dev.

Here's how to sign it yourself

If you have any issues signing this addon please ping me :)

thc202 added a commit to zaproxy/zap-admin that referenced this issue Jun 20, 2017
The Plug-n-Hack Configuration add-on is not working correctly (e.g. ZAP
binary incompatible changes, Firefox plugin not signed).

Issue zaproxy/zaproxy#2069 - Plug-n-Hack add-on issues
thc202 added a commit to zaproxy/zap-admin that referenced this issue Jun 20, 2017
The newer version addresses the binary incompatible changes introduced
in latest ZAP version (allowing to use other PnH features, for example,
intercept and change postMessages). The Firefox plugin is not yet
signed.

Issue zaproxy/zaproxy#2069 - Plug-n-Hack add-on issues
@kingthorin
Copy link
Member

@kingthorin kingthorin commented Jun 15, 2019

@psiinon should we just close this? Browser launch seems to simplify browser setup sufficiently (for my 2 cents).

@psiinon psiinon added the historic label Jun 16, 2019
@psiinon
Copy link
Member

@psiinon psiinon commented Jun 16, 2019

Yeah, plug-n-hack was a good idea at the time but is now no longer practical.

@psiinon psiinon closed this Jun 16, 2019
@lock
Copy link

@lock lock bot commented Oct 31, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Oct 31, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
8 participants