New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plug-n-Hack add-on issues #2069

Open
afeld opened this Issue Nov 20, 2015 · 13 comments

Comments

Projects
None yet
8 participants
@afeld

afeld commented Nov 20, 2015

...due to be unverified. Using:

  • OWASP ZAP 2.4.2
  • OSX 10.11.1
  • Firefox 43.0b4

Steps to reproduce:

  1. Start ZAP.
  2. Click "Plug-n-Hack" from the Quick Start tab.
  3. In Firefox, click "Click to setup!", then "Add to Firefox".
  4. Click "Allow" in the modal that pops up.

The add-on seems to be unverified:

Firefox has prevented this site from installing an unverified add-on

Are there any special instructions that need to be added to the wiki or the /pnh/ page? Sorry if I'm missing something!

@kingthorin

This comment has been minimized.

Member

kingthorin commented Dec 21, 2015

As of Firefox 43 it is no longer possible to load unsigned extensions such as fx_pnh.xpi without altering settings in about:config in Firefox 44 there will be no option to bypass the requirement for all extensions to be signed.

https://github.com/zaproxy/zap-extensions/blob/beta/src/org/zaproxy/zap/extension/plugnhack/resources/fx_pnh.xpi

Will need to be updated with a signature, or we're going to have to state quite clearly that pnh functionality is only supported when using Firefox Developer Edition (or nightly build).

Further discussion here:
#2149

Further reference info here:
https://wiki.mozilla.org/Add-ons/Extension_Signing
https://developer.mozilla.org/en-US/docs/Signing_an_extension
https://developer.mozilla.org/en-US/docs/Signing_a_XPI

@kingthorin

This comment has been minimized.

Member

kingthorin commented Feb 12, 2016

@mozmark any news on getting PnH signed?

@kingthorin

This comment has been minimized.

Member

kingthorin commented Apr 8, 2016

Is there actually any hope for plug n hack?

@ipatrol

This comment has been minimized.

ipatrol commented Apr 9, 2016

Supposedly Mozilla was onboard with the development of the idea. I'd think it would end up very embarrassing for them if they don't sign this.

@psiinon

This comment has been minimized.

Member

psiinon commented Apr 12, 2016

Well, pnh was developed by myself and @mozmark and we are both employed by Mozilla. Unfortunately I dont think @mozmark has been able to spend any time on pnh, and I dont have the knowledge necessary to work on the Firefox side. I'm proposing that we disable pnh until it can be fixed. Any objections?

@kingthorin

This comment has been minimized.

Member

kingthorin commented Apr 12, 2016

Seems ok to me. I don't think the extension itself needs any changes, just need to get it through the Mozilla signing process (however that works :shrug:).

@thc202

This comment has been minimized.

Member

thc202 commented Apr 13, 2016

I'm ok with that.

@mozmark

This comment has been minimized.

mozmark commented Apr 13, 2016

I'm also OK with that - though I should clarify it isn't just signing that needs addressing: There have been (fairly major) changes to the way Firefox addons need to operate due to the recent multi-process work (e10s). If it is still the case that the addon runs in release versions of Firefox, please be aware that changes are coming that will cause (more) breakage.

I'd love to see this working again. If anyone else is interested in picking up this work, I'd be happy to assist.

@kingthorin

This comment has been minimized.

Member

kingthorin commented Apr 13, 2016

@mozmark thanks for the update. If someone is available to work through the e10s changes are you able to get it signed?

@mozmark

This comment has been minimized.

mozmark commented Apr 13, 2016

I should be able to help through the process - I'm not in a position to approve signing requests, though.

@thc202 thc202 changed the title from Plug-n-Hack add-on installation fails to Plug-n-Hack add-on issues Apr 13, 2016

@tuxayo

This comment has been minimized.

tuxayo commented Apr 15, 2016

If it is still the case that the addon runs in release versions of Firefox please be aware that changes are coming that will cause (more) breakage.

I confirm that the add-on works with stable 45 and fails with Developer Edition 47 with e10s enabled.

@thc202

This comment has been minimized.

Member

thc202 commented Nov 24, 2016

@andreicristianpetcu

This comment has been minimized.

andreicristianpetcu commented Dec 9, 2016

As of Firefox 43 it is no longer possible to load unsigned extensions such as fx_pnh.xpi without altering settings in about:config in Firefox 44 there will be no option to bypass the requirement for all extensions to be signed.

@kingthorin You can sign it and load the addon yourself.

Here is the addon signed by me. Enjoy! :)

You should not disable addon signing in about:config. This is a security issue unless you are an addon dev.

Here's how to sign it yourself

If you have any issues signing this addon please ping me :)

thc202 added a commit to zaproxy/zap-admin that referenced this issue Jun 20, 2017

plugnhack: remove from marketplace
The Plug-n-Hack Configuration add-on is not working correctly (e.g. ZAP
binary incompatible changes, Firefox plugin not signed).

Issue zaproxy/zaproxy#2069 - Plug-n-Hack add-on issues

thc202 added a commit to zaproxy/zap-admin that referenced this issue Jun 20, 2017

plugnhack: release version 10
The newer version addresses the binary incompatible changes introduced
in latest ZAP version (allowing to use other PnH features, for example,
intercept and change postMessages). The Firefox plugin is not yet
signed.

Issue zaproxy/zaproxy#2069 - Plug-n-Hack add-on issues
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment