Make the extension whitelist public-key-cryptography based.
If/when the Tor Browser people decide to do the sensible thing and start signing all of the XPIs bundled with Tor Browser, the extension whitelist can be made more resilient to Tor Browser changes by validating XPI signatures with its own copies of the public key.
Till then it will be somewhat fragile, though new extensions don't get added very often, so it's "merely" a matter of keeping in sync with the browser.