
Writing Extensions for Firefox Is Barely Worth the Trouble - timr
http://omniref.com/blog/blog/2014/09/08/writing-extensions-for-firefox-is-barely-worth-the-trouble/
======
shock
> You need to re-examine your review policies, and figure out why Chrome can
> manage to approve extensions in a few days, when you take weeks to review
> the same code.

AFAIK Chrome extensions don't go through a review process. That's why I know
of two Chrome extensions that were spying on their users and submitted the
visited urls to third party servers (Smooth Gestures and a Diigo extension
having something to do with screenshots).

So while it's important to be able to iterate quickly, I don't think the
Chrome team have made the best choice. The damn spying by extensions is the
primary reason I recommend Firefox instead of Chrome to anyone who asks.

~~~
general_failure
I disagree. Reviewing should never have been part of software culture but
sadly is becoming a norm.

Just because some extensions are bad, don't make everyone suffer and provide a
bad experience. Maybe provide a proper review system where people can downvote
and moderators can ban such extensions. They are so many choices available
instead of a highly dramatized review process.

~~~
smacktoward
But how is the general user supposed to be able to evaluate technical
questions like whether their new extension is spying on them? If it appears to
be doing what it said it would do, they aren't going to pop the hood and see
if it's doing anything else. All you'll get is 10,000 variations of "I
downloaded the More Smilies extension and got a bunch of smilies! 5 stars."

~~~
general_failure
If the problem is spying specifically, then build a proper sandbox for network
traffic. Make sure the user knows if they want the sandbox disabled (or
extensions seek specific permissions).

Like I said, there are many options here. Approval process should just do some
automated scans but that's about it.

~~~
shock
> then build a proper sandbox for network traffic

Such a sandbox can't be done for this use case. How would the sandbox know
what is legitimate traffic for that extension and what is traffic related to
spying?

------
bkolobara
As somebody who works right now on a Firefox extension I can't agree more.

The documentation is a mess. Right now there exist 3 different ways of
developing your extensions. Even if you decide you are going to use the
official Addon SDK it is not clear if you should be using the CFX tool like
described in their main repository[1] or JPM[2] which according to this blog
post[3] is now the official tool. If you decide to go with the new tool you
will find out that there is no documentation how the import system works,
except another blog post[4] that just says they are now using npm. Good luck
with figuring out all the details.

But I think the main problem with Firefox is that once the Addon is inside the
browser there is no sandboxing. The Addon has the same privileges as the
Firefox process, including the potential to modify other Addons at runtime.
That's why the review process is taking such a long time, they basically need
to hand check all of your source code to catch if you are doing something
nasty. If you don't ask in Chrome for some permission you will just not have
access to this API, but not in Firefox. No permissions, always full access.
This is an enormous security risk, because it is impossible to check all
corner cases of big Addons and be sure that the Addon will not get code from
outside and just eval it.

[1] [https://github.com/mozilla/addon-sdk](https://github.com/mozilla/addon-
sdk) [2] [https://github.com/mozilla/jpm](https://github.com/mozilla/jpm) [3]
[https://blog.mozilla.org/addons/2014/08/19/announcing-add-
on...](https://blog.mozilla.org/addons/2014/08/19/announcing-add-on-sdk-1-17/)
[4] [http://work.erikvold.com/jetpack/2014/08/07/cfx-to-
jpm.html](http://work.erikvold.com/jetpack/2014/08/07/cfx-to-jpm.html)

~~~
gozala
Statement that firefox Add-ons inside the broweser don't have a sandboxing is
false. All the add-on SDK built add-ons load in sandboxed in a less privileged
JS sandbox, although it is true that there is an escape hatch via
`require("chrome")` as some add-ons just want to make modifications that are
not even possible elsewhere. This is also reflected on reviews add-ons that do
not use `require("chrome")` go through a faster review process while add-on's
that do use `require("chrome")` get more thorough reviews.

Your criticism in regards to tooling is valid, but it ignores a bigger
picture. Two of the the three different ways of writing add-ons have existed
long before chrome was even announced and made great add-ons like firebug
possible. The fact that there is already a three different ways to write
firefox add-ons is outcome of constant improvement of the firefox add-on
platform. While this makes things little confusing for newcomers, it still
necessary to keep old add-on systems in place, as this keeps people's add-on's
alive and subsequently make users using those add-on happy.

You also misreading blog posts about JPM, as it is not a new official tool
yet, but we are working hard to get there. As of reason why, add-on SDK was
designed with commonjs modules in mind as we saw it becoming de facto
standard. Back then node was not announced yet, needles to mention npm and
tons of packages published to it. There for toolchain named CFX was written in
python. Now that node became a standard tool in the JS toolchain and npm is
where js libraries get published we are working to refresh our toolchain and
embrace all this, subsequently making thousands of packages available in npm
available to an add-on authors.

~~~
Padding
> While this makes things little confusing for newcomers,

A "little confusing" is way off the mark here. If it weren't for Google Search
working its magic, it would be practically insurmountable.

> it still necessary to keep old add-on systems in place,

I don't think anyone is asking to scrape the old APIs. Just clearly mark the
APIs as depracated and link to the new corresponding bits of documentation ..
that is after writing them first.

As it stands, writing a Firefox extension is somewhat of an arcane art
currently.

------
sroussey
Five years ago or so, you could debug extensions with Chromebug, based on
Firebug. It is what we used to debug Firebug itself. But when Mozilla decided
to go and split out its own DevTools about three years ago, the writing was on
the wall, and the lead developer John left. Unfortunately, he was the only one
that really understood Chromebug, and Mozilla kept changing things that broke
it with each new version of Firefox.

If you think debugging your extension is hard, imagine debugging Firebug. We
built our own tracing/logging extension a long time ago to help, and I think
it predates Chromebug. But it is not the same.

Fact is, Mozilla extensions are going to have some issues when e10s ships in
final form. It can give then the opportunity to redo things. I'm not a fan of
JetPack, btw, as I think python is a requirement. And not the version I have
on my machine. Talk about a non-starter.

At least the built in tools are finally getting to a useable state. They are
made for e10s. They have some nice features. I haven't noticed them breaking
sites that you debug by being them being turned on (my fault for waiting so
long to file a bug). They have some great UI choices (yet some bad ones).
Overall, they are shaping up.

BTW, the debugging of extensions only works for _some_ extensions. Sadly not
mine. :/

~~~
mikeratcliffe
Steve, the browser debugger should work with all extensions... what isn't
working for you?

------
Afforess
I've written Firefox extensions, and I gave up on the official Mozilla
extension store. It is far easier to host the extension xpi yourself and
provide the update configuration in your extension manifest for your own
webserver. This lets you auto-update your extension yourself. The only
downside is you have to learn how to sign the extension with either the
command line or an eccentric GUI program on windows.

All of the problems detailed in this blog are true. But I feel like the author
missed one thing that bugs me. Whenever you install a Firefox addon, you might
notice that little text saying "author not verified". Why is that? Because the
verification process for authorship is above and beyond the normal extension
process and insane.

Author signing process: [https://www.mozdevgroup.com/docs/pete/Signing-an-
XPI.html](https://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html)

Automatic Firefox extension updates (without Moz store):
[http://www.borngeek.com/firefox/automatic-firefox-
extension-...](http://www.borngeek.com/firefox/automatic-firefox-extension-
updates/)

~~~
pbhjpbhj
Moving OT a little - it seems that signing things should be a [more] central
part of all major OS nowadays. Our OS should be signing the docs we send for
us, signing our emails for us, signing pics we send to family so they can see
they haven't had any changes made in transit, etc., etc..

I can see problems with peoples systems being hacked and made to sign stuff,
but surely having the signing system in the first place leads to enough gains
overall - provided it can be made simple, clear and useful for the common
user.

/uninformed rant

------
anaran
Which versions of Chrome and Firefox did you compare to come to these
conclusions?

Firefox has an Addon Debugger.

Also [https://addons.mozilla.org](https://addons.mozilla.org) (AMO) has much
more accountable guidelines than
[https://chrome.google.com/webstore/](https://chrome.google.com/webstore/)
(cws).

cws has a lot of issues with lengthy reviews as well
[https://groups.google.com/a/chromium.org/forum/#!searchin/ch...](https://groups.google.com/a/chromium.org/forum/#!searchin/chromium-
extensions/review$20for$20weeks)

Over at AMO you can monitor the review queue position of your addon, and there
is even IRC channels #amo-editors and #amo to talk to.

Review mails have specific feedback about issues they find.

Google extension reviews, bug reports (e.g. Chrome or Android bugs[1]),
googlecode site support[2], are an ever growing super massive black hole.

[1] e.g.
[https://code.google.com/p/android/issues/list?can=2&q=blueto...](https://code.google.com/p/android/issues/list?can=2&q=bluetooth+voice+dial&colspec=ID+Type+Status+Owner+Summary+Stars&cells=tiles)
[2]
[https://code.google.com/p/support/issues/list](https://code.google.com/p/support/issues/list)

------
lucb1e
> When I tell other coders that I try to do web development in Firefox, they
> give me sad, withering looks

I don't know what environment you live in, but despite the at least 2/3rd
adoption rate of Chrome (note, not Chromium but really Google Chrome) over
Firefox there is no hate here at all. It's a choice depending on personal
preference, and in my case also for FOSS. It's not like Firefox has already
lost, which is how you put it.

In fact I've used Chrome for months when I disagreed with Firefox 4's design.
In the end I couldn't stand the way Chrome worked and reverted. Besides FOSS,
it really is a preference.

I might agree on the topic of making add-ons, though the last time I looked
into that (and quickly gave up) for any browser I was maybe 16, which is now 5
years ago. Userscripts is the way I and everyone I know takes, and there
Firefox is better than Chrome as far as I know (Chrome requires some tricks
because it only accepts scripts from the store these days).

~~~
duaneb
I don't hate Firefox, I use it as my primary browser, but its developer tools
are terrible compared to chrome. If you have the network console open while a
large page loads, good luck interacting with the chrome until it's finished.

~~~
Someone1234
Firefox's developer tools are terrible even compared to Internet Explorer
10/11 (which are actually surprisingly good). But at least Firefox as 3D
doodads, because that's important...

But that all being said, if ANY developer addon lets me manually edit cookies
then I will happily use it. Right now they all only let you delete, not alter,
cookies. So it is hard[er] to test your site's security against malformed or
malicious cookie issues.

~~~
lucb1e
Tamper Data.

> Firefox's developer tools are terrible even compared to Internet Explorer
> 10/11

Wow what, care to elaborate? I've attempted to use them once and couldn't do
the most basic of tasks, went straight to getfirefox.com. Not sure what I
tried to do, probably something network related or maybe css modifying.

------
__david__
If you think Firefox is bad, try writing an extension for Thunderbird. All the
docs talk about old XUL based extensions and new Jetpack ones, and there's
even articles on their dev site about building Thunderbird extensions with
Jetpack, but the truth is that Thunderbird support was removed from Jetpack. I
had to check git logs to find this out!

To get a restartless "Hello World" Thunderbird add-on running I had to bang my
head against a wall for a solid week. It was not pleasant, to say the least.
In the end the code itself wasn't bad (especially after I decided to just use
Browserify and bypass their require() mechanisms completely), but finding the
right incantations was horrific.

The debugger situation was very bad, but looked like it was improving a
little. I was able to get my Firefox beta to connect to my Thunderbird beta
and remote debug. Except that it couldn't reliable set breakpoints, or step in
and out of privileged code. And my console.log() message only went to the
global debug console. Oh, and I had to write console.log()—extensions don't
get that by default.

Sadly in the end I discovered that the part I wanted to override was deep in
the bowels of the C++ code, making it more or less impossible. It's an XPCOM
component, so there's a small chance I could make a replacement component in
Javascript and forward all but the functions I want to override through to the
real one, but I got overwhelmed and stopped working on the project. :-(

~~~
tangue
The way Mozilla treats is own supporters (Thunderbird users and developers )
is disheartening... Sure it's less glamorous than mobile, datajournalism or
<insert buzzword here>, but we need a quality FOSS email reader and I'm
seriously considering switching to 19 years old Mutt

~~~
ta0967
"Mutt 1.5.20 was released on June 14, 2009."

but seriously, "19 years old Mutt" rings hollow. Linux is 23 years old, BSDs
are older still, etc etc. software age in itself means little.

Edit: "Mutt 1.5.23 was released on March 12, 2014." not sure how the 1.5.20
thing sneaked in.

------
fidotron
The fundamental problem is Mozilla has drifted further out of touch with
reality as the funding it receives is not attached to incentivisation of the
correct course of action. At this point they look like a social justice
movement masquerading as software development organisation, with the net
result being a greater appeal to the social justice movement than software
developers.

This is just one manifestation of that, and the resulting misallocation of
resources. Firefox used to succeed by being better, not by having an ideology.
That at one point it had both is a happy accident.

~~~
ianbicking
I think there is some truth to your critique, but I'm not sure the conclusion
should be that Mozilla should be focusing on software developers, as software
developers are not the bulk of its users.

But the original article doesn't just point to a problem with Firefox for
developers, but also a problem that makes it hard for developers to create
extensions, which can mean a worse experience for Firefox users.

Mozilla's ideology does have the the potential to be focused on user value.
Mozilla is, according to its formal and written mission, dedicated to the
"open web" ([https://www.mozilla.org/en-
US/mission/](https://www.mozilla.org/en-US/mission/)), not to all Good Things.
And Mozilla has succeeded in ways because it has consistently held faith in
the web, when others have not. Microsoft gave up on browsers and Mozilla
didn't, which was Firefox's first big win. Google gets distracted by Dart and
(P)NaCL, while Mozilla sticks with Javascript and creates something like
ASM.js. Or compare Android and iOS to Firefox OS – Mozilla is really sticking
its neck out to support the open web in this case. Firefox OS isn't about
social justice, that is a product being created to defend an ideology focused
on the open web, and it's a huge allocation of resources by Mozilla.

Extensions actually fit in kind of poorly here, which is perhaps why things
are rough. Extensions aren't the open web, and while there's value in
Extensions for Firefox-the-product it doesn't have good mission alignment.

All that said, I'd agree that Mozilla, like many mission-led organizations,
has a real challenge distinguishing its aspirations from the work that really
defines its contribution to the world.

------
smacktoward
Two thoughts:

1) You're absolutely right that writing extensions for Firefox is harder than
writing extensions for Chrome. But that's in no small part because Firefox has
been around for something like twice as long as Chrome has; and really,
Firefox's add-on infrastructure goes back even further, all the way back to
the original Mozilla suite. Which means Firefox is carting around something
like 15+ years' worth of legacy infrastructure with it. There are lots of bits
of technology that Made Sense At The Time™ (XUL and RDF manifests, for
instance) that just seem needlessly baroque today.

It's possible to imagine them ripping all that out and starting from a clean
sheet of paper, but that wouldn't necessarily be an unalloyed good for
developers. After all, backwards compatibility is a Good Thing for developers
too; just for developers who have already gotten into the platform, rather
than those seeking to get in now.

Rather than have a Great Break and throw out all those years' worth of
extension developers' work, Mozilla has instead been making incremental
improvements to extension development -- creating things like bootstrapped
extensions ([https://developer.mozilla.org/en-US/Add-
ons/Bootstrapped_ext...](https://developer.mozilla.org/en-US/Add-
ons/Bootstrapped_extensions)) and reducing the dependency on things like RDF
that nobody wants to work with anymore. This is a pragmatic approach, but it
will require a very long time for it to get Firefox to a place where it can
compete directly with Chrome on this front.

Which leads me to point 2...

2) Imagine that Firefox _didn 't_ have to worry about all that legacy support,
and really could start from a clean sheet of paper.

Would it be worth it?

My personal sense is that browser extensions _in general_ are a technology
that's on the far side of the adoption bell curve. As the Web itself becomes a
more capable platform, many scenarios that used to require an extension can
now be handled quite well by sites on their own. And anecdotally, I see a lot
less interest in extensions among the "normal users" I interact with these
days than I did, say, 10 years ago.

So, if you're Mozilla, maybe you _could_ make extension development cleaner,
but it's just not worth the effort to do so. Why plow developer time into
improving something that few people care about today and fewer will care about
tomorrow? Maybe it's best to just remove the most obnoxious problems by
tweaking around the edges, and let time take care of the rest.

Which, come to think of it, sounds a lot like what they are already doing...

~~~
phloxicon
Maybe Servo will be their clean slate. I know it's an experimental browser
created to help test a language and parallelism in web APIs, but if it does
well, it could come to replace Firefox. This is unlikely and years away at
best but it's possible.

~~~
vsviridov
Servo is not even a browser. It's a layout/rendering engine. It has nothing
else beyond that.

~~~
valarauca1
Gecko is not even a browser, its a layout/render engine.

Its currently a research project, but the hope is the project will mature to
the point that it can be incorporated. It also allows for Rust Developers to
see immediate uses and usability issues with changes to the Rust language.

------
mikeratcliffe
So, you are frustrated because:

1\. Mozilla are improving the extension architecture and developer tools too
quickly for you to keep up with and that leads to lots of documentation.

2\. Because Mozilla don't want people to use their extensions to sell a users
information, spy on them, advertise to them etc. the review process takes
longer than Google's.

------
spindritf
It does seem like disarray is creeping into Firefox. The little things like
reviews, docs, Aurora PPA[1] (ok, I'm squeezing my personal problem in here a
bit) are falling behind.

To be fair, they also have a mobile operating system and LGBT advocacy to tend
to.

[1] [https://launchpad.net/~ubuntu-mozilla-
daily/+archive/ubuntu/...](https://launchpad.net/~ubuntu-mozilla-
daily/+archive/ubuntu/firefox-aurora)

~~~
kbrosnan
Ubuntu controls the PPA. Ubuntu has reassigned the developer that largely lead
the Ubuntu Mozilla integration. There is little we as Mozilla can do to
control this. If you need this resolved complain to Canonical management or
find someone from the Ubuntu community of Nightly/Aurora users who wants to
own keeping the PPA running.

There are precompiled tarballs available at nightly.mozilla.org and
aurora.mozilla.org I have used these on just about every major distro and
several of the smaller ones without issue.

------
kev6168
The documentation for writing add-ons is really bad.

I challenge anyone to locate a one-page official documentation which walks you
through a "hello world" add-on creation process? Right now there are a
thousand pages talking about add-on, but each one of them also has a thousand
links in it to make you jump to other places, then again to jump to more
places.

If someone with knowledge of the latest development can put a _complete_ walk-
through for a basic "hello world" add-on in ___ONE___ page, it will be greatly
appreciated. If there is a date stamp on the page (so readers know if it's
still compatible with newer version of Firefox), that would be the greatest
thing in the world.

Had the documentation been better, I could have turned maybe a dozen ideas
into add-ons which might be useful not just to myself but other users as well.
More useful add-ons are definitely helpful to the Firefox movement.

I am a strong believer of Mozilla's mission ("open web"), will continue to use
Firefox exclusively for web browsing. Plus, Vimperator/Pentadactyl are
indispensable. Writing more add-ons is another way for me to support the
mission.

------
drivingmenuts
There are two bright points to using Firefox: 1) Firebug and 2) it isn't
Chrome.

The first one is a personal preference - Inspector seems weird to me and while
it may have most of the needed functionality, it doesn't feel like it does.

The second is because there isn't any way I know of to have Chrome start in
clean mode (with no bookmarks, etc. from personal use). So, I test and debug
in FF and only use Chrome for news, apps, etc.

~~~
4mnt
> The second is because there isn't any way I know of to have Chrome start in
> clean mode (with no bookmarks, etc. from personal use).

Chrome has user profiles [1], which are even easier to use than what Firefox
uses.

[1]: chrome://settings/createProfile

~~~
DanSmooth
You can also start Chrome with command line options[1], like "\--bswi", which
is the clean slate.

[1]: [http://peter.sh/experiments/chromium-command-line-
switches/#...](http://peter.sh/experiments/chromium-command-line-
switches/#bwsi)

------
charlesism
I'm very pleased to see Omniref write this article, as I wanted to write the
same article myself after my experience porting my extension from Chrome.
Everything they complain about is true - the Firefox Add-on SDK is a pain, and
the approvals process is a pain. The only thing this article leaves out is how
much of a royal pain Mozilla's Add-on documentation is. It doesn't help that
ten years of changes to the extension workflow mean there's a whole lot of
jargon to absorb (Bootstrapped extensions? Jetpack? XUL?). If I release
further updates to my Chrome extension, I'm not sure I'll bother with Firefox.

------
passfree
I have also experienced this sad situation with Firefox. XUL was my biggest
disappointment because mozilla was not willing to invest any time to make it
better. Instead they shipped this monstrosity called addon-sdk. You need
python to develop JS applications? This is stupid.

I would love to see firefox converging with NodeJS but given mozilla's
attitude towards developers lately I seriously doubt that it will ever happen.

Firefox has a very rich history and the technology is fantastic but sadly it
is not made to be easy to the developer.

~~~
anaran
Paul already pointed you to nodejs based jpm, which will fully replace cfx
soon.

Another great thing with the addon-sdk is it works with Firefox for Android as
well (with some limitations).

Does Chrome for Android even have extensions yet?

------
Grue3
You don't even have to submit anything to Mozilla. Firefox is able to sideload
extensions just fine (unlike Chrome). Just make it available for download
straight from your website.

------
cosmeen
Had the same issue and decided to upload it on the main site and just link to
the extension. At least until they approve your extension.

Also, those sidebar images with links are really bugging me. See screenshot:
[http://i.imgur.com/6hbFTqm.png](http://i.imgur.com/6hbFTqm.png) .

Just add the following one-liner to the main stylesheet and to fix it: .meta
img { max-width: 100%; height:auto;}

~~~
timr
Yeah, someone else just pointed that out. Hadn't observed it in any of my
local browsers.

Pushing out a fix now. Thanks for the heads up.

------
sireat
Slightly offtopic, but are there plain fast browsers which only do HTML, CSS
and Javascript no plugins, nothing else?

I believe it was Jamie Zawinski who said that there are plenty of those
browsers, which are fast but do not do anything unlike Netscape which did
everything. However that must have been 15 years ago.

I suppose one could cook up a simple browser just importing webkit, but why
reinvent the wheel?

~~~
strcat
There are countless of WebKit-based browsers like Epiphany (GNOME Web),
Midori, dwb and surf.

------
ArtDev
Firebug. Chrome doesn't have anything as responsive. However, Firebug STILL
does not support source maps. I have been jumping between tools for this
reason alone. Usually, Firefox is my primary browser for dev work.

------
brianbreslin
As someone who has had a semi popular Firefox plugin going on 8 years now, I
agree 100%. We are trying to figure out how to dump our main plugin, but so
far no buyers exist. Maybe I should just sunset it. :-/

~~~
KNoureen
You could always ask here if someone would like to take over the maintenance.

------
reitanqild
Sometimes I try to find the most important extensions on Chrome.

So far I haven't been able to find neither treetabs or scrapbook. I gave
concluded that creating real extensions (not just wrappers etc) is impossible
in chrome.

------
ldng
Left me wondering what could that mean for FirefoxOS apps.

~~~
valarauca1
FireFoxOS apps are basically webpages (not extensions). Completely written in
HTML5/CSS/Javascript. They nearly have nothing to do with this.

You really can't extend the gecko engine on mobile like you can on desktop,
since the gecko engine _is your userland_.

~~~
ianbicking
The critique of the development process doesn't really apply. But the review
process does to a degree – there are high-privilege APIs in Firefox OS that
require review to ensure they are used responsibly. Distributing apps that use
those APIs requires approval.

------
Sarkie
It took me 2 weeks to get to grips with an FF extension.

It took me 2 hours for Chrome and was just easier to debug and did everything
I wanted.

------
JohnDoe365
So it looks like a frustrated developer whines about a fast moving target.
Sorry about that.

