Basically, the work to adapt NoScript and correspondingly expand the WebExtensions API has been going on for years, the original plan was to have a smooth transition when Firefox 57 came out, but there were some delays in the final days leading up to the release. Not recommended to stay on Firefox 56 because it won't get security patches; move to 52 ESR instead.
As far as I know, yes. Firefox has already decided to transaction away from XUL, so the extensions will break eventually. It's just a question of when the particular APIs your extension relies on get removed.
I upgraded to Firefox 57 only to find all 4 of my extensions missing... I can live without others, but being without NoScript felt like walking on streets naked. So the first thing I did was downgrade to Firefox ESR, then I started looking for alternatives. Turns out that uMatrix fills this role perfectly (for me of course). Not only can I block/allow JS, CSS and similar resources, but I can do it based on domain / 3rd party domain matrix... Nice, I always hated that when I allow `gstatic.com` in NoScript for some domain it is allowed globally (for all domains). I will test uMatrix for a few more days just to see if I feel comfortable without NoScript, then I'll upgrade back to FF 57. It looks like this might have a silver lining after all. :)
(for the record: I hate it that they broke compatibility with older extensions, and I hate that they changed UI, but if that gives FF greater market share, then I'm all for it)
Killing the old extension API is a painful, but important, step.
From a security standpoint, WebExtensions are a lot better, since they are sandboxed and require explicit permissions to be granted for many things.
From a developer standpoint, they are easier to deal with, being JavaScript, and since Chrome and Edge support similar APIs, developers will no longer need multiple codebases to support their extensions on multiple browsers.
They also work better with a highly concurrent browser. They use asynchronous APIs that don't directly call into browser APIs. FFs old extensions were known for leaking memory, which is a lot less of an issue with WebExtensions.
Compatibility is another huge thing. With old Firefox extensions, compatibility was just an extension author saying, "Yep, the APIs still work the way I'm using them." They often broke in subtle ways and you could get them partially working by overriding the versions supported in the extension manifest. Not so great imo. WebExtension APIs are more or less like JavaScript APIs and compatibility is mostly going to be limited by support for capabilities. Like, I'm sure Firefox does not support the USB API that Chrome does.
There's so much to be gained from getting rid of the old extension system for concurrency, extension compatibility, and the health of the ecosystem and individual browser installations. Many will be angry and stick to ESRs and others will be mildly upset but I think in the long run this will have been one of the better Mozilla decisions that make Quantum a success.
> There's so much to be gained from getting rid of the old extension system for concurrency, extension compatibility, and the health of the ecosystem and individual browser installations.
I personally think that while it's clearly great for security and possibly good for Firefox in general, it's also terrible for the extension ecosystem. The set of possible extensions is being reduced from "literally anything computable" to "what the API supports." Sure, (some) popular extensions are basically being grandfathered in by having APIs added just for them, but that doesn't help the extensions that aren't written yet and will now never be written.
Essentially, a major selling point of Firefox has been sacrificed in the hope that the increased security, better perf, and greater development velocity leads to greater marketshare. Well, I hope so, but I think the jury will be out on that for a while.
Other than that, Quantum seems great. I did lose all my tabs when it updated (boo - that's never happened before), and I think the whole-window-width address bar dropdown is bizarre and ugly, but other than that it's great. I suppose the only long-term concern is that default merger of the address bar and search bar - configurable options have a habit of eventually being dropped, and I think a world of omnibars is less usable and less privacy-conscious.
After reading these comments, I basically don't want to upgrade. I've been running Classic Theme Restorer for years to get rid of whatever the latest craze in GUI design is. I like my address bar for addresses and my search bar for searches. I love my tree style tabs. I like having a fair amount of control over my browser.
For a few years now, I've had the feeling that Firefox was actively trying to get rid of me as a user. With every new version, the user is less and less in control. It claims to be privacy-conscious, but runs Google Analytics. It tries to gather data behind my back. It's missing so many switches and toggles that I had to install a Privacy Settings extension simply to make the thing behave.
This is kind of the feeling I have too. I remember firefox in the 2.x and 3.x days when you could do practically anything XUL and XPCOM. I also remember that firefox was dead slow back then. Although I am kind of dissapointed that so much functionality was removed it is inevitable that, in order to get a better and safer browser, some inconveniences are to be expected. I wish there were some kind of middle ground to accomodate power users as well. But Mozilla is not after power users, they can't afford it. It is kind of a shame though.
I also lost my window, but it was in the "recently closed windows" menu, so no big deal. Most of the (all?) changes that you got with Classic Theme Restorer can still be accomplished with userChrome.css. Check this[1] github repo for the quickest way to set it back up the way you like it.
From a usability standpoint, WebExtensions have a lot less control of the browser and some use cases are completely closed off. The Webex version of Tree Style Tabs, for instance, requires you to have a redundant tab bar on top because it's not allowed to hide the main one. Pentadactyl can't have it's sub-buffer anymore. Download managers/scrapers like DownThemAll can't even do their main function anymore. On and on and on.
Part of security is availability - the most secure system is one that is unplugged and unusable. Mozilla has taken the step of putting covers on all the outlets (damn those who want to plug something in), bubble-wrapping all the knives (damn those who want to cut something), and essentially baby proofing the browser (damn those who are adults), making it far less usable in the process.
Firefox was the extensible browser. That was its differentiation. Now it's yet another Chrome clone (hang the technical differences, those are not what I refer to) with an extension system to match, but it's not made by Google, so that's a positive, I guess?
If I sound upset, it's because Mozilla took what was a big part of my daily life, an amazing and infinitely versatile tool that I'd grown with and customized over the years until it was like a comfortable pair of shoes and just completely fucked it in the most thorough way possible. Sure, an extension broke every upgrade or two, but it was survivable. This? This is not.
Okay, it's faster. Neat. Whatever. I didn't use Firefox because of it's blazing speed.
As of this moment, there are no good browsers. There is nothing out there that matches what Firefox was. (And ESR is just prolonging the inevitable).
This is legitimately saddening for me and many others - and no amount of insisting this is better despite the many more important ways its worse will change that. Mozilla's target user at some point stopped being me and started being someone else . I can accept that. What I can't accept is this constant, infuriating, paternalistic posturing that it's for my own good.
I agree that I'm very disappointed with the transition to Web Extensions. In addition to the items you mentioned, Vimium can no longer be used while on a built-in page such as the about: pages or the start page. This is really frustrating since it requires different commands depending on context and leads to breaks in my flow.
I am hopeful that over time we will see an expansion of the current API to include a lot of the functionality that we are currently missing, but Firefox may never achieve the same level of useability that it has had until this point.
You can hide the tab bar manually. Supposedly the plug-in should be able to hide it but they claim there is a bug currently in 57 preventing it from working.
> From a security standpoint, WebExtensions are a lot better, since they are sandboxed
In a sandbox even I, as the owner of the computer, can't let them out of. That's not cool.
> From a developer standpoint, they are easier to deal with, being JavaScript, and since Chrome and Edge support similar APIs, developers will no longer need multiple codebases to support their extensions on multiple browsers.
In the sense that it's no longer possible to do the things one could do with a Firefox codebase.
I own my computer, and my browser; Mozilla have taken away the ability for me to extend my computing environment (without reïmplementing it all myself).
>In a sandbox even I, as the owner of the computer, can't let them out of. That's not cool.
Good software doesn't easily let you shoot yourself in the foot. It turns out if you allow it, people will do it. There exists software that does let you shoot yourself in the foot, but Firefox is designed for the mass market, not a specific niche. It's the only serious competitor to Chrome.
NPAPI is also gone. Not behind a flag, the code to support it is gone. It was broken, and so was the old extension API. It's about time for the majority of users to move on.
>In the sense that it's no longer possible to do the things one could do with a Firefox codebase.
This doesn't make any sense. You can do the same things you could do with the Firefox codebase before: download it, modify it, redistribute it. The runtime is what you're thinking of, and you were never guaranteed any abilities with regards to the runtime; you just got used to them, then they changed. This happened a few times with Firefox before, so it's not really clear how this update is much different.
>I own my computer, and my browser; Mozilla have taken away the ability for me to extend my computing environment (without reïmplementing it all myself).
Firefox is not your "computing environment." You're free to remove Firefox from your computing environment, or use an ESR release of Firefox and still get security updates with your old extensions, or use a fork of Firefox, of which there are a few to choose from.
Even so, it's depressing that every time a breaking change happens, even one like this that's 2 years in the making, the same responses happen: weird arguments about entitlement and a lot of looking toward the past.
Why not look toward the future? If you relied on an extension and now it's not possible with WebExtensions, it would help a lot of people out if bugs were filed and features were requested to bridge the gap. It's clear that there's overwhelming reasons to continue down the WebExtensions path, and whether people like it or not it's definitely going to be the only option in the browser you use in a few short years. So it's in our best interests to push for WebExtensions to meet the needs of extensions rather than make pointless arguments for decisions that were made a long time ago and have no chance of being reverted.
> In a sandbox even I, as the owner of the computer, can't let them out of. That's not cool.
Yes you can. Extensions can talk to processes running on your machine; meaning you can run a daemon that acts as a backend for your extension. It's how KeePassHttp-Connector works, for example.
> In a sandbox even I, as the owner of the computer, can't let them out of. That's not cool.
If you want unsandboxed extensions, you can install Nightly or Dev Edition and flip the extensions.legacy.preference. The basic problem with providing a simpler escape hatch on release Firefox is that if you compare the number of users who are equipped to make an informed choice about allowing extension X arbitrary access to browser internals versus the number of users who will be tricked into letting malware do terrible things, the second number is multiple orders of magnitude larger than the first. I understand why folks are unsatisfied with the "use Nightly or Dev Edition with the preference flipped" solution but I am certain that it is the least bad option.
Yeah, when I saw the title and that the link was to the noscript site, I thought there must be some bad blood or something between Mozilla and noscript. Instead it’s just a polite “hey everyone, working hard!”. Which is great, but not really what the title indicates.
I thought about making the title something like that, but I didn't want it to seem as if the author should be maligned for not having it finished yet and I felt that it would have that connotation. I thought the title as written would be more neutral in that respect.
I personally consider NoScript an absolute must for security reasons, so I am not updating most of my machines until it is available. I thought that would be newsworthy for other people who have a similar mindset.
uMatrix is a replacement extension from the creator, and compatible with, uBlock. uMatrix migrated to Quantum leveraging the existing Chrome codebase already about a month ago: https://github.com/gorhill/uMatrix
Some learning curve is required compared to NoScript since uMatrix allows even finer grained control (not just scripts, but images, cookies, iframes and XHR as well), but I personally migrated about a year ago successfully. Very happy with uMatrix so far with the latest Firefox.
> uMatrix is a replacement extension from the creator, and compatible with, uBlock.
To avoid any confusion, I think the parent means, 'from the creator of ... uBlock'. uMatrix is not by the creator of NoScript.
Also, blocking just JavaScript is quicker and easier in uMatrix (at least easier than the current NoScript; I don't know about the upcoming version). The UI is far more efficient, and you configure it by origin/remote pairs (e.g., on foo.example.com allow googleapis.com; on other example.com hosts, block it; on example.org allow it everywhere).
But NoScript does far more than block JavaScript; it's a sophisticated firewall, in some ways. Look through the options menus and lookup the features, such as ABE; it's impressive. uMatrix doesn't replace much of that functionality.
For me personally, #1 reason for using NoScript was controlling which domains can execute JS. uMatrix delivers that superbly, and more.
Sadly, ever since NoScript started pushing malware[1] to users with every update, I lost all confidence with the author for securing my browsing experience.
The plugin breakage is the only downside of the new Firefox, the rest is just awesome.
I'm still looking for a new auto form filler that can have multiple profiles and fills in all fields at once with a hotkey. This is useful for filling in bugzilla bug reports where some fields always get the same data.
Yes for awesome, and the new Web Extension API which now breaks things will make cross-browser browser extension development possible (as far as I have read!). I can very well live in default-land for a couple of weeks for that.
Also, this extension-breakage taking place right now seems to be mostly the extension developers' fault, since they've known well in advance that this is coming. (Not judging, just saying -- many/most extensions are probably hobby projects, and porting them appears to take a non-trivial effort.)
EDIT: removed a word from a wrong place :) Definitely not a spelling mistake, not wording either, hmm, what should I write here.
I have a small extension (~100 users) that I forgot to upgrade until 57 landed and broke it. I hastily threw together a WebExt version and pushed on Wednesday night, but forgot to set the strict_min_version flag correctly (which was, unfortunately, Firefox 57).
The new version worked fine for people on 57, but for anyone that was on ESR or a slightly out-of-date version of firefox and updated they got a broken WebExtension that I couldn't push another update to to fix it - Firefox doesn't let you "downgrade" from a WebExtension to a native extension. Thankfully a user emailed me about it and I had it fixed in less than 48 hours, but it was still a mess. All I could do was add a note to the addon description and disable the bad versions and anyone that got broke had to manually downgrade.
The new Webextensions are nice, but it was definitely easy to shoot yourself in the foot with the transition. I know that NoScript also needs the same API that I was using (the ability to inspect response bodies), FWIW.
"The only downside"
Sure. Aside from the number of other extensions that simply won't work in new Firefox. And the lack of any user control to make the browser not work like or look like Chrome.
And the fact that today was the first time I have seen Firefox crash after 3+ years of heavy everyday usage. Luckily I didn't "upgrade" Firefox on my main machine. I'm staying away from 57 until they get it together.
> And the lack of any user control to make the browser not work like or look like Chrome.
How is that? The omnibox is toggle-able. The entire browser UI is drag-n-drop customizable. I literally don't know of a single thing that is less customizable in 57 than 56, but I'm curious to hear more about what you're referring to?
And downvoted for asking someone to explain their handwaving false criticisms. Hope this place never changes.
Can do that with Lastpass fwiw, but being as it's not a primary feature it's probably a bit clunkier than a dedicated tool. Mostly intended for filling in mailing addresses.
I've always used YesScript, it has a much simpler UI -> basically a single button which remembers if JS is on/off for a given site. It's always been puzzling to me why YesScript is less popular... And yes, it's available for the latest FF as YesScript2 [1]
"YesScript" is significantly less secure and powerful.
Most importantly, with NoScript I can block tracking and ad-related javascript while still running the page's first-party javascript.
With yesscript, I don't get that granularity.
Perhaps that's why it's less popular. I also believe that it came out later and thus hasn't had the time to gather such a following as noscript has (though who would use a worse version of noscript instead?)
Hi, I'm the developer of YesScript2 and I've just released a new version with 3 state blocking that makes it even better alternative I believe because you have 3 options: 1) no blocking (grey icon) 2) half blocking (allowing internal scripts and blocking external, blue icon, so you can allow now first-party Javascript as you mentioned) and full blocking (blocking internal and external scripts too, red icon).
While I can understand that the switch to the new system was necessary, I hope they improve the new extension functionality a bit further.
One negative thing that I noticed that extensions don't seem to be able to interact with the tabs before those have largely (or completely?) loaded - for instance I can't use mouse gestures in a tab that's currently loading or interact with the vimperator replacement (Vim Vixen). Is that inherent to the new system with the extension system having lower priority than the page rendering or is it just those specific extensions I use?
Another thing that would be nice to fix is extensions (at least those that I have tested) seemingly not working in Firefox-internal pages like about:addons.
Anyone know if xmarks is going to end up working with it? It works in Chrome and has for a long time, so it should be pretty straightforward to port, though xmarks doesn't get a lot of development at all (not even sure it needs it).
If not is there an alternative sync bookmarks between chrome and firefox solution anyone can recommend?
BTW, is anyone here knowledgeable enough about NoScript's development to know whether their "until the end of this week" prediction is solid or if it is more vague like ValveTime?
I've used NoScript for quite a while, and was sad to let it go when I switched to Quantum in Beta a while back.
I tried using uMatrix, which is from the same folks that made uBlock Origin, and I have to say I'm supperr happy with it. It applies the same heuristics that I usually apply manually (namely, allow 1st-party scripts automatically, allow 3rd-party manually as required).
I'm going to install NoScript when the WebExt version comes out, mainly for the excellent XSS/Canvas/misc. support. It remains to be seen which I'll use for blocking scripts, but I'm glad to have options.
I use also UBlock Origin and there is really clear difference. With NoScript you can Browse most of the Sites without Javascript-Gimmicks like Parallax-News-Scrolling (for example Bloomberg) or On-Site-Embeded-Advertisemet (no JS no Ads). UBlock is nice but without NoScript it is not good enough for my personal taste.
I use UBlock on mobile hardware where I want more aggressive filtering and Ghostery on the desktop. Both work in FF 57. I used NoScript in Chrome for many years and for a long time it worked very well, but the web evolved and I found myself forever wading through blocked scripts and unblocking or disabling NoScript altogether to get sites to function properly.
The utility of the long tail of Firefox plugins was what gave it its value. I've been using a hybrid of Pale Moon and Firefox since the last round of losing plugins and now don't see a reason to keep Firefox at all.
While I definitely see where you’re coming from, I certainly prefer building for better peformance as opposed to supporting everything forever. Analogous to Windows, supporting all the old things gave them a strong edge in their business, but they also paid a very hefty price on it (performance issues, security loopholes, BSODs to name a few).
In one sentence, the move to more aggressive multithreading and sandboxing. The old extension model conflicts with the boundaries that had to be established for both these things.
Part of the breakage is precisely due to the explicit intention to drop all the legacy APIs and the respective shims that have become too much of a burden to maintain over time.
One major technical change would be the deprecation plan of XUL/XBL (the toolkit used to build the interface, which could be freely accessed by addons) in favor of a wholly HTML future.
AFAIK, the old add-ons could interface with Firefox in any way they wanted; they had carte blanche. You can imagine the dependency hell and security risks; it's not desirable to duplicate that.
> You can imagine the dependency hell and security risks; it's not desirable to duplicate that.
I really disagree with the 'security risk' angle: it's my browser, and I've chosen to install the extension. That extension executes with my authority. Crippling what extensions can do because one doesn't trust me to run software on my machine is just crazy.
It's not crazy, it's what you do when you make software that's intended for lay users and is a big target for criminal activity. Us "power users" are not the people that are the primary concern.
That did used to be Firefox - Firefox became so popular because it strongly appealed to power users, who then evangelized it to friends and family.
Over the years, Mozilla has increasingly targeted the mass market. That's well and good, though I don't know how they can compete with being the default browser (Safari, IE, Edge, Chrome) or with massive advertising and heavy pushing on Google's homepage or in auto-installers like Chrome, no matter how good they make the browser. But what happens to power users now?
Brave Browser has "Shield" mechanism where you can block ads/trackers and JS. It's built-in feature, you can set it up to be enabled by default or per-domain.
"A few days" is an understatement. Extension developers have known for months that these changes would break. If they hadn't created compatible versions by now, they certainly won't be able to do some in just a couple of days.
People stuck with Firefox because of the old, potent, extension framework.
Now they have no reason to stick with Firefox because the extension framework is just another Chrome clone, so why not switch to an actual Chrome clone?
Seems like it is available, just in the old extension format.
From the noscript site:
> Please be patient: if you feel naked while you're waiting for the "brand new" NoScript, you can still use the "regular" NoScript 5.x (and all the other extensions of yours) on Firefox 52 ESR, which will receive security updates until June 2018. See you soon!
Edit: my statement is incorrect, the noscript page refers to the ESR version of firefox.
> authors suggest to use ESR, which is Extended Support Release, not the latest firefox.
Latest Firefox is 57.0 "Quantum", for which it's not available, as in the title.
I feel the way addons were handled in the upgrade was wrong, most of mine were just removed rather than being listed and marked as "incompatible". That seems wrong to me.
https://hackademix.net/2017/11/14/double-noscript/
Basically, the work to adapt NoScript and correspondingly expand the WebExtensions API has been going on for years, the original plan was to have a smooth transition when Firefox 57 came out, but there were some delays in the final days leading up to the release. Not recommended to stay on Firefox 56 because it won't get security patches; move to 52 ESR instead.