Apparently they're luring everyone into accepting this abomination by starting with an empty list, but what in the world is the motivation for this feature, and which domains do they intend to add??? "We don't know, we just thought it would be a good idea" is no explanation or justification.
People are going to talk about "security" and "banking", but that's a load of crap. Just wait until your bank disables password autofill and paste on their site, and no extension can override it.
I have no problem with letting the user control the domains that an extension can access, but giving Mozilla remote control? No way.
> We need to have ability to set the list of quarantined domains remotely. [...] Filing as confidential for now, until we ship the system addon.
A few questions:
* Why would this be confidential? Was it compelled? Is it tied to a commercial deal?
* If you ship a facility like this, does that lower the bar to being ordered to use it? (No excuse that it would be difficult/time-consuming/expensive to do, because it's already there, and the list can be updated easily?)
* Can changes to this list be done quietly, or with less scrutiny than code changes? And by whom?
* Can this be used in a way that targets individual people?
It's actually ok for you to feel that way! It's also ok for Mozilla to do this, because Mozilla aims to use this to protect users! The internet is already a yard full of rakes for folks, I appreciate things that make it easier for users to protect themselves online.
Yes, the feature can be abused, but frankly, at least Firefox is an open source project, and there are methods that can be used to disable this feature, up to and including using or creating a new Firefox fork.
Nah, it was meant as preachy, but not necessarily condescending.
It's absolutely important to challenge Mozilla and other open source projects, especially in this era of enshittification[1]; Mozilla and Firefox operate in a position of trust on behalf of their users.
That said, the parent post positioned this as an abomination of a feature, but acknowledged it makes sense as a user feature. The ability to disable add-ons by domain is a great feature for user control, but it's functionally useless on it's own as a mechanism to protect users.
In order for that feature to actually protect users, you need a mechanism to turn it on and off remotely so that if a new threat is identified (or there is a serious regression in Firefox that makes specific extensions higher risk), that users don't need to act to do the right thing.
This isn't a meaningful loss of user control, and I already said elsewhere that Mozilla should have communicated more about this new feature, but ultimately it's the right kind of feature.
Browser extensions have been an unmitigated security train wreck. Not a single person is actually auditing the source code of every extension they use before installation and before each update. And if you are, you should have no issues recompiling firefox without this change.
Moreover, even if your claim were true, which it's not, then this new Firefox feature wouldn't actually do much, because it only disables extensions on a select list of sites, currently empty.
Given you can just go override Firefox and enable disabled extensions, I'm not sure I understand the outrage. Then again, Mozilla does seem to attract a remarkable level of vitriol despite being one of the true stewards of an open internet...
> Given you can just go override Firefox and enable disabled extensions
No, _you_ can just go override Firefox and enable disabled extensions. The average user can not do that.
_I_ can bore out a V-8 0.030 over, choose a proper cam, match all my bearing clearances, assemble the thing balanced, and then tune 30% more power out of it than it came with from the factory. But not all automobile drivers can do that.
I'm gonna wager by far the majority of people who will actually get affected or outraged by this have the technical wherewithal to click a little gear icon and re-enable an extension.
Everyone else is running maybe uBlock and a privacy extension that their kid installed for them, and those will be whitelisted.
This is a tempest in a teapot, just like every other "controversy" that Firefox finds themselves embroiled in.
> I'm gonna wager by far the majority of people who will actually get affected
We have no idea who will be affected, because Mozilla hasn't specified their plans for this "feature".
> Everyone else is running maybe uBlock and a privacy extension that their kid installed for them, and those will be whitelisted.
I'm an extension developer myself. I'm not ok with a world where a tiny number of lucky extensions get whitelisted, while my extension and everyone else's extensions get silently, remotely disabled by Firefox.
They literally wrote a blog post about how they're going to use this feature. In what way have they not "specified their plans"?
> I'm an extension developer myself. I'm not ok with a world where a tiny number of lucky extensions get whitelisted, while my extension and everyone else's extensions get silently, remotely disabled by Firefox
Ah, now I see the real concern.
Honestly, I'm not that sympathetic. Extensions have always been a potential security liability and anything that protects less savvy users when accessing online banking or other sensitive services is a good thing.
Heavy extension use is the hallmark of a power user. Power users can configure Firefox to enable these extensions (Mozilla has specifically said they plan to deliver more user controls in 116), so I personally don't see the problem.
Cool, so two examples, both more than five years old, one of which--the now eight-year-old Pocket integration--has in the long run been a complete non-event.
(I'll grant you that Mr. Robot thing six years ago was pretty damn stupid, though)
You'll forgive me if I don't find myself moved to outrage.
They also artificially shut down the apparently fully functional extension ecosystem on Android for no given reason, despite repeatedly stating that they would not do so. There still is one purposefully complicated workaround to use all store extensions, so we know it's about power, not compatibility. The crucial ability to use non-store extensions was entirely axed during that transition, also no reason given. This is how they were able to ice out anti paywall extensions recently.
Mozilla management has a history of consistently steering Firefox towards being less and less of a user agent.
This is why I think that if you trust Mozilla as a steward of the Firefox browser, you have not spent much time following their behavior.
I’m not trying to “move you to outrage”. I’m not the person you asked nor a Firefox user, I have no stake on what you think about Mozilla. But you did ask what Mozilla has pulled that would get someone to distrust them.
Perhaps you trust Mozilla to the end of the world, but for some people all it takes is one particularly bad incident to completely lose faith. You have your own threshold, other people have theirs.
Just like you probably dismissed the significance of banning unsigned addons until Mozilla forgot to update the certs and we had that worldwide extension outage?
The margin between users who can't figure out how to re-enable the extension, and users who would have imagined the existence of a password-paste-enabling-on-bank-site extension and then sought out and installed it in the first place, has to be vanishingly small. I bet we are talking about tens of people worldwide.
If you actually read the linked bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=1745823) they talk about making the list user configurable. I actually agree that having a per extension list for disabling on some websites would be nice (some websites break with extensions, e.g. I use tridactyl for Vim like Navigation, but if I work on e.g. Overleaf things get into the way of each other and so I turn it off via mode ignore)
> they talk about making the list user configurable.
As I said, "I have no problem with letting the user control the domains that an extension can access". Indeed, Safari already has this feature.
Funny how Mozilla implemented the remote kill switch before they implemented the user control, though. Also, AFAIK neither Safari nor Chrome has a remote domain list kill switch, so it's unclear what "security" problem it's supposed to solve.
AFAIK, Safari and Chrome extensions are far less powerful than Firefox extensions, so it makes sense that they would be less worried about malicious ones.
How are Chrome extensions less powerful than Firefox extensions?
Also, Safari extensions are perfectly capable of reading and stealing your password on banking websites, which is what everyone seems to be concerned about. In fact, there's a warning about that in the Safari extensions user interface: "Can read sensitive information from webpages, including passwords, phone numbers, and credit cards."
>If one or more extensions installed in your web browser have been blocked by this new feature and you want to use those extensions, you can disable the new feature and re-enable those disabled extensions in Firefox.
> Just wait until your bank disables password autofill and paste on their site, and no extension can override it
that would be a fantastic day because autofill based on html/js hackery by extensions is one of the biggest security risks there is. It's why Extensions like Bitwarden caution you to have autofill turned on. Tavis Ormandy (security researcher) demonstrated this last year in a blog post
This feature stems from an attempt at disallowing extensions with have rights to all websites on certain websites[1]. Version 116 will have an UI for users to control this.[2]
Preventing the random extension I installed from hijacking my bank login page is good! Giving Mozilla the ability to disable my adblocker or NoScript on an arbitrary domain list that they can update remotely is scary!
A blog post with Mozilla's plans for the feature, what they're implementing to limit abuse on Mozilla's side, and how users can opt out would make this a non-issue. It's nuts that the mozilla bug tracker is the best source for laypeople to get info on this.
> Preventing the random extension I installed from hijacking my bank login page is good! Giving Mozilla the ability to disable my adblocker or NoScript on an arbitrary domain list that they can update remotely is scary!
So the ability for the web browser to arbitrarily add and remove features from the browser is scary? Just asking because there is a massive security trade-off and the intersection of a number of threat models in this comment.
Do you trust the platform you use to download and execute arbitrary code (that is, web content) to automatically update itself?
If not, how do you balance the lack of automated updates against the need to keep software up to date to prevent exploit of known vulnerabilities?
If so, how do you distinguish the ability to download and execute new code that could remove or suppress the features you choose from the ability to enable and disable add-ons/extensions?
There could have been better communication on this, but describing the feature as scary tells me you don't really understand the threat model around your use of a web browser, and may not be asking the right questions or considering the actual threats.
I think we can all agree that restricting uBlock from working on YouTube probably isn't going to happen, and you might want some restrictions on addons accessing all data on a banking website.
But where did they draw the line? Is someone still allowed to publish an addon which fixes the interface of an absolutely broken banking website, or which allows you to liberate your own data? Will that only be allowed through vetting? What about things like Dark Mode addons which have access to all websites? Is it possible to explicitly request to be included in the allowlist?
I am not against it on principle, but we're missing a loooot of information right now to decide whether this is actually a good thing.
Looks like there will be a UI to control this 116, and the block list is empty in 115.
I’m pretty stoked for this. Every time I install an extension I wonder what’s going to happen to my banking info if an update ever gets hijacked. This is a much better solution than turning all my extensions off and on when I visit financial websites.
> Every time I install an extension I wonder what’s going to happen to my banking info if an update ever gets hijacked. This is a much better solution than turning all my extensions off and on when I visit financial websites.
Extensions already contain a whitelist of what domains they are allowed to interact with. It's shown when you first install the extension and at any time you can see it later by looking at the extension in the settings.
And a better version of this feature would involve a UI where you can select which extensions can access which pages, like Safari (and Orion, which is based on WebKit) does.
Because by then it will be too late, letting the enemy take ground before mounting a defense is completely foolish. Maybe you're lacking some context so I'll clue you in: Mozilla already burned all their trust. This incident isn't occurring in a vacuum.
And why did they mark this matter as employee confidential, if they're not plotting something shady?
Mozilla could at any time release a new version that does the nefarious things you're concerned about, and they could do it in a much more secretive way. The way they've approached this is consistent with their stated goals for this feature. I don't consider Mozilla to be the "enemy" and I have no idea what you mean by them burning their trust, but if you distrust them, I'd advise not using their software.
I’d be 100% on-board if they changed this from a list of URL’s they define to a list I define. Web extensions sound great until you realize how much power you’re handing to arbitrary code once you allow it reading and writing to the DOM. They can forward anything to anywhere, sandboxing goes out the window
> you might want some restrictions on addons accessing all data on a banking website
I might want to be control of that myself rather than having Mozilla trying to index all banking websites in the world and not being able to use accessibility tools on those they found
If an extension that fixed an online banking website (non malicious and bug-free) got popular enough for them to notice, I'd expect some hamfisted effort on the bank's part to stop you using it. Probably taking out many other extensions/browsers with it.
> If you are aware of the associated risk and still wish to allow the add-ons that have been disallowed on a website by Mozilla, you can do it from the configuration editor (about:config)
The "quarantined domains" are the contents of extensions.quarantinedDomains.list, which defaults to empty. So, this has to be some sort of enterprise feature.
With the exception of addressing critical security issues, why does an organization who positions themselves as a leader of open source software make so many user-unfriendly decisions behind closed doors?
The reverse of this would be even more useful to me, i.e. a list where the extension _is_ allowed. So many developers hit the "ALL THE THINGS" button out of laziness.
It does, and lists it again when you install the extension :) What I was getting at was that there are so many developers that just put in "*" out of laziness, when their extension might need access to only a handful of domains, or even just one.
Safari actually handles this pretty well. By default you will be prompted per-site which domain you want the extension to run on, or you can set your allow or deny all except your whitelist.
If I install a ceiling fan for someone with multiple speeds, forward/reverse, and a dimmable light but I take the remote with me and leave just a basic on/off switch that's still taking away control.
Give me full control of all features or I go elsewhere.
If you install a fancy ceiling fan for someone and the remote is on backorder, and you're going to bring it to them next week, I don't think you've done them any major disservice.
That's what's happening here. A feature for which the UX is still in development, and until then, interested users can manage it via the about:config page.
They started disabling extensions installed by user on some websites without clear explanation why and when it will happen and intentionally hided settings to disable this functionality.
Should I read their own post again?
Why not ask user first? "Do you want to disable add-on not monitored by Mozilla on this specific site?".
Also, how many times users asks about this functionality? "I want Mozilla to monitor add-ons installed on my browser and disable it on some websites, when Mozilly want it" - surelly most of the users wants this.
I searched a bit through the documentation and code, and these were my findings. I thought I'd share them for others that are interested and for future reference.
EDIT: Seems like there are many settings that already get automatically set via AMRemoteSettings (including search-engine configs, cert revocations, dns over https providers, password rules for specific domains, top-sites, URL tracking parameters to clean, etc.). We will see how this new setting will be used, it can be easily disabled (https://support.mozilla.org/en-US/kb/quarantined-domains) and you will get a warning if an Add-On is blocked from accessing the site. Also seems like there will be a UI for this in v116 (https://bugzilla.mozilla.org/show_bug.cgi?id=1837670), where you can configure this better than just disabling this feature completely.
On 115.0b9 on macOS the list is empty (`extensions.quarantinedDomains.list`), guessing it's intended to be set by school/company IT for their managed devices
I believe the list will be configurable, it might be empty by default. Looking at the inter-bug linkage, this feature seems built for IT departments to blanket-ban extensions from domains that the company deems sensitive.
That purpose doesn't really make sense for me. Any IT department that wants to shut down unverified code on their intranet sites will just disable add-ons completely. I mean, it's a noble idea, to allow users to install their own preferred add-ons while still blocking them on intranet sites, but for IT it's much easier to just lock it down completely.
I think the feature's simply not finished yet, and that in the future this list is going to come pre-loaded with government and banking domains.
I understand the paranoia but that scenario would make no sense, as long as about:config is accessible - which it will always be, for any FF user except managed-IT ones.
Oh, I'm not saying that it's some sort of plot to force us to disable our extensions or anything. I'm saying it's going to be a feature aimed at out-of-the-box security, which advanced users are free to tinker with as they wish. The reality is unfortunately that many less-advanced users are much more likely to install random unvetted add-ons, and sane defaults for that list (pre-loading it with gov and bank domains) will prevent hostile add-ons from doing serious damage.
It's probably for "managed firefox", which is when your IT department sets firefox as the default browser. It lets them, for example, disable adblock on the internal company portal
That would make perfect sense, but to be clear the primary motivation wouldn't be to specifically disable adblockers on the internal network. Rather, it would be to disable any extension on internal company domains, as an information security precaution.
uBlock Origin is specifically one of the whitelisted extensions, and you can disable this feature by setting extensions.quarantinedDomains.enabled to false (in about:config)
Yeah, the average user will figure that out. It's still defined as a win for advertisers because not every users will know to do this and also when this happens... They'll be able to post record profits on quarterly earnings.
Apparently they're luring everyone into accepting this abomination by starting with an empty list, but what in the world is the motivation for this feature, and which domains do they intend to add??? "We don't know, we just thought it would be a good idea" is no explanation or justification.
People are going to talk about "security" and "banking", but that's a load of crap. Just wait until your bank disables password autofill and paste on their site, and no extension can override it.
I have no problem with letting the user control the domains that an extension can access, but giving Mozilla remote control? No way.