MozillaZine

Webextesions Privacy vs Xul

User Help for Mozilla Firefox
steevz016
 
Posts: 18
Joined: July 5th, 2008, 6:21 pm

Post Posted November 21st, 2020, 8:12 am

Finally getting around to posting these questions.

A. Are webextensions better, the same, or less privacy wise than the old xul extensions?

The reason for asking is from the descriptions that list what permissions a webextension can do.

B. Does the creator of the extension have access to the data that the permissions give?

This would be all the data accessed by the extension that is NOT specifically stated in the description that may be
sent back to the creator or some web site, by choice or not.

jscher2000

User avatar
 
Posts: 11095
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Post Posted November 21st, 2020, 11:40 am

A. XUL extensions had the full run of your system and the web. That was extremely convenient and very dangerous. As one sign of what a minefield it was, Firefox started enforcing a requirement that all extensions be signed by Mozilla starting in Firefox 48. XUL extensions were difficult to write, and could only run in Firefox, so there were fewer people targeting Firefox users back in the day. Now that Firefox can run most extensions written for Chrome (with minor changes), there is more risk of getting a bad one, but it can't do as much damage.

B. If the extension can access data, it often can exfiltrate it to a web address. Mozilla policy definitely requires disclosure of data gathering and probably requires that the user opt-in, but with mostly automated code review, it is difficult to enforce the policy. So you need to consider how important the functionality is to you, and how much you trust the developer based on what you can learn about the extension.

By the way, you can trust the extensions I wrote. I do not want your data! :-)

steevz016
 
Posts: 18
Joined: July 5th, 2008, 6:21 pm

Post Posted November 22nd, 2020, 9:26 am

jscher2000 wrote:A. XUL extensions had the full run of your system and the web.


Thank you for the info. Here is a follow up for you and everybody.

Take NoScript for example. On the addon page it states:

Code: Select all
This add-on needs to:

Access browser tabs
Store unlimited amount of client-side data
Access browser activity during navigation
Access your data for all websites


Is a user to assume that this data is local only and it not sent anywhere? If any of were to be sent out, it "should" be stated in the description?

jscher2000

User avatar
 
Posts: 11095
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Post Posted November 22nd, 2020, 10:22 am

There is not a specific permission for making web connections, whether that is to add an external image to a page, or to post form data to a different website.

Mozilla uses automated code review for most extension updates, but some get manual review on ALL updates. They should have either a "Recommended" or "Verified" badge on the Add-ons site, and you can feel better about the safety of these extensions. https://support.mozilla.org/kb/add-on-badges

morat
 
Posts: 4104
Joined: February 3rd, 2009, 6:29 pm

Post Posted November 22nd, 2020, 10:26 am

Permission request messages for Firefox extensions
http://support.mozilla.org/kb/permissio ... extensions

Return to Firefox Support


Who is online

Users browsing this forum: Bing [Bot] and 9 guests