MozillaZine

Advantages of WebExtensions

Discussion of general topics about Mozilla Firefox
Frank Lion

 
Posts: 20106
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted August 17th, 2018, 1:04 pm

I recall, a couple of years back, Mozilla droning on at the 'legacy' extension/theme devs about their exciting new plans for webextensions - https://blog.mozilla.org/addons/2016/03 ... evelopers/

Some Mozilla toady wrote:More Secure Extensions

Because (legacy) extensions built with the Add-on SDK can request XPCOM privileges, they could still introduce unintentional security and stability issues into Firefox. Even add-ons written by well-meaning developers can accidentally introduce vulnerabilities that could allow malicious code to execute with the full privileges of the browser. WebExtensions uses its manifest.json to mitigate this by requiring add-on authors to declare up front which permissions their code will need to operate. Unlike the Add-on SDK, WebExtensions does not allow arbitrary XUL/XPCOM access, so even insecure/vulnerable code is limited to its whitelisted subset of functionality. This vastly reduces the vulnerability surface of a WebExtension, leading to faster review times and a more stable browser.


We pointed out, at the time, that not only was Chrome's webextension store like the Wild West, but that many app devs there do not have the Open Source ethics of legacy devs.

You see, for over 12 years Firefox extensions and themes were written, primarily, by Open Source devs, who not only wrote safe stuff for users, but were also reviewing other people's stuff on AMO. It was also legacy devs who were reporting extensions that were felt to have in some way slipped through the net. Some may recall how we unleashed fire and brimstone onto Mozilla's head for allowing a huge bunch of unscrupulous toolbars?

Obviously, all of this fell on deaf ears with Mozilla, who knew better.

Which brings us up to today - http://www.dailymail.co.uk/sciencetech/ ... users.html

https://www.ghacks.net/2018/08/17/mozil ... xtensions/

As you all know, only Firefox is allowed to snoop on Firefox users (some may recall my thoughts on the 'telemetry' gathered) - https://www.ghacks.net/2018/08/07/firef ... -browsing/

Well done, Mozilla, no one ever saw that one coming. :P

Now, at this point, I was going to post the 'Smug Mrs Doyle Face' gif, but after searching for it, to be honest, I found this much more amusing. So here it is instead - https://www.youtube.com/watch?v=ogrfAgbIfFo
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
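The manifest.json permission model described in the passage quoted in the post above, as an added example that is not part of the thread and is not Mozilla's code: a small audit that lists the declared permissions and match patterns which, on their own, let a WebExtension see where the user browses. The permission names are real manifest.json values; both sample manifests and the `api.weather.example` host are constructed.

```javascript
// Added example. Permission names are real manifest.json values;
// both sample manifests below are constructed for illustration.
const API_PERMS = new Map([
  ["tabs", "reads the URL and title of every open tab"],
  ["history", "reads stored browsing history"],
  ["webNavigation", "observes every navigation and its URL"],
  ["webRequest", "observes requests to every host it is granted"],
]);
// Match patterns that cover every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Return the declared entries that let an extension see where the user browses.
function auditManifest(manifest) {
  const findings = [];
  for (const key of ["permissions", "optional_permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p !== "string") continue;
      if (BROAD_HOSTS.has(p)) {
        findings.push({ where: key, value: p, why: "host access to all sites" });
      } else if (API_PERMS.has(p)) {
        findings.push({ where: key, value: p, why: API_PERMS.get(p) });
      }
    }
  }
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (BROAD_HOSTS.has(pattern)) {
        findings.push({ where: "content_scripts", value: pattern, why: "script injected into every page" });
      }
    }
  }
  return findings;
}

// Constructed manifest: a "weather" add-on asking for far more than it needs.
const SAMPLE_BROAD = {
  manifest_version: 2, name: "Sample Weather", version: "1.0",
  permissions: ["storage", "tabs", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
// Constructed manifest: the same add-on limited to its own (hypothetical) API host.
const SAMPLE_NARROW = {
  manifest_version: 2, name: "Sample Weather", version: "1.0",
  permissions: ["storage", "https://api.weather.example/*"],
};

for (const f of auditManifest(SAMPLE_BROAD)) console.log(`${f.where}: ${f.value} (${f.why})`);
console.log("narrow manifest findings:", auditManifest(SAMPLE_NARROW).length);
```

Everything the audit reports is something the manifest model permits once declared, so the list bounds what an add-on can reach but says nothing about what its code does with that reach.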

Brummelchen
 
Posts: 3899
Joined: March 19th, 2005, 10:51 am

Post Posted August 17th, 2018, 1:54 pm

I don't like Brinkmann and his articles on ghacks. Only a little informational and scratching the surface, and forums can fix the culprits. It's like German Computerbild.

Extension system was never secure, but they try. A short list:
https://www.camp-firefox.de/forum/viewt ... 4&t=125831

Usage of webextensions is a quest without experience.

mightyglydd

 
Posts: 9271
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted August 17th, 2018, 2:11 pm

Brummelchen wrote:I don't like Brinkmann and his articles on ghacks.

Hmm I wonder why. :-k

#KeepFightingMichael

frg
 
Posts: 657
Joined: December 15th, 2015, 1:20 pm

Post Posted August 17th, 2018, 2:31 pm

The only secure system is an unusable one. Firefox is working on this :)

If Martin Brinkmann is Computerbild then camp firefox is probably toilet paper but to each his own.

I think porting the web extension API was a good idea for interoperability. Killing classic extensions with no suitable replacement was a bad one. Same for themes. How the API was implemented is also an unclean mess.

Looking now at the amount of proprietary stuff like nodejs and Rust going into Firefox this will end in Firefox being an endless Firefox construction camp. It won't help security in the long run. Too many different coding styles and libraries each having its own security problems. No more standards for coding ui and other stuff forcing everyone to reinvent the wheel. Toss in webrender where they will find out just how bad slightly older graphics drivers are and it will become interesting.

therube

 
Posts: 19201
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted August 17th, 2018, 4:34 pm

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

mightyglydd

 
Posts: 9271
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted August 17th, 2018, 4:39 pm

Frank Lion wrote: Some may recall how we unleashed fire and brimstone onto Mozilla's head for allowing a huge bunch of unscrupulous toolbars?

I reckon that was the beginning of their systematic withdrawal to behind the cone of silence. We do not tolerate dissent.
@ I see they're lawyering up, https://blog.mozilla.org/blog/2018/08/1 ... ign=buffer I wonder why. Heh..

Time for some Bodizzle themes I reckon....... :P
#KeepFightingMichael

Brummelchen
 
Posts: 3899
Joined: March 19th, 2005, 10:51 am

Post Posted August 18th, 2018, 1:56 am

Therube - news like this is a running fire, but it won't raise importance that way, general copy and paste.

Ghacks, kuketz (was linked) - kuketz is just another bs blog... News portals with a technical background. Ghacks is spreading information but doesn't care about consequences. Computerbild closes forums because they don't earn money but spreads its silly tips where forums like mz or camp can try to fix the issues. And there is a big difference between ghacks, cb and camp. There are news at camp but no bs tips.

Concerning Mozilla and security - some keep an eye on it. Nevertheless Mozilla is THE browser supplier which is obeying privacy more than others.

One of their latest joiners
http://cyberlaw.stanford.edu/about/peop ... hall-erwin

Frank Lion

 
Posts: 20106
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted August 18th, 2018, 4:43 am

Brummelchen wrote:I don't like Brinkmann and his articles on ghacks. Only little informational and scra

Irrelevant, I could have used one of a dozen links. Information, providing it is accurate and complete, is neither bolstered nor diminished by where it is reported. The important part is the information itself. I would have thought that last part was pretty self-evident.

Brummelchen wrote:Concerning mozilla and security - some keep an eye on it. Nevertheless mozilla is THE browser supplier which is obeying privacy more than other.

The definition of best is not the least worst of the worst.

Telemetry, data-mining and 'phoning home' have no place even being in the same sentence as the word privacy. You want user privacy then don't collect user data, it really is that simple. Anything else is a con job.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

Brummelchen
 
Posts: 3899
Joined: March 19th, 2005, 10:51 am

Post Posted August 18th, 2018, 8:22 am

It's called "telemetry" when user data is collected, whatever this would mean. Since ages - and none complained, why now?
I can accept it for Firefox more than on Windows 10 or 8 or 7 - all do. But I refuse to any of those 4. Not because I don't like it, because I can do^^
I can't do this for Chromium, there don't exist similar switches. (Currently my UA is Chromium.)

Frank Lion wrote:I could have used one of a dozen link

Ofc, spreading news. Bleeping one day ahead than ghacks.

Frank Lion wrote:I would have thought that last part was pretty self-evident.

Your or his conclusion?

Frank Lion wrote:Well done, Mozilla, no one ever saw that one coming.

It should have come, sooner or later. This is what Wu discovered:

"All of these extensions used subtle code obfuscation"

From my view - I knew that. And I avoid extensions with crypted or obfuscated code, although it's possible to decrypt it immediately. Any of such code has only one goal - to hide suspicious behavior.

I watched webextensions when starting usage of Quantum here. I see crap growing, especially those illegal film download offers or online gambling/casino. Or copies of known extensions with some added code. This automatic code review and release is definitely no fortune although I appreciated it for getting my own private builds signed.

I could complain about Mozilla but there is nothing for me to complain. But the next point would be the integration of default system extensions into omni.ja. I think Mozilla has found out that some people deactivate those and want to prevent a) for purpose b) maybe for security reason, I am still not sure. Some claimed that there exist switches for system extension but I am not sure if they work like deactivation.

Some asked about "more security" and webextensions. They offer more security because the direct impacts on Firefox have been reduced dramatically - no more changing in prefs, no hidden downloads or loading locale files.
