Finally getting around to posting these questions.
A. Are webextensions better, the same, or less privacy wise than the old xul extensions?
The reason for asking is from the descriptions that list what permissions a webextension can do.
B. Does the creator of the extension have access to the data that the permissions give?
This would be all the data accessed by the extension that is NOT specifically stated in the description that may be
sent back to the creator or some web site, by choice or not.
Webextesions Privacy vs Xul
- jscher2000
- Posts: 11772
- Joined: December 19th, 2004, 12:26 am
- Location: Silicon Valley, CA USA
- Contact:
Re: Webextesions Privacy vs Xul
A. XUL extensions had the full run of your system and the web. That was extremely convenient and very dangerous. As one sign of what a minefield it was, Firefox started enforcing a requirement that all extensions be signed by Mozilla starting in Firefox 48. XUL extensions were difficult to write, and could only run in Firefox, so there were fewer people targeting Firefox users back in the day. Now that Firefox can run most extensions written for Chrome (with minor changes), there is more risk of getting a bad one, but it can't do as much damage.
B. If the extension can access data, it often can exfiltrate it to a web address. Mozilla policy definitely requires disclosure of data gathering and probably requires that the user opt-in, but with mostly automated code review, it is difficult to enforce the policy. So you need to consider how important the functionality is to you, and how much you trust the developer based on what you can learn about the extension.
By the way, you can trust the extensions I wrote. I do not want your data!
B. If the extension can access data, it often can exfiltrate it to a web address. Mozilla policy definitely requires disclosure of data gathering and probably requires that the user opt-in, but with mostly automated code review, it is difficult to enforce the policy. So you need to consider how important the functionality is to you, and how much you trust the developer based on what you can learn about the extension.
By the way, you can trust the extensions I wrote. I do not want your data!
-
- Posts: 18
- Joined: July 5th, 2008, 6:21 pm
Re: Webextesions Privacy vs Xul
Thank you for the info. Here is a follow up for you and everybody.jscher2000 wrote:A. XUL extensions had the full run of your system and the web.
Take NoScript for example. On the addon page it states:
Code: Select all
This add-on needs to:
Access browser tabs
Store unlimited amount of client-side data
Access browser activity during navigation
Access your data for all websites
- jscher2000
- Posts: 11772
- Joined: December 19th, 2004, 12:26 am
- Location: Silicon Valley, CA USA
- Contact:
Re: Webextesions Privacy vs Xul
There is not a specific permission for making web connections, whether that is to add an external image to a page, or to post form data to a different website.
Mozilla uses automated code review for most extension updates, but some get manual review on ALL updates. They should have either a "Recommended" or "Verified" badge on the Add-ons site, and you can feel better about the safety of these extensions. https://support.mozilla.org/kb/add-on-badges
Mozilla uses automated code review for most extension updates, but some get manual review on ALL updates. They should have either a "Recommended" or "Verified" badge on the Add-ons site, and you can feel better about the safety of these extensions. https://support.mozilla.org/kb/add-on-badges
-
- Posts: 6437
- Joined: February 3rd, 2009, 6:29 pm
Re: Webextesions Privacy vs Xul
Permission request messages for Firefox extensions
http://support.mozilla.org/kb/permissio ... extensions
http://support.mozilla.org/kb/permissio ... extensions