90 points by ReadCarlBarks 3 days ago | 7 comments
  • knowitnone 3 days ago
    "we encourage developers to link to self-hosted privacy policies"

    So now, extensions can change to anything they want at any time they want with or without consent?

    • somat 3 days ago
      Why do they need to change anything?

      As far as I know a privacy policy has zero legal weight, that is, a company can put anything it wants into the privacy policy, it has no effect on what is actually done.

    • bartvk 3 days ago
      Yes and this actually is the same when you publish an app in the App Store.
      • Sporktacular 3 days ago
        Maybe I'm misunderstanding, but under the previous process, submitting a policy with an update freezes it to a specific version. That holds the developer to account at least for that update.
    • arp242 3 days ago
      In the end a privacy policy is little more than the proverbial "ink on a piece of paper". It doesn't actually prevent anything. Where and how it's published seems like a minor detail.
  • proaralyst 3 days ago
    > “Closed group” prohibition lifted

    This is great: I've wanted a personal extension for a while (roughly to replace my userscripts but with more power and better sync) but was put off by it having to be public or manually installed. Now I can make this!

    • sdovan1 3 days ago
      I have to reinstall my personal extension every time Firefox restarts. It's so annoying that I ended up writing an AutoHotKey script just to automate it (go to about:debugging#/runtime/this-firefox -> load temporary extension -> select manifest.json). Glad to see the announcement!
      • arp242 3 days ago
        You can already use web-ext to sign it; it doesn't need to be published (you can keep the extension private). It's just that you need to be logged in to download it and can't really provide a "share link" (but you can of course upload/send that .xpi to anyone).

        I have a few private extensions like this (e.g. for HN, GOG, my own new tab page, etc.). I don't have the exact steps for this at hand, been meaning to do a write-up at some point, but my mk script is just "$webext sign --channel unlisted --api-key $jwt_issue --api-secret $jwt_secret" – I don't recall if you need to create the extension in the Mozilla web UI first, but I don't think so(?)

        • sdovan1 2 days ago
          Thanks! I thought this was impossible. Gonna try it out today.

          Edit: I successfully signed the key on AMO. Here are the steps:

              Get an access token from https://addons.mozilla.org/developers/addon/api/key/
              In manifest.json, add browser_specific_settings.gecko.id and set it to something like "myext@example.com"
              Run command: web-ext sign --api-key=<jwt-issuer> --api-secret=<jwt-secret> --channel=unlisted
              That command will upload your extension to AMO. After an automatic review, you can download the .xpi file from AMO.
          
          That said, it's not ideal for me since I make extensions for work. Looks like a human reviewer can check your code at any time.
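          A small wrapper around the unlisted signing flow in the steps above (and the one-line mk script arp242 mentions earlier in the thread). This is an added example, not code from the thread or from Mozilla's web-ext; it assumes web-ext is installed and uses two environment variable names chosen here, AMO_JWT_ISSUER and AMO_JWT_SECRET, for the credentials from the AMO API key page.

```sh
#!/bin/sh
# Added example (not from the thread): sign a private extension through AMO
# without listing it. Assumes `web-ext` is on PATH and that the JWT issuer and
# secret from https://addons.mozilla.org/developers/addon/api/key/ are exported
# as AMO_JWT_ISSUER / AMO_JWT_SECRET (names chosen for this example).
set -eu

# AMO refuses to sign unless manifest.json pins an add-on id under
# browser_specific_settings.gecko.id. Dependency-free check: require the gecko
# block and an id that looks like "something@example.com".
has_gecko_id() {
  manifest="$1"
  [ -f "$manifest" ] || return 1
  grep -q '"gecko"' "$manifest" || return 1
  grep -Eq '"id"[[:space:]]*:[[:space:]]*"[^"]*@[^"]*"' "$manifest"
}

# Validate the manifest, then submit with --channel=unlisted: AMO signs the
# package but never lists it publicly. After the automatic review the signed
# .xpi is written to web-ext-artifacts/ under the source directory.
sign_unlisted() {
  dir="${1:-.}"
  if ! has_gecko_id "$dir/manifest.json"; then
    echo "manifest.json needs browser_specific_settings.gecko.id (e.g. \"myext@example.com\")" >&2
    return 1
  fi
  : "${AMO_JWT_ISSUER:?export the JWT issuer from the AMO API key page}"
  : "${AMO_JWT_SECRET:?export the JWT secret from the AMO API key page}"
  # Credentials are passed as flags, never echoed.
  web-ext sign --source-dir="$dir" --channel=unlisted \
    --api-key="$AMO_JWT_ISSUER" --api-secret="$AMO_JWT_SECRET"
}
```

          Run it as `sign_unlisted path/to/extension`; the manifest check fails fast before any upload, so a missing gecko id never reaches AMO.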
          • arp242 2 days ago
            > Looks like a human reviewer can check your code at any time.

            Yeah, not entirely sure how this works. I've been doing this for a few years with a bunch of extensions, and thus far it's always just been automatically approved (although that does take a few minutes).

    • gruez 3 days ago
      >but was put off by it having to be public or manually installed

      Even prior to this there was an option to upload an extension to AMO for "private distribution". Mozilla will sign your extension so it installs without a fuss, but it won't be hosted on AMO. You can still host it on your personal website, or share the .xpi file though.

    • qiine 3 days ago
      Wow so I can upload my extension to Firefox servers privately and without needing a review process maybe? and install it on all my devices? (via autosync I suppose?) That's handy.
  • account42 3 days ago
    Add-on policies shouldn't be a thing in the first place - it's my computer, not Mozilla's.
    • abraham 3 days ago
      > We’ve updated Add-on policies for addons.mozilla.org (AMO).

      Their policy doesn't apply to your computer. Only to developers that want to use Mozilla's infrastructure for distribution.

      • Zak 3 days ago
        There are artificial limitations to that. For example, stable versions of Firefox for Android won't install extensions from anywhere but Mozilla's infrastructure.

        I find that limitation bizarre from an open source browser; it's the sort of behavior I'd expect from Apple.

        • arp242 3 days ago
          I get why they do it; for better or worse, the browser is a major way many people interact with email, banking, etc. etc. A malicious extension would be a world of hurt. Some of that is moving to mobile, but with 5 billion people on the internet, Firefox's "low" market share at 4 or 5% is still over 200 million people, so it's still used by dozens or perhaps even hundreds of millions of people for these high-security tasks.

          When I did IT support I saw so many people do completely crazy things. I've seen people with 6 or 7 different browser toolbars and they use none of them. People with 3 different virus scanners they never remember installing, and of course ransomware they never recall installing either. etc. etc.

          And honestly, can you really say you'd never click on the wrong "allow this untrusted extension" button when distracted, engaged in something else, tired, or whatnot?

          I agree it can be annoying, but it's not impossible to maintain your private (signed) extensions. And for >99% of people, it's probably a sensible thing to do – this includes most tech people because most tech people don't have a bunch of private extensions.

          For everyone else, you can sign your own private extensions (some effort, but fairly minor) or use the Developer Edition, which allows installing unsigned extensions.

    • TheCraiggers 3 days ago
      And it's their browser, which they have an interest in. If an extension goes rogue and gets in the news, that would be bad for a variety of reasons.

      You're right that it's your computer, and you're free to change and recompile Firefox to do whatever you want, so I don't see what the issue is. The policies are for what extensions they allow on their store, not what you can install on your computer. Last I knew, you could make your own extension and load it yourself without the store being involved at all. Go nuts.

      • account42 2 days ago
        That attitude is exactly the problem. There is zero reason for anyone to use Firefox if it's just another company's property and not a free and open piece of software.
        • TheCraiggers 2 days ago
          Which part, exactly, is the problem with the attitude of my post?
  • Melatonic 3 days ago
    Sounds great - Closed Group extensions could be very useful!
  • quintu5 3 days ago
    But do they still have an arbitrary 4mb max file size on extension assets?

    This makes chunking for any sizable extension an absolute nightmare!

  • Am4TIfIsER0ppos 3 days ago
    If you're not removing the DRM on them (code signing) then what do I care?
    • _verandaguy 3 days ago
      Code signing doesn't stop redistribution of unmodified copies of software, and it allows for cryptographic attestation of its origin (when used properly). If you modify the software, you'll have to re-sign it and make sure your code's consumers trust that signature's chain of trust.

      DRM prevents you from redistributing original media (with varying degrees of effectiveness) and doesn't do much for cryptographic attestation (nominally).

      These are two very different systems for different purposes.

      • Am4TIfIsER0ppos 3 days ago
        No both prevent me from using my computer as I want without 3rd party permission or even just after some date.
        • _verandaguy 3 days ago
          In what way does code signing prevent you from using your computer as you want?

          As far as I know you can run unsigned code pretty easily still (especially, though not uniquely, as a technical user), and the process of stripping attestation/signing information from an executable on most popular platforms is well-documented with freely-available tools in most cases.

          I'm almost certain there are ways to disable code signature checking completely on the major OSes if you really want to, but why you'd want to do that, I don't get.

          Is your argument that running code with an invalid signature should happen with no notice, no hurdles, no nothing, by default?

          • Am4TIfIsER0ppos 2 days ago
            I cannot place a file in my profile directory and have Firefox execute it without having it approved by Mozilla. I booted my old PC to check on something recently, opened Firefox by opening an html file, and discovered that it had disabled all my extensions, making it less secure by allowing every webpage to do RCE had I changed tabs.

            Then there is secure boot which requires MSFT permission to use an OS, cell phones on which you cannot run your own code without manufacturer permission.

            I hope you don't still think the R in DRM stands for rights.

            • pabs3 2 days ago
              When using the Debian builds of Firefox at least, you can just symlink the extension directory into the system Firefox extensions directory, even if the extension is in your home directory somewhere.
    • kevingadd 3 days ago
      By what standard is code signing DRM? Lots of stuff is codesigned.
  • akkartik 3 days ago
    10 years too late. I'm never going back. These days I try to use my browser as vanilla as possible so I don't get my heart broken.
    • motorest 3 days ago
      > 10 years too late. I'm never going back. These days I try to use my browser as vanilla as possible so I don't get my heart broken.

      Pray tell, which usable browser do you believe provides better assurances than Firefox? Certainly it's not Chrome or Edge, is it?

      • gr4vityWall 3 days ago
        > which usable browser do you believe provides better assurances than Firefox?

        I think they meant that they are not going back to publishing Firefox extensions/add-ons. That doesn't imply they started writing extensions for another browser.

      • akkartik 3 days ago
        Oh I use a Firefox fork. I just don't develop extensions for it anymore.

        Firefox could have been the chosen one, the hackable browser. But it's just another hermetically sealed product.

        • arp242 3 days ago
          > It's just another hermetically sealed product.

          Everything is open source, mostly under a fairly permissive license.

          You can still do quite a lot with extensions or various tweaks (more than most programs, including open source ones).

          It's demonstrably not "hermetically sealed".

          • akkartik 3 days ago
            "Everything is open source" does not contradict "hermetically sealed product".

            I built myself an extension. Just for myself, nobody else. It worked great, then in one of these "policy changes" I couldn't use it anymore. Just for myself. That is a betrayal of trust. If I could use it before, and now I need to hack/mod Firefox by building it on a machine with umpteen hundreds of gigabytes of storage, that is a betrayal of trust. Firefox is "demonstrably" a hermetically sealed product. As demonstrated by my lived experience.

            • arp242 3 days ago
              You can use private extensions; you just need to use web-ext to sign it. Doesn't need to be published.

              Also the "developer edition" allows installing unsigned extensions. No need to build your own.

              • akkartik 3 days ago
                Hmm, I'm not familiar with web-ext. I'm not sure it existed 10 years ago, back when Firefox went through their Quantum transition.

                Looks like web-ext came out in 2016: https://blog.mozilla.org/addons/2016/04/29/webextensions-in-.... My extension is at https://github.com/akkartik/spew, and it looks like there might have been a period of a year when I wasn't able to use it.

                When software auto-updates and stops working, we consider that breakage. When software auto-updates and code I wrote stops working, we say "oh, it affects just 0.01% of users." For me, the inescapable lesson is to not write code for extension eco-systems, because they're all too immature for serious use. At least as of the year 2015.

      • msgodel 3 days ago
        tbh it's a lot easier to install ad-hoc extensions in Chromium than Firefox.