Apparently they're luring everyone into accepting this abomination by starting with an empty list, but what in the world is the motivation for this feature, and which domains do they intend to add??? "We don't know, we just thought it would be a good idea" is no explanation or justification.
People are going to talk about "security" and "banking", but that's a load of crap. Just wait until your bank disables password autofill and paste on their site, and no extension can override it.
I have no problem with letting the user control the domains that an extension can access, but giving Mozilla remote control? No way.
> We need to have ability to set the list of quarantined domains remotely. [...] Filing as confidential for now, until we ship the system addon.
A few questions:
* Why would this be confidential? Was it compelled? Is it tied to a commercial deal?
* If you ship a facility like this, does that lower the bar to being ordered to use it? (No excuse that it would be difficult/time-consuming/expensive to do, because it's already there, and the list can be updated easily?)
* Can changes to this list be done quietly, or with less scrutiny than code changes? And by whom?
* Can this be used in a way that targets individual people?
It's actually ok for you to feel that way! It's also ok for Mozilla to do this, because Mozilla aims to use this to protect users! The internet is already a yard full of rakes for folks, I appreciate things that make it easier for users to protect themselves online.
Yes, the feature can be abused, but frankly, at least Firefox is an open source project, and there are methods that can be used to disable this feature, up to and including using or creating a new Firefox fork.
Browser extensions have been an unmitigated security train wreck. Not a single person is actually auditing the source code of every extension they use before installation and before each update. And if you are, you should have no issues recompiling Firefox without this change.
Given you can just go override Firefox and enable disabled extensions, I'm not sure I understand the outrage. Then again, Mozilla does seem to attract a remarkable level of vitriol despite being one of the true stewards of an open internet...
If you actually read the linked bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=1745823), they talk about making the list user-configurable. I actually agree that having a per-extension list for disabling on some websites would be nice (some websites break with extensions, e.g. I use Tridactyl for Vim-like navigation, but if I work on e.g. Overleaf things get in the way of each other and so I turn it off via mode ignore).
> If one or more extensions installed in your web browser have been blocked by this new feature and you want to use those extensions, you can disable the new feature and re-enable those disabled extensions in Firefox.
> Just wait until your bank disables password autofill and paste on their site, and no extension can override it
That would be a fantastic day because autofill based on HTML/JS hackery by extensions is one of the biggest security risks there is. It's why extensions like Bitwarden caution you to have autofill turned on. Tavis Ormandy (security researcher) demonstrated this last year in a blog post.
This feature stems from an attempt at disallowing extensions which have rights to all websites on certain websites[1]. Version 116 will have a UI for users to control this.[2]
Preventing the random extension I installed from hijacking my bank login page is good! Giving Mozilla the ability to disable my adblocker or NoScript on an arbitrary domain list that they can update remotely is scary!
A blog post with Mozilla's plans for the feature, what they're implementing to limit abuse on Mozilla's side, and how users can opt out would make this a non-issue. It's nuts that the Mozilla bug tracker is the best source for laypeople to get info on this.
> Preventing the random extension I installed from hijacking my bank login page is good! Giving Mozilla the ability to disable my adblocker or NoScript on an arbitrary domain list that they can update remotely is scary!
So the ability for the web browser to arbitrarily add and remove features from the browser is scary? Just asking because there is a massive security trade-off and the intersection of a number of threat models in this comment.
Do you trust the platform you use to download and execute arbitrary code (that is, web content) to automatically update itself?
If not, how do you balance the lack of automated updates against the need to keep software up to date to prevent exploit of known vulnerabilities?
If so, how do you distinguish the ability to download and execute new code that could remove or suppress the features you choose from the ability to enable and disable add-ons/extensions?
There could have been better communication on this, but describing the feature as scary tells me you don't really understand the threat model around your use of a web browser, and may not be asking the right questions or considering the actual threats.
I think we can all agree that restricting uBlock from working on YouTube probably isn't going to happen, and you might want some restrictions on addons accessing all data on a banking website.
But where did they draw the line? Is someone still allowed to publish an addon which fixes the interface of an absolutely broken banking website, or which allows you to liberate your own data? Will that only be allowed through vetting? What about things like Dark Mode addons which have access to all websites? Is it possible to explicitly request to be included in the allowlist?
I am not against it on principle, but we're missing a loooot of information right now to decide whether this is actually a good thing.
Looks like there will be a UI to control this in 116, and the block list is empty in 115.
I’m pretty stoked for this. Every time I install an extension I wonder what’s going to happen to my banking info if an update ever gets hijacked. This is a much better solution than turning all my extensions off and on when I visit financial websites.
I’d be 100% on-board if they changed this from a list of URLs they define to a list I define. Web extensions sound great until you realize how much power you’re handing to arbitrary code once you allow it reading and writing to the DOM. They can forward anything to anywhere, sandboxing goes out the window.
> you might want some restrictions on addons accessing all data on a banking website
I might want to be in control of that myself rather than having Mozilla trying to index all banking websites in the world and not being able to use accessibility tools on those they found.
If an extension that fixed an online banking website (non malicious and bug-free) got popular enough for them to notice, I'd expect some hamfisted effort on the bank's part to stop you using it. Probably taking out many other extensions/browsers with it.
> If you are aware of the associated risk and still wish to allow the add-ons that have been disallowed on a website by Mozilla, you can do it from the configuration editor (about:config)
The "quarantined domains" are the contents of extensions.quarantinedDomains.list, which defaults to empty. So, this has to be some sort of enterprise feature.
With the exception of addressing critical security issues, why does an organization who positions themselves as a leader of open source software make so many user-unfriendly decisions behind closed doors?
The reverse of this would be even more useful to me, i.e. a list where the extension _is_ allowed. So many developers hit the "ALL THE THINGS" button out of laziness.
On 115.0b9 on macOS the list is empty (`extensions.quarantinedDomains.list`), guessing it's intended to be set by school/company IT for their managed devices.
I believe the list will be configurable, it might be empty by default. Looking at the inter-bug linkage, this feature seems built for IT departments to blanket-ban extensions from domains that the company deems sensitive.
It's probably for "managed Firefox", which is when your IT department sets Firefox as the default browser. It lets them, for example, disable adblock on the internal company portal.
[+] [-] lapcat|2 years ago|reply
[+] [-] neilv|2 years ago|reply
[+] [-] ygjb|2 years ago|reply
[+] [-] Gigachad|2 years ago|reply
[+] [-] BaseballPhysics|2 years ago|reply
[+] [-] cycomanic|2 years ago|reply
[+] [-] ThePowerOfFuet|2 years ago|reply
[+] [-] Barrin92|2 years ago|reply
That would be a fantastic day because autofill based on HTML/JS hackery by extensions is one of the biggest security risks there is. It's why extensions like Bitwarden caution you to have autofill turned on. Tavis Ormandy (security researcher) demonstrated this last year in a blog post
https://lock.cmpxchg8b.com/passmgrs.html
[+] [-] wasmitnetzen|2 years ago|reply
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745823 https://bugzilla.mozilla.org/show_bug.cgi?id=1834825
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1837670
[+] [-] Centigonal|2 years ago|reply
[+] [-] ygjb|2 years ago|reply
[+] [-] jwilk|2 years ago|reply
[+] [-] crote|2 years ago|reply
[+] [-] icodestuff|2 years ago|reply
[+] [-] mcpackieh|2 years ago|reply
Mozilla gets paid by Google, and Google is experimenting with blocking adblockers on youtube so... no. I don't agree with you.
[+] [-] cjsawyer|2 years ago|reply
[+] [-] lucb1e|2 years ago|reply
[+] [-] throwawaymobule|2 years ago|reply
[+] [-] zymhan|2 years ago|reply
[+] [-] kevin_b_er|2 years ago|reply
[+] [-] dTP90pN|2 years ago|reply
There is consideration to allow enterprises to disable this feature though: https://bugzilla.mozilla.org/show_bug.cgi?id=1834985
edit: fixed 2nd link description.
[+] [-] Ycdr4thfdd|2 years ago|reply
[+] [-] ghusto|2 years ago|reply
[+] [-] susanthenerd|2 years ago|reply
[+] [-] indymike|2 years ago|reply
[+] [-] Lariscus|2 years ago|reply
[+] [-] deely3|2 years ago|reply
[+] [-] beebeepka|2 years ago|reply
[+] [-] kevin_b_er|2 years ago|reply
[+] [-] SushiHippie|2 years ago|reply
I searched a bit through the documentation and code, and these were my findings. I thought I'd share them for others that are interested and for future reference.
Currently, there are no domains blocked, they would appear on this API endpoint: https://firefox.settings.services.mozilla.com/v1/buckets/mai...
This is the JSON schema for this API endpoint: https://firefox.settings.services.mozilla.com/v1/buckets/mai...
More information on the remote settings in general:
AMRemoteSettings Overview - quarantinedDomains: https://firefox-source-docs.mozilla.org/toolkit/mozapps/exte...
Remote Settings documentation: https://remote-settings.readthedocs.io/en/latest/index.html
Remote Settings DevTools - where you can see all the remote settings, that get set: https://github.com/mozilla-extensions/remote-settings-devtoo...
EDIT: Seems like there are many settings that already get automatically set via AMRemoteSettings (including search-engine configs, cert revocations, dns over https providers, password rules for specific domains, top-sites, URL tracking parameters to clean, etc.). We will see how this new setting will be used, it can be easily disabled (https://support.mozilla.org/en-US/kb/quarantined-domains) and you will get a warning if an Add-On is blocked from accessing the site. Also seems like there will be a UI for this in v116 (https://bugzilla.mozilla.org/show_bug.cgi?id=1837670), where you can configure this better than just disabling this feature completely.
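An added example, not part of the thread or of Firefox's code: a Python check that compares two snapshots of a profile's prefs.js and reports changes to `extensions.quarantinedDomains.list`, so a remotely pushed change does not go unnoticed. It assumes the list is stored as a comma-separated string in prefs.js and that `extensions.quarantinedDomains.enabled` is the on/off switch the linked support article describes; the sample prefs and `.example` domains are constructed.

```python
import re

LIST_PREF = "extensions.quarantinedDomains.list"        # pref named in the thread
ENABLED_PREF = "extensions.quarantinedDomains.enabled"  # assumed on/off switch

# Matches prefs.js lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Constructed sample snapshots (not real profile data).
OLD_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("extensions.quarantinedDomains.list", "");
'''
NEW_PREFS = '''user_pref("browser.startup.page", 3);
user_pref("extensions.quarantinedDomains.enabled", false);
user_pref("extensions.quarantinedDomains.list", "bank.example, Login.Example");
'''


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unexpected
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1].replace('\\"', '"')
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unknown value types verbatim
    return prefs


def quarantined_domains(prefs):
    """Normalise the comma-separated list pref into a set of hostnames."""
    value = prefs.get(LIST_PREF, "")
    if not isinstance(value, str):
        return set()
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def diff_snapshots(old_text, new_text):
    """Report domains added/removed between two prefs.js snapshots."""
    old = quarantined_domains(parse_prefs(old_text))
    new_prefs = parse_prefs(new_text)
    new = quarantined_domains(new_prefs)
    # "enabled" is None when the pref is not user-set (browser default applies).
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "enabled": new_prefs.get(ENABLED_PREF)}
```

Calling `diff_snapshots(OLD_PREFS, NEW_PREFS)` on the constructed samples reports the two added hostnames and that the feature was switched off in the newer snapshot.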
[+] [-] anonymousiam|2 years ago|reply
https://www.askvg.com/fix-some-extensions-are-not-allowed-in...
[+] [-] zb3|2 years ago|reply
[+] [-] nammi|2 years ago|reply
[+] [-] toyg|2 years ago|reply
[+] [-] gpvos|2 years ago|reply
[+] [-] parker_mountain|2 years ago|reply
[+] [-] suprjami|2 years ago|reply
[+] [-] baconfromhell|2 years ago|reply
[+] [-] MagicMoonlight|2 years ago|reply
[+] [-] nathants|2 years ago|reply
[+] [-] AshamedCaptain|2 years ago|reply
[+] [-] nerdbert|2 years ago|reply
[+] [-] unethical_ban|2 years ago|reply