This isn’t just their extension, if I am reading this correctly, any extension (that hasn’t been vetted by Mozilla) is capable of being blocked from running due to this new quarantined domain list that Firefox 115 has.
However this feature can be disabled, or otherwise overridden at this time by the end user when following the documentation[0].
I can understand the concern here, but this change is being communicated, can be user managed, and the best faith interpretation I can come up with, is in fact for security purposes. It creates restrictions on (at least from Mozilla’s perspective) untrusted extensions. I mean how many extensions are there that do act maliciously? It probably isn’t trivial.
I highly recommend you use a minimum amount of extensions anyway. The OP’s extension is a good one from what I can tell but I really only use uBlock Origin, Bitwarden, and tab containers at this point. I guess whenever I use Gnome I end up having to use their extension too which is frustrating but a different story.
Will have to pay attention to this feature. Thanks for sharing the link.
In the release notes which 95% of users don't read, and in a text label hidden in a toolbar menu. No informed consent or prompt to opt-in. And Mozilla hasn't disclosed their criteria for inclusion of websites, and what they plan to use it for.
"We've taken away your power and hidden it behind a setting that we have no obligation to maintain" seems to have been the Firefox motto for the last ten years, and continues to go strong.
I normally take the good faith interpretation for things like this, but I'm confused by this one.
What security problem would be addressed by this? Why would Mozilla need to disable "untrusted" extensions for only certain websites? Why would a website need to be quarantined from an extension, instead of the other way around?
I would think that the remote kill switch for a specific extension addresses the actual security concerns, or Mozilla just not allow 'untrusted extensions' by default on any website.
I don't think Mozilla is evil for doing this, but I do find the motivation for this confusing.
> I highly recommend you use a minimum amount of extensions anyway.
Given the number of extensions silently purchased by people seeking to spy and push malware, I've minimized the use of extensions that aren't vetted in advance by Mozilla/Firefox.
> Recommended extensions undergo full code review by staff security experts to provide a strong additional security check.
> I highly recommend you use a minimum amount of extensions anyway.
This is why Brave has far surpassed Firefox at this point.
- Good privacy defaults
- Adblocking
- The iOS browser actually has ad-blocking (this alone is why I shy every layman away from Firefox, fuck Mozilla for specifically locking those users out in the cold)
- Choose your own blocklists
- Anti-fingerprinting
- Soon cookie auto-delete
- Soon port scan blocking
- WebRTC protection
- HTTPS upgrading (less relevant these days but hey)
- IPFS
- Tor
They also have a viable business model beyond “pay me off, Google”. And that is not to mention how Mozilla has chosen to soak their entire culture in ultra-progressive nonsense instead of rooting it in tech.
Yes, Brave appending affiliate links was scummy (although not particularly harmful to their users). But that is quite some time ago now.
I was a Mozilla / Firefox stan for a very very very long time. I still love Thunderbird, especially the progress they’re making now. But Firefox (and to a lesser point Mozilla) has completely lost its way.
At this point I'm up to maybe 15-20 about:config + user.js changes to make FF work properly for me. Unfortunately I use FF on multiple computers, is there a good way to keep everything in sync? Not sure how well something like a git repo would work.
That.. is upsetting. Mozilla seems to be determined to ensure that the user base it does have left leave it. I am glad it can be toggled off, but why exactly it is there to begin with is the real question.
my worry is that by firefox 225 that option will be gone, or will require modifying some text file in your profile.
I say this because I already have had to modify a text file in my profile to get firefox to do what I want (tree style tabs without dupe tab-bar on top).
also, by "firefox 225" I wonder how easy it will be to arbitrarily modify a 'protected' app/system text file (this is already difficult on smartphones)
> This isn’t just their extension, if I am reading this correctly, any extension (that hasn’t been vetted by Mozilla) is capable of being blocked from running due to this new quarantined domain list that Firefox 115 has.
What domains are in this "new quarantined domain list"?
> However this feature can be disabled, or otherwise overridden at this time by the end user when following the documentation[0].
Nefarious features 'enabled by default' is the standard of Firefox. What else have they switched on behind the user's back then?
> I highly recommend you use a minimum amount of extensions anyway. The OP’s extension is a good one from what I can tell but I really only use uBlock Origin, Bitwarden, and tab containers at this point. I guess whenever I use Gnome I end up having to use their extension too which is frustrating but a different story.
You might as well use Brave Browser at this point.
If an extension has been installed on my machine it is by definition trusted. Firefox is not my antivirus solution and it should not try to be. Keep your lane.
> My own extension StopTheMadness stops web sites from disabling your browser's built-in paste and autofill features, a kind of madness commonly implemented by sites that have a misguided, ignorant notion about what makes a login form "secure"
Now, this is an extension I didn't know I needed. I'm baffled that there are some things without which the web is unusable for me. Looking at my extension list, on Firefox I have:
- ClearURLs
- Clickbait remover for YouTube
- Cookie Autodelete
- Firefox Multi-account container
- I don't care about cookies (not updated since bought by Avast)
- Privacy badger
- Tampermonkey
- Tridactyl
- uBlock Origin
I feel like I'm pretty conservative with the add-ons that I install, yet I can't comfortably browse the web if I'm missing one of them. When did everything go so wrong?
Yes, the web is hostile. It's frankly incredible we're still allowed the power to control our user agents like we do. If the web was built today it would be a locked down nightmare controlled 100% by corporate interests.
It's kind of upsetting finding out about stuff like this, that you don't know it could exist.
Adblock is interesting because for adblock to work, you need some engineer hours working to find a good filter to delete ads on websites that don't have active countermeasures, and potentially in websites all over the world in languages as well (I'm bilingual, and I see that ublock origin still works in non-english websites).
Now if you throw in websites with active adblock countermeasures, it seems the proposition that a free, mostly self-governed extension all has that figured out just seems impossible, but it seems to work quite well (albeit with a few notable blocking failures, especially at Facebook which has extremely aggressive anti-adblock features)
Wow, I had ClearURLs installed forever ago and I just totally forgot about it.
I often have to manually delete tracking elements that make my URLs long and nasty, but I just realized that only happens when I copy a link that I haven't visited yet. ClearURL has been on my back this whole time!
The article is right that we've not seen any communication about Mozilla as to how they intend to use this, so we can only speculate about why they might want the feature.
My own speculation is that this is them warding against extension-takeovers, where people sell off their semi-successful extension to some company which then fills it up with spyware. If Mozilla fills up their quarantine list with domains that're easy targets for stealing valuable information (banks, etc), that'd reduce the incentive to do such takeovers.
> My own speculation is that this is them warding against extension-takeovers
I don't buy that. If they learn that an extension has been taken over, then they can just block the extension.
Also, why the domain list? If some extension has started cryptomining, why will Mozilla protect me only when I visit selected domains? And why the tight lips?
Power given to the well-intentioned will get used by their successors.
I haven't tried servo since right after the transition to the Linux foundation. It seemed good for most of my browsing already, but with a bad ui. I looked for any good tickets for new contributors but all I found was something about xml parsing that I am unqualified for, plus I hate xml. If we could throw our weight behind it I think it could be an alternative for everything that shouldn't be a web app or native app.
Wouldn't a better way to deal with extension takeovers be to just turn off the extension instead of blocking the extension from certain websites? Especially since, as the author points out, any such quarantine list of domains is of necessity going to be incomplete?
Basically it's intended to be a user defined middle ground between allowing permissions everywhere vs the developer hand curating a list of allowed sites.
It really makes me sad every time Mozilla pulls stuff like this in Firefox. Firefox is basically the last usable mainstream browser outside of Google's indirect dominion via Chromium, and one of the few somewhat privacy respecting ones as well. I'm glad a project like LibreWolf exists to undo and rip out all of the stuff like this so that I can have a truly private and secure browser that isn't based on chromium instead of having to switch to Brave or something, because as much as I value my privacy and security I also value not giving in to Google's browser monopoly.
Only requiring developers to sign their extensions so that they can run on firefox wasn't enough – as mozilla had already done back in 2015 or so. No, no, no, in the name of safety we need to make sure your extension doesn't run on forbidden sites.
if you have access to their project tracking, it's under WEBEXT-1351 (would love if someone can post the entire reasoning for the feature here, as their conversations are now behind login which i didn't bother to secure)
The code for what the user can see/allow per-domain https://hg.mozilla.org/mozilla-central/rev/4399291987d9 (not released as far as i can tell) you can see the file locally via `resource://gre/modules/ExtensionPermissions.sys.mjs` in your address bar.
this is already how it works on Firefox for android, with NO USER WHITELIST OPTION... the only workaround on android is to add another hidden setting that points to a user-defined collection in addons.mozilla.org, which will be the allowed extension list instead of mozilla's.
edit; HOLY SHIT!!! just updated firefox for android, and they removed access to about:config there in the last version! (ps: they had already removed since 2020 for "regular lowly users" who do not install experimental version, their words. Now it is also removed from f-droid stable build since last version. I didn't see it mentioned on the release notes, so they either strong armed the maintainer or slipped changes past them)
The article isn't clearly stated on this point, but at the current time to block this new behaviour, in about:config create a new boolean named "extensions.quarantinedDomains.enabled" and set the value to false.
It's a shame, because I can see where this will lead to beyond the obvious of just extensions today. The domains list will be tied to country codes. So it will become a situation where "if country X then block politically objectionable domain Y!" where Y can be a site that criticizes the ruling party or the usual crew of copyright carpetbaggers wanting various sites blocked from the browser end, etc. And it will actually cover a lot of scope, you already see some of this beginning where they have started blocking some US states from viewing pornography, but with this method, you can block an entire country from all porn domains at once just by making the browser refer to a master blacklist.
On the bright side, Firefox may be able to soon access the lucrative North Korean market since all domains will be blocked.
Is there a list of all the things for which Firefox now "phones home"? "Sync", "Pocket", Firefox updates, extension updates, the bad site blocklist, and this. What else?
I can see the need to deactivate some extensions on certain websites. For me that's mostly a "make the site work" workaround than a security feature but anyway.
I can recommend using different browser profiles for specific setups (e.g. banking). Linux Mint has the Web Apps feature (https://www.makeuseof.com/how-to-create-a-web-app-in-linux-m...) that lets you configure different browser profiles and as a bonus it turns the web site into a desktop app.
The downside of it is that each browser profile needs its own config, i.e. you have a lot of repeated overhead and you need to reinstall extensions into every profile. But on the flipside I can control which extensions I want to have in there.
What I really want is extension integration with container tabs, so that I can partition the extensions myself. For example, I probably want my banking container to have no extensions, but my news container to have all of the ad-blockers, link cleaners, etc.
We've almost come full circle with browser extensions, from being rare or non-existent to the zenith of popularity and power in the pre-Quantum Firefox days to now back to being increasingly whitelisted and sandboxed into unpopularity.
I don't think this is new, is it? For at least the last couple of years (maybe longer, that's just how long I've used Firefox on Windows) some sites are hardcoded not to allow extensions to run on them. As an example, add-ons don't run on addons.mozilla.org for security purposes. Is there any reason to think this is a conspiracy about ad blockers? I haven't seen anything that indicates this isn't the same as the addons.mozilla.org situation.
Once more I am happy to use the ESR version of Firefox where stuff like this tends to only land much later. Add on top of that the Debian patches and default settings and it's a fine user-agent again :-)
Edit: oops, looks like 115 is the next ESR version, does that mean it gets this "feature" but for a long time will not get proper UI to control it? :-(
my first thought: they'll collect money from sites to disable adblockers and other ext. I gave up on Mozilla 5 or so years ago because they ARE sneaky about being corporate sellouts and anti privacy. At least the browsers i use now don't PRETEND to be privacy focused.
Put on a tinfoil hat, the Google search contract is up for renewal this year, and YouTube is getting serious about ad blockers. I could see YT domains sliding into this list over time after a new search agreement is reached.
[+] [-] kemotep|2 years ago|reply
[0]: https://support.mozilla.org/en-US/kb/quarantined-domains
[+] [-] concinds|2 years ago|reply
[+] [-] TheRealPomax|2 years ago|reply
[+] [-] madeofpalk|2 years ago|reply
[+] [-] RobotToaster|2 years ago|reply
For now.
You used to be able to install any extension in firefox mobile, but they blocked that without any option to override it.
[+] [-] LegitShady|2 years ago|reply
Key words "at this time". In a few versions maybe they take that away and you can't block ads on YouTube because Google threatened them.
Building the capability and hiding the options in the about config is opening the door to a lot of bad decisions later on.
[+] [-] GeekyBear|2 years ago|reply
https://blog.mozilla.org/en/products/firefox/firefox-recomme...
[+] [-] jorvi|2 years ago|reply
[+] [-] Rebelgecko|2 years ago|reply
[+] [-] nani8ot|2 years ago|reply
This replaces the Gnome Extensions app and the browser extension.
[0]: https://github.com/mjakeman/extension-manager
[+] [-] A4ET8a8uTh0|2 years ago|reply
[+] [-] BSEdlMMldESB|2 years ago|reply
[+] [-] ilyt|2 years ago|reply
[+] [-] FreshStart|2 years ago|reply
[+] [-] tivert|2 years ago|reply
[+] [-] rvz|2 years ago|reply
[+] [-] NooneAtAll3|2 years ago|reply
[+] [-] gaws|2 years ago|reply
> I really only use uBlock Origin, Bitwarden, and tab containers at this point.
Stylus, Privacy, Bypass Paywalls, and OneTab are up there in "essential" extensions.
[+] [-] floomk|2 years ago|reply
[+] [-] RMPR|2 years ago|reply
[+] [-] mostlysimilar|2 years ago|reply
[+] [-] kentrf|2 years ago|reply
It is possible to reject consent instead of blindly accepting them with IDCAC... and also the Avast thing
[+] [-] hatsunearu|2 years ago|reply
[+] [-] hatsunearu|2 years ago|reply
[+] [-] eterm|2 years ago|reply
[+] [-] 93po|2 years ago|reply
[+] [-] BeefWellington|2 years ago|reply
You can disable this behaviour by setting `dom.event.clipboardevents.enabled` to false; however, this also disables copy functionality on sites.
[+] [-] mthoms|2 years ago|reply
[+] [-] kemayo|2 years ago|reply
[+] [-] denton-scratch|2 years ago|reply
[+] [-] galangalalgol|2 years ago|reply
[+] [-] logicprog|2 years ago|reply
[+] [-] londons_explore|2 years ago|reply
[+] [-] DistractionRect|2 years ago|reply
https://news.ycombinator.com/item?id=36591247#36591664
[+] [-] logicprog|2 years ago|reply
[+] [-] hexage1814|2 years ago|reply
https://blog.mozilla.org/addons/2015/02/10/extension-signing...
[+] [-] aweirljslfj|2 years ago|reply
all the bugzilla items: https://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIR...
and lastly, the dev doc on how to push those values to live user browsers https://firefox-source-docs.mozilla.org/toolkit/mozapps/exte...
[+] [-] Sunspark|2 years ago|reply
[+] [-] arp242|2 years ago|reply
[+] [-] Animats|2 years ago|reply
[+] [-] sanqui|2 years ago|reply
[+] [-] __fst__|2 years ago|reply
[+] [-] ibejoeb|2 years ago|reply
[+] [-] xanathar|2 years ago|reply
[+] [-] Santosh83|2 years ago|reply
[+] [-] dang|2 years ago|reply
Mozilla restricts extensions on some domains on Firefox 115 - https://news.ycombinator.com/item?id=36591247 - July 2023 (91 comments)
[+] [-] Thissitesucks00|2 years ago|reply
[+] [-] m4lvin|2 years ago|reply
[+] [-] Cyder|2 years ago|reply
[+] [-] threesevenths|2 years ago|reply