Mozilla restricts extensions on some domains on Firefox 115
Author : muxator
Score : 65 points
Date : 2023-07-04 19:06 UTC (3 hours ago)
(HTM) web link (www.askvg.com)
| ghusto wrote:
| The reverse of this would be even more useful to me, i.e. a list
| where the extension _is_ allowed. So many developers hit the "ALL
| THE THINGS" button out of laziness.
| susanthenerd wrote:
| Last time I checked, Firefox lists the websites an extension has
| permissions on.
| ghusto wrote:
| It does, and lists it again when you install the extension :)
| What I was getting at was that there are so many developers
| that just put in "*" out of laziness, when their extension
| might need access to only a handful of domains, or even just
| one.
| kevin_b_er wrote:
| What's the list of quarantined domains?
| deely3 wrote:
| I want to say something good, but it looks like Mozilla continues
| to search for ways to take more control away from the user.
| beebeepka wrote:
| They aren't taking away control. Read their own post
| rampant_ai wrote:
| If I install a ceiling fan for someone with multiple speeds,
| forward/reverse, and a dimmable light but I take the remote
| with me and leave just a basic on/off switch that's still
| taking away control.
|
| Give me full control of all features or I go elsewhere.
| deely3 wrote:
| They started disabling extensions installed by the user on some
| websites without a clear explanation of why and when it will
| happen, and intentionally hid the settings to disable this
| functionality.
|
| Should I read their own post again?
|
| Why not ask the user first? "Do you want to disable add-ons not
| monitored by Mozilla on this specific site?"
|
| Also, how many users have asked for this functionality? "I
| want Mozilla to monitor add-ons installed in my browser and
| disable them on some websites, whenever Mozilla wants" - surely
| most users want this.
| woofcat wrote:
| Please do read it again. They've not disabled any extension
| on any website. They've added an option to potentially do
| that.
| zb3 wrote:
| Is there a list of these domains?
| nammi wrote:
| On 115.0b9 on macOS the list is empty
| (`extensions.quarantinedDomains.list`), guessing it's intended
| to be set by school/company IT for their managed devices
| dTP90pN wrote:
| ~~While school/company IT as a use case is being
| considered[1], that is not the primary intent for this
| feature.~~
|
| edit: I misread that ticket. It's about allowing
| school/company IT to _disable_ the feature, not to allow them
| to use it.
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1834985
| toyg wrote:
| I believe the list will be configurable, it might be empty by
| default. Looking at the inter-bug linkage, this feature seems
| built for IT departments to blanket-ban extensions from domains
| that the company deems sensitive.
| detuur wrote:
| That purpose doesn't really make sense to me. Any IT
| department that wants to shut down unverified code on their
| intranet sites will just disable add-ons completely. I mean,
| it's a noble idea, to allow users to install their own
| preferred add-ons while still blocking them on intranet
| sites, but for IT it's much easier to just lock it down
| completely.
|
| I think the feature's simply not finished yet, and that in
| the future this list is going to come pre-loaded with
| government and banking domains.
| toyg wrote:
| I understand the paranoia but that scenario would make no
| sense, as long as about:config is accessible - which it
| will always be, for any FF user _except managed-IT ones_.
| detuur wrote:
| Oh, I'm not saying that it's some sort of plot to force
| us to disable our extensions or anything. I'm saying it's
| going to be a feature aimed at out-of-the-box security,
| which advanced users are free to tinker with as they
| wish. The reality is unfortunately that many less-
| advanced users are much more likely to install random
| unvetted add-ons, and sane defaults for that list (pre-
| loading it with gov and bank domains) will prevent
| hostile add-ons from doing serious damage.
| Lariscus wrote:
| This is great. I would like to block extensions on certain
| websites. For example, I probably should not run any extensions
| on the website of my bank.
| wasmitnetzen wrote:
| This feature stems from an attempt at disallowing extensions which
| have rights to all websites on certain websites[1]. Version 116
| will have a UI for users to control this.[2]
|
| [1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745823
| https://bugzilla.mozilla.org/show_bug.cgi?id=1834825
|
| [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1837670
| RobotToaster wrote:
| I wonder if this _mysteriously_ blocks adblockers running on
| certain sites like youtube?
| lyvxh wrote:
| uBlock Origin is specifically one of the whitelisted
| extensions, and you can disable this feature by setting
| extensions.quarantinedDomains.enabled to false (in
| about:config)
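nammi and lyvxh above name the two about:config prefs that drive this feature (`extensions.quarantinedDomains.list` and `extensions.quarantinedDomains.enabled`), and several commenters say they would rather maintain the domain list themselves. The script below is an added example, not code from the thread or from Mozilla: it parses the `user_pref()` lines of a Firefox `prefs.js`/`user.js`, reports the quarantine state, answers "would extensions be blocked on this host?", and emits `user.js` lines that pin the list to the user's own choice. Two things are assumptions rather than facts from the page: that the feature is enabled when the pref is absent, and that a list entry matches a host exactly (the thread says nothing about subdomain handling). The sample `prefs.js` content is constructed for the example.

```python
import re

# Pref names as reported in the thread (Firefox 115, about:config).
ENABLED_PREF = "extensions.quarantinedDomains.enabled"
LIST_PREF = "extensions.quarantinedDomains.list"

# One prefs.js / user.js line, e.g.
#   user_pref("extensions.quarantinedDomains.enabled", true);
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')


def _parse_value(raw):
    """Convert the literal on the right of user_pref() to a Python value (bool, str or int)."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Parse every user_pref() line in a prefs.js/user.js into a dict; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def quarantine_state(prefs):
    """Return (enabled, domains).

    Assumption: the feature is on when the pref is missing, and the list pref is a
    comma-separated string (the thread reports it as empty by default).
    """
    enabled = bool(prefs.get(ENABLED_PREF, True))
    raw = str(prefs.get(LIST_PREF, ""))
    domains = [d.strip().lower() for d in raw.split(",") if d.strip()]
    return enabled, domains


def is_quarantined(host, enabled, domains):
    """Would extensions be blocked on this host?

    Assumption: a list entry matches the host exactly; subdomain behaviour is not
    described on the page, so 'www.bank.example' is NOT covered by 'bank.example' here.
    """
    if not enabled:
        return False
    return host.lower() in domains


def render_user_js(domains, enabled=True):
    """Emit user.js lines that put the quarantine list under the user's own control."""
    joined = ",".join(domains)
    flag = "true" if enabled else "false"
    return (
        f'user_pref("{ENABLED_PREF}", {flag});\n'
        f'user_pref("{LIST_PREF}", "{joined}");\n'
    )


# Constructed sample prefs.js content; not taken from any real profile.
SAMPLE_PREFS = """\
user_pref("app.update.auto", true);
user_pref("extensions.quarantinedDomains.enabled", true);
user_pref("extensions.quarantinedDomains.list", "bank.example,login.bank.example");
user_pref("browser.startup.page", 3);
"""

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    enabled, domains = quarantine_state(prefs)
    print(f"quarantine enabled={enabled} domains={domains}")
    for host in ("bank.example", "www.bank.example", "news.example"):
        verdict = "extensions blocked" if is_quarantined(host, enabled, domains) else "extensions allowed"
        print(f"{host}: {verdict}")
    print("user.js to pin your own list:")
    print(render_user_js(domains), end="")
```

Point `parse_prefs` at the `prefs.js` of a real profile to see what the browser (or a remote-settings update) has put in the list; writing the output of `render_user_js` into that profile's `user.js` makes the value reapply on every start, which is the "list I define" that cjsawyer asks for below.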
| jwilk wrote:
| Looks like blogspam for
| https://support.mozilla.org/en-US/kb/quarantined-domains.
| Centigonal wrote:
| This is a community comms failure.
|
| Preventing the random extension I installed from hijacking my
| bank login page is good! Giving Mozilla the ability to disable my
| adblocker or NoScript on an arbitrary domain list that they can
| update remotely is scary!
|
| A blog post with Mozilla's plans for the feature, what they're
| implementing to limit abuse on Mozilla's side, and how users can
| opt out would make this a non-issue. It's nuts that the mozilla
| bug tracker is the best source for laypeople to get info on this.
| ygjb wrote:
| > Preventing the random extension I installed from hijacking my
| bank login page is good! Giving Mozilla the ability to disable
| my adblocker or NoScript on an arbitrary domain list that they
| can update remotely is scary!
|
| So the ability for the web browser to arbitrarily add and
| remove features from the browser is scary? Just asking because
| there is a massive security trade-off and the intersection of a
| number of threat models in this comment.
|
| Do you trust the platform you use to download and execute
| arbitrary code (that is, web content) to automatically update
| itself?
|
| If not, how do you balance the lack of automated updates
| against the need to keep software up to date to prevent exploit
| of known vulnerabilities?
|
| If so, how do you distinguish the ability to download and
| execute new code that could remove or suppress the features you
| choose from the ability to enable and disable add-
| ons/extensions?
|
| There could have been better communication on this, but
| describing the feature as scary tells me you don't really
| understand the threat model around your use of a web browser,
| and may not be asking the right questions or considering the
| actual threats.
| kevin_b_er wrote:
| Ok I went through the implementation code.
|
| The "quarantined domains" are the contents of
| extensions.quarantinedDomains.list, which defaults to empty. So,
| this has to be some sort of enterprise feature.
| dTP90pN wrote:
| Mozilla can remotely set that pref:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1832791
|
| There is consideration to allow enterprises to _disable_ this
| feature though:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1834985
|
| edit: fixed 2nd link description.
| AshamedCaptain wrote:
| Yet another mechanism for a 3-letter-agency to remotely change
| your browser settings.
| unethical_ban wrote:
| Not at all.
| crote wrote:
| Which extensions and which domains, though?
|
| I think we can all agree that restricting uBlock from working on
| YouTube probably isn't going to happen, and you _might_ want some
| restrictions on addons accessing all data on a banking website.
|
| But where did they draw the line? Is someone still allowed to
| publish an addon which fixes the interface of an absolutely
| broken banking website, or which allows you to liberate your own
| data? Will that only be allowed through vetting? What about
| things like Dark Mode addons which have access to _all_ websites?
| Is it possible to explicitly request to be included in the
| allowlist?
|
| I am not against it on principle, but we're missing a loooot of
| information right now to decide whether this is actually a _good
| thing_.
| zymhan wrote:
| > If you are aware of the associated risk and still wish to
| allow the add-ons that have been disallowed on a website by
| Mozilla, you can do it from the configuration editor
| (about:config)
| mcpackieh wrote:
| > _I think we can all agree that restricting uBlock from
| working on YouTube probably isn't going to happen,_
|
| Mozilla gets paid by Google, and Google is experimenting with
| blocking adblockers on youtube so... no. I don't agree with
| you.
| cjsawyer wrote:
| I'd be 100% on-board if they changed this from a list of URLs
| they define to a list I define. Web extensions sound great
| until you realize how much power you're handing to arbitrary
| code once you allow it to read and write the DOM. They can
| forward anything to anywhere; sandboxing goes out the window.
| icodestuff wrote:
| Looks like there will be a UI to control this in 116, and the
| block list is empty in 115.
|
| I'm pretty stoked for this. Every time I install an extension I
| wonder what's going to happen to my banking info if an update
| ever gets hijacked. This is a much better solution than turning
| all my extensions off and on when I visit financial websites.
| lucb1e wrote:
| > you _might_ want some restrictions on addons accessing all
| data on a banking website
|
| I _might_ want to be in control of that myself rather than having
| Mozilla try to index all banking websites in the world and
| not being able to use accessibility tools on those they found.
| Lariscus wrote:
| Good news, there is a UI in v116.
|
| See: https://bugzilla.mozilla.org/show_bug.cgi?id=1837670
| SushiHippie wrote:
| Reposting my comment about this from the other discussion
| (https://news.ycombinator.com/item?id=36590507):
|
| I searched a bit through the documentation and code, and these
| were my findings. I thought I'd share them for others that are
| interested and for future reference.
|
| Currently, there are no domains blocked, they would appear on
| this API endpoint:
| https://firefox.settings.services.mozilla.com/v1/buckets/mai...
|
| This is the JSON schema for this API endpoint:
| https://firefox.settings.services.mozilla.com/v1/buckets/mai...
|
| More information on the remote settings in general:
| AMRemoteSettings Overview - quarantinedDomains:
| https://firefox-source-docs.mozilla.org/toolkit/mozapps/exte...
| Remote Settings documentation:
| https://remote-settings.readthedocs.io/en/latest/index.html
|
| Remote Settings DevTools - where you can see all the remote
| settings that get set:
| https://github.com/mozilla-extensions/remote-settings-devtoo...
|
| EDIT: Seems like there are many settings that already get
| automatically set via AMRemoteSettings (including search-engine
| configs, cert revocations, dns over https providers, password
| rules for specific domains, top-sites, URL tracking parameters to
| clean, etc.). We will see how this new setting will be used, it
| can be easily disabled (https://support.mozilla.org/en-
| US/kb/quarantined-domains) and you will get a warning if an Add-
| On is blocked from accessing the site. Also seems like there will
| be a UI for this in v116
| (https://bugzilla.mozilla.org/show_bug.cgi?id=1837670), where you
| can configure this better than just disabling this feature
| completely.
| Ycdr4thfdd wrote:
| > mozilla-employee-confidential
|
| With the exception of addressing critical security issues, why
| does an organization that positions itself as a leader in open
| source software make so many user-unfriendly decisions behind
| closed doors?
| indymike wrote:
| This would be a nice feature if the user can manage the
| restriction list. This is the kind of feature that will make the
| web a better place.
| MagicMoonlight wrote:
| So how much do I have to pay the foundation in order to make sure
| my ad-funded website can't be adblocked? Google has deep pockets.
| gpvos wrote:
| Mozilla must have introduced this feature for some reason, but
| the article doesn't talk about the possible negative consequences
| of disabling it.
| parker_mountain wrote:
| It's probably for "managed Firefox", which is when your IT
| department sets Firefox as the default browser. It lets them,
| for example, disable adblock on the internal company portal.
| Mordisquitos wrote:
| That would make perfect sense, but to be clear the primary
| motivation wouldn't be to specifically disable adblockers on
| the internal network. Rather, it would be to disable _any_
| extension on internal company domains, as an information
| security precaution.
| suprjami wrote:
| See analysis here:
| https://news.ycombinator.com/item?id=36590507
| xg15 wrote:
| Hang on, so the list of domains is pulled from an API
| endpoint? Meaning, it can change at any time, even without
| requiring an update to the browser?
|
| That would actually be far worse than a static list.
| lapcat wrote:
| This is crazy. Mozilla can remotely disable extensions on any
| domain that Mozilla chooses?
| https://bugzilla.mozilla.org/show_bug.cgi?id=1832791
|
| Apparently they're luring everyone into accepting this
| abomination by starting with an empty list, but what in the world
| is the motivation for this feature, and which domains do they
| intend to add??? "We don't know, we just thought it would be a
| good idea" is no explanation or justification.
|
| People are going to talk about "security" and "banking", but
| that's a load of crap. Just wait until your bank disables
| password autofill and paste on their site, and no extension can
| override it.
|
| I have no problem with letting the _user_ control the domains
| that an extension can access, but giving Mozilla remote control?
| No way.
| neilv wrote:
| Quoting #1832791:
|
| > _We need to have ability to set the list of quarantined
| domains remotely. [...] Filing as confidential for now, until
| we ship the system addon._
|
| A few questions:
|
| * Why would this be confidential? Was it compelled? Is it tied
| to a commercial deal?
|
| * If you ship a facility like this, does that lower the bar to
| being ordered to use it? (No excuse that it would be
| difficult/time-consuming/expensive to do, because it's already
| there, and the list can be updated easily?)
|
| * Can changes to this list be done quietly, or with less
| scrutiny than code changes? And by whom?
|
| * Can this be used in a way that targets individual people?
| BaseballPhysics wrote:
| Given you can just go override Firefox and enable disabled
| extensions, I'm not sure I understand the outrage. Then again,
| Mozilla does seem to attract a remarkable level of vitriol
| despite being one of the true stewards of an open internet...
| dotancohen wrote:
| > Given you can just go override Firefox and enable disabled
| extensions
|
| No, _you_ can just go override Firefox and enable disabled
| extensions. The average user can not do that.
|
| _I_ can bore out a V-8 0.030 over, choose a proper cam, match
| all my bearing clearances, assemble the thing balanced, and
| then tune 30% more power out of it than it came with from the
| factory. But not all automobile drivers can do that.
| BaseballPhysics wrote:
| I'm gonna wager by far the majority of people who will
| actually get affected or outraged by this have the
| technical wherewithal to click a little gear icon and re-
| enable an extension.
|
| Everyone else is running maybe uBlock and a privacy
| extension that their kid installed for them, and those will
| be whitelisted.
|
| This is a tempest in a teapot, just like every other
| "controversy" that Firefox finds themselves embroiled in.
| lapcat wrote:
| > I'm gonna wager by far the majority of people who will
| actually get affected
|
| We have no idea who will be affected, because Mozilla
| hasn't specified their plans for this "feature".
|
| > Everyone else is running maybe uBlock and a privacy
| extension that their kid installed for them, and those
| will be whitelisted.
|
| I'm an extension developer myself. I'm not ok with a
| world where a tiny number of lucky extensions get
| whitelisted, while _my_ extension and everyone else's
| extensions get silently, remotely disabled by Firefox.
| BaseballPhysics wrote:
| They literally wrote a blog post about how they're going
| to use this feature. In what way have they not "specified
| their plans"?
|
| > I'm an extension developer myself. I'm not ok with a
| world where a tiny number of lucky extensions get
| whitelisted, while my extension and everyone else's
| extensions get silently, remotely disabled by Firefox
|
| Ah, now I see the real concern.
|
| Honestly, I'm not that sympathetic. Extensions have
| always been a potential security liability and anything
| that protects less savvy users when accessing online
| banking or other sensitive services is a good thing.
|
| Heavy extension use is the hallmark of a power user.
| Power users can configure Firefox to enable these
| extensions (Mozilla has specifically said they plan to
| deliver more user controls in 116), so I personally don't
| see the problem.
| lapcat wrote:
| > They literally wrote a blog post about how they're
| going to use this feature. In what way have they not
| "specified their plans"?
|
| Which domains will be quarantined? And which extensions
| will be exempted?
|
| Everyone seems to be assuming "banking" with absolutely
| no evidence whatsoever. Mozilla hasn't said.
|
| There are countless banks in the world. Is Mozilla going
| to maintain a list of every banking web site?
|
| The fact is that nobody knows what the hell Mozilla is
| going to do with the quarantine list.
| BaseballPhysics wrote:
| So you assume the worst because you apparently don't
| trust them.
|
| I assume the best because I believe they have an
| exceptional track record.
|
| I see what they say and assume the best intentions.
|
| You look at what they don't say and assume the worst.
|
| I guess at this point we'll just see how it shakes out.
| thomasjb wrote:
| What's your boring setup?
| Barrin92 wrote:
| > Just wait until your bank disables password autofill and
| paste on their site, and no extension can override it
|
| that would be a fantastic day because autofill based on html/js
| hackery by extensions is one of the biggest security risks
| there is. It's why Extensions like Bitwarden caution you to
| have autofill turned on. Tavis Ormandy (security researcher)
| demonstrated this last year in a blog post
|
| https://lock.cmpxchg8b.com/passmgrs.html
| lapcat wrote:
| > autofill based on html/js hackery by extensions is one of
| the biggest security risks there is
|
| I think you misunderstood. I was talking about sites
| disabling built-in browser features.
| ygjb wrote:
| It's actually ok for you to feel that way! It's also ok for
| Mozilla to do this, because Mozilla aims to use this to protect
| users! The internet is already a yard full of rakes for folks,
| I appreciate things that make it easier for users to protect
| themselves online.
|
| Yes, the feature can be abused, but frankly, at least Firefox
| is an open source project, and there are methods that can be
| used to disable this feature, up to and including using or
| creating a new Firefox fork.
| xcdzvyn wrote:
| I'm happy to presume it wasn't your intent, but I thought I'd
| share that this reply comes across, to me at least, as pretty
| condescending and preachy.
| ygjb wrote:
| Nah, it was meant as preachy, but not necessarily
| condescending.
|
| It's absolutely important to challenge Mozilla and other
| open source projects, especially in this era of
| enshittification[1]; Mozilla and Firefox operate in a
| position of trust on behalf of their users.
|
| That said, the parent post positioned this as an
| abomination of a feature, but acknowledged it makes sense
| as a user feature. The ability to disable add-ons by domain
| is a great feature for user control, but it's functionally
| useless on its own as a mechanism to protect users.
|
| In order for that feature to actually protect users, you
| need a mechanism to turn it on and off remotely so that if
| a new threat is identified (or there is a serious
| regression in Firefox that makes specific extensions higher
| risk), that users don't need to act to do the right thing.
|
| This isn't a meaningful loss of user control, and I already
| said elsewhere that Mozilla should have communicated more
| about this new feature, but ultimately it's the right kind
| of feature.
|
| [1] https://pluralistic.net/tag/enshittification/
| ThePowerOfFuet wrote:
| >If one or more extensions installed in your web browser have
| been blocked by this new feature and you want to use those
| extensions, you can disable the new feature and re-enable those
| disabled extensions in Firefox.