Mozilla To Stop Supporting Sideloaded Extensions In Firefox (zdnet.com)
An anonymous reader quotes a report from ZDNet: Mozilla has announced today plans to discontinue one of the three methods through which extensions can be installed in Firefox. Starting next year, Firefox users won't be able to install extensions by placing an XPI extension file inside a special folder inside a user's Firefox directory. The method, known as sideloading, was initially created to aid developers of desktop apps. In case they wanted to distribute a Firefox extension with their desktop app, the developers could configure the app's installer to drop a Firefox XPI extension file inside the Firefox browser's folder.
This method has been available to Firefox extension developers since the browser's early days. However, today, Mozilla announced plans to discontinue supporting sideloaded extensions, citing security risks. Mozilla plans to stop supporting this feature next year in a two-phase plan. The first will take place with the release of Firefox 73 in February 2020. Firefox will continue to read sideloaded extensions, but they'll be slowly converted into normal add-ons inside a user's Firefox profile, and made available in the browser's Add-ons section. By March 2020, with the release of Firefox 74, Mozilla plans to completely remove the ability to sideload an extension. By that point, Mozilla hopes that all sideloaded extensions will be moved inside users' Add-ons section.
Bullshit power grab. (Score:4, Funny)
No, Mozilla. You can't do shit. It's open source. It is MY computer! And you are not our master. You are an asshole. Your for-profit closed-source business origins are showing.
I'm already patching out a lot of your bullshit, which is thankfully very easy on Gentoo. (Just put the patch in /etc/portage/patches/www-client/firefox/.)
I will just adapt my patch which already removes you disabling which extensions I can install.
And the only reason I'm still using Firefox, is because you are the only ones still keeping up with Google's deliberate killer pace, while not being Google.
This changes, when you are just like them.
Re:Bullshit power grab. (Score:5, Insightful)
Slashdot is lying to you (or rather, repeating ZDNet's false headline.) Firefox is not removing sideloading, it's removing a non-obvious way to add extensions that existed only to make things easier to develop certain types of desktop application. So "your patch" isn't going to "remove (Mozilla) disabling which extensions (you) can install".
Re: (Score:2)
I can't figure out what's supposed to be so deceptive and misleading here. This is from the mozilla announcement itself:
Before/After compare (Score:3)
Simple before/after comparison.
New versions / After the change :
- A user can download a web extension from the Mozilla Extensions website
- A user can click and open an .XPI file that was manually downloaded from a website (e.g.: GitHub)
Notice how both of the above require user interaction and therefore under user control.
Old versions / Before the change:
(same as above and additionally)
- A software installer can drop a .XPI file in a specific directory and then Firefox will automagical
Re: (Score:2)
Your translation is reasonable, however it's also incomplete.
Sideloading is a common technical term for allowing people to add software to a system without involving the system vendor. For example, sideloading an Android app means downloading an APK and installing it without using the Play store.
Mozilla's announcement is misleading, though not as misleading as the headline to this article. They're using the word "sideloading" as a shorthand for a specific method of sideloading. While this is almost jus
Firefox already blocks "arbitrary" extension insta (Score:2)
So yeah, my patch is already factually removing that "protection".
(It's just a config setting, and the optional removal of the code doing the blocking.)
Re: (Score:2)
this is about extensions which are different to add-ons
Could you please explain to us, then, why the "Extensions" hyperlink on this page by Mozilla [mozilla.org] leads to a page titled "Addons"?
Extensions are native x86 code running inside the browser process, like Flash.
And yet, this other page by Mozilla [mozilla.org] calls them "plugins".
Re: (Score:2)
It's all very confused. I think I was confused actually, they seem to be talking about add-ons but calling them extensions.
I give up.
Re:Bullshit power grab. (Score:5, Informative)
If you load up Firefox you'll find out what the terminology is.
In Firefox, "Add ons" covers both "extensions" and "plug-ins", as well as "themes".
Extensions are those XML bundles that XPI files contain. Adblock Plus, No Script, YouTube Downloader Deluxe Pro Not Malware Edition 7, and Greasemonkey are examples of extensions.
Plug-ins are the binary things you're talking about, like Flash, that Java thing that Slashdotters think is all Java is ever used for, and also Widevine, OpenH264, etc, are examples of plug-ins.
Themes are themes, you know, color schemes. Does anyone use these? I don't.
Anywho, yes, they're talking about extensions which are the XML files in XPI files, not plug-ins.
And none of this changes the fact the GP was fooled by a (deliberately?) false headline by ZDNet that Slashdot mindlessly copied. Firefox is not removing sideloading.
Re:Bullshit power grab. (Score:4, Insightful)
Your points are good ones, but I think you misunderstood Mozilla's terminology. "Add-ons" is a blanket term Mozilla uses for any modular component that can be added to Firefox - examples of add-ons are extensions, plugins, search engines, dictionaries, themes and language packs. The native code objects you're thinking of are termed "plugins", whereas "extensions" are actually the more commonly-used things that you were calling add-ons.
The thing being discussed in the article actually has nothing to do with plugins such as Flash, but rather is about Mozilla removing a specific vector that was being used by other applications to secretly install extensions onto Firefox without the users' permission (and worse - the users can't remove these extensions from the add-on manager). So the removal of sideloading is a good thing. Users can still install their own extensions manually without involving Mozilla (that isn't what "sideloading" refers to in this context) - the change is that other applications running on your computer can't install extensions onto your browser without your consent any more.
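For an administrator who wants to inventory XPI files that other applications have left in a directory (the vector described in the comment above), here is an added example; it is not part of the thread or Mozilla's code. The directory to scan is supplied by the caller because the thread does not name it, the WebExtension `manifest.json` layout is assumed, and the sample files and ids are constructed.

```python
import json
import tempfile
import zipfile
from pathlib import Path

# Members a Mozilla-signed XPI carries in META-INF/. Only presence is checked;
# this does not verify the signature.
SIGNATURE_MEMBERS = {"META-INF/mozilla.rsa", "META-INF/cose.sig"}

def inspect_xpi(xpi_path):
    """Summarise one XPI (a ZIP archive): extension id, permissions, signature files."""
    with zipfile.ZipFile(xpi_path) as xpi:
        names = set(xpi.namelist())
        manifest = json.loads(xpi.read("manifest.json")) if "manifest.json" in names else {}
    # WebExtension id lives under browser_specific_settings (older: applications).
    settings = manifest.get("browser_specific_settings") or manifest.get("applications") or {}
    return {
        "file": Path(xpi_path).name,
        "id": settings.get("gecko", {}).get("id"),
        "permissions": manifest.get("permissions", []),
        "has_signature_files": bool(names & SIGNATURE_MEMBERS),
    }

def audit_dir(directory):
    """Inspect every .xpi below directory; unreadable files are reported, not skipped."""
    findings = []
    for path in sorted(Path(directory).rglob("*.xpi")):
        try:
            findings.append(inspect_xpi(path))
        except (zipfile.BadZipFile, ValueError) as exc:
            findings.append({"file": path.name, "error": type(exc).__name__})
    return findings

def build_sample_dir(directory):
    """Constructed sample data: a signed-looking XPI, an unsigned one, a corrupt one."""
    def make(name, ext_id, perms, members=()):
        manifest = {"manifest_version": 2, "name": name, "version": "1.0", "permissions": perms,
                    "browser_specific_settings": {"gecko": {"id": ext_id}}}
        with zipfile.ZipFile(Path(directory) / name, "w") as xpi:
            xpi.writestr("manifest.json", json.dumps(manifest))
            for member in members:
                xpi.writestr(member, b"placeholder, not a real signature")
    make("signed.xpi", "signed@example.invalid", ["storage"], ["META-INF/mozilla.rsa"])
    make("unsigned.xpi", "dropped@example.invalid", ["<all_urls>", "tabs"])
    (Path(directory) / "broken.xpi").write_bytes(b"not a zip archive")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:  # stand-in for a directory under audit
        build_sample_dir(sample)
        for finding in audit_dir(sample):
            print(finding)
```

An XPI without signature files and with broad permissions such as `<all_urls>` is the kind of finding worth tracing back to the installer that placed it.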
Re: (Score:1)
the users can't remove these extensions from the add-on manager
Then why not just make it available for consumers to remove these extensions from the add-on manager? Why get rid of a tool?
Re: (Score:2)
The app maker can still deliver their code, just through the front door, not through a hacky backdoor.
Re: (Score:3)
First, this is about extensions which are different to add-ons. Extensions are native x86 code running inside the browser process, like Flash. Second, you can still use them, you just won't be able to load them in this particular way. The most common use is for antivirus apps to install some crapware extension that is supposed to protect you but is actually full of security holes. The second most common use is malware. AV software will be better served using add-ons. Flash is dead and the only other extension most people care about is for DRM infected media playback on Netflix etc, which comes installed with the browser anyway.
Please report the above post as a victim of mod abuse. There is nothing about this post that is a Troll. If anything it should be modded +1, Informative.
I am weary of extensions. (Score:2)
Having extensions installed from placing a file into a folder, is just scary. It is like IE6 with Active X. Where malware can be installed simply by th
Re: (Score:2)
Which means if I want to ship an extension via the system's package management, I've got problems, don't I?
In recent years firefox has been on this kick to protect us from our own hard-drives, as though there's something inherently better about trusting crap off of the web.
Re: (Score:2)
Nope. This sentence has nothing to do with what's being proposed here. Again you can load your own XPI files from your own hard drive. What can't happen is a third party application can't insta
BEFORE ANYONE COMMENTS (Score:5, Informative)
The headline is misleading, if not completely false. They're removing one of two ways to sideload an extension. The way they're removing is the less obvious way, and only existed to help people who wanted to embed Firefox in their desktop applications.
Firefox will continue to have the ability to sideload .XPI files using "Install Add-on From File" [extensionworkshop.com] within the extensions manager.
Re: (Score:2)
So I was unable to find at a glance whether I can sign my own XPI if I were so inclined:
"Regardless of the sideloading method used, you must prepare the add-on as follows:"
"Sign the add-on in addons.mozilla.org (AMO)."
The first person to point out this is how they were doing it to desktop deployments was told to use Windows Group Policies, but nothing about OSX or Linux.
They needed to be very crisp about other ways to do it if they have an equivalent.
It was deficient that the extensions would exist without
Re:BEFORE ANYONE COMMENTS (Score:5, Informative)
You can use unsigned XPIs in the developers edition of Firefox, ESR, or the nightlies. You have to flip one flag, xpinstall.signatures.required, in about:config but otherwise the process is pretty good.
The developers edition is almost identical to the regular version, and is updated along the same schedule, so if unsigned XPIs are something you need, it's a good choice.
That said, the signing process for unlisted XPIs is pretty much automated, so it's going to be a fairly obscure set of circumstances in which you must use any of the three versions of Firefox I mentioned.
Re: (Score:2)
Are you able to install your own certificates? In other words, if I had an add-on I wanted to keep *completely* in house without mozilla ever seeing it and sign it myself instead, is it possible?
Firefox ESR for in-house extensions (Score:2)
If you're keeping extensions in house, I'm guessing that Mozilla would recommend that you use Firefox ESR (which gets updated annually instead of every few weeks).
Re: (Score:2)
>"If you're keeping extensions in house, I'm guessing that Mozilla would recommend that you use Firefox ESR (which gets updated annually instead of every few weeks)."
Actually, ESR gets updated almost as much as the other branches. But it doesn't change functionality with those updates. No features are added or removed. So the updates consist only of bug fixes and security patches. The idea is that it isn't constantly breaking compatibility and requiring retesting with stuff.
Re:BEFORE ANYONE COMMENTS (Score:4, Informative)
That isn't the same question! (I have no idea if you can install custom certs for extension signing, I assume not, and Mozilla doesn't document the process) but again, look at my answer. Yes, you can, but you have to use a specific edition of Firefox (Developer or ESR, or a nightly if you're brave.) You can also use unbranded builds.
If you just want them with a browser more or less the same as the one you use, unbranded Firefox might be the way to go [mozilla.org], they're identical to Firefox (yes, release editions are available), but lack Mozilla branding.
There is very little functional difference between Firefox Developer Edition and regular Firefox beyond the former having various flags you can tweak, some additional tools that you can ignore, and it having some features before regular Firefox. You can read more about the differences here [howtogeek.com] and download it here [mozilla.org].
Basically the logic is "You can use Firefox with anything you want, but if you want the defaults, they make it harder for someone to hack your browser, including you." Which seems a reasonable compromise. It feels a little like the "Developer button" on Chromebooks.
Re:BEFORE ANYONE COMMENTS (Score:5, Insightful)
The headline is misleading, if not completely false
This is absolutely correct, this is on purpose misleading just to incite people to get angry for no absolute reason. The method that is being removed is an incredibly old method for side-loading that was around shortly after Firefox 4 back when Mozilla was priming for Prism [mozilla.org] and going the way of Firefox OS [wikipedia.org]. That was way back when people thought they would be writing desktop applications using XUL. Side loading by the vast majority of users does not use this method.
Firefox will continue to have the ability to sideload .XPI files using "Install Add-on From File" within the extensions manager.
Exactly. Mozilla is still supporting side loading, just not side loading via this old ass method. The headline for this article is pure bullshit, is completely hyped up to get people angry when they need not to be, and is a fucking disgrace to the term "news". This is complete garbage.
Re: (Score:2)
Exactly. Mozilla is still supporting side loading, just not side loading via this old ass method. The headline for this article is pure bullshit, is completely hyped up to get people angry when they need not to be, and is a fucking disgrace to the term "news". This is complete garbage.
I see you've never heard of clickbait before. Unfortunately, that's what news is these days, just a bunch of hyperbolic shit.
Another block for admin control of their systems (Score:2)
Re: (Score:2)
I seriously doubt any admins are going to lose sleep over this: if anything, it'll be the exact opposite - there's one less vector for malware to infiltrate an organization. I can't imagine why an organization would host a web application that requires a Firefox extension (not even a plugin, an extension!) to be used: that would tie the application to Firefox, which would be an even stranger corporate decision than tying it to Internet Explorer.
The only serious reason I can think of why an admin might not
How does this affect "Dissenter"? (Score:2)
Some time ago, gab.ai (aka "nazi twitter", though that's perhaps unfair) established an addon called "Dissenter". This addon allows people to comment on any article- anyone running the addon will see other comments from other users of the addon.
Dissenter, like Gab, is a free speech platform- meaning that all the rabble that have been kicked out of every other space gather there. Which means you'll find, well, exactly what you expect there. Free speech is absolutely not tolerated by Mozilla and Chrome (or
Re: (Score:2)
Ehhh, I just read more of this. I think you'd still be able to install it by shoving it into your profile directory or something. If that's the case, then I have no such concern. I think the summaries of this I've seen have been overly hyperbolic, unless I'm missing something.
Re: (Score:2)
Merits of Dissenter aside, this move makes no difference whatsoever. You can install any XPI file by going to Hamburger->Add-ons (or CTRL-SHIFT-A), clicking on the gear icon, and selecting "Install Add-on from file".
This announcement, despite the misleading headline, is about preventing third parties from secretly installing extensions by dropping them in a special directory, a feature that was never supposed to exist (for that purpose) but was a side effect of an early Mozilla project to create a ver