Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Firefox Mozilla The Internet

Mozilla To Stop Supporting Sideloaded Extensions In Firefox (zdnet.com) 34

An anonymous reader quotes a report from ZDNet: Mozilla has announced today plans to discontinue one of the three methods through which extensions can be installed in Firefox. Starting next year, Firefox users won't be able to install extensions by placing an XPI extension file inside a special folder inside a user's Firefox directory. The method, known as sideloading, was initially created to aid developers of desktop apps. In case they wanted to distribute a Firefox extension with their desktop app, the developers could configure the app's installer to drop a Firefox XPI extension file inside the Firefox browser's folder.

This method has been available to Firefox extension developers since the browser's early days. However, today, Mozilla announced plans to discontinue supporting sideloaded extensions, citing security risks. Mozilla plans to stop supporting this feature next year in a two-phase plan. The first will take place with the release of Firefox 73 in February 2020. Firefox will continue to read sideloaded extensions, but they'll be slowly converted into normal add-ons inside a user's Firefox profile, and made available in the browser's Add-ons section. By March 2020, with the release of Firefox 74, Mozilla plans to completely remove the ability to sideload an extension. By that point, Mozilla hopes that all sideloaded extensions will be moved inside users' Add-ons section.

This discussion has been archived. No new comments can be posted.

Mozilla To Stop Supporting Sideloaded Extensions In Firefox

Comments Filter:
  • by BAReFO0t ( 6240524 ) on Friday November 01, 2019 @08:16AM (#59369378)

    No, Mozilla. You can't do shit. It's open source. It is MY computer! And you are not our master. You are an asshole. Your for-profit closed-source business origins are showing.

    I'm already patching out a lot of your bullshit, which is thankfully very easy on Gentoo. (Just put the patch in /etc/portage/patches/www-client/firefox/.)

    I will just adapt my patch which already removes you disabling which extensions I can install.

    And the only reason I'm still using Firefox, is because you are the only ones still keeping up with Google's deliberate killer pace, while not being Google.
    This changes, when you are just like them.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Friday November 01, 2019 @08:18AM (#59369384)
      Comment removed based on user account deletion
      • by doom ( 14564 )

        I can't figure out what's supposed to be so deceptive and misleading here. This is from the mozilla announcement itself:

        Sideloading is a method of installing an extension in Firefox by adding an extension file to a special location using an executable application installer. This installs the extension in all Firefox instances on a computer.

        Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager.

        • Simple before/after comparison.

          New versions / After the change :

          - A user can download an web extensions from Mozilla Extensions website
          - A user can click and open an .XPI file, that was manually downloaded from a website (e.g.: Github)

          Notice how both of the above require user interaction and therefore under user control.

          Old versions / Before the change:
          (same as above and additionally)

          - A software installer can drop a .XPI file in a specific directory and then Firefox will automagical

        • Comment removed based on user account deletion
      • So yeah, my patch is already factually removing that "protection".
        (It's just a config setting, and the optional removal of the code doing the blocking.)

    • They are some good ones out there. Improved spelling and grammar checking, Ad blocking, Basically an extension that works with all web site. However ones I am weary of are ones which allows Firefox to display non-Stanard HTML elements. Flash, Silver Light, and the other security holes in your system. Because a web developer was too lazy to code in HTML 5.

      Having extensions installed from placing a file into a folder, is just scary. It is like IE6 with Active X. Where malware can be installed simply by th
    • They aren't and never were disabling the ability to install extensions you want. What they are disabling is your ability to install extensions without opening the browser. IE by copying them straight to firefox's directory. If you want to load them straight from a website, or add the extension in firefox... go to town. Honestly I fully see why they did this, I'd say it's safe to estimate 99.99% of extensions installed this way, were not installed by choice, rather by some other program that either adds with
      • by doom ( 14564 )

        They aren't and never were disabling the ability to install extensions you want. What they are disabling is your ability to install extensions without opening the browser.

        Which means if I want to ship an extension via the system's package management, I've got problems, don't I?

        In recent years firefox has been on this kick to protect us from our own hard-drives, as though there's something inherently better about trusting crap off of the web.

    • Reading the blog post: "It is about removing an attack vector." What it doesn't say is that the logic behind 'removing all attack vectors' must conclude with : "All plugins verified by Mozilla". Yes, it seems alarmist, but it just the logical conclusion of this perception of the problem. The logic: There are attack vectors, we must eliminate them one by one. I can't conceive another conclusion other than 'in the end, we are the source for truth'. It would be alarmist, except recent history shows that it
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Friday November 01, 2019 @08:16AM (#59369380)
    Comment removed based on user account deletion
    • by Junta ( 36770 )

      So I was unable to find at a glance whether I can sign my own XPI if I were so inclined:
      "Regardless of the sideloading method used, you must prepare the add-on as follows:"
      "Sign the add-on in addons.mozilla.org (AMO)."

      The first person to point out this is how they were doing it to desktop deployments was told to use Windows Group Policies, but nothing about OSX or Linux.

      They needed to be very crisp about other ways to do it if they have an equivalent.

      It was deficient that the extensions would exist without

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Friday November 01, 2019 @08:38AM (#59369420)
        Comment removed based on user account deletion
        • by Junta ( 36770 )

          Are you able to install your own certificates? In other words, if I had an add-on I wanted to keep *completely* in house without mozilla ever seeing it and sign it myself instead, is it possible?

          • If you're keeping extensions in house, I'm guessing that Mozilla would recommend that you use Firefox ESR (which gets updated annually instead of every few weeks).

            • >"If you're keeping extensions in house, I'm guessing that Mozilla would recommend that you use Firefox ESR (which gets updated annually instead of every few weeks)."

              Actually, ESR gets updated almost as much as the other branches. But it doesn't change functionality with those updates. No features are added or removed. So the updates consist only of bug fixes and security patches. The idea is that it isn't constantly breaking compatibility and requiring retesting with stuff.

          • Comment removed (Score:4, Informative)

            by account_deleted ( 4530225 ) on Friday November 01, 2019 @09:51AM (#59369550)
            Comment removed based on user account deletion
    • by slack_justyb ( 862874 ) on Friday November 01, 2019 @08:44AM (#59369438)

      The headline is misleading, if not completely false

      This is absolutely correct, this is on purpose misleading just to incite people to get angry for no absolute reason. The method that is being removed is an incredible old method for side-loading that was around shortly after Firefox 4 back when Mozilla was priming for Prism [mozilla.org] and going the way of Firefox OS [wikipedia.org]. That was way back when people thought they would be writing desktop applications using XUL. Side loading by the vast majority of users does not use this method.

      Firefox will continue to have the ability to sideload .XPI files using "Install Add-on From File" within the extensions manager.

      Exactly. Mozilla is still supporting side loading, just not side loading via this old ass method. The headline for this article is pure bullshit, is completely hyped up to get people angry when they need not to be, and is a fucking disgrace to the term "news". This is complete garbage.

      • Exactly. Mozilla is still supporting side loading, just not side loading via this old ass method. The headline for this article is pure bullshit, is completely hyped up to get people angry when they need not to be, and is a fucking disgrace to the term "news". This is complete garbage.

        I see you've never heard of clickbait before. Unfortunately, that's what news is these days, just a bunch of hyperbolic shit.

  • This method was often used for an organization that uses Firefox as an organizational browser and has a base set of required extensions that need to be installed. Previously, admins could just drop an XPI into a well-known place in the filesystem and Firefox would load that XPI for every user that uses firefox. Also, this location would not be non-superuser writeable by default. With the new system, you can only install extensions with user interaction. Now users can choose not to install user required ext
  • Some time ago, gab.ai (aka "nazi twitter", though that's perhaps unfair) established an addon called "Dissenter". This addon allows people to comment on any article- anyone running the addon will see other comments from other users of the addon.

    Dissenter, like Gab, is a free speech platform- meaning that all the rabble that have been kicked out of every other space gather there. Which means you'll find, well, exactly what you expect there. Free speech is absolutely not tolerated by Mozilla and Chrome (or

    • by cfalcon ( 779563 )

      Ehhh, I just read more of this. I think you'd still be able to install it by shoving it into your profile directory or something. If that's the case, then I have no such concern. I think the summaries of this I've seen have been overly hyperbolic, unless I'm missing something.

    • Comment removed based on user account deletion

Avoid strange women and temporary variables.

Working...