Apparently they're luring everyone into accepting this abomination by starting with an empty list, but what in the world is the motivation for this feature, and which domains do they intend to add??? "We don't know, we just thought it would be a good idea" is no explanation or justification.
People are going to talk about "security" and "banking", but that's a load of crap. Just wait until your bank disables password autofill and paste on their site, and no extension can override it.
I have no problem with letting the user control the domains that an extension can access, but giving Mozilla remote control? No way.
> We need to have ability to set the list of quarantined domains remotely. [...] Filing as confidential for now, until we ship the system addon.
A few questions:
* Why would this be confidential? Was it compelled? Is it tied to a commercial deal?
* If you ship a facility like this, does that lower the bar to being ordered to use it? (No excuse that it would be difficult/time-consuming/expensive to do, because it's already there, and the list can be updated easily?)
* Can changes to this list be done quietly, or with less scrutiny than code changes? And by whom?
* Can this be used in a way that targets individual people?
Yes, the feature can be abused, but frankly, at least Firefox is an open source project, and there are methods that can be used to disable this feature, up to and including using or creating a new Firefox fork.
It's absolutely important to challenge Mozilla and other open source projects, especially in this era of enshittification[1]; Mozilla and Firefox operate in a position of trust on behalf of their users.
That said, the parent post positioned this as an abomination of a feature, but acknowledged it makes sense as a user feature. The ability to disable add-ons by domain is a great feature for user control, but it's functionally useless on it's own as a mechanism to protect users.
In order for that feature to actually protect users, you need a mechanism to turn it on and off remotely so that if a new threat is identified (or there is a serious regression in Firefox that makes specific extensions higher risk), that users don't need to act to do the right thing.
This isn't a meaningful loss of user control, and I already said elsewhere that Mozilla should have communicated more about this new feature, but ultimately it's the right kind of feature.
So open source that the first thing they did was marking the ticket as confidential.
> Given you can just go override Firefox and enable disabled extensions
_I_ can bore out a V-8 0.030 over, choose a proper cam, match all my bearing clearances, assemble the thing balanced, and then tune 30% more power out of it than it came with from the factory. But not all automobile drivers can do that.
Everyone else is running maybe uBlock and a privacy extension that their kid installed for them, and those will be whitelisted.
This is a tempest in a teapot, just like every other "controversy" that Firefox finds themselves embroiled in.
I did.
> they talk about making the list user configurable.
As I said, "I have no problem with letting the user control the domains that an extension can access". Indeed, Safari already has this feature.
Funny how Mozilla implemented the remote kill switch before they implemented the user control, though. Also, AFAIK neither Safari nor Chrome has a remote domain list kill switch, so it's unclear what "security" problem it's supposed to solve.
that would be a fantastic day because autofill based on html/js hackery by extensions is one of the biggest security risks there is. It's why Extensions like Bitwarden caution you to have autofill turned on. Tavis Ormandy (security researcher) demonstrated this last year in a blog post
I think you misunderstood. I was talking about sites disabling built-in browser features.
I think we can all agree that restricting uBlock from working on YouTube probably isn't going to happen, and you might want some restrictions on addons accessing all data on a banking website.
But where did they draw the line? Is someone still allowed to publish an addon which fixes the interface of an absolutely broken banking website, or which allows you to liberate your own data? Will that only be allowed through vetting? What about things like Dark Mode addons which have access to all websites? Is it possible to explicitly request to be included in the allowlist?
I am not against it on principle, but we're missing a loooot of information right now to decide whether this is actually a good thing.
I’m pretty stoked for this. Every time I install an extension I wonder what’s going to happen to my banking info if an update ever gets hijacked. This is a much better solution than turning all my extensions off and on when I visit financial websites.
Extensions already contain a whitelist of what domains they are allowed to interact with. It's shown when you first install the extension and at any time you can see it later by looking at the extension in the settings.
Mozilla gets paid by Google, and Google is experimenting with blocking adblockers on youtube so... no. I don't agree with you.
And why did they mark this matter as employee confidential, if they're not plotting something shady?
I might want to be control of that myself rather than having Mozilla trying to index all banking websites in the world and not being able to use accessibility tools on those they found
Give me full control of all features or I go elsewhere.
That's what's happening here. A feature for which the UX is still in development, and until then, interested users can manage it via the about:config page.
Should I read their own post again?
Why not ask user first? "Do you want to disable add-on not monitored by Mozilla on this specific site?".
Also, how many times users asks about this functionality? "I want Mozilla to monitor add-ons installed on my browser and disable it on some websites, when Mozilly want it" - surelly most of the users wants this.
edit: I misread that ticket. It's about allowing school/company IT to disable the feature, not to allow them to use it.
I think the feature's simply not finished yet, and that in the future this list is going to come pre-loaded with government and banking domains.
That would actually be far worse than a static list.
Preventing the random extension I installed from hijacking my bank login page is good! Giving Mozilla the ability to disable my adblocker or NoScript on an arbitrary domain list that they can update remotely is scary!
A blog post with Mozilla's plans for the feature, what they're implementing to limit abuse on Mozilla's side, and how users can opt out would make this a non-issue. It's nuts that the mozilla bug tracker is the best source for laypeople to get info on this.
So the ability for the web browser to arbitrarily add and remove features from the browser is scary? Just asking because there is a massive security trade-off and the intersection of a number of threat models in this comment.
Do you trust the platform you use to download and execute arbitrary code (that is, web content) to automatically update itself?
If not, how do you balance the lack of automated updates against the need to keep software up to date to prevent exploit of known vulnerabilities?
If so, how do you distinguish the ability to download and execute new code that could remove or suppress the features you choose from the ability to enable and disable add-ons/extensions?
There could have been better communication on this, but describing the feature as scary tells me you don't really understand the threat model around your use of a web browser, and may not be asking the right questions or considering the actual threats.
The "quarantined domains" are the contents of extensions.quarantinedDomains.list, which defaults to empty. So, this has to be some sort of enterprise feature.
There is consideration to allow enterprises to disable this feature though: https://bugzilla.mozilla.org/show_bug.cgi?id=1834985
edit: fixed 2nd link description.
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1745823 https://bugzilla.mozilla.org/show_bug.cgi?id=1834825
With the exception of addressing critical security issues, why does an organization who positions themselves as a leader of open source software make so many user-unfriendly decisions behind closed doors?
I searched a bit through the documentation and code, and these were my findings. I thought I'd share them for others that are interested and for future reference.
Currently, there are no domains blocked, they would appear on this API endpoint: https://firefox.settings.services.mozilla.com/v1/buckets/mai...
This is the JSON schema for this API endpoint: https://firefox.settings.services.mozilla.com/v1/buckets/mai...
More information on the remote settings in general: AMRemoteSettings Overview - quarantinedDomains: https://firefox-source-docs.mozilla.org/toolkit/mozapps/exte... Remote Settings documentation: https://remote-settings.readthedocs.io/en/latest/index.html
Remote Settings DevTools - where you can see all the remote settings, that get set: https://github.com/mozilla-extensions/remote-settings-devtoo...
EDIT: Seems like there are many settings that already get automatically set via AMRemoteSettings (including search-engine configs, cert revocations, dns over https providers, password rules for specific domains, top-sites, URL tracking parameters to clean, etc.). We will see how this new setting will be used, it can be easily disabled (https://support.mozilla.org/en-US/kb/quarantined-domains) and you will get a warning if an Add-On is blocked from accessing the site. Also seems like there will be a UI for this in v116 (https://bugzilla.mozilla.org/show_bug.cgi?id=1837670), where you can configure this better than just disabling this feature completely.
https://www.askvg.com/fix-some-extensions-are-not-allowed-in...