This dispute is because Tridactyl used to provide a function that users could choose to run that would change two of Firefox's settings (the kind you find in about:config). Changing these settings allows addons to run on e.g. addons.mozilla.org and accounts.firefox.org where they otherwise cannot. The change we made is the same change that several blogs had already talked about and suggested.
Here is a relevant Bugzilla thread that motivated the creation of the blacklist that we turned off, so you can see what Mozilla thinks: https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
A Mozilla employee informally asked us to remove this function for security reasons (and we did). Later, an AMO reviewer asked us to change users' Firefox config automatically to remove these settings. We would rather this were made an explicit choice for Tridactyl users and we're trying to negotiate a compromise with the reviewer.
This is the only plausible route to exploitation of this situation that I know of, assuming a user acting before we removed the fixamo command:
1. You manually install Tridactyl
2. You manually install our native messenger
3. You manually run a command called `fixamo` or you manually find and install our exemplar RC file that explicitly says at the top that you should read and customise it because it does things you might not like; and then you don't read or edit it
4. You also manually install a malicious addon
5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without Tridactyl's help) but does have permission for accounts.firefox.org
6. That addon can then steal your Firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).
My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.
---
Some people have opined that our documentation for the command was not explicit enough. My opinion is that it's good enough and about on par with other resources that talked about the same settings. It would be better if it was more explicit about the security risks, but we provided fairly complete information about what we were doing and a link to the source code.
This is the documentation we provided:
In the "Webextension caveats" section:
"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."
In the docstring for fixamo, partially displayed if you type fixamo in the commandline and also included in the help pages we encourage users to use with e.g. `:h fixamo`:
"Simply sets
"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""
in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."
You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a.
We also included a variant of the fixamo command in the exemplar .tridactylrc file (not used unless you have also installed the native messenger and also explicitly found, downloaded and installed the exemplar). This file includes this text at the top:
"Provided only as an example.
Do not install/run without reading through as you may be surprised by some of the settings."
And this text right above the fixamo line:
"Make Tridactyl work on more sites at the expense of some security"
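As an added example (not Tridactyl's own code), a small checker for the weakened state the fixamo docstring above describes: it parses user.js/prefs.js `user_pref` lines, reports whether the two prefs are set to the values fixamo wrote, and produces a copy with those lines removed so Firefox falls back to its defaults. The sample user.js is constructed.

```python
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# The two about:config prefs the fixamo docstring says were written via user.js,
# with the weakened values it set.
FIXAMO_PREFS: Dict[str, PrefValue] = {
    "privacy.resistFingerprinting.block_mozAddonManager": True,
    "extensions.webextensions.restrictedDomains": "",
}

# Matches one pref line in the user.js / prefs.js format: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _parse_value(raw: str) -> PrefValue:
    """Convert the JS literal on a user_pref line to a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {pref name: value} for every user_pref line in the file text."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def find_fixamo_prefs(text: str) -> List[Tuple[str, PrefValue]]:
    """List the fixamo prefs present in the file with the weakened value."""
    prefs = parse_prefs(text)
    return [(name, prefs[name]) for name, weak in FIXAMO_PREFS.items()
            if name in prefs and prefs[name] == weak]


def revert_fixamo(text: str) -> str:
    """Return the file text with the fixamo pref lines dropped (defaults restored)."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not (m and m.group(1) in FIXAMO_PREFS):
            kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample user.js; not taken from any real profile.
SAMPLE_USER_JS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("extensions.webextensions.restrictedDomains", "");
"""
```

Run `find_fixamo_prefs` on a profile's user.js to see whether the change is still in effect; `revert_fixamo` is the automatic removal the AMO reviewer asked for, applied to the file text.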