Hacker News new | past | comments | ask | show | jobs | submit login

But I think Chrome’s example clearly shows why they feel they have to do this. The average user doesn’t understand extensions the same way you do; to them, Firefox is Firefox no matter how many bells and whistles are added on. So it’s a serious reputational risk that Mozilla currently allows unsafe code to run in an official Firefox release.

edit: Like, look at your second link. The extension was running remote code loaded from a third-party site! I'm sure you see why Mozilla can't just let that happen.




Chrome's example clearly shows that having secure default options, while also giving users more control and educating them about possible drawbacks, is a viable alternative to restricting user freedoms and keeping users ignorant.

The extension was running remote code from Google Translate. The extension's author could no longer run a safe, unlisted extension in their own browser. Mozilla should have no business in what code people run in their own browsers, when that code was distributed outside of Mozilla services.

This is esentially arguing that user scripts, and the extensions which enable them, should be banned too.


Sometimes they should be. Consider CORS for example; Firefox will refuse to load some resources it's been instructed to load, and there's no way to make it load them without breaking other things, but this is completely uncontroversial. Enforcing security boundaries is a reasonable thing for a program to do.


Users should be treated with respect and given control over their own devices, while platforms should do their best to implement safe defaults, and educate users about the potential risks of certain actions.

CORS is a security directive set by sites over which users have full control through browser configuration and extensions.


And that's absolutely the right way to think about CORS. But what it actually does under the hood, the underlying behavior that makes CORS effective as a security directive, is:

* You instruct your computer to load site A. Site A has some scripts on it, so part of the process of loading site A is executing that Javascript code.

* The Javascript code instructs Firefox to display a resource from site B.

* Firefox refuses to display that resource, even though your website told it to, because it doesn't think displaying the resource would be safe.

I think that's also the right perspective here. Firefox won't run unsafe extensions, in the same way and for the same reasons as it won't run unsafe cross-origin requests.


Please do not label local extensions as inherently unsafe, it's extremely disingenuous to label software that has not been rubber-stamped by Mozilla as unsafe.

You keep bringing up CORS, but that is a security directive that can be disabled in Firefox. Even an essential security measure such as CORS is allowed to be disabled using extensions approved by Mozilla, opening users up to universal XSS by any site they visit.

In any case I don't think CORS is relevant in a discussion about Mozilla taking away user freedoms under the pretext of a threat model that falls apart once subjected to close scrutiny.


Maybe I'm missing something. As far as I know Firefox only allows you to disable a subset of CORS checks.

I just fundamentally don't agree that taking away extension functionality means taking away user freedoms. Even if Firefox developers are completely wrong about security, I have no moral right to make their project execute my code. My user freedom is to develop and run a modified version of the Firefox code, which Mozilla does allow by making Firefox free software.


And this I think is the crux of how FF has changed its no longer "here's a browser for you to have" it's "here's our browser, you can only use it like this".

This is how you get "we added an addon that you can't remove" and "we re-added icons to the toolbar that you removed" and now "we won't let you simply install any addon".

And presumably next year "only addons from the Mozilla walled-garden"? That seems to be the direction it's going.

Mozilla allow users to do stuff, you say. They used to be about enabling users. Only allowing things a user has a moral right to demand of you doesn't sound like FOSS.


> Consider CORS

Chrome has "--disable-web-security" command-line flag which disables CORS. They may start locking it to be only usable with "--user-data-dir" (see Chromium bug #327804) but that's a clear failsafe, not a limitation.

Firefox doesn't support anything like this. You don't have any control over its behavior, even if you may need this for some unconventional reason.


Or just have an about:config option that allows users to decide.

Why can't Mozilla treat their users as arbiter of what the use may do? They really don't have to decide for users what the only allowable extensions are; they could just advise rather than dictate.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: