Sometimes they should be. Consider CORS for example; Firefox will refuse to load some resources it's been instructed to load, and there's no way to make it load them without breaking other things, but this is completely uncontroversial. Enforcing security boundaries is a reasonable thing for a program to do.
Users should be treated with respect and given control over their own devices, while platforms should do their best to implement safe defaults, and educate users about the potential risks of certain actions.
CORS is a security directive set by sites over which users have full control through browser configuration and extensions.
And that's absolutely the right way to think about CORS. But what it actually does under the hood, the underlying behavior that makes CORS effective as a security directive, is:
* You instruct your computer to load site A. Site A has some scripts on it, so part of the process of loading site A is executing that Javascript code.
* The Javascript code instructs Firefox to display a resource from site B.
* Firefox refuses to display that resource, even though your website told it to, because it doesn't think displaying the resource would be safe.
I think that's also the right perspective here. Firefox won't run unsafe extensions, in the same way and for the same reasons as it won't run unsafe cross-origin requests.
Please do not label local extensions as inherently unsafe, it's extremely disingenuous to label software that has not been rubber-stamped by Mozilla as unsafe.
You keep bringing up CORS, but that is a security directive that can be disabled in Firefox. Even an essential security measure such as CORS is allowed to be disabled using extensions approved by Mozilla, opening users up to universal XSS by any site they visit.
In any case I don't think CORS is relevant in a discussion about Mozilla taking away user freedoms under the pretext of a threat model that falls apart once subjected to close scrutiny.
Maybe I'm missing something. As far as I know Firefox only allows you to disable a subset of CORS checks.
I just fundamentally don't agree that taking away extension functionality means taking away user freedoms. Even if Firefox developers are completely wrong about security, I have no moral right to make their project execute my code. My user freedom is to develop and run a modified version of the Firefox code, which Mozilla does allow by making Firefox free software.
And this I think is the crux of how FF has changed its no longer "here's a browser for you to have" it's "here's our browser, you can only use it like this".
This is how you get "we added an addon that you can't remove" and "we re-added icons to the toolbar that you removed" and now "we won't let you simply install any addon".
And presumably next year "only addons from the Mozilla walled-garden"? That seems to be the direction it's going.
Mozilla allow users to do stuff, you say. They used to be about enabling users. Only allowing things a user has a moral right to demand of you doesn't sound like FOSS.
Chrome has "--disable-web-security" command-line flag which disables CORS. They may start locking it to be only usable with "--user-data-dir" (see Chromium bug #327804) but that's a clear failsafe, not a limitation.
Firefox doesn't support anything like this. You don't have any control over its behavior, even if you may need this for some unconventional reason.