Thanks for this. I want to say that it’s all a bad choice from Mozilla and rant, but instead I want to understand the threat model they’re considering. Extensions do get a lot of access to the browser, and may also use side-channels[1] to work around inaccessible APIs. From a brief look at the linked discussions, I grok that they’re thinking about malware with admin privileges installing the add-on. Is it likely that some malware only has access to “side-load addons” and nothing more? If not, then can’t it just install a keylogger, network monitor, etc.? I can’t find better answers other than my speculations.
[1]: Not that I have one such exploit, but even without access to “tabs” permissions, extensions can still query the status of tabs, run benchmark processes, and add context menus with various “filters” such as right click on a text or image. Sure this doesn’t give direct access to data, but timing attacks and such should be possible.
I agree that having a discussion on the actual threat model Mozilla is working with is the best way to approach this issue.
Mozilla is trying to defend against malware or adware with root access on the device.
Malware with root access can do what it wants, including just replacing the Firefox executable, keylogging, taking screenshots, intercepting traffic, or patching Firefox in any number of ways.
Adware can legally do the same if users give consent. Most antivirus software in fact injects code and is capable of controlling processes, they also intercept traffic to monitor for threats.
If both malware and adware can do essentially what they want on the device, then we are left with how this change affects users.
Users can install a different browser, or patch Firefox, but it becomes prohibitive for regular users to control their own browsers if they choose to continue using Firefox, because they lack the expertise to make the necessary changes.
Disallowing local extensions at all costs in Firefox has minimal security benefits, while greatly harming user and software freedom.