> They e.g. also do nothing against data exfiltration by popular extensions although they have known that issue for years.
This kind of sentiment compels mozilla into becoming an apple-like gatekeeper to a walled garden because people conflate the trustworthiness of extension authors with mozilla's trustworthiness, which leads to less software freedom, a single point of failure and a less diverse ecosystem.
There simply should not be an API that allows exfiltrating the URL history of a user and then send it to a remote backend, at least not without making this very, very explicit to the user (which they currently do not).
You don't need to be a "gatekeeper to a walled garden", it's just necessary to have sensible APIs that respect users privacy. I think a browser that puts privacy as its primary feature should be able to do that.
This has nothing to do with an API. Any kind of extension that acts automatically (i.e. doesn't exclusively spring to life when clicking on an extension-specific button) will have to inspect the currently open tabs, page contents or network requests to decide whether it has to do its thing, which means it has access to this kind of information anyway and could exfiltrate it through standard web APIs (fetch/XHR).
This is not on mozilla, their current extension API surface already is much more limited than the old one (killing off some preexisting usecases in the process) and still has many ways to get this information.
It's kind of asking that git shouldn't have filesystem or network access.
Well, I was part of a team that proved that one of the most popular Firefox extensions (Web of Trust) stole and monetized user data, archiving every single URL a user opened and selling it to anyone who was willing to pay (the journalists I worked with even got a free sample containing the data of 3 million people). The extension was then banned for a few weeks before being reinstated, and happily continues to exfiltrate data from millions of users today. So pardon me if I have a slightly different view on this.
It is simply not true that building systems with privacy in mind is not possible. I can think of several ways to drastically improve the privacy of web extensions by providing audit logging or more fine-grained control over permissions.
Comparing end-user software like Firefox with developer tools like Git is also misleading, I find. There are countless studies that show most non-expert users don't know what is happening with their data and are not able to judge the risks they're taking when installing software like browser extensions.
Again, it's perfectly fine to build a product and not care much about user privacy, but if your main selling point is privacy this is different. It's just pointless to have the most advanced content blocking mechanisms when you allow browser extensions to circumvent them all.
> I can think of several ways to drastically improve the privacy of web extensions by providing audit logging or more fine-grained control over permissions.
You were talking about API surface though. Neither of these things are API surface in itself. They are after the fact, informing the user what it can do and what it did with those APIs.
> It's just pointless to have the most advanced content blocking mechanisms when you allow browser extensions to circumvent them all.
I don't think so. It's not pointless. It just means you need to trust more than mozilla, you ALSO need to trust the extensions, just like you need to trust many other things in your system. The error here is assuming that everything should be reducible or can be reduced to a single source of trust.
> There are countless studies that show most non-expert users don't know what is happening with their data and are not able to judge the risks they're taking when installing software like browser extensions.
Perhaps. But if you follow that argument then you end up with a locked-down system with little flexibility, which I was referring to as apple-style walled garden. Some people may value such a thing, but I wouldn't use or recommend firefox if it became something like that. I would flee in terror.
Reducing the API surface is also a way to improve privacy, and I also see many ways in which you could do this, e.g. by not revealing the path (or at least the query part) of the URL to extensions. It's entirely doable and most extensions can work fine without knowing every single URL you open. Apple, Google & FB have all shown that this approach works to improve privacy (not that I want to endorse them here as privacy champions), so why should that not work in the browser?
You can also have an officially sanctioned distribution channel like an app store and still retain the ability to install any software you want. The problem as I see it is that Mozilla provides a free distribution and marketing platform for malicious actors via their extension store, and I think this is in violation of their principles (especially principle 4) because it nullifies most of the security features that their browser offers. It's like putting up a 10-feet reinforced concrete wall to protect your house from intruders and then leaving the backdoor wide open.
I really don't want to argue about this here, I just find they're not doing the right thing and I find it sad, because I care a lot about privacy and I think recently Mozilla just took some bad decisions regarding that.
> It's entirely doable and most extensions can work fine without knowing every single URL you open.
It's needed by: Greasemonkey (to determine whether to run a script), content blockers, password managers (to determine whether to fill in on that site) and any extension running web-standards compliant javascript against a page's DOM (i.e. any page-modifying extensions) as inherent part of standards-compliance
> You can also have an officially sanctioned distribution channel like an app store and still retain the ability to install any software you want.
In theory, yes. But in reality mozilla has been making it more and more difficult to install extensions. You cannot install extensions not signed by mozilla on stable firefox. They already have assumed exclusive control there.
No, it would be straightforward if they asked the user something like this:
"Is it ok that this extension sends every single URL you open to an untrusted third party for processing? Please note that URLs might contain sensitive data like access tokens or session information."
Even so, I don't think such an API should exist. And if you absolutely need to have something like this you should restrict it to domain information by default, cutting away the path.
I can understand that Google might not care much about this (Chrome itself is a data collection platform), but I really don't get why Mozilla is so lenient about it as well, as their main differentiator has been user privacy for years.
> Even so, I don't even think such an API should exist.
There is no "exfiltrate all my history" in the webextension APIs. What exists are two distinct and reasonable components.
A) accessing browsing history/current tabs/network requests¹. all things required for extensions to work
B) ability to make generic network requests
Combining these two can be used to exfiltrate data. But that does not mean that any particular extension that has access to both will also exfiltrate private data. Thus a blanket warning would be overly broad and anything more targeted would require manual sourcecode inspection.
¹ Those require separate permissions, but for the purpose of the discussion they can all be used to harvest data
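As an added illustration of the two components the comment above separates (this is example code, not from the thread, Mozilla or any extension), the following script triages a WebExtension manifest for (A) permissions that continuously expose browsing data and (B) the ability to send it out. The permission names and manifest keys are the real WebExtension ones; the sample manifests, the `triageManifest` function and its verdict strings are constructed for this example. As the comment says, a manifest can only show that exfiltration is possible, never that it happens, so the verdict points at source inspection rather than a blanket warning.

```javascript
// Added example, not code from the thread or from Mozilla: a static triage of
// a WebExtension manifest for the two components named above,
// (A) permissions that expose browsing data and (B) the ability to send data
// out. Permission names and manifest keys are the real WebExtension ones; the
// sample manifests and the verdict strings are constructed for this example.

// (A) API permissions that reveal URLs, page contents or request metadata
// continuously, i.e. without the user clicking an extension button
// (activeTab is deliberately absent: it only grants access on a click).
const BROWSING_DATA_PERMISSIONS = new Set([
  'tabs',               // URL and title of every open tab
  'history',            // the full visited-URL history
  'webRequest',         // URL and headers of every request
  'webRequestBlocking',
  'webNavigation',      // navigation events carrying full URLs
]);

// Host-permission / content-script match patterns that cover (nearly)
// every site, so the content of everything the user opens is in scope.
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

const isHostPattern = p => p === '<all_urls>' || p.includes('://');

function triageManifest(manifest) {
  const permissions = manifest.permissions || [];
  // MV2 lists host patterns inside `permissions`; MV3 moves them to `host_permissions`.
  const hostPermissions = [
    ...permissions.filter(isHostPattern),
    ...(manifest.host_permissions || []),
  ];
  const contentScriptMatches = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);

  const dataApis = permissions.filter(p => BROWSING_DATA_PERMISSIONS.has(p));
  const broadHosts = hostPermissions.filter(p => BROAD_HOST_PATTERNS.has(p));
  const broadContentScripts = contentScriptMatches.filter(p => BROAD_HOST_PATTERNS.has(p));
  const seesBrowsingData =
    dataApis.length > 0 || broadHosts.length > 0 || broadContentScripts.length > 0;

  // (B) Outbound reach is not gated by any permission: fetch()/XHR are
  // available to every extension, and a server that opts in via CORS accepts
  // the request. So (B) is treated as always present.
  const canSendData = true;

  // (A) plus (B) makes exfiltration *possible*, which is all a manifest can
  // tell you; whether an extension actually does it needs source inspection.
  const verdict = seesBrowsingData && canSendData
    ? 'exfiltration-possible: inspect source'
    : 'no continuous browsing-data access';

  return { dataApis, broadHosts, broadContentScripts, seesBrowsingData, canSendData, verdict };
}

// Constructed sample manifests (not real extensions).
const SAMPLE_MANIFESTS = {
  // Password-manager style (MV2): needs tab URLs to decide where to fill.
  passwordManager: {
    manifest_version: 2,
    permissions: ['tabs', 'storage', '<all_urls>'],
  },
  // Userscript runner (MV3): no data API permission, but a content script on every page.
  userscriptRunner: {
    manifest_version: 3,
    permissions: ['storage'],
    content_scripts: [{ matches: ['*://*/*'], js: ['runner.js'] }],
  },
  // Click-only tool (MV3): activeTab grants access only when the user clicks.
  clickOnlyTool: {
    manifest_version: 3,
    permissions: ['activeTab'],
    host_permissions: ['https://api.example.invalid/*'],
  },
};

// Stand-alone run: print one triage line per sample manifest.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, manifest] of Object.entries(SAMPLE_MANIFESTS)) {
    const r = triageManifest(manifest);
    console.log(`${name}: ${r.verdict} (apis=${r.dataApis.join(',') || '-'}, ` +
      `broadHosts=${r.broadHosts.join(',') || '-'}, ` +
      `broadContentScripts=${r.broadContentScripts.join(',') || '-'})`);
  }
}
```

Run with `node triage.js` (assumed filename). Note that the password manager and the userscript runner both come out as "inspect source" for exactly the reasons given in the thread: they need the URL or page content to do their job, so the manifest alone cannot distinguish them from an extension that harvests data.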
Wasn't there a big story on HN about how chrome had disabled the ability for plugins to see your URLs and how adblocker plugin makers were up in arms about it?