[HN Gopher] What's going on in the world of extensions
___________________________________________________________________
What's going on in the world of extensions
Author : Vinnl
Score : 87 points
Date : 2023-01-17 20:24 UTC (2 hours ago)
(HTM) web link (blog.mozilla.org)
(TXT) w3m dump (blog.mozilla.org)
| contravariant wrote:
| Ah so this is why they messed up the overflow menu.
|
| Kind of hoping I can actually order the extensions at some point
| though, it's a bit messy if you can no longer control which
| extensions are in the overflow menu or what order they're in.
| roter wrote:
| extensions.unifiedExtensions.enabled: false
| contravariant wrote:
| Ah that is what it was, thanks!
| karaterobot wrote:
| > The panel shows the user's installed and enabled extensions and
| their current permissions. Users are free to grant ongoing access
| to a website or to make that decision per visit and can remove,
| report, and manage extensions and their permissions directly from
| the toolbar.
|
| Does anybody know whether this change allows me (the user) to
| grant an extension permission to a specific, arbitrary domain
| only? That is, to take an extension which wants permission to
| read and write every website, and sandbox it to only a particular
| set of user-defined domains? Have wanted this for a while.
| Vinnl wrote:
| Some more detail about the control that the new extensions button
| gives users: https://blog.mozilla.org/addons/2022/11/17/unified-
| extension...
|
| It allows you to disable extensions only on specific sites. (And
| presumably, that's also the reason you need to dive into
| about:config to remove it: if you remove it, it's pretty hard for
| casual users to find out why an extension isn't working. By
| gating it behind about:config, people who are able to deal with
| that can still remove it without rendering casual users helpless.
| That's my personal interpretation though.)
| gnicholas wrote:
| Does this allow whitelisting as well as blacklisting? Chrome
| has offered both for a long time, and I remember being
| surprised to learn that FF didn't offer either. It's a welcome
| change!
| tomComb wrote:
| Need we play such language games? It's "ad blocking". People use
| those extensions to block ads.
|
| If you asked the average user about their privacy preserving add-
| on, or their content blocker they would probably be confused.
|
| Yes, obviously I understand the privacy dimensions of
| advertising, and I realize that this is all in the service of the
| good guys and against the bad guys, but that shouldn't affect our
| response to what seems to me to be unnecessary spin.
| ndriscoll wrote:
| If there's any spin, it's in characterizing ads as neutral
| "content". While something like uBlock can block general
| content, it's primarily a _web malware_ blocker. That includes
| adware, spyware, crypto miners, etc. It 's a necessary security
| feature preventing the extremely common practice of websites
| hijacking users computers to run software they don't approve
| of.
| msla wrote:
| I see it as a good rhetorical move: Say it's ad blocking, and
| you get people coming in all po-faced about the need for
| platforms to make money and how horrible it is to have
| freeloaders blocking honest, legitimate adtech. Frame it as
| defense of privacy and malware-blocking and those adtech
| boosters are on the defensive, to the point they probably don't
| comment at all for fear of drawing attention to the
| correlation.
| tomComb wrote:
| > I see it as a good rhetorical move
|
| I completely agree: it is a good rhetorical move. aka good
| spin. But I don't think we should celebrate that sort of
| thing in tech blog posts, or in any writing actually unless
| your work in marketing.
| madeofpalk wrote:
| Did we read different articles?
|
| > If ads give you the ick, then one distinction we've made
| around ad blockers has been especially crucial to privacy-
| lovers everywhere.
| sp332 wrote:
| Yes, it's in bold even.
|
| _If ads give you the ick, then one distinction we've made
| around ad blockers has been especially crucial to privacy-
| lovers everywhere._
| dspillett wrote:
| _> It 's "ad blocking". People use those extensions to block
| ads._
|
| I use them, and DNS filters, to block stalking. They just
| happen to block adverts too because it is practically
| impossible to separate the two ATM. I'll accept ads based on
| the page I'm looking at and my rough geographical position, but
| I don't see why I should put up with being followed and
| profiled everywhere I go.
| tomComb wrote:
| Yes, but you are not the typical user, and that is my point.
| I wasn't denying that cases could be found that would support
| the language that Mozilla is using.
| mxkopy wrote:
| I think typical users also appreciate not being stalked,
| you shouldn't to be interested in power user stuff or the
| source code to have privacy
| jbaber wrote:
| Exactly. I didn't even use adblockers before I had kids and
| thought about them being tracked. Now I use a pihole and bend
| myself in knots trying to figure out how to pay sites I
| visit.
| m-p-3 wrote:
| not only ad-blocking for me, but also for automatically
| stripping superfluous url parameters that are detrimental to
| privacy when sharing a link.
| CharlesW wrote:
| > _It 's "ad blocking". People use those extensions to block
| ads._
|
| But crucially, not _just_ ads -- they block trackers, known
| malware source, etc. "Content blockers" encompasses everything
| that these tools do.
| heresjohnny wrote:
| This article seems in search of an audience. It discusses
| Manifest V3, names uBlock origin, but ends with "don't worry, you
| can take your passwords with you if you switch from Chrome!"
|
| I had to chuckle from mentally constructing a character that
| would fit all of this.
| jakear wrote:
| It's upsetting to see all this corporate double-speak when
| Firefox fails to support the most basic extension functionally:
| the User Agent should allow the User to run their own code on
| their own machine without any requirement of phoning home to the
| manufacturer.
|
| This is currently impossible on Firefox as they forget extension
| loaded from local files to be removed after. The force everyone
| who wants to run their own code on their own machine persistently
| to file for a developer code signing certificate, essentially
| copying Apple's approach to marketplace management.
|
| Further, this limitation makes auditing the code of extensions
| you install from third party sources effectively impossible: I
| don't see any way to stop automatic updates in settings, so at
| any point the third party code you've installed and enabled to
| execute on any website you visit can just change out from under
| you workout warning.
|
| This is all trivial in Edge.
|
| It is difficult to understand where the HN vulpephillia comes
| from.
| 4bpp wrote:
| > It is difficult to understand where the HN vulpephillia comes
| from.
|
| I imagine it is in part backlash, fueled by political impulse.
| Mozilla's appointment of Mitchell Baker and subsequent course
| of Firefox development have taken on unmistakable political
| valence in the US culture war (especially seeing how its drift
| could be uncharitably glossed as "coddling non-technical users
| at the expense of power users"), which resulted in criticism
| invariably sounding like, and, I guess, even really somewhat
| functioning* as an attack on the political group that Mozilla
| is associated with. This, in turn, makes those who support said
| political group, or simply are exasperated with its most vocal
| opponents, instinctively oppose the criticism.
|
| *I'm thinking of something like the affect-loading concept in
| https://slatestarcodex.com/2014/11/04/ethnic-tension-and-
| mea....
| Arnavion wrote:
| >This is currently impossible on Firefox as they forget
| extension loaded from local files to be removed after. The
| force everyone who wants to run their own code on their own
| machine persistently to file for a developer code signing
| certificate, essentially copying Apple's approach to
| marketplace management.
|
| My distro's firefox package loads extensions I zip'd and placed
| in /usr/lib64/firefox/browser/extensions , probably because
| it's compiled with `--with-unsigned-addon-scopes=app --allow-
| addon-sideload`
|
| FOSS authors are catching on to all the tricks that Windows etc
| closed source authors have been doing - locking down their
| software, phoning home with telemetry, bundling in closed-
| source components with non-free licenses and what not. Distro
| maintainers are the last line of defence against this shit.
| Don't use upstream binaries.
| dessant wrote:
| Firefox no longer allows extensions to have full control over
| requests in Manifest V3, despite their repeated public
| statements.
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1786919
|
| They have merged a change that makes it impossible to access and
| download certain website content the user is viewing and wants to
| process. Now that Firefox has introduced this limitation without
| offering an alternative, it is now much easier to port some of my
| extensions to Manifest V3 on Chrome, despite Chrome not
| supporting the blocking webRequest API.
|
| It's disheartening to see how these changes are introduced
| without any planning or care for how it affects extensions that
| are being ported to Manifest V3, and the general lack of respect
| towards extension developers.
| Vinnl wrote:
| That bug reads to me like that functionality is _not yet_
| implemented, because they 're still figuring out how to
| securely add that back in. However, since MV2 is still
| supported, I don't see the problem here -- this is just the
| first public release of some MV3 functionality, but full
| feature parity is still being worked on (Service Workers aren't
| supported yet either, for an example that affects my
| extension).
| dessant wrote:
| You think it's fine to invite developers to begin porting
| extensions to Manifest V3, and then kneecap their work a
| couple of months later as they port their extensions, while
| also telling them to open new bug reports in which they need
| to spend time defending general-purpose computing? This is
| not a missing feature, but a limitation that has been added
| only to Firefox.
| Vinnl wrote:
| As long as it's clear that it's an initial exploration and
| that not everything is possible yet, sure. It was clear to
| me, though admittedly I'm probably paying closer attention
| than most, so I'm not representative -- it might indeed be
| that communication could have been better.
| [deleted]
| RobotToaster wrote:
| Once again they ruin the extension API to please their overlord
| google.
| tannhaeuser wrote:
| Sad but true. FF devs and fans will complain, but a look over
| the Mozilla Foundation's balance sheet/annual report [1], and
| in particular the share of revenue that royalties received
| from "search engines" have, is all you need to know.
|
| [1]: https://assets.mozilla.net/annualreport/2021/mozilla-
| fdn-202...
| evilpie wrote:
| Did you ever get around to communicating your use-case to the
| developers?
| tommica wrote:
| No fucking way - I guess its time to setup pihole again
| NegativeLatency wrote:
| FWIW I switched to adguard home and it's been much more
| reliable for me
| evilpie wrote:
| This doesn't really affect _blocking_ requests in any way,
| actually it 's the opposite: This change doesn't allow
| extensions to bypass builtin security features.
|
| Firefox is going to continue to have more powerful blocking
| features compared to what a DNS based approach like pihole
| can provide.
| [deleted]
| rom-antics wrote:
| Is the content-blocking model tied to the manifest version, or
| can you mix and match?
|
| Or, rephrased: could gorhill conceivably upgrade uBlock
| Origin's manifest.json to v3, while still using the v2 content
| blocking APIs?
| cmeacham98 wrote:
| The linked change doesn't affect addons like uBlock Origin.
| GP is being unnecessarily alarmist about a relatively minor
| change, where the FF devs have even expressed they'd be
| willing to add back in support for their usecase (they just
| don't want to allow it by default).
| glasss wrote:
| >ick-inducing ads
|
| I guess I'm getting old and grouchy.
| nfriedly wrote:
| Meanwhile in Firefox for Android: absolutely nothing is going on
| with extensions, because Mozilla disabled nearly all of them.
| briffle wrote:
| Which is WAY better than Firefox for IOS.
| Ygg2 wrote:
| You mean Firefox branded Safari (not a dig at Mozilla).
| heresaPizza wrote:
| It is Apple's fault, but the EU's DMA will force Apple to
| allow alternative engines. However this raises many doubts: -
| Will Apple just allow every browser in the App Store or
| they'll manage to use side load (which they'll also be forced
| to allow) as the only way to comply? (Probably not legal but
| i expect them to try, would vastly limit an App's user base
| as demonstrated by Android). - In the best scenario, wich is
| Apple letting Mozilla put the full Firefox in the App Store,
| would they be interested at all to port Gecko to iOS?
| piyh wrote:
| You can use Firefox nightly and enable any that you want.
|
| I'd rather use the version of Firefox that doesn't crash more
| frequently, but that's the trade-off I gotta make at the
| moment.
| nfriedly wrote:
| Yeah, I know there's workarounds, but it's a pain in the
| rear.
|
| Currently I'm using Iceraven which is essentially just
| Firefox with about a thousand extensions enabled instead of
| 17.
| burkaman wrote:
| How? I use Firefox Nightly but I only see the handful of
| recommended extensions available.
| keyme wrote:
| https://addons.mozilla.org/en-US/firefox/collections/
|
| You can create your own "extension collection", and change
| the default one used by FF on Android. I use the Fennec
| build of FF from F-droid (Playstore build doesn't support
| this).
| necrosmash wrote:
| You can do the same thing with the regular playstore
| nightly build, works great
| hoppyhoppy2 wrote:
| https://blog.mozilla.org/addons/2020/09/29/expanded-
| extensio... has the full instructions. In addition to
| creating an add-on collection you need to go to the About
| page and tap the Firefox logo 5 times to get the proper
| menu items.
| causality0 wrote:
| There's still no way to change the User Agent in Firefox
| Mobile. I switched to Vivaldi because at least there when I
| tell it to show me the desktop site it shows me the goddamn
| desktop site.
___________________________________________________________________
(page generated 2023-01-17 23:00 UTC)