[HN Gopher] What's going on in the world of extensions ___________________________________________________________________ What's going on in the world of extensions Author : Vinnl Score : 87 points Date : 2023-01-17 20:24 UTC (2 hours ago) (HTM) web link (blog.mozilla.org) (TXT) w3m dump (blog.mozilla.org) | contravariant wrote: | Ah so this is why they messed up the overflow menu. | | Kind of hoping I can actually order the extensions at some point | though, it's a bit messy if you can no longer control which | extensions are in the overflow menu or what order they're in. | roter wrote: | extensions.unifiedExtensions.enabled: false | contravariant wrote: | Ah that is what it was, thanks! | karaterobot wrote: | > The panel shows the user's installed and enabled extensions and | their current permissions. Users are free to grant ongoing access | to a website or to make that decision per visit and can remove, | report, and manage extensions and their permissions directly from | the toolbar. | | Does anybody know whether this change allows me (the user) to | grant an extension permission to a specific, arbitrary domain | only? That is, to take an extension which wants permission to | read and write every website, and sandbox it to only a particular | set of user-defined domains? Have wanted this for a while. | Vinnl wrote: | Some more detail about the control that the new extensions button | gives users: https://blog.mozilla.org/addons/2022/11/17/unified- | extension... | | It allows you to disable extensions only on specific sites. (And | presumably, that's also the reason you need to dive into | about:config to remove it: if you remove it, it's pretty hard for | casual users to find out why an extension isn't working. By | gating it behind about:config, people who are able to deal with | that can still remove it without rendering casual users helpless. | That's my personal interpretation though.) | gnicholas wrote: | Does this allow whitelisting as well as blacklisting? Chrome | has offered both for a long time, and I remember being | surprised to learn that FF didn't offer either. It's a welcome | change! | tomComb wrote: | Need we play such language games? It's "ad blocking". People use | those extensions to block ads. | | If you asked the average user about their privacy preserving add- | on, or their content blocker they would probably be confused. | | Yes, obviously I understand the privacy dimensions of | advertising, and I realize that this is all in the service of the | good guys and against the bad guys, but that shouldn't affect our | response to what seems to me to be unnecessary spin. | ndriscoll wrote: | If there's any spin, it's in characterizing ads as neutral | "content". While something like uBlock can block general | content, it's primarily a _web malware_ blocker. That includes | adware, spyware, crypto miners, etc. It 's a necessary security | feature preventing the extremely common practice of websites | hijacking users computers to run software they don't approve | of. | msla wrote: | I see it as a good rhetorical move: Say it's ad blocking, and | you get people coming in all po-faced about the need for | platforms to make money and how horrible it is to have | freeloaders blocking honest, legitimate adtech. Frame it as | defense of privacy and malware-blocking and those adtech | boosters are on the defensive, to the point they probably don't | comment at all for fear of drawing attention to the | correlation. | tomComb wrote: | > I see it as a good rhetorical move | | I completely agree: it is a good rhetorical move. aka good | spin. But I don't think we should celebrate that sort of | thing in tech blog posts, or in any writing actually unless | your work in marketing. | madeofpalk wrote: | Did we read different articles? | | > If ads give you the ick, then one distinction we've made | around ad blockers has been especially crucial to privacy- | lovers everywhere. | sp332 wrote: | Yes, it's in bold even. | | _If ads give you the ick, then one distinction we've made | around ad blockers has been especially crucial to privacy- | lovers everywhere._ | dspillett wrote: | _> It 's "ad blocking". People use those extensions to block | ads._ | | I use them, and DNS filters, to block stalking. They just | happen to block adverts too because it is practically | impossible to separate the two ATM. I'll accept ads based on | the page I'm looking at and my rough geographical position, but | I don't see why I should put up with being followed and | profiled everywhere I go. | tomComb wrote: | Yes, but you are not the typical user, and that is my point. | I wasn't denying that cases could be found that would support | the language that Mozilla is using. | mxkopy wrote: | I think typical users also appreciate not being stalked, | you shouldn't to be interested in power user stuff or the | source code to have privacy | jbaber wrote: | Exactly. I didn't even use adblockers before I had kids and | thought about them being tracked. Now I use a pihole and bend | myself in knots trying to figure out how to pay sites I | visit. | m-p-3 wrote: | not only ad-blocking for me, but also for automatically | stripping superfluous url parameters that are detrimental to | privacy when sharing a link. | CharlesW wrote: | > _It 's "ad blocking". People use those extensions to block | ads._ | | But crucially, not _just_ ads -- they block trackers, known | malware source, etc. "Content blockers" encompasses everything | that these tools do. | heresjohnny wrote: | This article seems in search of an audience. It discusses | Manifest V3, names uBlock origin, but ends with "don't worry, you | can take your passwords with you if you switch from Chrome!" | | I had to chuckle from mentally constructing a character that | would fit all of this. | jakear wrote: | It's upsetting to see all this corporate double-speak when | Firefox fails to support the most basic extension functionally: | the User Agent should allow the User to run their own code on | their own machine without any requirement of phoning home to the | manufacturer. | | This is currently impossible on Firefox as they forget extension | loaded from local files to be removed after. The force everyone | who wants to run their own code on their own machine persistently | to file for a developer code signing certificate, essentially | copying Apple's approach to marketplace management. | | Further, this limitation makes auditing the code of extensions | you install from third party sources effectively impossible: I | don't see any way to stop automatic updates in settings, so at | any point the third party code you've installed and enabled to | execute on any website you visit can just change out from under | you workout warning. | | This is all trivial in Edge. | | It is difficult to understand where the HN vulpephillia comes | from. | 4bpp wrote: | > It is difficult to understand where the HN vulpephillia comes | from. | | I imagine it is in part backlash, fueled by political impulse. | Mozilla's appointment of Mitchell Baker and subsequent course | of Firefox development have taken on unmistakable political | valence in the US culture war (especially seeing how its drift | could be uncharitably glossed as "coddling non-technical users | at the expense of power users"), which resulted in criticism | invariably sounding like, and, I guess, even really somewhat | functioning* as an attack on the political group that Mozilla | is associated with. This, in turn, makes those who support said | political group, or simply are exasperated with its most vocal | opponents, instinctively oppose the criticism. | | *I'm thinking of something like the affect-loading concept in | https://slatestarcodex.com/2014/11/04/ethnic-tension-and- | mea.... | Arnavion wrote: | >This is currently impossible on Firefox as they forget | extension loaded from local files to be removed after. The | force everyone who wants to run their own code on their own | machine persistently to file for a developer code signing | certificate, essentially copying Apple's approach to | marketplace management. | | My distro's firefox package loads extensions I zip'd and placed | in /usr/lib64/firefox/browser/extensions , probably because | it's compiled with `--with-unsigned-addon-scopes=app --allow- | addon-sideload` | | FOSS authors are catching on to all the tricks that Windows etc | closed source authors have been doing - locking down their | software, phoning home with telemetry, bundling in closed- | source components with non-free licenses and what not. Distro | maintainers are the last line of defence against this shit. | Don't use upstream binaries. | dessant wrote: | Firefox no longer allows extensions to have full control over | requests in Manifest V3, despite their repeated public | statements. | | https://bugzilla.mozilla.org/show_bug.cgi?id=1786919 | | They have merged a change that makes it impossible to access and | download certain website content the user is viewing and wants to | process. Now that Firefox has introduced this limitation without | offering an alternative, it is now much easier to port some of my | extensions to Manifest V3 on Chrome, despite Chrome not | supporting the blocking webRequest API. | | It's disheartening to see how these changes are introduced | without any planning or care for how it affects extensions that | are being ported to Manifest V3, and the general lack of respect | towards extension developers. | Vinnl wrote: | That bug reads to me like that functionality is _not yet_ | implemented, because they 're still figuring out how to | securely add that back in. However, since MV2 is still | supported, I don't see the problem here -- this is just the | first public release of some MV3 functionality, but full | feature parity is still being worked on (Service Workers aren't | supported yet either, for an example that affects my | extension). | dessant wrote: | You think it's fine to invite developers to begin porting | extensions to Manifest V3, and then kneecap their work a | couple of months later as they port their extensions, while | also telling them to open new bug reports in which they need | to spend time defending general-purpose computing? This is | not a missing feature, but a limitation that has been added | only to Firefox. | Vinnl wrote: | As long as it's clear that it's an initial exploration and | that not everything is possible yet, sure. It was clear to | me, though admittedly I'm probably paying closer attention | than most, so I'm not representative -- it might indeed be | that communication could have been better. | [deleted] | RobotToaster wrote: | Once again they ruin the extension API to please their overlord | google. | tannhaeuser wrote: | Sad but true. FF devs and fans will complain, but a look over | the Mozilla Foundation's balance sheet/annual report [1], and | in particular the share of revenue that royalties received | from "search engines" have, is all you need to know. | | [1]: https://assets.mozilla.net/annualreport/2021/mozilla- | fdn-202... | evilpie wrote: | Did you ever get around to communicating your use-case to the | developers? | tommica wrote: | No fucking way - I guess its time to setup pihole again | NegativeLatency wrote: | FWIW I switched to adguard home and it's been much more | reliable for me | evilpie wrote: | This doesn't really affect _blocking_ requests in any way, | actually it 's the opposite: This change doesn't allow | extensions to bypass builtin security features. | | Firefox is going to continue to have more powerful blocking | features compared to what a DNS based approach like pihole | can provide. | [deleted] | rom-antics wrote: | Is the content-blocking model tied to the manifest version, or | can you mix and match? | | Or, rephrased: could gorhill conceivably upgrade uBlock | Origin's manifest.json to v3, while still using the v2 content | blocking APIs? | cmeacham98 wrote: | The linked change doesn't affect addons like uBlock Origin. | GP is being unnecessarily alarmist about a relatively minor | change, where the FF devs have even expressed they'd be | willing to add back in support for their usecase (they just | don't want to allow it by default). | glasss wrote: | >ick-inducing ads | | I guess I'm getting old and grouchy. | nfriedly wrote: | Meanwhile in Firefox for Android: absolutely nothing is going on | with extensions, because Mozilla disabled nearly all of them. | briffle wrote: | Which is WAY better than Firefox for IOS. | Ygg2 wrote: | You mean Firefox branded Safari (not a dig at Mozilla). | heresaPizza wrote: | It is Apple's fault, but the EU's DMA will force Apple to | allow alternative engines. However this raises many doubts: - | Will Apple just allow every browser in the App Store or | they'll manage to use side load (which they'll also be forced | to allow) as the only way to comply? (Probably not legal but | i expect them to try, would vastly limit an App's user base | as demonstrated by Android). - In the best scenario, wich is | Apple letting Mozilla put the full Firefox in the App Store, | would they be interested at all to port Gecko to iOS? | piyh wrote: | You can use Firefox nightly and enable any that you want. | | I'd rather use the version of Firefox that doesn't crash more | frequently, but that's the trade-off I gotta make at the | moment. | nfriedly wrote: | Yeah, I know there's workarounds, but it's a pain in the | rear. | | Currently I'm using Iceraven which is essentially just | Firefox with about a thousand extensions enabled instead of | 17. | burkaman wrote: | How? I use Firefox Nightly but I only see the handful of | recommended extensions available. | keyme wrote: | https://addons.mozilla.org/en-US/firefox/collections/ | | You can create your own "extension collection", and change | the default one used by FF on Android. I use the Fennec | build of FF from F-droid (Playstore build doesn't support | this). | necrosmash wrote: | You can do the same thing with the regular playstore | nightly build, works great | hoppyhoppy2 wrote: | https://blog.mozilla.org/addons/2020/09/29/expanded- | extensio... has the full instructions. In addition to | creating an add-on collection you need to go to the About | page and tap the Firefox logo 5 times to get the proper | menu items. | causality0 wrote: | There's still no way to change the User Agent in Firefox | Mobile. I switched to Vivaldi because at least there when I | tell it to show me the desktop site it shows me the goddamn | desktop site. ___________________________________________________________________ (page generated 2023-01-17 23:00 UTC)