
Firefox 115 can silently remotely disable my extension on any site

source link: https://lapcatsoftware.com/articles/2023/7/1.html


July 5 2023

Firefox version 115.0 was released on July 4, but I'm not celebrating. I'm concerned about a new "feature" in the release notes.

Certain Firefox users may come across a message in the extensions panel indicating that their add-ons are not allowed on the site currently open. We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.

For various reasons. That's quite uninformative and mysterious.

I'm all in favor of giving users control over which extensions are allowed to load on which sites. Safari already has this feature on both macOS and iOS. My concern is not about user control—little of which even exists in Firefox 115, as I'll show later—but rather about the remote control that Mozilla has now given itself, as mentioned in a Bugzilla report.

We need to have ability to set the list of quarantined domains remotely. The pref should be a string with the same format as extensions.webextensions.restrictedDomains.

The pref will be extensions.webextensions.quarantinedDomains, and it will have a default value set in a patch for bug 1745823 (to include a couple real but "test" subdomains from badssl.com).

Filing as confidential for now, until we ship the system addon.

You have to wonder why an open source project required confidentiality about this. Incidentally, neither Safari nor Chrome, or any other browser as far as I know, has such a remote domain-specific kill switch for extensions, so you have to wonder why it was necessary in Firefox.

I believe that Mozilla already had the capability to remotely disable an individual extension, if it turned out to be malware. After all, every Firefox extension needs to be uploaded to Mozilla for analysis and cryptographically code signed before it can be installed in Firefox. [Edit: I've now confirmed that Mozilla has an extensions blocklist.] Given this preexisting capability, it's unclear why there should be a list of domains where all except a lucky few chosen extensions are disabled, regardless of whether the disabled extensions have shown signs of misbehavior.

The Firefox quarantined domains list is currently empty. Mozilla hasn't said which domains it intends to add, or even why a domain-specific list is required. I find this troubling. It's a feature with no apparent motivation, supposedly for "security concerns"—among other "various reasons"—but what are the specific security concerns here, that would be addressed by a remotely controlled domain list? Mozilla's opacity and vagueness feel almost deliberate, undermining our trust.

Let's see how the user interface actually works in Firefox 115. Although the quarantined domains list is empty by default, you can edit the list manually in the about:config page.

[Screenshot: Firefox about:config showing extensions.quarantinedDomains.list set to www.youtube.com]

I've added the domain www.youtube.com to the list. After relaunching Firefox, you can see the warning in the Extensions popup.

Some extensions are not allowed. Only some extensions monitored by Mozilla are allowed on this site to protect your data.

My own extension StopTheMadness, which is not "monitored by Mozilla", is "Not allowed by Mozilla" on YouTube. (This warning is inaccurate, of course, since it was me rather than Mozilla who added YouTube to the domains list.) Apparently uBlock Origin is monitored by Mozilla, for it is allowed on YouTube despite my quarantined domains list. It's nice to be big, I guess.

Note that the warning appears in the Extensions popup rather than on the Extensions icon, so you wouldn't know that StopTheMadness was disabled on YouTube unless you opened the popup (or unless you saw the autoplaying videos on YouTube that StopTheMadness would otherwise stop).
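Since the warning is this easy to miss, one way to see what a profile's quarantine list holds is to read the pref out of the profile's prefs.js, where about:config edits like the one above are saved as user_pref lines. The following is an added example, not code from the original article or from Mozilla; it assumes the list is a comma-separated string of host names matched exactly against the page's host, and the sample prefs.js contents are constructed.

```python
import re
from urllib.parse import urlsplit

# Pref names as they appear in the article (about:config) and in the quoted bug report.
QUARANTINE_PREFS = (
    "extensions.quarantinedDomains.list",
    "extensions.webextensions.quarantinedDomains",
)

# Matches string-valued lines such as: user_pref("name", "value");
USER_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;',
    re.MULTILINE,
)

# Constructed prefs.js snapshots: before and after the manual edit described above.
SAMPLE_BEFORE = '''user_pref("browser.startup.page", 3);
user_pref("extensions.quarantinedDomains.list", "");
'''
SAMPLE_AFTER = '''user_pref("browser.startup.page", 3);
user_pref("extensions.quarantinedDomains.list", "www.youtube.com");
'''

def quarantined_domains(prefs_text):
    """Return {pref_name: set_of_hosts} for quarantine prefs present in prefs.js text."""
    found = {}
    for name, value in USER_PREF_RE.findall(prefs_text):
        if name in QUARANTINE_PREFS:
            # Assumption: comma-separated host names, compared case-insensitively.
            found[name] = {h.strip().lower() for h in value.split(",") if h.strip()}
    return found

def is_quarantined(url, prefs_text):
    """True if the URL's host is on any quarantine list (assumed exact host match)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host in hosts for hosts in quarantined_domains(prefs_text).values())

def list_changes(old_text, new_text):
    """Compare two prefs.js snapshots; return (added_hosts, removed_hosts)."""
    old = set().union(*quarantined_domains(old_text).values())
    new = set().union(*quarantined_domains(new_text).values())
    return new - old, old - new

if __name__ == "__main__":
    added, removed = list_changes(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("added:", sorted(added), "removed:", sorted(removed))
    print("youtube quarantined:", is_quarantined("https://www.youtube.com/", SAMPLE_AFTER))
```

To check a real profile, pass the text of its prefs.js to `quarantined_domains`; keeping an earlier copy lets `list_changes` show when entries appear or disappear.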

What happens, though, if you pin the extensions to the toolbar for easy access to their settings?

[Screenshot: StopTheMadness and uBlock Origin pinned to Firefox toolbar]

It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup! Consequently, the quarantined domains warning no longer appears in the Extensions popup either. In fact, there's no longer an Extensions popup: clicking the Extensions toolbar icon simply opens the about:addons page, which doesn't show the quarantined domains warning anywhere.

[Screenshot: Firefox Add-ons Manager]

This is a terrible user interface design for the new so-called "security" feature, silently disabling extensions while hiding the warning from the user. And remember, the quarantined domains list can be changed remotely at any time by Mozilla, without needing a Firefox software update. Firefox just has to "phone home" to Mozilla. (Another reason to install Little Snitch. [Edit: I believe the domain is firefox.settings.services.mozilla.com in this case.])

We have no idea how Mozilla intends to use the quarantined domains list. Some people are speculating, with no evidence, about "banking". But there are innumerable banks in the world. What is Mozilla supposed to do, make and maintain a list of every banking web site in the world? While it makes sense for users to have the ability to manually exclude their own banking sites from extension access if they prefer, what sense does it make for Mozilla to arbitrarily select certain web site domains for general exclusion? Another question: is it impossible for the user to purposely exclude extensions that are "monitored by Mozilla" and given special treatment by Firefox?

My own extension StopTheMadness stops web sites from disabling your browser's built-in paste and autofill features, a kind of madness commonly implemented by sites that have a misguided, ignorant notion about what makes a login form "secure". Thus, it would be a disservice rather than a service to users for Mozilla to remotely disable user extensions on some arbitrarily selected banking sites.

As a little indie software developer, I'm disappointed and irritated that Mozilla, a little developer compared to its competitors—corporate giant browser vendors Apple, Google, and Microsoft—would choose to create a two-tier system in which only the biggest extension developers get exclusive access and exemptions. I know that users love uBlock Origin, but I hate the idea of a world where uBlock Origin is the only extension allowed. That's the type of consumer and power centralization that Firefox and Mozilla are supposed to be fighting against. I don't like an extension monopoly any more than I like a browser monopoly.
