Mozilla Firefox 17: better add-on security but some add-ons may break - gHacks Tech News

Mozilla Firefox 17: better add-on security but some add-ons may break

Additional security is always a good thing, right? Mozilla is currently working on a patch that is improving the add-on security of the Firefox web browser.  The initial idea appeared on Bugzilla in 2010 and is rather technical in nature. Firefox add-ons currently can expose privileged objects to web content which is something that should not happen in first place as websites may be able to access contents that they should not have access to.

To resolve the issue, Mozilla had the idea that objects had to be whitelisted explicitly by the add-on before web pages can access them.The company has added the feature to Firefox 15 Beta and all other development channels in a non-restrictive way. Instead of blocking access to the object outright, the browser will report any error in the browser's error console. From Firefox 17 on, the whitelisting becomes mandatory in the web browser which may have the consequence that add-ons that you rely on may not work properly anymore if the developer of the extension failed to update it in time to reflect the change. Chance is though that Mozilla may post pone the release in Firefox 17 if too many add-ons turn out to be incompatible at the release date.

It needs to be noted that this affects add-ons that share objects with the content, and that it won't affect add-ons that do not do that. Mozilla is asking developers to look at the error console output of their extensions to make sure it is not throwing error messages. Developers should see a message like "Error: Exposing chrome JS objects to content without __exposedProps__ is insecure and deprecated" here in this case.

firefox addon security

A new post on the Mozilla blog explains what add-on developers have to change in this case to make sure that their add-on continues to work in Firefox 17.

Mozilla in addition will notify Jetpack author add-ons with information on how to update the add-ons with the most recent version to resolve issues such as memory leaks and security related issues such as this.

If you are a user of the Firefox browser and using at least the beta version, you can check the error log yourself to see if any of your extension will break in Firefox 17.  You can open the error console with Ctrl-Shift-J.





  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Fine citizen said on August 22, 2012 at 6:49 pm
      Reply

      GreaseMonkey (16 Aurora)

    2. Nebulus said on August 22, 2012 at 11:55 pm
      Reply

      Every time I see some news about a future version of Firefox, it is impossible not to mention addons functionality problems/breaking. It’s almost hilarious…

    3. John said on August 23, 2012 at 8:07 am
      Reply

      Great news about the better security, but functionality problems again? I also want to know when Firefox is going to give us the ability to add extensions without having to restart. Firefox has been around much longer than Google Chrome yet Firefox is lagging behind in this respect?

    4. Fox said on August 23, 2012 at 11:10 am
      Reply

      @John

      Meh..

      ” I also want to know when Firefox is going to give us the ability to add extensions without having to restart. ”

      It is possible to build them since Firefox 4.. but many devs wont rebuild their old addons, so they need to be restarted like before.

      Few of restartless addons: https://addons.mozilla.org/pl/firefox/search/?q=restartless&appver=&platform=

      Technology: https://addons.mozilla.org/en-US/developers/

    5. sgr said on August 27, 2012 at 3:46 pm
      Reply

      Hi Martin,
      did you know you can no longer ad this new integer nglayout.initialpaint.delay to Firefox?

      Best Regards.

    6. sgr said on August 27, 2012 at 3:53 pm
      Reply

      Ups! I was wrong with this one I did not see it untill I have restarted Firefox.
      Just ignore me then.

    7. Michael Fisher said on November 21, 2012 at 12:40 am
      Reply

      Anyone using Tab Max Plus [TMP] with firefox 17 will find they can’t open Add Ons Manager & a few other problems too. You can test that TMP is the cause by temporarily disabling TMP. Over at the TMP forum there’s a build that solves the problem.

      Here’s the post containing a link to the particular Tab Mix Plus Dev-Build 0.4.X that solves the problem:- http://tmp.garyr.net/forum/viewtopic.php?p=58622#p58622

    Leave a Reply