Firefox gets a User Scripts API
Mozilla is working on implementing a UserScripts WebExtensions API in the organization's Firefox web browser.
Firefox, just like Google Chrome and many other web browsers, supports so-called user scripts. These scripts are executed on page load to add, remove, or change functionality on the page that gets loaded.
User scripts exist for numerous purposes: from adding download options on video sites to changing how web page looks.
Mozilla addresses several issues related to user scripts with the upcoming User Scripts API:
- Performance issues -- better isolation of scripts thanks to efficient methods.
- Reliability issues -- issues during page load and race conditions between the page loading and script injection.
- Security issues -- the use of sandboxes for individual user scripts reduces the impact that scripts have may have on each other.
The new API runs each user script in its own sandbox to isolate them from one another; this is a different approach to how content scripts are handled from extensions like Greasemonkey or Tampermonkey, as they are executed in the same process.
Support for providing user scripts with a set of functions, e.g. Greasemonkey GM_ functions, is supported as well
Mozilla's initial plan was to introduce support in Firefox 63 but the introduction has been postponed. The new target is Firefox 68 Stable.
The User Scripts WebExtensions API
Mozilla's User Scripts API is already available in Firefox. It is enabled by default in Firefox Nightly (version 68), and disabled by default in Firefox Stable (version 66) and Firefox Beta (version 67),
Firefox users may do the following to change the status of the API:
- Load about:config in the Firefox address bar.
- Confirm that you will be careful if the warning message is displayed.
- Search for extensions.webextensions.userScripts.enabled.
- Change the status of the preference to True to enable support or to False to disable it.
- Restart Firefox.
Extensions such as Greasemonkey or Tampermonkey need to implement the new API before it can be used.
Closing Words
The User Scripts API is finally coming and it should address issues identified when using user scripts in Firefox. It remains to be seen if there are any downsides to the implementation; you can follow the Meta Bug on Mozilla's bug tracking website to stay in the loop.
Now You: What is your expectation in regards to the user scripts API?
A question: Will I not need an extension to run userscripts now?
This is a great move my Mozilla. Congratulations.
This preference seems to be true by default in the latest Nightly.
Yes, that is right.
Mozilla should just create a built-in extension for adding user scripts. I don’t trust all those monkeys as much as I trust Firefox itself.
This is good news. I would also like to see them do this for userChrome, so extensions can modify the browser’s UI. This would really set Firefox apart from other browsers.
You will have lots of fun, when userChrome will be disabled :)
And yes it will be in the future, as Moz specifically stated they don’t want you to mess with the UI.
*digging own grave intensifies*
there’s a lot to fix in FF currently
and the easiest fix would be bringing extensions back
The solution would be to ditch the garbage that is version 57+ “quantum”, and the silly deceiving name with it as well, and bring version 52 up to date from a security and web standards point of view, of which the later there are not many.
Of course, moz://a being moz://a has their head pushed far too much up their own ass to realize this, so don’t expect anything any time soon, if ever.
Bring 52 up to date from security point of view does mean doing the step that 57 did.
You need sandboxing to be anywhere near state of the art. For that you need a multiprocess architecture, which broke pretty much all old extensions.
Theoretically, and if all extension authors suddenly decided to only write good code from now on, it would have been possible to adjust the old extension API for multiprocess, but it would have still required all of those single-process extensions to be modernized.
There’s also the massive security hole implied by the old extension API itself. It had pretty much limitless access to the entirety of Firefox’s codebase. It could change out the URL that’s being displayed, it could encrypt your user-files, it could probably key-log the passwords you type in and send them off to the darknet.
And that’s what it can do, whether you willingly install this extension, it gets auto-updated to this malicious version or there’s a remote code execution vulnerability in one of your extensions (bringing us back to extension authors suddenly deciding to only write good code).
Another security problem is that the old extension API was no API, it was pretty much direct access to the code. So, changes to the code will break extensions and users will choose to not update when their extensions break.
Finally, maybe 1% of users at most would actually make use of these advanced extension capabilities. The rest would just be exposed to unnecessary security problems.
Maybe for you it is a relatively obvious solution to go back to the old extension API. But you’re being nothing more than a cynic when you claim that this would be the clear and obvious path for reaching Mozilla’s goal, which is to make the web a healthy place for which they need many users using their browser. They cannot cater only to the power-users.
@Anonymous: “Finally, maybe 1% of users at most would actually make use of these advanced extension capabilities.”
Perhaps so. But as one of that 1%, I really wish Firefox fans would stop constantly telling me that Firefox is better and I’m wrong for finding that it no longer meets my needs.
“There’s also the massive security hole implied by the old extension API itself […] it could probably key-log the passwords you type in and send them off to the darknet.”
are you aware that contentscripts can easily do that? new API isn’t any more secure, it’s just more limited
“Finally, maybe 1% of users at most would actually make use of these advanced extension capabilities. The rest would just be exposed to unnecessary security problems.”
breaking mouse gestures, keyboard bindings, taking away proper UI affected much more than 1% of users
if they want to make web a healthy place they should never be putting us in a golden cage apple style
Mozilla deliberately removed the option for extensions to change UI and that was already separating FF from other browsers. Mozilla has become corrupt and they give zero elves for their users. They champion privacy while implementing anti privacy search engines and practices.
Allowing extensions to modify the UI to the extent that userChrome.css allows it, can be dangerous. They could obfuscate the URL on phishing websites or forge the certificate information.
With most users not anywhere near the skill level to review extensions and auto-updating extensions being the norm, this does translate into real-world attacks being prevented.
If you’re an advanced user, you can use userChrome.css to do most things.
@Anonymous: “If you’re an advanced user, you can use userChrome.css to do most things.”
Yes, to do a lot of things. However, there are many things you can’t do at all anymore. Whether or not those matter to you is clearly subjective. They matter to me.
You can still easily change the UI yourself through userChrome
https://luke-baker.github.io/
https://www.reddit.com/r/FirefoxCSS/
The old extension system was part of code that held Firefox development back. AFAICT the plan has been all along to reintroduce capabilities for addons to do more things to the UI but through an updated and manageable codebase.
Firefox is open source software. Do you yourself put in any work to improve it? Do you donate regularly, contribute code or help out in some other way?
Sure, I’ll donate to a BILLION dollar devious cult every day; Rolls Eyes.
@chai_tea:
To an extent, yes, but the changes possible through that mechanism are very limited.