Mozilla updates its Firefox Add-on Policy
Mozilla will make changes to Firefox Add-on policies in June 2019 that are designed to improve user safety and privacy when using extensions.
Starting in June 2019, extensions may no longer contain obfuscated code. Caitlin Neiman, Mozilla's Add-ons Community Manager notes that extensions may still use minified, concatenated or otherwise machine-generated code, but that the source code needs to be included and that obfuscation is not allowed anymore.
Mozilla will improve the blocking process as well to block extensions "more proactively" if they violate policies.
The organization changed the review process from "review first, publish second" to an automated review system. Granted, add-ons are still reviewed manually which sets the process apart from how Google handles Chrome extension reviews.
Mozilla announced a new Recommended Extensions program in April to promote excellent extensions for Firefox. These would be reviewed before they are published, and promoted in various places.
Add-on Policies
All extensions released for Firefox need are subject to the policies regardless of how they are distributed. Mozilla reviewers will use the policies as a guideline to determine whether an add-on is safe or in violation of the policies. Violating add-ons will be blocked by the organization.
Mozilla's new policies for add-ons address several add-ons related issues of the past; it requires that add-ons come with a description that clearly states what changes they make, that changes must be opt-in, must disclose if payment is required, must only request necessary permissions, and must disclose data collection, storage, and user data sharing policies.
A large part of the policy focuses on data collection and user privacy. Mozilla notes that add-ons need to disclose when they use cookies and describe the purpose of the cookies clearly, and that add-ons need to provide users with options to refuse the storage of cookies or access to cookies. Furthermore, add-ons need to inform users about the consequences should they choose to disallow cookies or disallow access to them.
The collection of personal information is prohibited without user consent, and the collection of personal information not required for the add-ons "basic functionality" is prohibited as well. Add-ons may not leak local or user-sensitive data to websites.
The new Firefox Add-ons Blocking Process
Mozilla may block add-on versions, entire add-ons, or even developer accounts if violations are detected. It applies "security over choice" when it comes to blocking which means that it "err on the side of security to protect the user".
The organization distinguishes between hard and soft blocks. Soft blocks disable add-ons by default but users may override the block to continue using it. Soft blocks may be used if an add-on contains non-critical policy violations, or causes "severe stability and performance issues in Firefox".
Hard blocks on the other hand disable Firefox add-ons and block users from enabling them in the browser. These are applied when add-ons are found to "intentionally violate policies", contain critical security vulnerabilities", "compromise user privacy", or "severely circumvent user consent or control".
Anyone may request a block on Bugzilla.
Closing Words
All extensions are subject to these new policies. Mozilla notes explicitly that developers should update extensions if these extensions contain obfuscated code as they might be blocked otherwise.
The updated policies address improve transparency (cookie disclosure, monetization, opt-in nature, description), and disallow obfuscation which should improve user safety and privacy when it comes to Firefox add-ons.
Add-on developers may need to update descriptions, extensions, and privacy policies; it is unclear if they are notified by Mozilla about the upcoming policy changes. Add-on developers were notified about the changes.
Now You: what is your take on the announced changes?
https://www.reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/
AMO has a decades long problem about not givingAF about user’s privacy. This new FAKE stand on policy is INANITY
AMO allows affiliate urls to be added to surfing by an extension. FAIL on privacy
AMO allows extensions to render third party ads. FAIL on privacy
Mozilla telemetry is the worst privacy fail to happen to users. FAILED to collect INFORMED consent.
Shame on mozilla… again
Firefox 66.0.4 is working with AdBlock Plus, so maybe fixed now. Unfortunately lots of damage done as people with large amounts of extensions probably had many problems. At least they fixed it fairly quickly, but this begs the question is the modern day browser just too complex and ate up with ads spying etc. Only you can decide. ;-)
Have used Firefox for many years on Windows, Linux and Apple computers. As of two hours ago with StartPage blocked and no access to my password manager I have moved over to Safari whilst I download and investigate a possible alternative browser which offers similar functions to those that have been taken away. Unbelievable. Firefox RIP.
Who runs these companies, monkeys? How can they think people won’t be completely raged about this? Meanwhile idiot Microsoft is going to ram Chrome spyware on an already spyware ridden OS. How many billions of dollars damage have they caused in the past two days? This is a fallen world.
I am not happy that my browser extensions in FF suddenly stopping working, completely without warning. In the end, I will stay with FF simply because it is the best browser in the world, and because it has nothing to do with Google.
Mozilla does not consider the user. apparently, we are nothing more that $$$ to them. now that google is involved, everything now is for money. they disabled all of my add-ons and extensions for the same reasons noted by the above posters. My internet is not safe without privacy badger from eff and ublock. my cherished theme of many years is now forever lost. mozilla is very bad.
Given moz is becoming so much like ms these days, and can no longer implement simple features, maybe moz should just leave this one alone.
Ref: the addon meltdown better known as the cert expiration apocalypse of May 4, 2019. Thanks for nothing FF.
Bug on the one side, but the sheer capability of removing something I explicitly installed, without valid reason, warning and not even an option to revert (not to mention doung removal by themselves without providing a choice nor information).
Firefox just lost all of the reasons (control, security, configurability/addons) I was still using it despite how much trouble dealing with google stuff (monopolistic performance issues on their websites) created for me.
No idea what they expect to achieve this way – but they can go F themselves, as I am already in a process of testing replacements…
Chill out people, it’s probably a bug. Just wait a couple of days.
Hi. I cannot recommend FF to my friends anymore! They destroy FF which was the best browser years ago. I recommend Waterfox and Palemoon to my friend. May Firefox should employ a developer! BRGDS
I agree. I use Waterfox for years and Palemoon like second browser.
Mozilla has ‘updated’ its addon policy to such an extent that as of today, literally millions of users have had almost all of their addons suddenly disabled, apparently due to the expiration of a security certificate associated with extension signing.
Even featured addons like UBlock Origin have been disabled.
It seems that for the time being, the only ‘solution’ is to install the development version of the browser, go to ‘about:config’ and toggle the ,xpinstall.signatures.required’ to ‘false’.
This particular toggle has been removed from the stable channel, because Mozilla developers’ infinite wisdom says they know better than their users.
Way to go, Mozilla!
So this is why all my add-ons just deleted themselves and I can not install any new ones
No, this is unrelated. See https://www.ghacks.net/2019/05/04/your-firefox-extensions-are-all-disabled-thats-a-bug/
wow, was using https eveywhere, adblock,no script…. all disabled wont reinstall thanx a bunch
About a dozen extensions stopped working this evening (May 3), including uBlockO. Very disheartening. I think they really shot themselves in the foot.
G*d d*mn m*th*r f*ck*n Mozilla!
I just got hit with the premature legacy extension bug! >:(
https://www.reddit.com/r/firefox/comments/bkcjoa/all_of_my_addons_got_disabled_and_they_are_all/
I just got a 2 hour session of work wiped out because the bug auto-closed all the tabs and disabled all my extensions.
/r/firefox meanwhile has jumped from like 2k subs to 10k.
Apparently it’s now an official thing.
https://bugzilla.mozilla.org/show_bug.cgi?id=1548973
Seriously Mozilla – how f*n hard is it to test your sh*t for bugs before you release it to stable!!!
You guys are going to lose a metric sh*t ton of users by tomorrow. Addons and customizeable privacy are the only things that are keeping me from jumping ship to Chrome. Now we (users) don’t even have control over our own extensions. I swear I have no good will towards Mozilla anymore. This feels like forced Win10 upgrades all over again. F Mozilla.
While browsing (GMT 01:00) in Firefox beta (67.0b16 64bit), most add-ons were suddenly disabled.
The Add-ons Manager is quarantined with no support (Legacy Addons) and is described as “These extensions are disabled because they are not suitable for the current Firefox standard (use can not be verified).”
# 1. List of disabled add-ons:
Auto Tab Discard 0.3.1
Boostaler 2.0.9.3
Buster: Captcha Solver for Humans 0.5.2
Chameleon 0.12.0
Check iframe 1.3.2
ClearURLs 1.6.2
Cookie AutoDelete 3.0.2
CSS Exfil Protection 1.0.12
Dark Background and Light Text 0.6.10
Decentraleyes 2.0.10
DuckDuckGo Privacy Essentials 2019.4.26
Enterprise Policy Generator 4.4.0
Extension source viewer 1.6.10
Facebook Container 1.6.5
Feedbro 3.41.0
Firefox Lightbeam 2.1.0
Forecastfox (fix version) 4.20
Ghostery – Privacy Ad Blocker 8.3.3
hide-scrollbars 2.1.8
HTTPS Everywhere 2019.5.2.1
IDM Integration Module 6.32.11
MaterialFox Helper 1.2
Nano Defender 15.0.0.139
Neat URL 4.1.5
Netcraft Extension 1.13.1
New Tab Override 14.2.0
Privacy Badger 2019.2.19
Privacy Possum 2018.8.31
Privacy Settings 0.3.7
Simple Translate 2.0.4
SingleFile 1.10.48
Speed Dial 0.1.7
Startpage.com — Private Search Engine 1.1.3
Temporary Containers 0.97
Trace – Online Tracking Protection 2.2.6
Tree Style Tab 3.0.10
uBlock Origin 1.18.16
uBO-Scope 0.1.12
uMatrix 1.3.16
VTZilla 2.1.1
# 2.Available add-ons:
AmIUnique 1.0.4
Disable WebRTC 1.0.20
Google Analytics Opt-out Add-on (by Google) 1.0.7
Open Link with New Tab 1.0
Skip Redirect 2.2.1
Almost all of my extensions have been disabled, among them https everywhere, nano adblocker, startpage, privacy possum, decentraleyes and cookie autodelete.
When trying to download ublock origin or privacy badger and the like, downloads are not possible. “Please check your connection”.
When checking users reviews from ublock origin for example this is running rampant at the moment.
Martin please check this out. This is insane. I have Firefox 66.0.3 installed, stable version.
Tonight, May 3, 2019, I started firefox to find all my extensions disabled. I have read their info about starting to do this in June; yet it was done tonight. To get work done tonight, will use Vivaldi for rest of the night. Ongoing, probably will start using PaleMoon and/or Waterfox. This was done with no notice to me; and in violation of what their own write-ups say about when they will start doing it.. I’ve used Mozilla/ Firefox for years; now, Vivaldi seems like a good new browser, although greatly deficient in addons. But, as more people switch to it from Firefox, that should improve.
I really need to get this off my chest…
As of May 3rd, 2019, the last day I used Firefox, I was greeted with a message from it telling me my add-ons are permanently disabled because they are “untrustworthy” & “not up to firefox standards”…🤯😡
Here’s a list of my addons:
1. uBlock Origin
2. uMatrix
3. Nano Defender (for uBlock Origin)
4. HTTPS Everywhere
5. Decentraleyes
6. Violentmonkey
7. Wayback Machine
8. Dark Reader
9. Video DownloadHelper
10. Dark Reader
11. Bitwarden
All of these mentioned add-ons are PERMANENTLY DISABLED by Firefux WITHOUT an option to reinstall them!
I can’t even…
…What…the…FUCK!?😡
In WHAT WAY are the aforementioned add-ons “UNTRUSTWORTHY” & “NOT UP TO FIREFOX STANDARDS”?😡
That means I can no longer block ads, the bane of the internet and enhance website functionality like Iridium for YouTube (available on GitHub), as a result of this SHIT!😡
I am fucking outraged by such a retarded, draconian dick move by Mozzerilla; never again!
A company & browser I had put my trust in for YEARS has now fucking betrayed me & fucked up my browser profile beyond repair, you pompous, inconsiderate cunts. FUCK YOU!🤬
I’m moving to Safari & Chrome, and I am NEVER looking back, so long as Mozilla enforces this new bullshit on its users!
I feel your pain brother and have share the sentiment. Every addon on my machine was disabled today as I was working. Your sentiment is strong and righteous.
I had allot of work to do today and now I cannot. I am blocked from working due to a handful of putrid pencil necked half wit geeks who haven’t a clue about software design, user respect, nor deep_wide_careful thought.
OPERA allows all of these extensions / addons. i made the switch today
This broke ALL of my add ons and now I can’t even download most them from Mozilla’s own list. We aren’t even talking really sketchy stuff. These are from developers that are nearly a decade old or more with 4.5 and 5 star reviews. Not only that but half the links for more information go to generic articles that are over 3 years old. There’s no way to reverse this mess that I can find, and now I have to reset all of my passwords just to get on with my day because one of the add ons that has disappeared was my password manager. This is a trainwreck. If even a fraction of the people out there are having the same problems then this is going to tank Mozilla’s reputation.
YAY! Firefox just disabled 100% of my whopping eight extensions. All of which I adore and all of which are non-malicious (speaking as a commercial IT administrator). F them and F this very heavy handed policy. In the end, there will be work-arounds and everything will be functioning as well as it did before this annoyance.
Blah blah blah says Mozilla’s pages regarding this decision. Its for me! they say, will reduce the injection of harmful code or inappropriate addons which will degrade the overall user experience. Typical! Sling this nonsense to the weakest links, spread it to a few tech related news outlets that focus only on the most rudimentary aspects of IT and promise everyone that this is all for the best! I’m sure some welcome this policy but I guarantee the majority do not.
I’ve been watching Firefox slowly degrade and try to become chrome bit-by-bit over time and am extremely disheartened at this decision. Until today, Firefox was the only mainstream browser I could depend upon for flexibility and easy to modify policies. For those that were a bit more troublesome – like what is happening today, there is always github. I hate the idea of now having to expend effort in “making firefox great again” and getting it back to something I find useful and convenient. For the very short term, I will pretend to be compliant but I will never let any company dictate to me what is best and good and right and proper and certainly not an organization like Mozilla.
Fully agree. I believe they have just lost a large market chunk. I manage a small herd of non-power user’s computers. People will all see Firefox out and (probably) Brave in, come Monday and onward. Ad blocking is absolutely necessary in our industry.
Did anyone else get most of their add ons disabled today because Mozilla could not “verify” them?
To understand the hostility of mozilla towards both users and developers, I refer to this incident that happend a couple of years ago shortly before the WebExtensions theater:
https://danstillman.com/2015/11/23/firefox-extension-scanning-is-security-theater#update-2015-12-01
Thus I am very confident to say the new policy is simply to do even less work on extensions than before, while marketing it as a pro-privacy move.
Extensions seem to be a target these days especially after plugins are going away. But you also can’t always trust the extension developer to do right either so I guess Mozilla had to take this step to try and prevent some of this potential security issues. I’d say if your doing things right this shouldn’t affect a honest developer.
That’s the thing, unfortunately. You’ll be amazed at the number of non-power users who install the most ridiculous add-ons on their system and then conveniently forget that they ever did it.
Unfortunately, Mozilla has to take these non-power user, non-vocal community into mind for its decisions, as they would comprise a lot of its users.
Even more unfortunately, Mozilla doesn’t seem to think it needs to retain those features that power users would love to have, like overriding the default behaviour of “choice over security”.
And yet they spew slogans such as “Individuals must have the ability to shape the internet and their own experiences on it.” At least now it seems they’ve finally owned up to it – the “choice” NEVER MATTERED.
@ZeoMal: “Mozilla has to take these non-power user, non-vocal community into mind for its decisions, as they would comprise a lot of its users.”
Yes, they do. It’s just unfortunate that they can’t seem to find a way to do that while keeping the browser good for the rest of us.
Then too you have extension developers who orphan the support for the extensions and they remain installed on users Firefox. Yeah, other platforms like Android for example don’t always have developers who do the right things. Side loading extensions is another problem when you cannot make any sort of review of that extension running in your browser. This creates a bad reputation for Firefox if these rogue extensions become a problem.
> Add-on developers may need to update descriptions, extensions, and privacy policies; it is unclear if they are notified by Mozilla about the upcoming policy changes.
Yes, we add-on developers were notified.
Thank You!
Probably not, the idea was outlined last year already:
https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/
General observation:
1) Not allowing obfuscated code anymore is probably not a security decision, as the above blog post already indicates that it is simply about mozilla saving time not checking the obfuscated code.
As a matter of fact, Firefox always allowed obfuscation exactly because it is developer-friendly!
2) I am not sure how the new policy changes anything substantial compared to the old one: https://blog.mozilla.org/addons/2018/03/05/updates-add-review-policies/
The only thing the wording actually communicates is that Mozilla is getting more serious about privacy-invading stuff.
“Security over choice” seems to be the fundamental change, while originally it was always “choice over security”.
This is highlighted by the quote: “We will be blocking extensions more proactively if they are found to be in violation of our policies.”
When it comes to users, the only question is how mozilla will communicate these changes to the average user who doesn’t know what all of this means.
Is this an attempted explanation of the Dissenter add-on ban even though it broke none of the rules?
https://github.com/gab-ai-inc/gab-dissenter-extension/issues/51