Firefox 74: sideloading extension support ends
Mozilla announced this week that the organization's Firefox web browser will stop supporting extension sideloading in Firefox 74.
Current versions of the Firefox web browser support three different methods when it comes to the installation of extensions:
- Install via Mozilla's official add-ons repository Mozilla AMO.
- Use Firefox's "Install add-on from file" functionality in the Add-ons Manager. To use it, load about:addons in the Firefox address bar and select Menu > Install Add-on from File. Select the Firefox extension using the file browser that opens to start the installation dialog.
- Place extension files into standard extension folders.
The change removes the third option but does not touch the other two options. According to Mozilla, the third method frequently caused issues for Firefox users because these extensions were not installed directly by users of the browser and could not be removed from the add-ons manager either.
While sideloading has been used by legitimate developers to test Firefox installations and by organizations to deploy extensions on systems, it has also been abused in the past, e.g. to install malicious extensions in Firefox.
Mozilla plans to remove support in Firefox 74. Here is the full timeline (see our release schedule for Firefox for additional information):
- Firefox 73 (out February 11, 2020) -- Sideloaded extensions will be copied to the user's profile and installed as regular add-ons.
- Firefox 74 (out March 10, 2020) -- Sideloading is no longer supported
The change in Firefox 73 ensures that installed extensions won't be removed without recourse. Firefox users find these extensions in the built-in extension manager, from where they may be removed just like any other extension installed in the web browser if they have no intention of using them.
Organizations who use sideloading currently need to use different options to install Firefox extensions, e.g. by using the Windows Registry. The options are explained here.
Firefox users will benefit from the change as it removes an option that has been abused by malicious actors and also some software companies in the past to install extensions in Firefox.
Firefox users and developers will still be able to install extensions in the browser that are stored locally.
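An added example, not from the article or from Mozilla: a small audit an administrator could run around the Firefox 73/74 change to list extensions that arrived through sideloading rather than through the Add-ons Manager. It parses the contents of a profile's extensions.json; the field names (`location`, `foreignInstall`, `active`, `type`) and the location values are assumptions about that file's format, and the sample data is constructed.

```python
import json

# Install locations outside the user's profile (assumed extensions.json values,
# not taken from the article).
SIDELOAD_LOCATIONS = {
    "app-global", "app-system-local", "app-system-share",
    "app-system-user", "winreg-app-global", "winreg-app-user",
}

def find_sideloaded(extensions_json_text):
    """List extensions that came from a sideload location or are flagged
    as installed by something other than the user."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, language packs
        location = addon.get("location", "")
        foreign = bool(addon.get("foreignInstall"))
        if location in SIDELOAD_LOCATIONS or foreign:
            findings.append({
                "id": addon.get("id"),
                "location": location,
                "foreign_install": foreign,
                "active": bool(addon.get("active")),
            })
    return findings

# Constructed sample, not data from a real profile.
SAMPLE = json.dumps({"addons": [
    {"id": "adblocker@example.org", "type": "extension",
     "location": "app-profile", "foreignInstall": False, "active": True},
    {"id": "toolbar@vendor.example", "type": "extension",
     "location": "winreg-app-global", "foreignInstall": True, "active": True},
    {"id": "helper@vendor.example", "type": "extension",
     "location": "app-profile", "foreignInstall": True, "active": False},
    {"id": "theme@example.org", "type": "theme",
     "location": "app-global", "active": True},
]})

if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE):
        print(f"{f['id']}: location={f['location']} "
              f"foreign={f['foreign_install']} active={f['active']}")
```

To review a real installation, pass the text of extensions.json from the Firefox profile directory to `find_sideloaded`.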
Now You: Do you use extensions that you installed locally in Firefox?
“To give users more control over their extensions, support for sideloaded extensions will be discontinued.”
I’m not sure if they’re serious or not lol
Addons installed by the removed method do not give the user control over them within the browser and are often automatically installed by other software which may be malicious. You can still load an addon from a file but have that control and have to very deliberately do it.
and firefox continues to remove more functionality than they add in updates. Even their transition from version 73 to 74 shows how they could have handled this differently to maintain the functionality while changing. Just make the manager capable of dealing with the sideloaded extensions, done. A truly capable manager should be able to manage any type of file that the application picks up, including the side loading one.
Firefox continues to make the case that other options are superior.
But what other options are there that are not open source and have the best extensions possible, ublock origin, umatrix and noscript? It seems like the choices here are very limited.
Side Loading is not truly removed since you can install an extension manually. As someone who manages many Firefox installations I see this as a plus because it improves security. The method being removed probably should never have been included anyway as it is way too easy to abuse. That’s my 2 cents…
@daveb – this option was being abused by many software companies as a sneaky way to install PUPs without any clear way to remove, especially anti-virus software, most notably Symantec constantly abused this method, making their tracking extension impossible to remove by ordinary users. This change is a net-positive in this instance, as a corporate systems admin speaking.
“making their tracking extension impossible to remove by ordinary users”
This is exclusively a problem with the manager, not a problem with side-loading. As I said, anything that has the capability of being picked up by the browser should also be controlled by the manager. That’s a very basic coding practice. They are taking the worst direction possible because it’s the easy route.
Yes every ‘lock down’ admin out there is getting moist at these changes. ..but they are the furthest thing from what an application should be focusing on pleasing.
The easy route is their go-to move time and time again. Tabs on top vs on bottom?…ugh maintenance burden…remove it! Option in about:config to control close buttons on tabs?…hardly anyone uses it and who cares about those people, anyway? Remove it! It’s not even that this one issue is a huge issue because you can still install manually, but it’s just yet one more time options are removed for their convenience. The right thing to do would be to have it disable any sideloaded extensions by default so they are enabled only if you choose and, as daveb mentioned, the ability for the extension manager to remove them. That would take more effort so obviously that can’t happen.
Firefox’ goal is to become the best Chrome clone it can be. That means if you want to change the Download directory, you have to modify your Firefox client with additional code.
Firefox is dead and also a joke now.
Is this just from the release version of Firefox? Are developer and unbranded versions affected?
“Firefox users will benefit from the change as it removes an option that has been abused by malicious actors and also some software companies in the past to install extensions in Firefox.”
What about software that needs to install an extension automatically in Firefox for legitimate reasons ? Will this still be possible ? Or is it again Mozilla’s trend to turn the browser into a locked box that users can’t control “for their own security”, but that Mozilla can play with remotely at any time to install spyware, and that gives to random web sites always increasing control on our computers ?
> Mozilla announced this week that the organization’s Firefox web browser will stop supporting extension sideloading in Firefox 74.
No, they did not.
They will discontinue *one* *bad* method of sideloading (what this article calls “method 3”), but the other, *better* method of sideloading (what this article calls “method 2”) will continue to be supported.
There will be no loss of functionality, unless you are writing malware.
Yep, people complaining about it are haters or malware developers.
Another magic word to kill all rational discussion. What is even a “hater” ? Does hating anything automatically disqualify any argument ? What about hating Google, hating corruption, hating ads, hating privacy invasions, hating having our freedom confiscated by some business, hating shills like you ? Or maybe it’s a term you reserve for anyone with strong opinions, or more exactly strong opinions that were not engraved by some corporate propaganda campaign ?
Right. Title was (unintentionally) misleading since that’s not how most users understand “sideloading”.
When I read it, I thought you can only use AMO now!
Now, if they’re so concerned about end user security, I wish Mozilla would program in an ability to see which extensions in Firefox are calling out to remote servers and which ones they’re calling out to. AFAIK, there’s currently way in the Firefox UI to obtain this information, and I’m seeing a lot of this kind of activity in my fully updated (70.0.1) copy of Firefox.
No one mentioned the case of GNU/Linux distribution, that use to package popular extensions, and install them in global directory to be sure it’s loaded for every user.
This behavior will be broken. I think this is sad. I really think (like other people here) that the extension manager should be able to deal with sideloaded extension, and be able to disable them if they are read-only.
I have to agree with the general level of criticism aimed at Firefox for the most part but in this specific instance the change seems to be a good one. They are removing a vulnerability while maintaining the functionality and should not be condemned in a knee-jerk fashion simply on the basis of past mistakes.
I personally think the management at Mozilla have lost their minds but maybe this is a first step back toward sanity. After all, anything is possible.
“should not be condemned in a knee-jerk fashion simply on the basis of past mistakes.”
Most of what Mozilla is criticized for is not past mistakes, it’s intentional and consistent behavior that they did not revert and even less apologize for. And the very few times when they apologized for doing something evil intentionally, it was obviously forced by a level of backlash they could not handle in spite of their extremely high threshold.
IMO, the third option listed above used for side-loading extensions is more of a hack and Mozilla is right to remove it for security reasons.
Firefox lost my support when its focus become less about function and More about being a net nanny browser for tin foil hat people. I mean where is all these users who Mozilla claims want such a browser?
@JohnL That would be the majority of people using web browsers on PC’s.
The people that actually know how anything works on a PC are only a small minority and most of them realize that.
The majority just wants it to work and has no interest in knowing how it works.
I would like to see someone put out a browser that’s just a basic base that users could add the functions they wanted to and leave out the ones they don’t want, like building with Legos.
majority=sheeps band going to the slaughterhouse.
firefox became so ugly and stupid. lot of main functions are broken(flashgot, tab mix plus, extended statusbar). all features from gecko were removed.
last move to say him R.I.P is removing support of any unsigned addons(ublock origin may became unsigned – google and other bastards wanted to kill it) and customcss. next step after removing manual install addons -destroy portable builds(like in chrome, user profile became broken(except chinese chromium).
what hacks? any extensions which provided a lot of functional, but conflicted with google,mozilla and any other money kings became dead. where is the time of 2006-10?
Get Pale Moon. What Firefox once was – still 100% customizable and privacy friendly, zero bloat and full XUL/XPCOM support. And don’t listen to the morons who say ‘iT’s jUsT a fORk of an old Firefox’ without understanding what a fork means (Firefox is also ‘a fork of an old Netscape’ by that reasoning) or that it’s insecure.
Mozilla Firefox 200 can’t be started at all. New feature by Mozilla.
This comment thread is starting to stink like Twitter’s blue check mark woke brigade. Not sure why all the vitriol against Firefox. No public software will ever be perfect or please everyone. Who do you think has your back more – Google? Apple? Microsoft? Not bloody likely. Get a grip will you. This site and comment section used to be known for its courteous, thought-out contributions. Please leave the attacks and opinions for twatter and foolbook.
Let me think for a short moment… First and most important Mozilla is a greedy and jealous org which saw the loss of power user features and abandoning power users as some kind of ‘collateral damage’ – as Mozilla was thinking about ways to outsmart Google and defeat them – which worked only out in their most illusionary day-dreams.
Also… we have Mozillas alignment with the most radical opinions and goals of the so-called ‘progressive movement’ these days.
And last but not least – Mozilla is no longer a honest champion of the free web – what they care most for today is all about numbers – no matter if tables or quotas in whatever for a kind of way or plain market share numbers – and following Google Chrome in Mozillas quest to find a way to become the leader themselves!
For this Mozilla has casted their own power user base aside – the kind of users who wanted unique features, made awesome full themes and add-ons which have beaten everything in direct comparison to what Mozilla offers today – creativity wise and in being so much more capable of what was able to do.
An org which is acting that way – and still claims that they are honest and FOSS – is nothing less than spineless. Mozilla of the past earned indeed the batch to be honored, as it had visions and was fully respectable!
What is left today of all of that is grave-robbing from their past – nothing more and nothing less and neither earns the name Mozilla or Firefox anymore.
Let’s go back to the main topic!
Now You: Do you use extensions that you installed locally in Firefox?
I am using locally installed extensions with Firefox and Thunderbird.
● Firefox “xpi-files”
● Thunderbird “xpi-files”
Firefox and Thunderbird cannot implement extensions that have not been approved by Add-on Reviewers.
However, even unapproved, there are useful extensions published on “GitHub”.
It is also necessary to implement unapproved extensions (such as beta specifications) in tests to help develop extensions.
Their implementation is limited to this third method.
Careful judgment is desired so that they are not unjustly excluded.
In other words, “Things that must not be excluded” and “Do not impose a burden on developers” should be sufficient consideration.
Add-on Policies – Mozilla | MDN | Extension Workshop
Add-ons/Reviewers/Guide/Reviewing | MozillaWiki
I noticed that my Comment was wrong.
Correct the sentence:
False:Their implementation is limited to this third method.
True:Their implementation is limited to this second method.
2.Use Firefox’s “Install add-on from file” functionality in the Add-ons Manager. To use it, load about:addons in the Firefox address bar and select Menu > Install Add-on from File. Select the Firefox extension using the file browser that opens to start the installation dialog.
Since the second option listed is still going to be available, the title of the article is misleading. It’s also possible to temporarily load an extension .xpi file via about:debugging.
Thankfully these options won’t be discontinued because one extension I use a lot was removed from AMO some time ago, but since the .xpi file was still in the profile extensions folder, it could be sideloaded after the extension disappeared following the Firefox add-on certificate expiry debacle.