Mozilla bans all extensions that execute remote code

Martin Brinkmann
Nov 5, 2019
Firefox
|
47

Mozilla added a number of extensions for the Firefox web browser that execute code remotely to the organization's blocklist in the beginning of November.

The bugzilla listing shows only IDs of the extensions and (almost) no names but the move appears to have affected several translation add-ons for the browser that injected Google Translate or Bing Translate code into websites to provide users of the web browser with page translation functionality.

The developers of Page Translator and Google Translate this page revealed recently that their extensions were banned by Mozilla. Several other translator extensions, Babelfox, Google Translate Element or Bridge Translate seem to be affected by the ban as well.

mozilla block addons

The developer of Page Translator offers insights into what happened in the past couple of days. The extension used Google Translate or Microsoft Translator libraries to provide Firefox users with in-line language translation capabilities. It downloaded the JavaScript file and injected it into pages to provide on-page translations.

Mozilla disallowed execution of external remote code for listed extensions for some time. Extensions listed on AMO were not allowed to execute remote code; the same was not true in all cases for self-hosted, read unlisted, extensions.

The developer had the extension removed from AMO when Mozilla made the initial policy change but did offer it as an unlisted add-on to users. According to him, the extension was used by thousands of users who used it to translate pages in Firefox.

Mozilla put the extension on a blacklist which killed it remotely in all Firefox installations that did not have the blacklisting functionality disabled.

An exchange with a Mozilla representative confirmed Mozilla's stance on the matter.

I've read your article, but unfortunately this is not a restriction we will be lifting.

If you find a way to provide this feature in compliance with our policies, we'd be willing to lift the block in a way that you could submit a new version for your users.

Where does that leave Firefox users?

There are still add-ons available for Firefox that offer translation functionality and these may work for users of the browser. None of these appear to support the on-page translation of the entire page though and that puts Firefox at a severe disadvantage when compared to Chrome or Edge which both support the feature natively.

Mozilla announced some time ago that it is working on integrating translate functionality natively in the browser but it will take some time before the first implementation becomes available in Stable versions of the web browser.

Another option that Firefox users have is to install userscripts in the browser as these are not subject to the same limitation as add-ons.

Closing Words

Mozilla's stance is clear: it does not want any extensions to execute remote code anymore because of potential security or privacy implications.

Extension developers were caught off-guard as it appears that no communication took place prior to the execution of the ban.

Now You: What is your take on this?

Summary
Mozilla bans all extensions that execute remote code
Article Name
Mozilla bans all extensions that execute remote code
Description
Mozilla added a number of extensions for the Firefox web browser that execute code remotely to the organization's blocklist in the beginning of November. 
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on January 20, 2020 at 7:16 pm
    Reply

    So here am I, a FF user since Netscape 1.0 struggling with the decision to upgrade my current FF Quantum 60 because a couple of my add-ons were borked when FF f*ed it’s user-base.
    Too, I’m starting to see the “your browser is shite and this website won’t work with it” on a couple websites…otherwords, I have no real particular reason to upgrade…

    I’m not a coder or any such thing but I do muck about heavily with “about:config”; despise auto updates and advertisements on my device. My FF 60 is tweaked to smithereens and I’m afraid to upgrade it and lose that tweakability.

    Should I upgrade or not? I was considering upgrading to FF 62 but only to get some add-on functionality back…I want to be able to tweak privacy settings in about config, have a few add-ons (uBO uMatrix and a monkey flavor as default must-haves) that work and will not be disabled again; I do not want forced updates whatsoever.

  2. elstaci said on December 19, 2019 at 3:20 am
    Reply

    Personally I was upset when S3 Translator was banned. I added and temporarily tried several different acceptable translators and none instantly translated the entire webpage automatically like S3. None was able to tell me what language I was translating from. Translating only what you highlight is time consuming and annoying.

    S3 when you install the extension asks you if you want to join in giving the authors authority to your browsing content. I always mark “No” but of course have no way of actually knowing if they comply with my wishes or not.

    After trying several different translation extensions, I went to S3 website and manually downloaded the API. Then I manually installed it back on FireFox. So far it hasn’t been deleted yet. Maybe in the next update version it will again be deleted. Again I will manually install it again.

    S3 Translator is the only translation that has so many excellent features. The best is when it automatically translates the entire webpage into the language I selected – English in this case. The other translation when I ask it to translate a webpage with some foreign language in it. It tells me the page is already in English. So the Foreign language inside the English webpage goes without being translated. S3 translates any foreign language in a English webpage automatically.

    At AMD Forums, most of the times I don’t realize the OP posted a question in a foreign language because S3 automatically translated it into English as soon as the webpage loaded. Which I really like and I feel is the best feature of S3.

    Also I run many security scans on my computer every month using Malwarebytes, Mcafee, and Spybot and none has ever tagged S3 as malware or spyware.

    So whatever info S3 authors are gathering is something I don’t particular care for but at least, so far, I haven’t seen any types of infections from using S3.

  3. owl said on November 15, 2019 at 1:48 am
    Reply

    To bug 1593243 is “report / investigation is necessary” has been intermittently post.
    https://bugzilla.mozilla.org/show_bug.cgi?id=1593243

    Those I tried looking at the extensions that have been certified as “illegality”,
    Most of them seem to have been registered with AMO (addons.mozilla.org) after adjusting the Google Web Store (for Google Chrome and Chromium) extensions to “Firefox compatible”.
    Due to the notable trend of “Origin and Career”, the Google Web Store still feels potential problems (such as flaws and Google ’s intentional background).

  4. Stan said on November 8, 2019 at 5:37 pm
    Reply

    “The End”

    In reality, ‘Google Chrome Developer to shut down Mozilla Help Forum’.

    Doesn’t make for pretty reading does it?
    Rather than let the site slowly fall apart (for years he’s refused to respond to Mods and members requesting he fix stuff there) he should have divested ownership the moment Google hired him.

    One wonders if Kersey’s masters have told him to close it down, conflict of interest?

  5. Anonymous said on November 7, 2019 at 4:09 pm
    Reply

    ”What is your take on this?”

    A good thing but also bad for some legitimate addons.

    Sad news about MozillaZine:

    The End
    http://forums.mozillazine.org/viewtopic.php?f=38&t=3055133&
    sid=f2c03085ee6a4c655671a77c8fa6b643

    Maybe Martin or Ashwin could write an article about this or comment it part of an article.

  6. Yuliya said on November 6, 2019 at 10:19 pm
    Reply

    have they banned “telemetry-coverage-bug1487578@mozilla.org.xpi” as well?

  7. Anonymous said on November 6, 2019 at 9:38 pm
    Reply

    Mozilla is banning these translation addons in favor of a privacy-focused rival to Google Translate that will enable Firefox users to read pages in different languages without gobbling up data.

    https://www.trustedreviews.com/news/firefox-translation-bergamot-mozilla-3948613

  8. Claymore said on November 5, 2019 at 11:35 pm
    Reply

    Well… I’m certain, most devs are around Mozillazine anyways.
    So just a few steps in about:config

    extensions.blocklist.enabled;false
    xpinstall.signatures.required;false
    xpinstall.whitelist.required;false

    Download the XPI > Open addons in Firefox > Drag & Drop the downloaded extension into the addons tab. Done.

    Like always: Use your brain if you download 3rd party extensions.

  9. ipnonymous said on November 5, 2019 at 10:55 pm
    Reply

    In case it is helpful-
    Duckduckgo is the default search in my browser and with it any page can be translated using the Duckduckgo’s !bang function.

    !gt is the bang for google-translate. In the url bar copy, paste and enter example;

    !gt amazon.de

    Then click on the link that appears. The page will auto-magically translate the German Amazon website into English.

  10. daveb said on November 5, 2019 at 9:55 pm
    Reply

    ..aaand the tale of Firefox attempting to turn itself FROM a beacon of moddability and the user’s preference comes first TO a feeble attempt at a closed garden where Mozilla’s preferences come first.

    Almost every change (note I don’t say upgrade) for the past few years has been to deny small communities functionality to be sacrificed on the altar of security. Its pathetic. If you want that much security don’t go installing a pile of addons, even better don’t browse the internet or use a web browser.

    Luckily there are other browsers using most of the same code that don’t do this.

  11. John said on November 5, 2019 at 7:08 pm
    Reply

    I’m surprised that extensions were allowed to execute remote code in the first place. That’s a glaring security hole. I’m glad Mozilla patched it. Without question (to me, anyway), they did the right thing.

    However, the timing is a bit unfortunate here. They will likely lose a lot of users from countries where many people are not native English readers but who read a lot of English websites because websites in their own language are not plentiful enough within their chosen fields of interest (Whether it be work or entertainment). It’s going to look like a feature was taken away that many will know other browsers have and switch to said browsers, and it’s always harder to get a user back than to retain one.

    Firefox has a native translation thing in the works- and in some ways, it’s going to be better than what other browsers have, because the translation is going to be handled client-side on people’s own machines (Which is much more private) rather than in the cloud (Usually by Google). Maybe the ideal thing would have been to wait until that was ready to roll out this restriction or, because it looks (and probably) bad when you delay safety measures, they could have banned extensions that execute remote code in general while grandfathering in existing translations for a limited time while they get their translation thing read, or rushed a beta version of their translation service into “production”, and offered an opt-in to anyone who lost a translation extension in a way they’d see the first time they are informed the extension is gone or would notice it missing.

  12. anon said on November 5, 2019 at 6:30 pm
    Reply

    Thumbs up to Mozilla.
    I want nothing to do with Google, Bing or any of the others leeches.
    Everybody knows about their agendas.

    As far as the developers are concerned.
    Better luck next time.
    My heart bleeds for you.

    1. Anonymous said on November 5, 2019 at 7:53 pm
      Reply

      “Thumbs up to Mozilla.
      I want nothing to do with Google”

      90% of their revenue, their default search engine, Google Analytics everywhere on their sites and even in the browser, their location service, their extension standard, their safebrowsing service where their tell Google about half of our downloads, copying most of the nasty things Google does in Chrome, and more…

      It’s just impossible to use something Mozilla does and have nothing to do with Google. You picked the wrong fight to side with Mozilla against Google, because what they are actually siding against here is just your freedom to install the non-malicious extensions you want to install, Google-related or not.

  13. Tom Hawack said on November 5, 2019 at 3:50 pm
    Reply

    Extensions that execute remote code being mainly discussed here as to the impact on translation extensions, scripts and search engines can bring their contribution (as noted in the article).

    For those who may be interested :

    Make bookmarklets executable on websites that use a strict CSP : ‘Bookmarklets context menu’
    https://addons.mozilla.org/en-US/firefox/addon/bookmarklets-context-menu/

    Create/use your own search engines :

    ‘Add custom search engine’
    https://addons.mozilla.org/en-US/firefox/addon/add-custom-search-engine/

    ‘Swift Selection Search’
    https://addons.mozilla.org/en-US/firefox/addon/swift-selection-search/

    Bookmarklet example : Google Translate page to English
    javascript:void(open(‘https://translate.google.com/translate?sl=auto&tl=en&u=’+location.href))

    Search engine example 1 : DeepL Translate text to English
    https://www.deepl.com/translator#en/en/{searchTerms}

    Search engine exaample 2: Google Translate text to English
    https://translate.google.com/#view=home&op=translate&sl=auto&tl=en&text={searchTerms}

    Of course results will always be opened in a tab and not as a popup but unless you spend your time translating (concerns mainly users not fluent in English), above tools seem to me quite sufficient.

    1. Peterc said on November 5, 2019 at 6:31 pm
      Reply

      @Tom Hawack:

      I nabbed the following bookmarklet from somewhere on the Web many years ago and am using it to this day. It uses Google Translate to automatically detect the source language and translate the selection (if any) or the entire page (if nothing is selected) to English. Results are loaded in a Google Translate interface in the same tab as the source. To go back to the source page, you use the browser’s normal “Back” command. I suppose it could probably be edited to open results in a new tab, but I don’t know anything about JavaScript.

      javascript:var%20t=((window.getSelection&&window.getSelection())||(document.getSelection&&document.getSelection())||(document.selection&&document.selection.createRange&&document.selection.createRange().text));var%20e=(document.charset||document.characterSet);if(t!=”){location.href=’http://translate.google.com/translate_t?text=’+t+’&hl=en&langpair=auto|en&tbb=1&ie=’+e;}else{location.href=’http://translate.google.com/translate?u=’+escape(location.href)+’&hl=en&langpair=auto|en&tbb=1&ie=’+e;};

      Incidental Remarks:

      I just tested the bookmarklet on a webpage in French (your first language and my second) to make sure I was correctly describing how it worked. Google Translate didn’t bother translating “éborgnés” (people who’ve lost an eye, which probably should have been reworked into “eye loss” in that context) and it used a deceptive cognate (faux-ami) for “communautarisme.” Google Translate isn’t perfect, even between two relatively similar languages. (But it did help me realize why I keep spelling former Iranian prime minister Mosaddegh’s name wrong in English: it’s spelled Mossadegh in French. Don’t get me started on Gaddafi. ;-)

      On the few occasions I’ve had to correspond with someone who spoke no English or French whatsoever, I translated from English to the target language and back again to English to get an idea of how badly Google Translate might have screwed up. Then I kept rephrasing and tweaking the original English until I got something *reasonably* accurate in the English re-translation. It seems to have worked, more or less.

      I’ve read that Bing does a better job, at least with some language pairs (e.g., Mandarin-English), but I haven’t tried it out. I should actually put more effort into finding some really good translation engines, as I try to get news and opinion from a wide variety of sources and being able to read only English and French is pretty limiting. Even foreign sites with native English- or French-language editions often tailor their coverage and opinion to what they perceive to be their target audience, and it may not be the same as what people at home are being told.

      1. Tom Hawack said on November 5, 2019 at 9:18 pm
        Reply

        @PeterC, besides the raw information your speech is a reading pleasure.

        Your Google translation text/page popup bookmarklet reminds me that I was wrong indeed to point out scripts rendering on a tab as if this was corollary; I have some bookmarklets which as well open a popup. Regarding the script itself I unfortunately cannot get it to work here, be it chosen text or page. I’d have to look at it and also my environment which may block it somewhere. I’m about to view on TV ‘Four Weddings and a Funeral’ once again so i’m a bit in a hurry :=)

        Google’s translations make it as myself with English when the topic is basic, but sort of slips occasionally in surrealistic renderings, lol. I was about to suggest this other translation tool called ‘DeepL Translator’ which you must know already when i’m realizing right now that it translates “éborgné” by “ebony”, in competition therefor with Google for the most amazing semantic transfer; nevertheless IMO it generally translates better than Google but unfortunately handles less languages.

        Round-trip translations as I call them (A-B->A) are indeed a great way to follow the odyssey of words, sentences when pushed approximately rather than pulled with precision (even if “precision” may not the required state of mind depending on the topic : science articles and literature require different translation approaches).

        There is also indeed Bing Translation but I’ll have to confess being rude in the face of Microsoft ever since i’ve decided to boycott all of the company’s services, besides the company itself (it all started with Windows 10 and the way the company dealt with its own rudeness).

        Algorithms may improve but I cannot imagine any having this very human ability to interpret (that is, to understand thoughts behind words) before translation. I may be wrong.

      2. 99 said on November 6, 2019 at 7:11 pm
        Reply

        >>> Regarding the script itself I unfortunately cannot get it to work here

        That’s no surprise!

        ghacks.net runs on WordPress and not CodePress. By default, WordPress will convert your straight quotation marks into curvy quotation marks (left/right quotes).

        If you are posting a code snippet, the curvy quotes will cause errors in JavaScript and render your bookmarklets into a useless piece of junkcode.

        To avoid this, enclose your snippet with the appropriate HTML Tag.

  14. Anonymous said on November 5, 2019 at 3:02 pm
    Reply

    I’m happy with Pale Moon and Translate This Page, Text, or Link 2.10

  15. ULBoom said on November 5, 2019 at 2:36 pm
    Reply

    Extensions aren’t needed to do this or many of the other things extensions do but they make it easier for users.

    Regardless of how a function is performed, within a browser, OS or third party program, the key is trust. Do you trust whomever is, in this case, doing the translating?

  16. owl said on November 5, 2019 at 12:16 pm
    Reply

    @Martin Brinkmann said on November 05, 2019:
    Where does that leave Firefox users?
    There are still add-ons available for Firefox that offer translation functionality and these may work for users of the browser. None of these appear to support the on-page translation of the entire page though…..

    No, it is not appropriate.
    Add-on “To Google Translate” is possible.
    Just select “Translate this page” (or Hotkey: Ctrl + Shift + F) from the context menu.
    However, it is necessary to set in advance the Option (Translate Page).
    To Google Translate is a useful translator add-on for Firefox | gHacks Tech News
    https://www.ghacks.net/2019/07/15/to-google-translate-add-on-for-firefox/

  17. Anonymous said on November 5, 2019 at 11:51 am
    Reply

    And it looks like Waterfox bent over for Mozilla here, it seems like the extension ban cannot be worked around in Waterfox either. I thought that setting xpinstall.signatures.required = false would be enough, but it’s not.

  18. Anonymous said on November 5, 2019 at 11:04 am
    Reply

    ofc no coincidence here, that mozilla is going to implement its own translation servive into future browser versions ..

  19. test said on November 5, 2019 at 10:51 am
    Reply

    Hi,

    Timely and important post, Martin.
    Thank you!.

    Does the warning also apply
    to the excellent”
    TransOver extension
    in latest Chrome browser (Linux – 64bits) ?.

    ==> I am not the author, just a concerned Chrome user.

    In the Chrome Web Store
    the TransOver extension shows (approx):
    – 1400 5-stars and
    – 104 thousand Users.

    It’s not banned by Google,
    but it’s a truly great extension
    and I hope it’s safe,
    as the author claims in the Chrome Web Store…

  20. owl said on November 5, 2019 at 10:31 am
    Reply

    As far as Addons of “Translation Function” is concerned,
    The add-on “To Google Translate” exists in AMO and continues to work in Firefox as before.

    To Google Translate is a useful translator add-on for Firefox | gHacks Tech News
    https://www.ghacks.net/2019/07/15/to-google-translate-add-on-for-firefox/#comment-4443460

    Incidentally, To Google Translate is an extension of an open source project developed exclusively for Firefox. In this project, the author (the main character) of the “tree style tab” who is familiar with Web technology is listed as a development collaborator.

    A Classic Extension Reborn: Tree Style Tab – Mozilla Hacks – the Web developer blog
    Interview with an add-on developer (Piro) who rebuilt a very complex extension (Tree Style Tab) created on the legacy XUL platform for the new WebExtensions API
    https://hacks.mozilla.org/2017/12/webextension-tree-style-tab/
    More technical details:
    Tree Style Tab WebExtensions Migration Story |
    XUL and WebExtensions platform strategy, code snippets, and architecture diagrams
    https://piro.sakura.ne.jp/latest/blosxom/mozilla/extension/treestyletab/2017-10-03_migration-we-en.htm

    As information:
    Add-on Policies – Mozilla | MDN | Extension Workshop
    https://extensionworkshop.com/documentation/publish/add-on-policies/
    Add-ons/Reviewers/Guide/Reviewing | MozillaWiki
    https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing

    1. Gabriel said on November 5, 2019 at 2:33 pm
      Reply

      Owl, the issue I have with “Google Translate” that you linked is that recently it changed it’s permissions to read all website data.

      1. owl said on November 15, 2019 at 7:21 am
        Reply

        @Gabriel said on November 5, 2019 at 2:33 pm:
        Owl, the issue I have with “Google Translate” that you linked is that recently it changed it’s permissions to read all website data.

        Issues · to-google-translate | GitHub
        https://github.com/itsecurityco/to-google-translate/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aall+
        > New permissions? · Issue #55 · to-google-translate | GitHub
        https://github.com/itsecurityco/to-google-translate/issues/55

  21. Anonymous said on November 5, 2019 at 10:20 am
    Reply

    I will refer to what I said before about this:

    https://www.ghacks.net/2019/10/20/mozilla-working-on-native-firefox-translation-feature/#comment-4442672

    and add this more general perspective:

    When they enforced their walled garden addon signature system, they said don’t worry, we will only use it to remove malicious addons, no need to be angry. Now they use it to enforce their abusive addon policies with no work-around against non malicious and perfectly good addons. And they will alter the deal further in the future, zero doubt on that.

    When they collected telemetry, they say don’t worry it’s opt-in. When they made it on by default, they said don’t worry you can opt out. Now we can no longer disable it fully, and maybe in the future, not at all.

    They also said don’t worry, it’s just not-too-sensitive data. Then when they start collecting browsing data, they say don’t worry, it’s anonymized. Until in the future it won’t even be.

    They said that they use our private data just to improve the browser, that they’re not in the business of selling data. Now they have sold browsing data to Cliqz, Pocket exploits browsing data to target ads, they experimented ad tiles targeted on browsing data, they want their telemetry to count how many ads we see and click on on search engine pages to help them negotiate their search deals. They probably count how many times we click on all the sponsored stuff in the browser, that you wouldn’t even suspect they are paid to display.

    When they added arbitrary remote Mozilla code execution in the browser, they said don’t be angry, trust us, it’s only to improve the browser. Then they installed remotely the Cliqz spyware and the Mr Robot advertising add-on.

    When they added ads in the form of Pocket sponsored news (ironically saying that a news system where businesses can pay to display their ad content as news was their way to fulfil their mission of protecting us from the internet disinformation by curating news content themselves), they said don’t worry, ads are not wrong because you can opt out of ad display. Now in Android Firefox they display links to sponsored sites that can’t be removed.

    When they killed classic extensions, they said don’t worry we won’t do it again, you won’t have to rewrite all your addons again to comply with the latest restriction Google decided on user freedom. Now they are going to do it again with manifest v3, that they will partly follow.

    When they implemented click tracking pings, they said don’t worry, it’s off by default. Now they said they will turn it on by default, with no UI to disable it.

    There is a lot more along those lines.

    In retrospect, it’s quite visible that Mozilla has repetitively manipulated us by giving us excuses for everything evil they pushed, just to lower our resistance, while their management was planning from the beginning to kill later the concessions they had made, but carefully avoided informing us about their future plans. It would be completely foolish to trust anything they say now.

    They are worse than Google, because at least people will fight Google, understanding that it cannot be trusted. Mozilla plays the buddy card to screw us.

    1. Crambie said on November 5, 2019 at 3:37 pm
      Reply

      To me the main reason they are worse than Google is that Google don’t pretend to be something they’re not. They are totally upfront about collecting your data for their own use, so in that respect they can be trusted to do exactly what they say, if you don’t like it then there are many alternatives (except for mobile OS’s). Mozilla on the other hand, much like Apple and others, are hypocrites, lecturing people about “evils” then doing it themselves. The typical left, do as I say not as I do.

      So for me Google are one of the least bad of the bad bunch. People still think of Mozilla as the Mozilla of old who did care about the users, that died when Eich was ousted.

      1. Anonymous said on November 5, 2019 at 4:44 pm
        Reply

        “They are totally upfront about collecting your data for their own use, so in that respect they can be trusted to do exactly what they say”

        It’s not that simple. They are upfront only for the minority knowledgeable people who will know what to expect from Google but might still be tricked by Mozilla. But the masses will still use Google products without questioning what might happen with their data. Google is just like Mozilla the vicious kind, the nuance is that they are the vicious kind that does not pretend to fight the vicious kind, but that’s not enough to be called trustworthy. And even for the knowledgeable type that reads the privacy policies, they are not really upfront. For example they once released a home device with a microphone that was mentioned nowhere in the specs. If you didn’t read the right news, you wouldn’t have known it. And there are so many similar examples. Google is NOT upfront, they are full slimy.

        “The typical left, do as I say not as I do.”

        The typical corporate left, or fake left, yes.

        “People still think of Mozilla as the Mozilla of old who did care about the users, that died when Eich was ousted.”

        Eich being ousted was not a quarrel on user rights, it was a quarrel between different factions of exploiters. The current Mozilla and the current Eich faction (Brave) are essentially doing the same anti-user work.

        The mistake would be to oppose Mozilla and Google (especially ridiculous given how the first often works for the second), Mozilla and Brave, and pick your side based on your political affiliation with the corporate right or left. Both want to fuck you, none is the solution.

      2. Crambie said on November 6, 2019 at 9:22 am
        Reply

        No, they are very clear that they collect your data for targeted ads. Of course not 100% of people realize this knows this. Some because they are just too dumb, the same people who say they don’t know about the Facebook controversies despite news of it being plastered everywhere, over and over.

        Eich was pro-user. For example he was absolutely against DRM and didn’t want it added to FF. Almost as soon as he was got rid of DRM was added.

        Yes both the left and right screw you over however it’s really only the left that preach to everyone, tell everyone what they can or can’t say, can or can’t do. Then often ignore those made up rules for themselves.

  22. Allen said on November 5, 2019 at 10:02 am
    Reply

    Not;hing is more secure than a browser which does nothing.

    1. owl said on November 5, 2019 at 11:11 am
      Reply

      @Allen said on November 5, 2019 at 10:02 am:
      Nothing is more secure than a browser which does nothing.

      No, it is not.
      Many malicious tricks are not noticed by the end user.
      In particular, many of the end-user, because there are using a smartphone in the main, PC skills are beginner class.
      Accordingly, end-users ignorance and indifference are serious and easy targets.
      In order to ensure the public nature (safe and comfortable) of Web cyber, it is necessary to take measures against the “Browser” and “Extended Functions” that are the main features of the tool.

      Reference examples below:
      About “malicious incidents such as tricks”:
      It is time to get rid of Stylish | gHacks Tech News
      https://www.ghacks.net/2018/07/03/it-is-time-to-get-rid-of-stylish/
      Stylus sees large user increase after Stylish removal | gHacks Tech News
      https://www.ghacks.net/2018/07/09/stylus-sees-large-user-increase-after-stylish-removal/

      A wave of malware add-ons hit the Mozilla Firefox Extensions Store | gHacks Tech News
      https://www.ghacks.net/2019/05/29/another-malware-wave-hit-the-mozilla-firefox-extensions-store/
      Reprinted the main part from the article:
      Malicious or spam extensions that use the names of popular extensions or programs are not anything new. Mozilla’s AMO store was hit with waves of spam extensions in 2017 and 2018, both happened after Mozilla switched the release process.
      Google’s Chrome Web Store was hit even harder by unwanted extensions in recent years. Chrome’s popularity and the fact that Google does not review any extensions manually by default play a role here.
      While it is easy to spot these particular fake extensions, others may not be as easy to spot. Back in 2017 I suggested Mozilla add a “manual reviewed” batch to extensions to give Firefox users more confidence in the legitimacy of extensions on the official add-ons repository.

      About “waves of spam extensions in 2017”:
      Mozilla’s AMO Extensions store has a spam infestation problem | gHacks Tech News
      https://www.ghacks.net/2017/12/13/mozillas-extensions-store-has-a-spam-infestation/

      About “waves of spam extensions in 2018”:
      Another wave of spam add-ons hits Mozilla Firefox AMO | gHacks Tech News
      https://www.ghacks.net/2018/04/09/another-wave-of-spam-add-ons-hits-mozilla-firefox-amo/

      About “Google’s Chrome Web Store was hit even harder by unwanted extensions in recent years”:
      Another Chrome extension horror story: coinhive and domain registration | gHacks Tech News
      https://www.ghacks.net/2017/10/15/another-chrome-extension-horror-story-coinhive-and-domain-registration/
      Google’s bad track record of malicious Chrome extensions continues | gHacks Tech News
      https://www.ghacks.net/2018/05/11/googles-bad-track-record-of-malicious-chrome-extensions-continues/
      Malicious Chrome extensions with Session Replay appear in Chrome Store | gHacks Tech News
      https://www.ghacks.net/2018/02/05/malicious-chrome-extensions-with-session-replay-appear-in-chrome-store/

      1. Rex said on November 16, 2019 at 6:16 am
        Reply

        Remember how the castration of XUL/XPCOM support in favor of WebExtensions (which is little more than Greasemonkey functionality wise) was supposed to make the browser sECuRe and prevent exactly the kind of situations shown by your links?

        The real problem is how Mozilla chooses to spend its money on all sorts of SJW propaganda and side projects instead of focusing on Firefox. Back in the day they used to manually verify extension submissions, now it’s all automated – leading to the same problems that have been seen on Android’s Play Store as well – malicious apps with names similar to popular ones (uBlock had many counterfeits).

      2. owl said on November 16, 2019 at 12:32 pm
        Reply

        @Rex said on November 16, 2019 at 6:16 am:
        Back in the day they used to manually verify extension submissions, now it’s all automated

        Do not demagogie(gossip) on the web by guess.
        Certainly, Google introduced full automation with the “AI” system, but Mozilla “manually, scrutinized by dedicated personnel”

        Add-on Policies – Mozilla | MDN | Extension Workshop
        https://extensionworkshop.com/documentation/publish/add-on-policies/
        Add-ons/Reviewers/Guide/Reviewing | MozillaWiki
        https://wiki.mozilla.org/Add-ons/Reviewers/Guide/Reviewing

        To bug 1593243 is “report / investigation is necessary” has been intermittently post.
        https://bugzilla.mozilla.org/show_bug.cgi?id=1593243

        Those I tried looking at the extensions that have been certified as “illegality”,
        Most of them seem to have been registered with AMO (addons.mozilla.org) after adjusting the Google Web Store (for Google Chrome and Chromium) extensions to “Firefox compatible”.
        Due to the notable trend of “Origin and Career”, the Google Web Store still feels potential problems (such as flaws and Google ’s intentional background).

      3. owl said on November 16, 2019 at 12:45 pm
        Reply

        WebExtensions API is a specification standard for “protecting the browser’s core program”.
        WebExtension API has nothing to do with “extension safety measures”.

        In measures against cyber attacks and personal information protection, browser vulnerability countermeasures have become an issue:
        Prevention of browser “core program” tampering,
        Measures to prevent historical data leakage,
        Measures against malware hidden in updates,
        Measures against privacy policy violations,
        etc.
        Based on those perspectives, Mozilla decided to abolish the “XUL/XPCOM” API, which can be directly involved in the program, and switch to the “WebExtension” API, which cannot be involved in the core program.

        Why Firefox Had to Kill Your Favorite Extension | How-To Geek(Justin Pot | November 18, 2017, 6:40am EDT )
        https://www.howtogeek.com/333230/why-firefox-had-to-kill-your-favorite-extension/

        What’s the WebExtensions API? | Browser Extensions – Mozilla | MDN |
        https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions

        Firefox’s WebExtension API is separate from the Chromium’s WebExtension API and is not just a subset. Many Firefox-specific APIs have been established:
        Browser support for JavaScript APIs – Mozilla | MDN |
        https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Browser_support_for_JavaScript_APIs

        A Classic Extension Reborn: Tree Style Tab – Mozilla Hacks – the Web developer blog
        Interview with an add-on developer (Piro) who rebuilt a very complex extension (Tree Style Tab) created on the legacy XUL platform for the new WebExtensions API
        https://hacks.mozilla.org/2017/12/webextension-tree-style-tab/

        Want more technical detail? Check out Piro’s post WebExtensions Migration Story of Tree Style Tab for his strategies, code snippets, and architectural diagrams of the XUL and WebExtensions platforms.
        WebExtensions Migration Story of Tree Style Tab | Piro’s post
        https://piro.sakura.ne.jp/latest/blosxom/mozilla/extension/treestyletab/2017-10-03_migration-we-en.htm

      4. Rex said on November 17, 2019 at 4:19 am
        Reply

        So how many times were there similar outbreaks of malicious extensions that ‘compromise the browser core’ or ‘malware in updates’ etc that you mentioned during the 10+ years of the XUL era, and if WebExtensions are so great, why are we having problems like this?

        https://hothardware.com/news/malicious-google-chrome-firefox-extensions-near-impossible-remove

        And this is before the whole forced extension signing debacle from May this year.

        Firefox’s WebExtension API is a pale shadow of its original XUL overlay/bootstrap/XPCOM APIs which were deprecated with no evidence of there being some outbreak of malware that used them. I’ve been using Firefox since it was called Phoenix (from 2002-2015) and in all this time I’ve never seen any such news of addon malware until after their creating a ‘solution’ in search of a non existent problem.

        All the Firefox malware in the news has been *AFTER* Webextensions, not before, so how secure are they exactly?

        And coming to TST, the author acknowledges it was bloody hard to work around the restrictions placed by Mozilla, and there are features that will never work anymore even after all this effort.
        The same goes for other popular addons like DownThemAll.

  23. Anonymous said on November 5, 2019 at 9:31 am
    Reply

    I believe the ban is because Mozilla want people to use the built in translation feature

  24. notanon said on November 5, 2019 at 9:00 am
    Reply

    Mozilla was the first to ban the Dissenter extension (the Free Speech expension) on April 2019, because of “hate speech”. As the U.S. Supreme Court has repeatedly ruled, there is NO “hate speech”, only “FREE speech” & censorship.

    Dissenter created the Dissenter browser, based on Brave’s browser engine, to allow it’s users to use Dissenter.

    While I use Firefox as my primary browser (Gecko is the only competitor to the Blink engine on the Windows platform), I don’t have any illusions about Mozilla’s corporate bias against what it considers “wrongthink”.

    Mozilla will continue to ban extensions on Firefox, based solely on what the corporate executives dictate.

    Unfortunately, this groupthink at Mozilla will not change anytime soon.

    Sometimes you choose the lesser evil (Firefox over Chrome spyware).

    1. Anonymous said on November 5, 2019 at 10:29 am
      Reply

      And thanks to vocal people like you, the Silicon Valley can justify their censorship systems by pretending that they are only/mainly using them against the fascists. They are glad that they now have their hands free to treat very generally the “dissent” or “free speech” words as suspect now that your vocal friends tainted them brown. In a sense, you’re helping them.

      1. notanon said on November 5, 2019 at 12:17 pm
        Reply

        Ah, no.

        Only people like YOU are calling everyone fascist.

        Free speech is the 1st amendment for a reason, without it the Republic falls.

        America was given birth opposing a King in England.

        We embraced a democratic republic to give the power to the people.

        The Constitutions begins with WE THE PEOPLE.

        Free speech is the cornerstone of American Democracy.

        If you want to hide behind some ridiculous name calling, then be a coward.

        As longs as I have free speech, I’m fighting censorship.

        The only people afraid of words, are people who are afraid of the truth.

        In the marketplace of free ideas, the best ideas prevail. That’s why people who support bad ideas champion censorship.

      2. Anonymous said on November 5, 2019 at 4:30 pm
        Reply

        “Only people like YOU are calling everyone fascist.”

        I did not call everyone a fascist, I implied that Dissenter was fascist-friendly:

        “Gab is an English-language social media website known for its far-right user base.The site has been widely described as a “safe haven”for extremists including neo-Nazis, white supremacists, and the alt-right.”

        https://en.wikipedia.org/wiki/Gab_(social_network)

        “Free speech is the 1st amendment for a reason, without it the Republic falls.
        America was given birth opposing a King in England.
        We embraced a democratic republic to give the power to the people.
        The Constitutions begins with WE THE PEOPLE.
        Free speech is the cornerstone of American Democracy.”

        I am not the one who censored you, so go take you complaints to them. My main concern is that they use your kind as an excuse to censor dissenters who are actually defending people’s rights.

        But anyway. The black slaves might have objected to this point of view about America. What is the opinion of the average Gab dweller on this ? Well it’s not fair to target you on that. Most of US people would also claim that the birth of their nation was about being so very democratic and freedom loving. As a nationalist you’re not going to contradict that, no matter how false this is.

        Even today free speech is a fiction, an empty right, when means of communication are monopolized by a wealthy minority with the power to censor whatever they want. You talk like you’re aware of that and not happy with that, but many Gab dwellers think that this is still too much freedom of speech (except when they are the ones censored) and do not even believe in a republican form of government, so please do not play the democracy violin with me.

      3. notanon said on November 6, 2019 at 6:57 am
        Reply

        Wikipedia? Really?

        I could go into Wikipedia right now & post that the Washington Post is communist-friendly. It doesn’t make it so.

        Dissenter is Free Speech friendly, if you don’t like it, why don’t you go to communist China, where there is open censorship.

        You’re retarded if you think free speech is “fiction” used by the wealthy. It’s billionaires running tech firms & the mainstream media that’s pushing censorship.

        You’re so stupid that you don’t realize you’re a useful idiot, spouting canned phrases/ideology that your’re indoctrinated to believe.

        There’s been no slavery for centuries, yet you bring it up, because you were taught to push your victimhood narrative.

        America was built on a “can do” attitude, not a victimhood/reparations mental illness narrative.

        In the end, Trump won, because social justice is really a death cult, pushed by globalist billionaires to take advantage of the stupidest, most narcissitic generation (millennials). Fortunately, Generation Z is more conservative, & coming of voting age, so this stupidity will end soon.

        Enjoy your echo chamber, everyone else will never let you forget your idiocy when the SJW’s bubble bursts.

      4. Anonymous said on November 27, 2019 at 1:30 pm
        Reply

        “social justice is really a death cult, pushed by globalist billionaires”

        Social justice and communism mean that billionaires shouldn’t even exist, they should be expropriated. Saying that billionaires are for social justice or are communists (as your far-right friends or aliases also repeat often on this site) is incredibly stupid.

        Fascists like notanon and the other nicknames he uses here to spread his far-right idiocies are not dissenters, they have always been a tool of the capitalists they falsely pretend not to like, to repress the workers, to fight social justice, to become even richer and more powerful by making workers even more miserable, because this is the real meaning of social injustice. Racism, xenophobia, homophobia are just divide-and-conquer tactics they use to get recruits to crush all the workers independently of their race, nationality or sexual orientation.

      5. Anonymous said on November 7, 2019 at 3:39 pm
        Reply

        “In the marketplace of free ideas, the best ideas prevail. That’s why people who support bad ideas champion censorship.”

        Market is what produced the private monopolies that, as their sacred right given by the US Constitution of our freedom loving founding fathers is, didn’t want you treading on their private property. Market is what kicked your ass out, it’s not the open censorship of communist China. So what are you complaining about ? Stop with your SJW victimhood narrative that what is happening to you is not FAIR. Your bad ideas did not prevail on the market, so just go back to your anachronic Gab echo chamber with the KKK and the nazis. Or be like the communists and use ideology and politics with bureaucrats like Trump because you failed to win by the market only.

  25. happysurf said on November 5, 2019 at 8:12 am
    Reply

    Fortunately Simple Translate is still live. :-)

  26. ard said on November 5, 2019 at 7:59 am
    Reply

    Firefox made the right changes to reduce the risks of malware etc to exploit the remote execution of code. Firefox tries to make their browser as safe and secure as possible, and I belief this blocking of execution of external code is a good step in the secure direction.

    BTW , I do use FF and an translation extension that indeed lost its ability to translate a whole page, but it still translate the highlighted portion of the page; trust this is not using this remote execution feature.

    1. Mozzilla only thinks of murica said on November 5, 2019 at 1:05 pm
      Reply

      I tried dozens of extensions but S3.Translator was the only one that worked and still works in full page without renouncing cookies. However, it was removed from the store some time ago for asking users to share their history for commercial reasons.
      It must be already very obsolete, I hope it continues to work, otherwise I will have to give up the vast majority of the Internet or get sick of translating paragraph by paragraph to reach the limit of the API extension and have to copy it to a translator manually.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.