←back to thread

Firefox 42 will not allow unsigned extensions

(wiki.mozilla.org)
288 points fernandotakai | 3 comments | 11 Aug 15 03:51 UTC | HN request time: 0.001s | source
Show context
nathanb ◴[11 Aug 15 04:41 UTC] No.10039122[source]
It's the "no override" part that concerns me.

I created and maintain an extension that is used by visually-impaired people around the world (it has been translated by volunteers into Dutch and Chinese, for example).

Occasionally a Firefox update breaks this extension. OK, fine, that's the cost of doing business. Of course, the automated compatibility report that Firefox creates is utterly useless; it almost never catches the breakage. But that's a side rant....

There can be a decent turnaround lag (sometimes on the order of a few days) to get a new version of an extension reviewed by addons.mozilla.org. In the meantime, I have made a habit of building a new version of the extension and giving it to anyone who asks. Some people rely on it to use the web and can't wait for Mozilla to do their thing (another side rant: I once stupidly forgot to check in a key resource. I've since changed my development process to keep this from happening again. But the non-functional extension that I pushed passed Mozilla's review just fine. Makes me wonder how much value the review process is really adding.)

If I want to be able to continue this process, I will need to sign the extension myself (and who knows what histrionics Firefox will throw if a user tries to replace an extension with one that has the same UUID but a different signature!)

replies(8): >>10039130 #>>10039580 #>>10039659 #>>10039887 #>>10039941 #>>10040621 #>>10040999 #>>10041707 #
jsingleton ◴[11 Aug 15 09:55 UTC] No.10039941[source]
I don't use many extensions but I'm finding I have to use more as Mozilla remove features from Firefox.

For example you can no longer set the User Agent string on a per site basis natively in Firefox preferences [0]. This would be very handy to force HTML5 video on BBC News when you don't want to install flash [1]. I only discovered this setting was deprecated by finding that bug report whilst researching the blog post.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=933959

[1] https://unop.uk/dev/how-to-watch-bbc-news-videos-on-a-deskto...

replies(2): >>10040237 #>>10040605 #
chriswarbo ◴[11 Aug 15 11:27 UTC] No.10040237[source]
> I don't use many extensions but I'm finding I have to use more as Mozilla remove features from Firefox.

To me, that's the way Firefox should work: a fast, lightweight browser, with a powerful extension system.

I get disappointed when Mozilla add "features" to Firefox, like PDF viewers, Pocket, etc.

replies(1): >>10040445 #
TazeTSchnitzel ◴[11 Aug 15 12:25 UTC] No.10040445[source]
The PDF viewer is rather important if only for security.
replies(2): >>10040709 #>>10042981 #
doodpants ◴[11 Aug 15 13:11 UTC] No.10040709[source]
How is having a built-in PDF viewer more secure than downloading the PDF and viewing it in Adobe Reader or Foxit? Is it just that those readers have vulnerabilities that Firefox doesn't?
replies(1): >>10040989 #
1. rockdoe ◴[11 Aug 15 13:47 UTC] No.10040989[source]
Yes. The Firefox viewer sits on top of the JavaScript sandbox, which is the same sandbox that has to withstand attacks from pretty much everything on the internet and has been very hardened over the years (same for other browsers).

Ironically it had a vulnerability last week, but that's ONE and that's why it got so much attention. Adobe Reader and similar have had hundreds.

replies(1): >>10041470 #
2. detaro ◴[11 Aug 15 14:52 UTC] No.10041470[source]
Allowing people to implement viewers for file types that run in the sandbox as plugins seems like a good idea then. Not that I mind that a PDF-viewer is already built in, but firefox can't support all file types.
replies(1): >>10042080 #
3. pcwalton ◴[11 Aug 15 16:04 UTC] No.10042080[source]
A plugin API separate from the Web APIs is itself a large source of complexity and bloat.