757 points shak77 | 1 comments
pgl ◴[] No.15932231[source]
Previously:

* https://news.ycombinator.com/item?id=15921134

This is a link to the GitHub issue:

* https://github.com/gregglind/addon-wr/issues/36

There are several scary things about this:

- Unknown Mozilla developers can distribute addons to users without their permission

- Mozilla developers can distribute addons to users without their knowledge

- Mozilla developers themselves don't realise the consequences of doing this

- Experiments are not explicitly enabled by users

- Opening the addons window reverts configuration changes which disable experiments

- The only way to properly disable this requires fairly arcane knowledge of Firefox preferences (lockpref(), which I'd never heard of until today)

replies(4): >>15933319 #>>15933374 #>>15933569 #>>15934661 #
hbosch ◴[] No.15933374[source]
> Mozilla developers can distribute addons to users without their knowledge

I think for most people this is the stickiest point. Other commenters have said things along the lines of, "well if you trust their browser you should be able to trust their add-ons" and I do, mostly, trust their add-on here... but I really don't like how it slipped into my Add-Ons without telling me. For every other Add-On I have to click an explicit blue button, so I know what's in and what's out.

In today's landscape, Add-Ons have massive potential as security threats. For instance, would a savvy user who is security-aware (most users on HN, I assume) install an Add-On like Gmail Checker Plus[0]? Without digging in, it's hard to be 100% certain what this Add-On is and isn't doing with my Gmail content (I have no reason to assume anything nefarious, it's just an example). My browser Add-Ons should be off-limits to any sort of tampering without my permission, as well should be my bookmarks and auto-fill info. If I broke into your house and changed your bedsheets, you'd rightly be creeped out... nothing was stolen, new bedsheets don't affect you in any significant way, but it's still wrong and weird and hurts trust.

0. https://addons.mozilla.org/en-US/firefox/addon/checker-plus-...

replies(1): >>15934330 #
1. pygy_ ◴[] No.15934330[source]
They could (should?) have a non-user visible addons stash for this kind of functionality. Putting it in the Add-ons UI is a bad idea.