Silently, but with a huuuuge Banner that notifies you that the extensions were disabled; not really silent then?
You would have to be looking for it:
Note that the warning appears in the Extensions popup rather than on the Extensions icon, so you wouldn't know that StopTheMadness was disabled on YouTube unless you opened the popup (or unless you saw the autoplaying videos on YouTube that StopTheMadness would otherwise stop.)
What happens, though, if you pin the extensions to the toolbar for easy access to their settings?
It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup! Consequently, the quarantined domains warning no longer appears in the Extensions popup either. In fact, there's no longer an Extensions popup: clicking the Extensions toolbar icon simply opens the about:addons page, which doesn't show the quarantined domains warning anywhere.
I would like to see a link to that setting even with a security banner in front of it where you have to agree that everything that happens from now on is on you and not firefox.
This does feel like something you should be able to toggle off. I can understand their security concerns, but I didn't switch to Firefox because I wanted less control/trust from my browser.
You can, set extensions.quarantinedDomains.enabled to false.
I'm generally fine with anything mozilla chooses to with firefox as long as we retain the ability to undo it, but it is something that should be watched closely given the power of the default.
The intent behind the feature is obviously to keep a list of known-bad domains there, to disable extensions Mozilla hasn't vetted as safe on said malicious domains.
If I had to guess, I'd say it'll be set to "" by default, unless you crank up some security setting to extra-paranoid, or, obviously, set it yourself.
It's unclear exactly what's going on here. It could be a good idea or a bad idea.
Good idea: When accessing the login page for an important service, the user should be warned before low-trust extensions are enabled, to reduce the chance of hostile extensions stealing user credentials.
Bad idea: Allowing web site operators to dictate what extensions users may use on those sites.
"And now, it's time for another good idea and bad idea... "
Wheel of Morality, turn turn turn ...
I wish I could have extensions default to off and be able to turn them on selectively on sites. For things like darkreader I don't want to use it 90% of the time so it shouldn't need to have at access to site data.
By the way, I don't like the title of this article, how is it done "remotely", it's just a list in about:config, no? Sounds clickbaity.
Most people leave those settings alone. If you've never changed the value, whenever Mozilla change the default, you'll be updated to the new default when you update your browser. That's a remote change to which websites remain unaffected by extensions, except for the minority of users who've done something about it.
extensions are already disabled on Firefox help website. No dark reader will work there. They probably extended that capability into an actual backdoor.
Last time I checked companies don't share backdoors they've added in release notes.
Access to literally every website is a very scary permission that is too common. I’m not sure the best approach but limiting this, with some user input, is a good move.
i could imagine putting a banking site on that list to make sure no banking data can be leaked to an extension. two edged sword tho
Can confirm.
I just upgraded to 115, and tried out my own extension Obliterate Curves, which is similarly not monitored by mozilla due to how tiny it is.
If the current domain is a "Quarantined Domain.", all extensions which aren't monitored will get downright disabled.
Do note, the list was empty by default. 100% troubling but hard to say where they'll go with it. Might end up as a "tick this website as secure" box later, though I'd personally prefer control over which sites an extension is allowed to run in.
Yet another reason to use mullvad-browser instead of vanilla Firefox.
Removing user agency is a big deal, to do it silently is a massive red flag. Even if the intentions are good paternalistic behavior removes agency from users.
Silently, but with a huuuuge Banner that notifies you that the extensions were disabled; not really silent then?
You would have to be looking for it:
I would like to see a link to that setting even with a security banner in front of it where you have to agree that everything that happens from now on is on you and not firefox.
This does feel like something you should be able to toggle off. I can understand their security concerns, but I didn't switch to Firefox because I wanted less control/trust from my browser.
You can, set
extensions.quarantinedDomains.enabledto false.https://support.mozilla.org/en-US/kb/quarantined-domains
I'm generally fine with anything mozilla chooses to with firefox as long as we retain the ability to undo it, but it is something that should be watched closely given the power of the default.
The intent behind the feature is obviously to keep a list of known-bad domains there, to disable extensions Mozilla hasn't vetted as safe on said malicious domains.
If I had to guess, I'd say it'll be set to
""by default, unless you crank up some security setting to extra-paranoid, or, obviously, set it yourself.It's unclear exactly what's going on here. It could be a good idea or a bad idea.
Good idea: When accessing the login page for an important service, the user should be warned before low-trust extensions are enabled, to reduce the chance of hostile extensions stealing user credentials.
Bad idea: Allowing web site operators to dictate what extensions users may use on those sites.
"And now, it's time for another good idea and bad idea... "
Wheel of Morality, turn turn turn ...
I wish I could have extensions default to off and be able to turn them on selectively on sites. For things like darkreader I don't want to use it 90% of the time so it shouldn't need to have at access to site data.
By the way, I don't like the title of this article, how is it done "remotely", it's just a list in about:config, no? Sounds clickbaity.
Most people leave those settings alone. If you've never changed the value, whenever Mozilla change the default, you'll be updated to the new default when you update your browser. That's a remote change to which websites remain unaffected by extensions, except for the minority of users who've done something about it.
extensions are already disabled on Firefox help website. No dark reader will work there. They probably extended that capability into an actual backdoor.
Last time I checked companies don't share backdoors they've added in release notes.
Access to literally every website is a very scary permission that is too common. I’m not sure the best approach but limiting this, with some user input, is a good move.
i could imagine putting a banking site on that list to make sure no banking data can be leaked to an extension. two edged sword tho
Can confirm. I just upgraded to 115, and tried out my own extension Obliterate Curves, which is similarly not monitored by mozilla due to how tiny it is. If the current domain is a "Quarantined Domain.", all extensions which aren't monitored will get downright disabled.
Do note, the list was empty by default. 100% troubling but hard to say where they'll go with it. Might end up as a "tick this website as secure" box later, though I'd personally prefer control over which sites an extension is allowed to run in.
Yet another reason to use mullvad-browser instead of vanilla Firefox.
Removing user agency is a big deal, to do it silently is a massive red flag. Even if the intentions are good paternalistic behavior removes agency from users.
use Librewolf
fiReFox iS So much BEtTer tHan ChrOme foR PrivACY
still is.