Firefox, Chrome and the Future of Trustworthy Extensions

<!DOCTYPE html> <html lang="en-US" dir="ltr" class="no-js"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="license" href="#license"> <link rel="profile" href="https://gmpg.org/xfn/11"> <link rel="shortcut icon" type="image/png" href="https://blog.mozilla.org/addons/wp-content/themes/frontierline/img/favicon.png">   <meta name="title" content="Firefox, Chrome and the Future of Trustworthy Extensions – Mozilla Add-ons Community Blog"> <meta property="og:site_name" content="Mozilla Add-ons Community Blog"> <meta property="og:url" content="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions"> <meta property="og:title" content="Firefox, Chrome and the Future of Trustworthy Extensions – Mozilla Add-ons Community Blog"> <meta property="og:description" content="An interesting comparison between Chrome's announced changes for trustworthy browser extensions and what Mozilla has built into Firefox."> <meta property="og:image" content="https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg"> <meta property="twitter:title" content="Firefox, Chrome and the Future of Trustworthy Extensions – Mozilla Add-ons Community Blog"> <meta property="twitter:description" content="An interesting comparison between Chrome's announced changes for trustworthy browser extensions and what Mozilla has built into Firefox."> <meta name="twitter:card" content="summary_large_image"> <meta property="twitter:image" content="https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg"> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <meta name="blog-name" content="Mozilla Add-ons Community Blog" />  <title>Firefox, Chrome and the Future of Trustworthy Extensions - Mozilla Add-ons Community Blog</title> <meta name="description" content="An interesting comparison between Chrome's announced changes for trustworthy browser extensions and what Mozilla has built into Firefox." /> <link rel="canonical" href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/" /> <meta name="twitter:label1" content="Written by" /> <meta name="twitter:data1" content="Mike Conca" /> <meta name="twitter:label2" content="Est. reading time" /> <meta name="twitter:data2" content="6 minutes" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebPage","@id":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/","url":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/","name":"Firefox, Chrome and the Future of Trustworthy Extensions - Mozilla Add-ons Community Blog","isPartOf":{"@id":"https://blog.mozilla.org/addons/#website"},"primaryImageOfPage":{"@id":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#primaryimage"},"image":{"@id":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#primaryimage"},"thumbnailUrl":"https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg","datePublished":"2018-10-26T21:00:42+00:00","dateModified":"2018-10-26T21:00:42+00:00","author":{"@id":"https://blog.mozilla.org/addons/#/schema/person/b31783432b399e8124c76a08c5658ad2"},"description":"An interesting comparison between Chrome's announced changes for trustworthy browser extensions and what Mozilla has built into Firefox.","breadcrumb":{"@id":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#primaryimage","url":"https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg","contentUrl":"https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg","width":640,"height":427,"caption":"Crossed Hands"},{"@type":"BreadcrumbList","@id":"https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://blog.mozilla.org/addons/"},{"@type":"ListItem","position":2,"name":"Firefox, Chrome and the Future of Trustworthy Extensions"}]},{"@type":"WebSite","@id":"https://blog.mozilla.org/addons/#website","url":"https://blog.mozilla.org/addons/","name":"Mozilla Add-ons Community Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://blog.mozilla.org/addons/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https://blog.mozilla.org/addons/#/schema/person/b31783432b399e8124c76a08c5658ad2","name":"Mike Conca","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://blog.mozilla.org/addons/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/04780e375a532aeb20ec1365ce163109?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/04780e375a532aeb20ec1365ce163109?s=96&d=mm&r=g","caption":"Mike Conca"},"description":"Mike Conca is the Group Product Manager for the Firefox Web Platform, leading the product team responsible for the core web technologies in Firefox including JavaScript, DOM Web API, WebAssembly, storage, layout, media, and graphics.","sameAs":["https://www.linkedin.com/in/mconca/","https://x.com/MikeConca"],"url":"https://blog.mozilla.org/addons/author/mconcamozilla-com/"}]}</script>  <link rel="alternate" type="application/rss+xml" title="Mozilla Add-ons Community Blog » Feed" href="https://blog.mozilla.org/addons/feed/" /> <link rel="alternate" type="application/rss+xml" title="Mozilla Add-ons Community Blog » Comments Feed" href="https://blog.mozilla.org/addons/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Mozilla Add-ons Community Blog » Firefox, Chrome and the Future of Trustworthy Extensions Comments Feed" href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/feed/" /> <link rel='stylesheet' id='wp-block-library-css' href='https://blog.mozilla.org/addons/wp-includes/css/dist/block-library/style.min.css?ver=6.3.5' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}body .is-layout-grid{display: grid;}body .is-layout-grid > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} .wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} .wp-block-pullquote{font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='frontierline-parent-css' href='https://blog.mozilla.org/addons/wp-content/themes/frontierline/style.css?ver=6.3.5' type='text/css' media='all' /> <link rel='stylesheet' id='frontierline-css' href='https://blog.mozilla.org/addons/wp-content/themes/frontierline-firefox/style.css?ver=1686919482' type='text/css' media='all' /> <script type='text/javascript' src='https://blog.mozilla.org/wp-content/mu-plugins/mozilla-custom/ga-snippet.js?ver=.4' id='ga-snippet-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/addons/wp-includes/js/jquery/jquery.min.js?ver=3.7.0' id='jquery-core-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/addons/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1' id='jquery-migrate-js'></script> <link rel="https://api.w.org/" href="https://blog.mozilla.org/addons/wp-json/" /><link rel="alternate" type="application/json" href="https://blog.mozilla.org/addons/wp-json/wp/v2/posts/8573" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.mozilla.org/addons/xmlrpc.php?rsd" /> <link rel='shortlink' href='https://blog.mozilla.org/addons/?p=8573' /> <link rel="alternate" type="application/json+oembed" href="https://blog.mozilla.org/addons/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.mozilla.org%2Faddons%2F2018%2F10%2F26%2Ffirefox-chrome-and-the-future-of-trustworthy-extensions%2F" /> <link rel="alternate" type="text/xml+oembed" href="https://blog.mozilla.org/addons/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.mozilla.org%2Faddons%2F2018%2F10%2F26%2Ffirefox-chrome-and-the-future-of-trustworthy-extensions%2F&format=xml" /> </head> <body class="post-template-default single single-post postid-8573 single-format-standard color-scheme-none pattern-slashbracket" data-blogname="Mozilla Add-ons Community Blog"> <nav id="nav-global" class="nav-global can-stick"> <div class="content"> <div class="logo"><a href="https://www.mozilla.org/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external" title="Visit mozilla.org">Mozilla</a></div> <div class="nav-mozilla"> <span class="toggle" role="button" aria-controls="nav-mozilla-menu" aria-expanded="false" tabindex="0">Menu</span> <ul class="nav-mozilla-menu" id="nav-mozilla-menu"> <li class="nav-global-health"><a href="https://www.mozilla.org/about/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">About Mozilla</a></li> <li class="nav-global-tech"><a href="https://www.mozilla.org/firefox/products/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">Products</a></li> <li class="nav-global-donate"><a href="https://donate.mozilla.org/?presets=50,30,20,10&amount=30&currency=usd&utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external">Give</a></li> </ul> <aside class="nav-global-fxdownload"><a href="https://www.mozilla.org/firefox/new/?utm_source=blog.mozilla.org&utm_medium=referral&utm_campaign=blog-nav" rel="external" class="button button-product">Download Firefox</a></aside> </div> </div> </nav> <header id="masthead" class="section"> <div class="site-id"> <div class="site-title-wrap content"> <a href="https://blog.mozilla.org/addons/" rel="home" title="Go to the front page"> <h4 id="site-title"><span>Mozilla Add-ons Community Blog</span></h4> </a> </div> </div> </header> <div class="site-wrap"> <nav id="nav-util" class="can-stick has-sidebar "> <ul class="content"> <li class="nav-util-sidebar"><a href="#sidebar" aria-controls="sidebar" id="toggle-sidebar">Explore</a></li> <li class="nav-util-search"> <form id="search" class="fm-search" method="get" action="https://blog.mozilla.org/addons/"> <fieldset> <p> <label for="s">Search this site</label> <input type="search" value="" name="s" id="s"> <button type="submit" class="button button-minor">Search</button> </p> </fieldset> </form> </li> </ul> </nav> <main id="content"> <div class="content"> <div class="post-image post-image-featured"> <img width="640" height="427" src="https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg" class="attachment-post-full-size size-post-full-size wp-post-image" alt="Crossed Hands" decoding="async" fetchpriority="high" srcset="https://blog.mozilla.org/addons/files/2018/10/cross-hands.jpeg 640w, https://blog.mozilla.org/addons/files/2018/10/cross-hands-252x168.jpeg 252w, https://blog.mozilla.org/addons/files/2018/10/cross-hands-600x400.jpeg 600w" sizes="(max-width: 640px) 100vw, 640px" /> </div> <article id="post-8573" class="post post-8573 type-post status-publish format-standard has-post-thumbnail hentry category-developers category-policy category-web-extensions tag-chrome tag-extensions tag-firefox tag-trustworthy tag-webextensions"> <header class="entry-header"> <div class="entry-tools"> <div class="categories"> <b>Categories:</b> <a href="https://blog.mozilla.org/addons/category/developers/" rel="category tag">developers</a> <a href="https://blog.mozilla.org/addons/category/policy/" rel="category tag">policy</a> <a href="https://blog.mozilla.org/addons/category/web-extensions/" rel="category tag">webextensions</a> </div> </div> <h1 class="entry-title"> Firefox, Chrome and the Future of Trustworthy Extensions </h1> <div class="entry-info"> <address class="vcard"> <a href="https://blog.mozilla.org/addons/author/mconcamozilla-com/" title="Posts by Mike Conca" rel="author">Mike Conca</a> </address> <time class="date published" datetime="2018-10-26T14:00:42-07:00">October 26, 2018</time> <p class="entry-comments"> <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comments">6 responses</a> </p> </div> </header> <div class="entry-content"> <p>Browser extensions are wonderful. Nearly every day I come across a new Firefox extension that customizes my browser in some creative way I’d never even considered. Some <a href="https://addons.mozilla.org/firefox/search/?category=games-entertainment&sort=rating&type=extension">provide amusement for a short time</a>, while others have become indispensable to my work and life. Extensions are a real-world manifestation of one of Mozilla’s core principles — that <a href="https://www.mozilla.org/about/manifesto/#principle-05">individuals must have the ability to shape the internet and their experiences on it</a>.</p> <p>Another of Mozilla’s core principles is that <a href="https://www.mozilla.org/about/manifesto/#principle-04">an individual’s security and privacy on the internet are fundamental and must not be treated as optional</a>. We’ve made the decision to support extensions, but it is definitely a balancing act. Our users’ freedom to customize their browser – their “user agent” – and to personalize their experience on the web can also be exploited by malicious actors to compromise users’ security and privacy.</p> <p>At Mozilla, we continually strive to honor both principles. It’s why Firefox extensions written to the WebExtensions API are limited in their abilities and have good oversight, including automatic and manual review. It’s also why we make sure users can understand exactly what permissions they’ve granted to those extensions and what parts of their browser they can access.</p> <p>In short, Mozilla makes every effort to ensure that the extensions we offer are trustworthy.</p> <p>So it was with great interest that I read Google’s recent Chromium Blog blog post entitled “<a href="https://blog.chromium.org/2018/10/trustworthy-chrome-extensions-by-default.html"><i>Trustworthy Chrome Extensions, by default</i></a>.” It outlines upcoming changes to Chrome’s extension architecture designed to make “extensions trustworthy by default.” I thought it would be interesting to explore each of the announced changes and compare them to what Mozilla has built into Firefox.</p> <h2>User Controls for Host Permissions</h2> <p style="padding-left: 30px;"><i>“Beginning in Chrome 70, users will have the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.”</i></p> <p>Being able to review and modify the sites that an extension has access to, especially those extensions that ask to “access your data for all websites,” is a worthy goal. Mozilla has discussed similar ideas, but the problem always comes down presenting this in a clear, uncomplicated way to a majority of users.</p> <p>Having played a bit with this feature in Chrome, the implementation definitely seems targeted at power users. Extensions that request access to all websites still get installed with that access, so the default behavior has not changed.</p> <p>The click-to-script option is intriguing, although the UX is a bit awkward. It’s workable if you have a single extension, but becomes unwieldy to click and reload every site visited for every installed extension.</p> <p>Admittedly, getting this interface right in an intuitive and easy-to-use manner is not straightforward and I applaud Google for taking a shot at it. Meanwhile Mozilla will continue to look for ways Firefox can provide more permission control to a majority of extension users.</p> <h2>Extension Review Process</h2> <p style="padding-left: 30px;"><i>“Going forward, extensions that request powerful permissions will be subject to additional compliance review.”</i></p> <p>The post is vague about exactly what this means, but it likely means these extensions will be flagged for manual review. This brings Chrome up to the standard that <a href="https://blog.mozilla.org/addons/2017/09/21/review-wait-times-get-shorter/">Firefox set last year</a>, which is great news for the web. More manual review means fewer malicious extensions.</p> <p style="padding-left: 30px;"><i>“We’re also looking very closely at extensions that use remotely hosted code, with ongoing monitoring.”</i></p> <p>Firefox <a href="https://developer.mozilla.org/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Development_Practices">expressly forbids</a> remotely hosted code. Our feeling is that no amount of review can eliminate the risks introduced when developers can easily and undetectably change what code is loaded by extensions. Mozilla’s policy ensures that no unreviewed code is ever loaded into the browser, and <a href="https://developer.mozilla.org/docs/Mozilla/Add-ons/Distribution#Signing_your_add-ons">enforced signatures</a> prevents reviewed code from being altered after release.</p> <h2>Code Readability Requirements</h2> <p style="padding-left: 30px;"><i>“Starting today, Chrome Web Store will no longer allow extensions with obfuscated code…minification will still be allowed.”</i></p> <p>In reality, minified and obfuscated code are not very useful in extensions. In both Chrome and Firefox, extensions load locally (not over the network) so there is almost no performance advantage to minification, and obfuscation can be overcome by a dedicated person with readily available tools and sufficient effort.</p> <p>Nevertheless, Mozilla permits both obfuscated and minified extensions in our <a href="https://addons.mozilla.org/">store</a>. Critically, though, Mozilla requires all developers to <a href="https://developer.mozilla.org/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Source_Code_Submission">submit original, non-obfuscated, non-minified code for review</a>, along with instructions on how to reproduce (including any obfuscation or minification) the store version. This ensures that reviewers are able to review and understand every extension, and that the store version is unaltered from the reviewed version.</p> <p>As you might expect, this takes a significant investment of time and energy for both Mozilla and developers. We believe it is worth it, though, to allow developers to secure their code, if desired, while simultaneously providing thoroughly reviewed extensions that maintain user security and privacy.</p> <h2>Required 2-Step Verification</h2> <p>As a whole, the web is moving in this direction and requiring it for developer accounts is a strong step towards protecting users. Mozilla recently added <a href="https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/">two-step authentication for Firefox Sync</a> accounts, and two-step authentication for Firefox extension developers is <a href="https://github.com/mozilla/addons/issues/732">on the roadmap</a> for the fourth quarter of 2018. Like Google, we expect to have this feature enabled by 2019.</p> <h2>Manifest v3</h2> <p style="padding-left: 30px;"><i>“In 2019 we will introduce the next extensions manifest version…We intend to make the transition to manifest v3 as smooth as possible and we’re thinking carefully about the rollout plan.”</i></p> <p>In 2015, Mozilla announced we were deprecating our extremely popular extension system in favor of WebExtensions, an API compatible with Chrome, as well as Edge and Opera. There were several reasons for this, but a large part of the motivation was standards — a fundamental belief that adopting the API of the market leader, in effect creating a de facto standard, was in the <a href="https://www.mozilla.org/about/manifesto/#principle-06">best interests of all users</a>.</p> <p>It was a controversial decision, but it was right for the web and it represents who Mozilla is and <a href="https://www.mozilla.org/mission/">our core mission</a>. Three years later, while there still isn’t an <a href="https://browserext.github.io/browserext/">official standard for browser extensions</a>, the web is a place where developers can quickly and easily create cross-browser extensions that run nearly unchanged on every major platform.</p> <p>So I would like to publicly invite Google to collaborate with Mozilla and other browser vendors on manifest v3. It is an incredible opportunity to show that Chrome embodies <a href="https://www.google.com/about/philosophy.html">Google’s philosophy</a> to “focus on the user,” would reaffirm the Chrome team’s commitment to open standards and an interoperable web, and be a powerful statement that working together on the future of browser extensions is in the best interests of a healthy internet.</p> <h2>Conclusion</h2> <p>While all of the changes Google outlined are interesting, some of them could go a step further in protecting users online. Nevertheless, I’d like say — bravo! The motivation behind these changes is definitely in the spirit of Mozilla’s mission and a gain for the open web. With Chrome’s market share, these initiatives will have a positive impact in protecting the security and privacy of millions of users around the world, and the web will be a better place for it.</p> <p>A lot of work remains, though. Expect Mozilla to keep fighting for users on the web, launching new initiatives, like <a href="https://monitor.firefox.com/">Firefox Monitor</a>, to keep people safe, and <a href="https://blog.mozilla.org/blog/2018/10/23/latest-firefox-rolls-out-enhanced-tracking-protection/">advancing Firefox</a> to be the best user agent you can have in your online journies.</p> </div> <footer class="entry-tags"> <p><b>Tags:</b> <a href="https://blog.mozilla.org/addons/tag/chrome/" rel="tag">chrome</a>, <a href="https://blog.mozilla.org/addons/tag/extensions/" rel="tag">extensions</a>, <a href="https://blog.mozilla.org/addons/tag/firefox/" rel="tag">firefox</a>, <a href="https://blog.mozilla.org/addons/tag/trustworthy/" rel="tag">trustworthy</a>, <a href="https://blog.mozilla.org/addons/tag/webextensions/" rel="tag">webextensions</a></p> </footer> <footer class="fx-footer"> <h4>Browse fast. Browse free.</h4> <p><a href="https://www.mozilla.org/firefox/new/?utm_source=blog.mozilla.org&utm_campaign=firefox_frontier&utm_medium=referral" rel="external" class="button button-product">Download Firefox</a></p> </footer> </article> </div> <nav id="adjacent-posts" class="section nav-paging"> <div class="content"> <p class="nav-paging-prev" role="navigation"> <a href="https://blog.mozilla.org/addons/2018/10/15/apply-to-join-the-featured-extensions-advisory-board-2/"> <span class="label">Previous article</span> <strong class="entry-title">Apply to Join the Featured Extensions Advisory Board</strong> <time class="date" datetime="2018-10-15T10:57:03-07:00">October 15, 2018</time> <svg class="arrow-left" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 23.62 43"><defs><style>.cls-1{fill:none;stroke:#000;stroke-linecap:round;stroke-miterlimit:10;stroke-width:3px;}</style></defs><polyline class="cls-1" points="22.12 1.5 2.12 21.5 22.12 41.5"/></svg> </a> </p> <p class="nav-paging-next" role="navigation"> <a href="https://blog.mozilla.org/addons/2018/11/01/novembers-featured-extensions/"> <span class="label">Next article</span> <strong class="entry-title">November's Featured Extensions</strong> <time class="date" datetime="2018-11-01T14:29:46-07:00">November 1, 2018</time> <svg class="arrow-right" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 23.62 43"><defs><style>.cls-1{fill:none;stroke:#000;stroke-linecap:round;stroke-miterlimit:10;stroke-width:3px;}</style></defs><polyline class="cls-1" points="1.5 1.5 21.5 21.5 1.5 41.5"/></svg> </a> </p> </div> </nav> <aside id="related-posts" class="section"> <div class="content"> <div class="in-category"> <h4 class="module-title">More articles in “developers”</h4> <ul class="cat-posts"> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/07/10/manifest-v3-updates-landed-in-firefox-128/">Manifest V3 updates landed in Firefox 128</a></h5> <time class="date" datetime="2024-07-10T07:40:08-07:00">July 10, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/06/13/manifest-v3-updates-landed-in-firefox-127/">Manifest V3 updates landed in Firefox 127</a></h5> <time class="date" datetime="2024-06-13T08:20:29-07:00">June 13, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/05/14/manifest-v3-updates/">Manifest V3 Updates</a></h5> <time class="date" datetime="2024-05-14T15:41:23-07:00">May 14, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2023/11/28/open-extensions-on-firefox-for-android-debut-december-14-but-you-can-get-a-sneak-peek-today/">Open extensions on Firefox for Android debut December 14 (but you can get a sneak peek today)</a></h5> <time class="date" datetime="2023-11-28T12:33:34-08:00">November 28, 2023</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2023/11/01/is-your-extension-ready-for-firefox-for-android/">Is your extension ready for Firefox for Android? Be part of the launch of a new open mobile ecosystem</a></h5> <time class="date" datetime="2023-11-01T17:42:06-07:00">November 1, 2023</time> </li> </ul> </div> <div class="popular"> <h4 class="module-title">Recent articles</h4> <ul class="recent-posts"> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/09/19/help-select-new-firefox-recommended-extensions-join-the-community-advisory-board/">Help select new Firefox Recommended Extensions — join the Community Advisory Board</a></h5> <time class="date" datetime="2024-09-19T13:20:34-07:00">September 19, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/09/03/developer-spotlight-audd-music-recognition/">Developer Spotlight: AudD® Music Recognition</a></h5> <time class="date" datetime="2024-09-03T10:30:49-07:00">September 3, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/07/10/manifest-v3-updates-landed-in-firefox-128/">Manifest V3 updates landed in Firefox 128</a></h5> <time class="date" datetime="2024-07-10T07:40:08-07:00">July 10, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/06/13/developer-spotlight-dedalium-turn-the-entire-web-into-an-rpg-game/">Developer Spotlight: Dedalium — turn the entire web into an RPG game</a></h5> <time class="date" datetime="2024-06-13T15:09:34-07:00">June 13, 2024</time> </li> <li> <h5 class="entry-title"><a href="https://blog.mozilla.org/addons/2024/06/13/manifest-v3-updates-landed-in-firefox-127/">Manifest V3 updates landed in Firefox 127</a></h5> <time class="date" datetime="2024-06-13T08:20:29-07:00">June 13, 2024</time> </li> </ul> </div> </div> </aside> <aside id="newsletter-subscribe" class="section newsletter-firefox"> <form id="newsletter_form" class="content newsletter_form" name="newsletter_form" action="https://www.mozilla.org/en-US/newsletter/" method="post" data-blog="Mozilla Add-ons Community Blog"> <input type="hidden" id="newsletters" name="newsletters" value="mozilla-and-you"> <input type="hidden" id="source_url" name="source_url" value="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions"> <div class="form-title"> <h3>Keep up with<br> all things Firefox.</h3> </div> <div id="form-contents" class="form-contents"> <div id="newsletter_errors" class="newsletter_errors"></div> <div class="field field-email"> <label for="email">Your e-mail address</label> <input type="email" id="email" name="email" required placeholder="yourname@example.com" size="30"> </div> <div class="form-details"> <div class="field field-country"> <label for="country">Country</label> <select id="country" name="country" required="required"> <option value="" selected="selected">- select -</option> <option value="af">Afghanistan</option> <option value="qz">Akrotiri</option> <option value="al">Albania</option> <option value="dz">Algeria</option> <option value="as">American Samoa</option> <option value="ad">Andorra</option> <option value="ao">Angola</option> <option value="ai">Anguilla</option> <option value="aq">Antarctica</option> <option value="ag">Antigua and Barbuda</option> <option value="ar">Argentina</option> <option value="am">Armenia</option> <option value="aw">Aruba</option> <option value="xa">Ashmore and Cartier Islands</option> <option value="au">Australia</option> <option value="at">Austria</option> <option value="az">Azerbaijan</option> <option value="bs">Bahamas, The</option> <option value="bh">Bahrain</option> <option value="xb">Baker Island</option> <option value="bd">Bangladesh</option> <option value="bb">Barbados</option> <option value="qs">Bassas da India</option> <option value="by">Belarus</option> <option value="be">Belgium</option> <option value="bz">Belize</option> <option value="bj">Benin</option> <option value="bm">Bermuda</option> <option value="bt">Bhutan</option> <option value="bo">Bolivia</option> <option value="bq">Bonaire, Sint Eustatius, and Saba</option> <option value="ba">Bosnia and Herzegovina</option> <option value="bw">Botswana</option> <option value="bv">Bouvet Island</option> <option value="br">Brazil</option> <option value="io">British Indian Ocean Territory</option> <option value="bn">Brunei</option> <option value="bg">Bulgaria</option> <option value="bf">Burkina Faso</option> <option value="mm">Burma</option> <option value="bi">Burundi</option> <option value="cv">Cabo Verde</option> <option value="kh">Cambodia</option> <option value="cm">Cameroon</option> <option value="ca">Canada</option> <option value="ky">Cayman Islands</option> <option value="cf">Central African Republic</option> <option value="td">Chad</option> <option value="cl">Chile</option> <option value="cn">China</option> <option value="cx">Christmas Island</option> <option value="cp">Clipperton Island</option> <option value="cc">Cocos (Keeling) Islands</option> <option value="co">Colombia</option> <option value="km">Comoros</option> <option value="cg">Congo (Brazzaville)</option> <option value="cd">Congo (Kinshasa)</option> <option value="ck">Cook Islands</option> <option value="xc">Coral Sea Islands</option> <option value="cr">Costa Rica</option> <option value="hr">Croatia</option> <option value="cu">Cuba</option> <option value="cw">Curaçao</option> <option value="cy">Cyprus</option> <option value="cz">Czech Republic</option> <option value="ci">Côte d’Ivoire</option> <option value="dk">Denmark</option> <option value="xd">Dhekelia</option> <option value="dg">Diego Garcia</option> <option value="dj">Djibouti</option> <option value="dm">Dominica</option> <option value="do">Dominican Republic</option> <option value="ec">Ecuador</option> <option value="eg">Egypt</option> <option value="sv">El Salvador</option> <option value="gq">Equatorial Guinea</option> <option value="er">Eritrea</option> <option value="ee">Estonia</option> <option value="et">Ethiopia</option> <option value="xe">Europa Island</option> <option value="fk">Falkland Islands (Islas Malvinas)</option> <option value="fo">Faroe Islands</option> <option value="fj">Fiji</option> <option value="fi">Finland</option> <option value="fr">France</option> <option value="gf">French Guiana</option> <option value="pf">French Polynesia</option> <option value="tf">French Southern and Antarctic Lands</option> <option value="ga">Gabon</option> <option value="gm">Gambia, The</option> <option value="xg">Gaza Strip</option> <option value="ge">Georgia</option> <option value="de">Germany</option> <option value="gh">Ghana</option> <option value="gi">Gibraltar</option> <option value="qx">Glorioso Islands</option> <option value="gr">Greece</option> <option value="gl">Greenland</option> <option value="gd">Grenada</option> <option value="gp">Guadeloupe</option> <option value="gu">Guam</option> <option value="gt">Guatemala</option> <option value="gg">Guernsey</option> <option value="gn">Guinea</option> <option value="gw">Guinea-Bissau</option> <option value="gy">Guyana</option> <option value="ht">Haiti</option> <option value="hm">Heard Island and McDonald Islands</option> <option value="hn">Honduras</option> <option value="hk">Hong Kong</option> <option value="xh">Howland Island</option> <option value="hu">Hungary</option> <option value="is">Iceland</option> <option value="in">India</option> <option value="id">Indonesia</option> <option value="ir">Iran</option> <option value="iq">Iraq</option> <option value="ie">Ireland</option> <option value="im">Isle of Man</option> <option value="il">Israel</option> <option value="it">Italy</option> <option value="jm">Jamaica</option> <option value="xj">Jan Mayen</option> <option value="jp">Japan</option> <option value="xq">Jarvis Island</option> <option value="je">Jersey</option> <option value="xu">Johnston Atoll</option> <option value="jo">Jordan</option> <option value="qu">Juan de Nova Island</option> <option value="kz">Kazakhstan</option> <option value="ke">Kenya</option> <option value="xm">Kingman Reef</option> <option value="ki">Kiribati</option> <option value="kp">Korea, North</option> <option value="kr">Korea, South</option> <option value="xk">Kosovo</option> <option value="kw">Kuwait</option> <option value="kg">Kyrgyzstan</option> <option value="la">Laos</option> <option value="lv">Latvia</option> <option value="lb">Lebanon</option> <option value="ls">Lesotho</option> <option value="lr">Liberia</option> <option value="ly">Libya</option> <option value="li">Liechtenstein</option> <option value="lt">Lithuania</option> <option value="lu">Luxembourg</option> <option value="mo">Macau</option> <option value="mk">Macedonia</option> <option value="mg">Madagascar</option> <option value="mw">Malawi</option> <option value="my">Malaysia</option> <option value="mv">Maldives</option> <option value="ml">Mali</option> <option value="mt">Malta</option> <option value="mh">Marshall Islands</option> <option value="mq">Martinique</option> <option value="mr">Mauritania</option> <option value="mu">Mauritius</option> <option value="yt">Mayotte</option> <option value="mx">Mexico</option> <option value="fm">Micronesia, Federated States of</option> <option value="qm">Midway Islands</option> <option value="md">Moldova</option> <option value="mc">Monaco</option> <option value="mn">Mongolia</option> <option value="me">Montenegro</option> <option value="ms">Montserrat</option> <option value="ma">Morocco</option> <option value="mz">Mozambique</option> <option value="na">Namibia</option> <option value="nr">Nauru</option> <option value="xv">Navassa Island</option> <option value="np">Nepal</option> <option value="nl">Netherlands</option> <option value="nc">New Caledonia</option> <option value="nz">New Zealand</option> <option value="ni">Nicaragua</option> <option value="ne">Niger</option> <option value="ng">Nigeria</option> <option value="nu">Niue</option> <option value="nf">Norfolk Island</option> <option value="mp">Northern Mariana Islands</option> <option value="no">Norway</option> <option value="om">Oman</option> <option value="pk">Pakistan</option> <option value="pw">Palau</option> <option value="xl">Palmyra Atoll</option> <option value="pa">Panama</option> <option value="pg">Papua New Guinea</option> <option value="xp">Paracel Islands</option> <option value="py">Paraguay</option> <option value="pe">Peru</option> <option value="ph">Philippines</option> <option value="pn">Pitcairn Islands</option> <option value="pl">Poland</option> <option value="pt">Portugal</option> <option value="pr">Puerto Rico</option> <option value="qa">Qatar</option> <option value="re">Reunion</option> <option value="ro">Romania</option> <option value="ru">Russia</option> <option value="rw">Rwanda</option> <option value="bl">Saint Barthelemy</option> <option value="sh">Saint Helena, Ascension, and Tristan da Cunha</option> <option value="kn">Saint Kitts and Nevis</option> <option value="lc">Saint Lucia</option> <option value="mf">Saint Martin</option> <option value="pm">Saint Pierre and Miquelon</option> <option value="vc">Saint Vincent and the Grenadines</option> <option value="ws">Samoa</option> <option value="sm">San Marino</option> <option value="st">Sao Tome and Principe</option> <option value="sa">Saudi Arabia</option> <option value="sn">Senegal</option> <option value="rs">Serbia</option> <option value="sc">Seychelles</option> <option value="sl">Sierra Leone</option> <option value="sg">Singapore</option> <option value="sx">Sint Maarten</option> <option value="sk">Slovakia</option> <option value="si">Slovenia</option> <option value="sb">Solomon Islands</option> <option value="so">Somalia</option> <option value="za">South Africa</option> <option value="gs">South Georgia and South Sandwich Islands</option> <option value="ss">South Sudan</option> <option value="es">Spain</option> <option value="xs">Spratly Islands</option> <option value="lk">Sri Lanka</option> <option value="sd">Sudan</option> <option value="sr">Suriname</option> <option value="xr">Svalbard</option> <option value="sz">Swaziland</option> <option value="se">Sweden</option> <option value="ch">Switzerland</option> <option value="sy">Syria</option> <option value="tw">Taiwan</option> <option value="tj">Tajikistan</option> <option value="tz">Tanzania</option> <option value="th">Thailand</option> <option value="tl">Timor-Leste</option> <option value="tg">Togo</option> <option value="tk">Tokelau</option> <option value="to">Tonga</option> <option value="tt">Trinidad and Tobago</option> <option value="xt">Tromelin Island</option> <option value="tn">Tunisia</option> <option value="tr">Turkey</option> <option value="tm">Turkmenistan</option> <option value="tc">Turks and Caicos Islands</option> <option value="tv">Tuvalu</option> <option value="ug">Uganda</option> <option value="ua">Ukraine</option> <option value="ae">United Arab Emirates</option> <option value="gb">United Kingdom</option> <option value="us">United States</option> <option value="uy">Uruguay</option> <option value="uz">Uzbekistan</option> <option value="vu">Vanuatu</option> <option value="va">Vatican City</option> <option value="ve">Venezuela</option> <option value="vn">Vietnam</option> <option value="vg">Virgin Islands, British</option> <option value="vi">Virgin Islands, U.S.</option> <option value="qw">Wake Island</option> <option value="wf">Wallis and Futuna</option> <option value="xw">West Bank</option> <option value="eh">Western Sahara</option> <option value="ye">Yemen</option> <option value="zm">Zambia</option> <option value="zw">Zimbabwe</option> </select> </div> <div class="field field-language"> <label for="lang">Language</label> <select id="lang" name="lang" required="required"> <option value="id">Bahasa Indonesia</option> <option value="de">Deutsch</option> <option value="en" selected="selected">English</option> <option value="es">Español</option> <option value="fr">Français</option> <option value="pl">Polski</option> <option value="pt">Português</option> <option value="ru">Русский</option> <option value="zh-TW">正體中文</option> </select> </div> <div class="field field-format"> <label for="format-h"><input checked="checked" id="format-h" name="fmt" value="H" type="radio"> HTML</label> <label for="format-t"><input id="format-t" name="fmt" value="T" type="radio"> Text</label> </div> <div class="field field-privacy"> <label for="privacy"> <input type="checkbox" id="privacy" name="privacy" required> I’m okay with Mozilla handling my info as explained in this <a href="https://www.mozilla.org/privacy/">Privacy Policy</a>. </label> </div> </div> <div class="form-submit"> <button id="newsletter_submit" type="submit" class="form-button button-light">Sign up now</button> <p class="form-details promise"> <small>We will only send you Mozilla-related information.</small> </p> </div> </div> <div id="newsletter_thanks" class="thanks"> <h2>Thanks!</h2> <p> If you haven’t previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an e-mail from us. </p> </div> </form> </aside> <section id="comments" class="section"> <div class="content"> <header class="comments-head"> <h3> 6 comments on “Firefox, Chrome and the Future of Trustworthy Extensions” </h3> </header> <ol id="comment-list" class="comment-list hfeed"> <li id="comment-225542" class="comment even thread-even depth-1 hentry"> <h4 class="entry-title vcard"> <cite class="author fn">Bill Dietrich</cite> <span class="photo"><img alt='' src='https://secure.gravatar.com/avatar/8a280877f8b9fbc0a3be2a8ab9e2ffc1?s=60&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/8a280877f8b9fbc0a3be2a8ab9e2ffc1?s=120&d=mm&r=g 2x' class='avatar avatar-60 photo' height='60' width='60' loading='lazy' decoding='async'/></span> <span class="comment-meta"> wrote on <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comment-225542" rel="bookmark" title="Permanent link to this comment by Bill Dietrich"> <time class="published" datetime="2018-10-27" title="2018-10-27"> October 27, 2018 at 12:08 am: </time> </a> </span> </h4> <blockquote class="entry-content"> <p>I’d like to see some per-add-on permission setup. Such as “this add-on is/isn’t allowed to access microphone, access camera, offer to save files on disk, read files on disk, read disk outside its home directory, read a tab outside the current tab, create a pop-up dialog, create a new tab, change contents of the current tab, talk to a helper app” etc.</p> </blockquote> <p class="comment-util"> </p> </li> <li id="comment-225543" class="comment odd alt thread-odd thread-alt depth-1 hentry"> <h4 class="entry-title vcard"> <cite class="author fn">Andrey Kartashov</cite> <span class="photo"><img alt='' src='https://secure.gravatar.com/avatar/a6c1c3b54f5a7368a3d6374e96e8e7eb?s=60&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/a6c1c3b54f5a7368a3d6374e96e8e7eb?s=120&d=mm&r=g 2x' class='avatar avatar-60 photo' height='60' width='60' loading='lazy' decoding='async'/></span> <span class="comment-meta"> wrote on <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comment-225543" rel="bookmark" title="Permanent link to this comment by Andrey Kartashov"> <time class="published" datetime="2018-10-27" title="2018-10-27"> October 27, 2018 at 5:35 am: </time> </a> </span> </h4> <blockquote class="entry-content"> <p>Thanks for the update!<br /> One point is confusing: what stops someone from giving you code for review different from the one they’ve obfuscated? Even if you know the process these tools don’t have to produce identical results even with identical input.</p> <p>Surely it’d be easier to just offer developers an option where your publishing tool obfucates the code in a manner you can trust but they submit and you review the original.</p> </blockquote> <p class="comment-util"> </p> <ol class="children"> <li id="comment-225546" class="comment byuser comment-author-jvillalobosmozilla-com even depth-2 hentry"> <h4 class="entry-title vcard"> <cite class="author fn">Jorge Villalobos</cite> <span class="photo"><img alt='' src='https://secure.gravatar.com/avatar/6d1966118f16e4b99a6e3ad07883be33?s=60&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/6d1966118f16e4b99a6e3ad07883be33?s=120&d=mm&r=g 2x' class='avatar avatar-60 photo' height='60' width='60' loading='lazy' decoding='async'/></span> <span class="comment-meta"> wrote on <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comment-225546" rel="bookmark" title="Permanent link to this comment by Jorge Villalobos"> <time class="published" datetime="2018-10-30" title="2018-10-30"> October 30, 2018 at 1:41 pm: </time> </a> </span> </h4> <blockquote class="entry-content"> <p>Developers are required to submit steps that reproduce the exact package that is being shipped on our site. There aren’t many tools that produce unpredictable results, so it’s not such a common problem.</p> <p>We did consider providing our own obfuscation / minification process, but decided against it. Developers tend to be very protective about their workflow, and taking over that step was probably going to cause some conflict and have reduced adoption. Also, dynamically changing the package server-side can lead to add-ons that worked for the dev but are broken once published.</p> </blockquote> <p class="comment-util"> </p> </li> </ol> </li> <li id="comment-225544" class="comment odd alt thread-even depth-1 hentry"> <h4 class="entry-title vcard"> <cite class="author fn">Dorothy West</cite> <span class="photo"><img alt='' src='https://secure.gravatar.com/avatar/25d33d870f19e4040012e2439a8b6462?s=60&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/25d33d870f19e4040012e2439a8b6462?s=120&d=mm&r=g 2x' class='avatar avatar-60 photo' height='60' width='60' loading='lazy' decoding='async'/></span> <span class="comment-meta"> wrote on <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comment-225544" rel="bookmark" title="Permanent link to this comment by Dorothy West"> <time class="published" datetime="2018-10-27" title="2018-10-27"> October 27, 2018 at 5:18 pm: </time> </a> </span> </h4> <blockquote class="entry-content"> <p>Trying to be able to send emails</p> </blockquote> <p class="comment-util"> </p> </li> <li id="comment-225545" class="comment even thread-odd thread-alt depth-1 hentry"> <h4 class="entry-title vcard"> <cite class="author fn">Nathar Leichoz</cite> <span class="photo"><img alt='' src='https://secure.gravatar.com/avatar/f0c4f701b5edc44d341f1d578ffe913c?s=60&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/f0c4f701b5edc44d341f1d578ffe913c?s=120&d=mm&r=g 2x' class='avatar avatar-60 photo' height='60' width='60' loading='lazy' decoding='async'/></span> <span class="comment-meta"> wrote on <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comment-225545" rel="bookmark" title="Permanent link to this comment by Nathar Leichoz"> <time class="published" datetime="2018-10-29" title="2018-10-29"> October 29, 2018 at 11:03 pm: </time> </a> </span> </h4> <blockquote class="entry-content"> <p>Getting the UI right for “user control for host permissions” is not straightforward indeed, but the current Firefox way is downright uninformative. Currently we get prompted by a tiny hanger dialog with permissions listed by tiny bullet-points. This doesn’t convey the seriousness of the user’s actions. Each bullet point should be bigger in red font and the bullet point should be shaped like a shield. That ought to get users to think twice before installing an extension.</p> </blockquote> <p class="comment-util"> </p> </li> <li id="comment-225547" class="comment odd alt thread-even depth-1 hentry"> <h4 class="entry-title vcard"> <cite class="author fn">basil</cite> <span class="photo"><img alt='' src='https://secure.gravatar.com/avatar/4631d0b9c05da5a81ca289155b689183?s=60&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/4631d0b9c05da5a81ca289155b689183?s=120&d=mm&r=g 2x' class='avatar avatar-60 photo' height='60' width='60' loading='lazy' decoding='async'/></span> <span class="comment-meta"> wrote on <a href="https://blog.mozilla.org/addons/2018/10/26/firefox-chrome-and-the-future-of-trustworthy-extensions/#comment-225547" rel="bookmark" title="Permanent link to this comment by basil"> <time class="published" datetime="2018-11-02" title="2018-11-02"> November 2, 2018 at 12:14 am: </time> </a> </span> </h4> <blockquote class="entry-content"> <p>what’s the point? you already stripped away our choice to give consent to experimental addons about a year ago. There’s a reason I’m still on my esr 52, i need the legacy addons I use, and until firefox “trusts” that i’m an adult and know what i’m doing and downloading, I see no reason to move to a newer version.</p> <p>You want to treat us like big kids now with a “auto consent” option for addons? Tough, you should have thought of that over a year ago when everyone was asking for the option.</p> </blockquote> <p class="comment-util"> </p> </li> </ol> </div> </section> </main> <aside id="sidebar" class="section widgets can-stick"> <div class="content"> <aside id="text-456878582" class="widget widget_text"><h3 class="widget-title">Looking for add-ons?</h3> <div class="textwidget"><p><strong><a href="https://addons.mozilla.org/?utm_source=blog.mozilla.org&utm_medium=referral&utm_content=sidebar-link">Search & install add-ons</a></strong></p> </div> </aside><aside id="categories-254997392" class="widget widget_categories"><h3 class="widget-title">Tags</h3> <ul> <li class="cat-item cat-item-7117"><a href="https://blog.mozilla.org/addons/category/builder/">builder</a> (77) </li> <li class="cat-item cat-item-388"><a href="https://blog.mozilla.org/addons/category/compatibility/">compatibility</a> (277) </li> <li class="cat-item cat-item-6744"><a href="https://blog.mozilla.org/addons/category/competition/">contests</a> (26) </li> <li class="cat-item cat-item-176604"><a href="https://blog.mozilla.org/addons/category/contribute/">contribute</a> (11) </li> <li class="cat-item cat-item-44"><a href="https://blog.mozilla.org/addons/category/developers/">developers</a> (715) </li> <li class="cat-item cat-item-295"><a href="https://blog.mozilla.org/addons/category/documentation/">documentation</a> (240) </li> <li class="cat-item cat-item-581"><a href="https://blog.mozilla.org/addons/category/end-users/">end users</a> (214) </li> <li class="cat-item cat-item-39"><a href="https://blog.mozilla.org/addons/category/events/">events</a> (76) </li> <li class="cat-item cat-item-278884"><a href="https://blog.mozilla.org/addons/category/featured-addons/">featured addons</a> (115) </li> <li class="cat-item cat-item-278890"><a href="https://blog.mozilla.org/addons/category/featured-contributors/">featured contributors</a> (36) </li> <li class="cat-item cat-item-121"><a href="https://blog.mozilla.org/addons/tag/general/">general</a> (3) </li> <li class="cat-item cat-item-588"><a href="https://blog.mozilla.org/addons/category/jetpack/">jetpack</a> (150) </li> <li class="cat-item cat-item-322922"><a href="https://blog.mozilla.org/addons/tag/manifest-v3/">manifest v3</a> (6) </li> <li class="cat-item cat-item-124"><a href="https://blog.mozilla.org/addons/category/mobile/">mobile</a> (58) </li> <li class="cat-item cat-item-574"><a href="https://blog.mozilla.org/addons/category/policy/">policy</a> (49) </li> <li class="cat-item cat-item-227"><a href="https://blog.mozilla.org/addons/category/releases/">releases</a> (149) </li> <li class="cat-item cat-item-7119"><a href="https://blog.mozilla.org/addons/category/restartless/">restartless</a> (8) </li> <li class="cat-item cat-item-742"><a href="https://blog.mozilla.org/addons/category/sdk/">sdk</a> (133) </li> <li class="cat-item cat-item-551"><a href="https://blog.mozilla.org/addons/category/personas/">themes</a> (27) </li> <li class="cat-item cat-item-278886"><a href="https://blog.mozilla.org/addons/category/web-extensions/">webextensions</a> (121) </li> </ul> </aside> </div> </aside> </div> <footer id="site-info" class="section"> <div class="content"> <nav class="primary"> <div class="logo"> <a href="https://www.mozilla.org/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mozilla">Mozilla</a> </div> <section class="mozilla"> <h5><a href="https://www.mozilla.org/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mozilla">Mozilla</a></h5> <ul class="mozilla-links"> <li><a href="https://www.mozilla.org/about/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="About">About</a></li> <li><a href="https://www.mozilla.org/contact/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Contact Us">Contact Us</a></li> <li><a href="https://donate.mozilla.org/?presets=50,30,20,10&amount=30&currency=usd&utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" class="donate" data-link-type="footer" data-link-name="Donate">Donate</a></li> <li> <ul class="social-links"> <li><a class="twitter" href="https://twitter.com/mozilla" data-link-type="footer" data-link-name="Twitter (@mozilla)">Twitter<span> (@mozilla)</span></a></li> <li><a class="instagram" href="https://www.instagram.com/mozillagram/" data-link-type="footer" data-link-name="Instagram (@mozillagram)">Instagram<span> (@mozillagram)</span></a></li> </ul> </li> </ul> </section> <section class="firefox"> <h5><a href="https://www.mozilla.org/firefox/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mozilla">Firefox</a></h5> <ul class="firefox-links"> <li><a href="https://www.mozilla.org/firefox/new/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Download Firefox">Download Firefox</a></li> <li><a href="https://www.mozilla.org/firefox/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Desktop">Desktop</a></li> <li><a href="https://www.mozilla.org/firefox/mobile/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Mobile">Mobile</a></li> <li><a href="https://www.mozilla.org/firefox/features/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Features">Features</a></li> <li><a href="https://www.mozilla.org/firefox/channel/desktop/?utm_source=blog.mozilla.org&utm_campaign=footer&utm_medium=referral" data-link-type="footer" data-link-name="Beta, Nightly, Developer Edition">Beta, Nightly, Developer Edition</a></li> <li> <ul class="social-links"> <li><a class="twitter" href="https://twitter.com/firefox" data-link-type="footer" data-link-name="Twitter (@firefox)">Twitter<span> (@firefox)</span></a></li> <li><a class="youtube" href="https://www.youtube.com/firefoxchannel" data-link-type="footer" data-link-name="YouTube (firefoxchannel)">YouTube<span> (firefoxchannel)</span></a></li> </ul> </li> </ul> </section> </nav> <nav class="secondary"> <div class="small-links"> <ul> <li><a rel="nofollow" href="https://www.mozilla.org/privacy/" data-link-type="footer" data-link-name="Privacy">Website Privacy Notice</a></li> <li><a rel="nofollow" href="https://www.mozilla.org/privacy/websites/#cookies" data-link-type="footer" data-link-name="Cookies">Cookies</a></li> <li><a rel="nofollow" href="https://www.mozilla.org/about/legal/" data-link-type="footer" data-link-name="Legal">Legal</a></li> </ul> <p class="license"> Visit Mozilla Corporation’s not-for-profit parent, the <a href="https://foundation.mozilla.org" data-link-type="footer" data-link-name="Mozilla Foundation">Mozilla Foundation</a>. </p> <p class="license"> Portions of this content are ©1998-2024 by individual contributors. Content available under a <a href="https://www.mozilla.org/foundation/licensing/website-content/" rel="external license">Creative Commons license</a>. </p> </div> </nav> </div> </footer>  <script type='text/javascript' src='https://blog.mozilla.org/addons/wp-content/themes/frontierline/js/global.js?ver=2.2' id='global-js'></script> <script type='text/javascript' src='https://blog.mozilla.org/addons/wp-content/themes/frontierline/js/basket-client.js?ver=1.2' id='basket-client-js'></script> </body> </html>

CINXE.COM

Firefox, Chrome and the Future of Trustworthy Extensions - Mozilla Add-ons Community Blog