There is no piece of software in the world harder to secure than a browser. There's almost no other piece of software where compromises have higher stakes. Further, the verdict is probably in on whether browsers should use multi-process sandboxes, and how careful they need to be about privilege-escalated Javascript, which is an <i>enormous</i> loophole for runtime security measures like ASLR and DEP.<p>Firefox's multi-process model is apparently called Electrolysis. Electrolysis apparently breaks XUL extensions.<p>If that's the short term cost of getting Firefox to the same level of security that Chrome is at, it seems more than worth it.<p>If this were an encrypted messaging application like TextSecure making an extension-breaking announcement for security, we'd have no trouble understanding the stakes. What some people seem to have a hard time accepting is that their browser is their most important encrypted messaging application.
I think some of this might be Firefox OS mentality creeping into the browser.<p>I have used Firefox since right after it stopped being called Firebird (0.8 - 0.9 days). I loved it because it seemed to be built around an aesthetic of tinkering. Coming from Konqueror, which is like the tape deck in your mom's minivan, Firefox was like a fancy hi-fi sound system. You get decent sound with the defaults, but if you really know what you're doing you can produce jaw-dropping results.<p>In grad school, I did some research work examining and improving a Firefox extension. I had toyed with extension writing before, but the power that extensions had over the DOM on one end and the whole browser experience on the other end was amazing.<p>Now, I think Mozilla developers have gotten the Firefox OS mentality and are treating the browser core like a kernel. Sure, you can do anything you want in user mode, but the kernel is inviolable.<p>I understand that Firefox is a Big Boy browser now. People are using it the world over; using it in corporate settings; trusting it to keep their personal information safe. That has got to put a lot of pressure on the Mozilla devs to make sure the browser is locked down as tight as can be.<p>I can install the Developer Edition. I can still tinker. I can customize my own experience to my heart's content. But as an extension author myself, I sympathize mightily with the developers of DownThemAll. I want to make others' browsing experiences better too, and lately I feel like Mozilla have been working against me rather than with me on this.<p>Firefox is actually a really good browser. They've made some pretty questionable decisions of late, but I do think their tech is as good as any browser tech out there today. But I liked Firefox not because I like <i>their</i> browser but because I could make it <i>my</i> browser, and Mozilla keep making it harder to do that. That makes me sad.
This seems like a classic case if thinking people use your software for the core features you develop. I hate to break it to you but people don't use windows for the control panel. Firefox and other browsers have become development platforms and many of their "users" don't use their platform for its 'control panel,' they use it for some useful tool built on top of it.<p>To use a linux kernel term, this breaks userspace (might be a sign that browsers have some serious OS envy). This is particularly bad because if many of your users use your platform for a tool that only works on an old, unsupported version (think XP), you actually make the security situation WORSE since those users don't care about security, they care about the tools they need to get their jobs done. They are still going to use those tools and you have just left them hanging out to dry from a security perspective. Talk about passing the buck.
I don't know if it's very smart to limit one of the most distinctive features of Firefox, the powerful add-ons available. Erodes the differences between Firefox and other browsers. If Firefox is going to be just another Chrome, people will just use Chrome.
I'll be pretty upset if the addons that let you modify the Firefox UI via XUL have to go away. Tree-style tabs[1] for example is one of the major extensions keeping me with FF. There's really no alternative for Chrome since they can't completely change the tab UI like Firefox can. Check out the screenshots!<p>[1] <a href="https://addons.mozilla.org/en-us/firefox/addon/tree-style-tab/" rel="nofollow">https://addons.mozilla.org/en-us/firefox/addon/tree-style-ta...</a>
From the Firefox announcement:<p>Re: Why they are removing XUL:<p>"XPCOM and XUL are two of the most fundamental technologies to Firefox. The ability to write much of the browser in JavaScript has been a huge advantage for Mozilla. It also makes Firefox far more customizable than other browsers. However, the add-on model that arose naturally from these technologies is extremely permissive. Add-ons have complete access to Firefox’s internal implementation. This lack of modularity leads to many problems.<p>A permissive add-on model means that we have limited flexibility in changing the foundations of Firefox.<p>...<p>"The tight coupling between the browser and its add-ons also creates shorter-term problems for Firefox development. It’s not uncommon for Firefox development to be delayed because of broken add-ons. In the most extreme cases, changes to the formatting of a method in Firefox can trigger problems caused by add-ons that modify our code via regular expressions. Add-ons can also cause Firefox to crash when they use APIs in unexpected ways.<p>Re: When XUL is being ripped out<p>Consequently, we have decided to deprecate add-ons that depend on XUL, XPCOM, and XBL. We don’t have a specific timeline for deprecation, but most likely it will take place within 12 to 18 months from now. "<p>Re: The gap in capability<p>"A major challenge we face is that many Firefox add-ons cannot possibly be built using either WebExtensions or the SDK as they currently exist. Over the coming year, we will seek feedback from the development community, and will continue to develop and extend the WebExtension API to support as much of the functionality needed by the most popular Firefox extensions as possible."<p>-------------------------------<p>It's overly optimistic to assume add-on developers will have new versions ready in just a year if the API they're expected to rewrite everything in isn't even ready yet. I can understand why Mozilla is making this move, but it's being rushed. If WebExtension were ready <i>today</i> then this announcement would be more reasonable, but it's not even close!<p>Hopefully Mozilla is just trying to scare their add-on developers into action, so they'll speak up and tell Mozilla exactly what they need from WebExtension.<p>Starting over in a new API means a lot of existing add-ons will probably die anyways, but hopefully the important ones will make the move if Mozilla gives them enough time and support.
From a technical point of view, what is DownThemAll? It seems like it looks at the structure of the current web page, identifies all links, and then downloads them (in some cases using range requests, as with '90s-era download accelerators), with options for pausing and resuming downloads and renaming them in certain ways.<p>What prevents this from being done using a Chrome extension to look at the page structure and render some UI, plus a bit of native code using the native messaging API to actually store the files on disk?<p><a href="https://developer.chrome.com/extensions/nativeMessaging" rel="nofollow">https://developer.chrome.com/extensions/nativeMessaging</a><p>"Developer frustration" is a more-than-valid reason, but I'm trying to understand if this is a claim that <i>no software like DownThemAll can possibly be written</i> without Mozilla introducing purpose-built extension APIs.
Speaking of Download managers - Chrome still doesn't have a decent one and I for one will miss DownThemAll if it goes away - it is definitely a useful piece of software.<p>Wonder what the new signing and addon development policies will do to FF market share - there won't be any reason not to just use Chrome anymore. I get the security part but the reason I use FF is because it is less memory hungry and has these extensions that either are not on Chrome or work poorly on it.
As people have been saying in the thread that links to the announcement, it is not at all clear that extensions that today can do things in Firefox that are not possible in Chrome will be unable to do those things in the future. The <i>mechanism</i> for things like changing tab management and such would surely change, but that doesn't mean there won't be one.
Not just DTA, but FireGestures, Easy DragToGo, and all the amazing extensions that made me stick by Firefox even though most of my colleagues left for Chrome. It is a sad day.
They should spearhead the work on pushing the spec people (and in extension the actual developer teams) at the browser companies to support what is needed to implement DownThemAll in Chrome/Opera/Safari/New Firefox. I have the feeling there isn't that much that is lacking today (sparse file writing support?).<p>This is clearly a use case that users want.<p>(DownThemAll is the sole reason I have Firefox installed. Would love to have it work in e.g. Chrome.)
As to NoScript:<p>- from a linked Mozilla blog post:<p><i>> [...] A major challenge we face is that many Firefox add-ons cannot possibly be built using either WebExtensions or the SDK as they currently exist. Over the coming year, we will seek feedback from the development community, and will continue to develop and extend the WebExtension API to support as much of the functionality needed by the most popular Firefox extensions as possible. [...]</i><p>(<a href="https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/" rel="nofollow">https://blog.mozilla.org/addons/2015/08/21/the-future-of-dev...</a>)<p>- then, from a link posted at the end of the Mozilla blog post (in an "Update" section):<p><i>> [...] One concern people have is that their favorite add-on is no longer going to be supported, especially add-ons for power users. Some of the ones being mentioned are:</i><p><i>> [...] NoScript, [...]</i><p><i>> We’re working with Giorgio Maone, the developer of NoScript, to design the APIs he needs to implement NoScript as a WebExtension. [...]</i><p>(<a href="https://billmccloskey.wordpress.com/2015/08/21/firefox-add-on-changes/" rel="nofollow">https://billmccloskey.wordpress.com/2015/08/21/firefox-add-o...</a>)
Don't be so pessimistic. 18 months are a lot of time, Mozilla folks are smart and often listen to their users, there's the browser.html experiment going on, etc.<p>I have a gut feeling that in a way or another, things will roughly be the same for extensions developers.
First, see <a href="https://billmccloskey.wordpress.com/2015/08/21/firefox-add-on-changes/" rel="nofollow">https://billmccloskey.wordpress.com/2015/08/21/firefox-add-o...</a><p>1. these ideas are being announced far in advance of any actual changes<p>2. firefox devs (see link above) actively want to support current popular extensions, by adding to the Web Extension APIs<p>In fact, you can participate in this discussion with Mozilla devs more directly: <a href="https://webextensions.uservoice.com/forums/315663-webextension-api-ideas" rel="nofollow">https://webextensions.uservoice.com/forums/315663-webextensi...</a><p>Nobody working on Firefox <i>wants</i> to take away your most useful extensions, become a "clone" of Chrome (or any other browser) or otherwise has ulterior motives. The goals is really about improving performance and security and making add-ons easier to write and port between browsers.
"The new APIs would only allow for a severely limited in functionality, severely stripped down DownThemAll! at best."<p>This is speculation. The new APIs aren't finished yet, and the announcement they linked to specifically addresses this concern, stating that the new APIs <i>as implemented today</i> don't allow for a lot of existing addons functionality, and specifically states their intention to work with addon developers to ensure that the functionality can be added.
Shame, I used to use it back in college. Like most colleges there was a proxy so torrenting without ssh tunnelling was difficult and I didn't have a server to tunnel in to anyway.<p>Most people just bought RapidShare (also gone) and downthemall saved mind numbing ctrl+c/v for .rar files along with being able to pause and resume downloads which few others have seemed to grasp as well as they did.
How DTA is this dominant at all is a bit of a mystery to me. It allows me to download sequentially names files in rudimentary batches yes but thats not exactly mindblowing tech.
Something I just thought of... if these changes are presumably meant to keep malware addons out of the browser, then it's necessarily operating in an infected environment.<p>(I.e. something already had the ability to do things in the context of the user without that user's permission, and we're just preventing it from doing this one thing via restricting what the user can do)<p>In what way does this meaningfully secure the browser from malware, with that in mind? If I've got code running in the user's account, I don't need to hook into the browser engine to direct the user at popup ads, phishing sites, harvest their keystrokes, or do any number of other evil things. Hooking into the browser is one of the <i>least</i> interesting things that evil me could be doing. I've got access to the browser's memory, the TCP stream, the ability to launch whatever programs the user does, and am probably traveling along with a payload to allow for privilege escalation.<p>So, WTF?
For me, tree style tabs and the ability to have 100s of tabs open is the killer feature of firefox, and the reason I don't use any other browser. I will likely stop updating if these cease to work, and switch to any other browser which allows me to continue my workflow (or maybe start developing my own fork).<p>I suspect that a substantial portion of firefox's remaining users are there not because of the core browser (which is now almost indistinguishable from chrome), but because of an extension which either no-one cares or no-one is able to port to another browser.
I've started searching for an alternative download accelerator.
So far, the best option seems to be the Citrio browser. It's downloading capabilities are on par with dTa: <a href="http://www.tutorialspoint.com/articles/citrio-a-chrome-like-browser-with-a-built-in-download-manager" rel="nofollow">http://www.tutorialspoint.com/articles/citrio-a-chrome-like-...</a>
Mozilla is dead. Long live Mozilla Extended Support Release! <a href="https://www.mozilla.org/en-US/firefox/organizations/" rel="nofollow">https://www.mozilla.org/en-US/firefox/organizations/</a>
Man, if my favourite extensions no longer work properly then I don't know what I'll do.<p>I think I might have to go full Stallman and wget + email html-only web pages to myself.
I'm maintaining two Add-Ons with around 20k active users.
I agree with his predictions, but I also find it hard to give to much attention to voices like the one expressed here.<p>It's hard for me to tell how much of this is genuine concern, or just how many donations or how much income he will loose because of this. I never see numbers from these Add-Ons. The one in question here has 1,300,000 daily active users.<p>Sure, if I make $1500 per month on an Add-On, I would be very upset if things change. Then I'd rather see the XUL/XPCOM stuff around for another 15 years.
This, along with all the other simplifications in tech lately, along with everyone's inexplicable obsession with tablets/phablets/phones, signals the end of the power user era
This is what happens when humans achieve success. Rather than maintain the course they are obligated to exploit to the nth in order to squeeze every gram of return from an idea(product) until they can get no more. Then, they will get creative and pull out every hook & crook to squeeze some more. Thanks Mozilla, for everything up until your mass-collection, feature- bloat, entrapment blitz you've set out upon. Perhaps DTA will make their plug-in compatible with PaleMtoon now. Chances are the forks will come out on top & Moz can go f-up Thunderbird & Seamonkey for awhil as their top-heavy pyramid topples.<p>edit:admittedly a pipe dream, markets ruled by duops and oligops never lose the top players, they just cannibalize each othet and bloat.