Mozilla restricts extensions on some domains on Firefox 115

This is crazy. Mozilla can remotely disable extensions on any domain that Mozilla chooses? <a href="https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1832791" rel="nofollow noreferrer">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1832791</a><p>Apparently they&#x27;re luring everyone into accepting this abomination by starting with an empty list, but what in the world is the motivation for this feature, and which domains do they intend to add??? &quot;We don&#x27;t know, we just thought it would be a good idea&quot; is no explanation or justification.<p>People are going to talk about &quot;security&quot; and &quot;banking&quot;, but that&#x27;s a load of crap. Just wait until your bank disables password autofill and paste on their site, and no extension can override it.<p>I have no problem with letting the <i>user</i> control the domains that an extension can access, but giving Mozilla remote control? No way.

This feature stems from an attempt at disallowing extensions with have rights to all websites on certain websites[1]. Version 116 will have an UI for users to control this.[2]<p>[1]: <a href="https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1745823" rel="nofollow noreferrer">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1745823</a> <a href="https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1834825" rel="nofollow noreferrer">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1834825</a><p>[2]: <a href="https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1837670" rel="nofollow noreferrer">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1837670</a>

This is a community comms failure.<p>Preventing the random extension I installed from hijacking my bank login page is good! Giving Mozilla the ability to disable my adblocker or NoScript on an arbitrary domain list that they can update remotely is scary!<p>A blog post with Mozilla&#x27;s plans for the feature, what they&#x27;re implementing to limit abuse on Mozilla&#x27;s side, and how users can opt out would make this a non-issue. It&#x27;s nuts that the mozilla bug tracker is the best source for laypeople to get info on this.

Looks like blogspam for <a href="https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;quarantined-domains" rel="nofollow noreferrer">https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;quarantined-domains</a>.

Which extensions and which domains, though?<p>I think we can all agree that restricting uBlock from working on YouTube probably isn&#x27;t going to happen, and you <i>might</i> want some restrictions on addons accessing all data on a banking website.<p>But where did they draw the line? Is someone still allowed to publish an addon which fixes the interface of an absolutely broken banking website, or which allows you to liberate your own data? Will that only be allowed through vetting? What about things like Dark Mode addons which have access to <i>all</i> websites? Is it possible to explicitly request to be included in the allowlist?<p>I am not against it on principle, but we&#x27;re missing a loooot of information right now to decide whether this is actually a <i>good thing</i>.

Ok I went through the implementation code.<p>The &quot;quarantined domains&quot; are the contents of extensions.quarantinedDomains.list, which defaults to empty. So, this has to be some sort of enterprise feature.

&gt; mozilla-employee-confidential<p>With the exception of addressing critical security issues, why does an organization who positions themselves as a leader of open source software make so many user-unfriendly decisions behind closed doors?

The reverse of this would be even more useful to me, i.e. a list where the extension _is_ allowed. So many developers hit the &quot;ALL THE THINGS&quot; button out of laziness.

This would be a nice feature if the user can manage the restriction list. This is the kind of feature that will make the web a better place.

This is great. I would like to block extensions on certain websites. For example, I probably should not run any extensions on the website of my bank.

I want to say something good, but it looks like Mozilla continue search for a way to take more control from the user.

What&#x27;s the list of quarantined domains?

Reposting my comment about this from the other discussion (<a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36590507">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36590507</a>):<p>I searched a bit through the documentation and code, and these were my findings. I thought I&#x27;d share them for others that are interested and for future reference.<p>Currently, there are no domains blocked, they would appear on this API endpoint: <a href="https:&#x2F;&#x2F;firefox.settings.services.mozilla.com&#x2F;v1&#x2F;buckets&#x2F;main&#x2F;collections&#x2F;addons-manager-settings&#x2F;records" rel="nofollow noreferrer">https:&#x2F;&#x2F;firefox.settings.services.mozilla.com&#x2F;v1&#x2F;buckets&#x2F;mai...</a><p>This is the JSON schema for this API endpoint: <a href="https:&#x2F;&#x2F;firefox.settings.services.mozilla.com&#x2F;v1&#x2F;buckets&#x2F;main&#x2F;collections&#x2F;addons-manager-settings" rel="nofollow noreferrer">https:&#x2F;&#x2F;firefox.settings.services.mozilla.com&#x2F;v1&#x2F;buckets&#x2F;mai...</a><p>More information on the remote settings in general: AMRemoteSettings Overview - quarantinedDomains: <a href="https:&#x2F;&#x2F;firefox-source-docs.mozilla.org&#x2F;toolkit&#x2F;mozapps&#x2F;extensions&#x2F;addon-manager&#x2F;AMRemoteSettings-overview.html#quarantineddomains" rel="nofollow noreferrer">https:&#x2F;&#x2F;firefox-source-docs.mozilla.org&#x2F;toolkit&#x2F;mozapps&#x2F;exte...</a> Remote Settings documentation: <a href="https:&#x2F;&#x2F;remote-settings.readthedocs.io&#x2F;en&#x2F;latest&#x2F;index.html" rel="nofollow noreferrer">https:&#x2F;&#x2F;remote-settings.readthedocs.io&#x2F;en&#x2F;latest&#x2F;index.html</a><p>Remote Settings DevTools - where you can see all the remote settings, that get set: <a href="https:&#x2F;&#x2F;github.com&#x2F;mozilla-extensions&#x2F;remote-settings-devtools">https:&#x2F;&#x2F;github.com&#x2F;mozilla-extensions&#x2F;remote-settings-devtoo...</a><p>EDIT: Seems like there are many settings that already get automatically set via AMRemoteSettings (including search-engine configs, cert revocations, dns over https providers, password rules for specific domains, top-sites, URL tracking parameters to clean, etc.). We will see how this new setting will be used, it can be easily disabled (<a href="https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;quarantined-domains" rel="nofollow noreferrer">https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;quarantined-domains</a>) and you will get a warning if an Add-On is blocked from accessing the site. Also seems like there will be a UI for this in v116 (<a href="https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1837670" rel="nofollow noreferrer">https:&#x2F;&#x2F;bugzilla.mozilla.org&#x2F;show_bug.cgi?id=1837670</a>), where you can configure this better than just disabling this feature completely.

Disabling the restriction is pretty easy.<p><a href="https:&#x2F;&#x2F;www.askvg.com&#x2F;fix-some-extensions-are-not-allowed-in-firefox-115-and-later&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.askvg.com&#x2F;fix-some-extensions-are-not-allowed-in...</a>

Is there a list of these domains?

Mozilla must have introduced this feature for some reason, but the article doesn&#x27;t talk about the possible negative consequences of disabling it.

What mozilla wants to censor the hecking internet. How could i have been so foolish. Brah cmon guys we knew thats what they are upto all along.

So how much do I have to pay the foundation in order to make sure my ad-funded website can&#x27;t be adblocked? Google has deep pockets.

it’s not ideal, but using little snitch to prevent firefox from talking to mozilla should help.

Yet another mechanism for a 3-letter-agency to remotely change your browser settings.

I wonder if this <i>mysteriously</i> blocks adblockers running on certain sites like youtube?