New Firefox security feature restricts extensions

Just a note to inform those that use Firefox that they’ve introduced a new feature in the new version 115 that may restrict certain extensions from running on certain sites. I wish they would clearly list which extensions and which sites, but I suspect they think that would be giving away a secret detail they wish to keep away from potential attackers. I will be very upset if my password manager stops working on the sites it’s most important that it keeps working on… or if my ad blocker stops working on any site.


Anything and everything in the name of safety :roll_eyes:

Not seen this yet, I’m guessing it stops add-ins that scan the page, when logging in or accessing sensitive information, if they haven’t been checked for security.

This sounds to me like “we’re suspecting this extension is unsafe but don’t know how, so we’re keeping it in the store but we’re breaking it on purpose”. I don’t see why an extension should be in this state if it has been reviewed properly.

I would be curious to see a list of which extensions are affected and why, specifically, they’re still in the store and for how long. I don’t use Firefox currently, but I’m considering switching to it if Chrome goes ahead with the Manifest v2 “breaking-adblocker-change”.

I’m going to guess it’s for when an extension was later found to have a security vulnerability that the author hasn’t had time to patch yet. There’s also a chance that it might be pulled from the store, or at least blocked from new installs when it’s added to this.


There are just too many, and they are changed too often, to be fully checked and the status held current.

Something like DarkReader or ad blockers dig into the website code that is being delivered and change it - either removing ad links or changing the CSS to make the site “dark”. Those could easily have extra code that sends “interesting” data back home. The same goes for password managers, but they, by definition, already have all your passwords.

I suspect that the big names have already had their add-ins verified - especially password managers and the main ad blockers.

But, over the years, there have been several stories of benign add-ins being sold and suddenly they start scraping the website for information or embedding additional adverts (or changing the existing adverts for ones of their own) and getting revenue without the user being aware.

I remember the Chrome extension “The Great Suspender” shipped malware at some point.

The extension was removed from the store and completely disabled in Chrome, and if I remember correctly, there was no way to re-enable it. I guess Firefox will use a similar strategy, but you can re-enable the extension at your own risk.

No, Mozilla have kicked out add-ins completely over the years as well. One of the big ad-blockers was bought out and suddenly started showing its own ads; it was kicked out.

But they can’t test every add-in for security quickly; there are simply too many and it would take too long. Therefore those that are tested get whitelisted for sensitive sites, and those not tested and verified aren’t allowed to interact with sensitive sites until they have been tested.

If they are tested and found to be dubious, I expect they will still be kicked out of Firefox.