Sideloading is a method of installing an extension in Firefox by adding an extension file to a special location using an executable application installer. This installs the extension in all Firefox instances on a computer.
Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager. This mechanism has also been employed in the past to install malware into Firefox. To give users more control over their extensions, support for sideloaded extensions will be discontinued.
This blog post requires some very clear translating before all of us grab our pitchforks. Users will still be able to install extensions from outside Mozilla’s own add-on website, and developers will still be able to distribute them separately. The functionality Mozilla is removing from Firefox is the ability for application installers – such as Skype – to dump an extension in a folder and then have that extension be installed in every Firefox profile on the machine.
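As an added example (not part of Mozilla's post or of this article), one way to see which add-ons in a profile arrived by sideloading is to read the profile's `extensions.json`. The `location` and `foreignInstall` field names and the location values are assumptions about Firefox's profile format rather than anything stated in the post, and the sample data is constructed.

```python
import json

# Assumed location names from Firefox's extensions.json (not stated in the post).
USER_LOCATIONS = {"app-profile", "app-temporary"}          # installed inside the profile
BUILTIN_LOCATIONS = {"app-builtin", "app-system-defaults"}  # shipped with Firefox itself

def find_sideloaded(extensions_json_text):
    """Return add-ons that did not come from a user install in the profile."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        location = addon.get("location", "unknown")
        if location in BUILTIN_LOCATIONS:
            continue
        foreign = bool(addon.get("foreignInstall", False))
        # A profile install made through the Add-ons Manager is not a sideload.
        if location in USER_LOCATIONS and not foreign:
            continue
        findings.append({
            "id": addon.get("id", "<missing id>"),
            "location": location,
            "foreignInstall": foreign,
            "active": bool(addon.get("active", False)),
        })
    return sorted(findings, key=lambda f: f["id"])

# Constructed sample: ids and values are invented for illustration.
SAMPLE = json.dumps({"addons": [
    {"id": "adblock@example.invalid", "location": "app-profile",
     "foreignInstall": False, "active": True},
    {"id": "toolbar@installer.invalid", "location": "winreg-app-global",
     "foreignInstall": True, "active": True},
    {"id": "shell-integration@distro.invalid", "location": "app-system-share",
     "foreignInstall": True, "active": False},
    {"id": "dropped@installer.invalid", "location": "app-profile",
     "foreignInstall": True, "active": True},
    {"id": "screenshots@builtin.invalid", "location": "app-builtin",
     "foreignInstall": False, "active": True},
]})

if __name__ == "__main__":
    for finding in find_sideloaded(SAMPLE):
        print(finding)
```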
This still breaks any Linux distro shipping GNOME from being able to install GNOME Shell extensions through the website since they need a Firefox extension to do it.
Grood. Good and great. That always seemed like it could have been very easily abused, if Gnome users were high enough of a target.
This is nothing but good news then. I’ve been using their alpha builds and did notice that change, which just meant a bit of an extra step to install extensions, especially for regular users, but sys admins and developers should not have an issue.
Gosh this is unclear. I *think* mozilla is attempting to abuse “sideloading” terminology in order to make the claims it is making in this post. Mozilla is *already* prohibiting sideloading in mainline firefox for a while now. Sideloading is only allowed if you use the nightly build or use the enterprise version which is a year behind mainline. If you want to sideload on the regular version, mozilla does not allow it, only plugins approved by mozilla are allowed.
I re-read this post three times, and it sounds like mozilla intends for “sideloading” to refer to approved plugins being installed systemwide by loading them into the firefox installation path. With this in mind, we can translate mozilla’s statement to mean “To give users more control over their extensions, support for extensions installed into firefox’s system-wide installation path will be discontinued.” Going forward the plugins will only work if they are installed into each and every user’s local profile. I don’t know why their post is so terribly worded, but this seems to be what they actually mean here. This could impact things like plugins distributed by package managers or automated means across many users.
I don’t believe this will technically improve security since the firefox binary itself could be replaced.
As for denying users sideloading rights, mozilla deserves exactly the same blame as before; no more, no less.
Good point about the firefox binary, but I guess this means the Mozilla update process on Windows can also just check with hash/throw away any files that shouldn’t exist in that directory. Maybe even work like a virus scanner and monitor any file changes in the directory.
I thought they already did this ages ago, back around the time they removed support for legacy extensions. I guess they just planned to do it and it got delayed.
ssokolow,
Yes, sideloading is totally prohibited in the normal version, and will continue to be totally prohibited. Nothing changes with respect to users being able to sideload, users can only install extensions that have been censored by mozilla. The change is that mozilla approved extensions will no longer be installable system-wide, but rather they have to be installed for each individual user in their profiles. This change does not improve security, however it does make it easier for an end user to remove/disable an extension because going forward all extensions must be in their local profile.
Technically there would have been other ways for mozilla to handle this. For example, system-wide extensions could have a flag in the user’s local profile to enable/disable system extensions even though they aren’t installed in their local profiles. To me, this seems to be the best of both worlds and is how I would have handled it, but mozilla decided to completely remove support for system-wide extensions. This affects system administrators more than normal users. For better or worse, it makes it harder for administrators to deploy extensions.
This is going to make Firefox even less suitable for enterprise deployments.
Right now, it’s possible for a business to preload extensions for users. It appears that’s going to become an awful lot more difficult.
More market share lost to Chrome, I suppose.
We really need independent, third party extension “stores” so browser makers don’t control extensions so tightly. A private store could push out extensions to users, or an independent store host extensions that the browser makers don’t choose to for political reasons.
We already have this and admire it when it comes to OS level applications – Linux has repos, and MacOS/Windows you can just download a .exe/.msi/.dmg and install whatever you like. For some reason, though, it’s acceptable for two or three companies to tightly control how we use our browsers…
The1stImmortal,
Mozilla would argue that extensions CAN be delivered from an independent store, the problem of course is that they have to be signed by mozilla so that they can censor them. For all the criticism apple faces over making technology less free, which I find despicable, at least I understand why apple does it – they make billions of dollars on restriction driven fees. It’s unethical, but their motives are clear and make sense. But I’ll probably never understand why mozilla does it, of all the companies they ought to be more vested in promoting user freedoms, and yet mozilla chooses to be part of the problem by pulling the same “we know what’s best for you” crap and actively contributing to web technology being more locked up.
I agree, but we have to be extremely careful with how we tread because these companies have shown an affinity for taking user control away whenever we let them. Authoritarianism is on the rise not only in government, but in our tech companies too: 1984, here we come.