this post was submitted on 05 Jul 2023
78 points (91.5% liked)

Technology

59038 readers
4196 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 22 comments
sorted by: hot top controversial new old
[–] DmMacniel@feddit.de 39 points 1 year ago (1 children)

Silently, but with a huuuuge Banner that notifies you that the extensions were disabled; not really silent then?

[–] foobar@lemmy.villa-straylight.social 15 points 1 year ago (1 children)

You would have to be looking for it:

Note that the warning appears in the Extensions popup rather than on the Extensions icon, so you wouldn't know that StopTheMadness was disabled on YouTube unless you opened the popup (or unless you saw the autoplaying videos on YouTube that StopTheMadness would otherwise stop.)

What happens, though, if you pin the extensions to the toolbar for easy access to their settings?

It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup! Consequently, the quarantined domains warning no longer appears in the Extensions popup either. In fact, there's no longer an Extensions popup: clicking the Extensions toolbar icon simply opens the about:addons page, which doesn't show the quarantined domains warning anywhere.

[–] DmMacniel@feddit.de 1 points 1 year ago

I would like to see a link to that setting even with a security banner in front of it where you have to agree that everything that happens from now on is on you and not firefox.

[–] rookie@programming.dev 19 points 1 year ago (2 children)

This does feel like something you should be able to toggle off. I can understand their security concerns, but I didn't switch to Firefox because I wanted less control/trust from my browser.

[–] MangoPenguin@lemmy.blahaj.zone 23 points 1 year ago

You can, set extensions.quarantinedDomains.enabled to false.

[–] darcmage@lemm.ee 5 points 1 year ago (1 children)

https://support.mozilla.org/en-US/kb/quarantined-domains

I'm generally fine with anything mozilla chooses to with firefox as long as we retain the ability to undo it, but it is something that should be watched closely given the power of the default.

[–] axtualdave@lemmy.world 2 points 1 year ago

The intent behind the feature is obviously to keep a list of known-bad domains there, to disable extensions Mozilla hasn't vetted as safe on said malicious domains.

If I had to guess, I'd say it'll be set to "" by default, unless you crank up some security setting to extra-paranoid, or, obviously, set it yourself.

[–] fubo@lemmy.world 12 points 1 year ago (1 children)

It's unclear exactly what's going on here. It could be a good idea or a bad idea.

Good idea: When accessing the login page for an important service, the user should be warned before low-trust extensions are enabled, to reduce the chance of hostile extensions stealing user credentials.

Bad idea: Allowing web site operators to dictate what extensions users may use on those sites.

[–] skullone@lemmy.world 2 points 1 year ago (1 children)

"And now, it's time for another good idea and bad idea... "

[–] fubo@lemmy.world 3 points 1 year ago

Wheel of Morality, turn turn turn ...

[–] qwop@programming.dev 11 points 1 year ago (2 children)

I wish I could have extensions default to off and be able to turn them on selectively on sites. For things like darkreader I don't want to use it 90% of the time so it shouldn't need to have at access to site data.

By the way, I don't like the title of this article, how is it done "remotely", it's just a list in about:config, no? Sounds clickbaity.

[–] AnyOldName3@lemmy.world 5 points 1 year ago

Most people leave those settings alone. If you've never changed the value, whenever Mozilla change the default, you'll be updated to the new default when you update your browser. That's a remote change to which websites remain unaffected by extensions, except for the minority of users who've done something about it.

[–] where_am_i@lemmy.world 0 points 1 year ago (1 children)

extensions are already disabled on Firefox help website. No dark reader will work there. They probably extended that capability into an actual backdoor.

[–] qwop@programming.dev 4 points 1 year ago

Last time I checked companies don't share backdoors they've added in release notes.

[–] AProfessional@lemmy.world 5 points 1 year ago

Access to literally every website is a very scary permission that is too common. I’m not sure the best approach but limiting this, with some user input, is a good move.

[–] zosu@vlemmy.net 5 points 1 year ago

i could imagine putting a banking site on that list to make sure no banking data can be leaked to an extension. two edged sword tho

[–] ArkyonVeil@lemmy.world 3 points 1 year ago

Can confirm. I just upgraded to 115, and tried out my own extension Obliterate Curves, which is similarly not monitored by mozilla due to how tiny it is. If the current domain is a "Quarantined Domain.", all extensions which aren't monitored will get downright disabled.

Do note, the list was empty by default. 100% troubling but hard to say where they'll go with it. Might end up as a "tick this website as secure" box later, though I'd personally prefer control over which sites an extension is allowed to run in.

[–] jet@hackertalks.com 1 points 1 year ago* (last edited 1 year ago)

Yet another reason to use mullvad-browser instead of vanilla Firefox.

Removing user agency is a big deal, to do it silently is a massive red flag. Even if the intentions are good paternalistic behavior removes agency from users.

[–] Raphael@lemmy.world 0 points 1 year ago

use Librewolf