by the8472 3951 days ago
> But you can't deny the old model had downsides.

Sure, but also upsides. That doesn't mean the change, as announced, is the ideal trade-off.

You could easily add a "you can continue to access all browser internals if you flip this switch" option to let those who are willing to break their browser do so and let everyone else be nannied by Mozilla.

> That's why Firefox is moving away from it, and why no other browser uses the old model.

That is a distinguishing factor to many users. Maybe not to the majority, but that majority might also be just as happy with Chrome and simply stick with Firefox due to inertia, who knows.


Of course I agree, it had upsides as well.

But you can't add such a switch - if it's there, malware can access it. A switch might prevent other problems, but not that main one.

> if it's there, malware can access it

If malware is already on your system then your system is already compromised. It could also patch Firefox or download a Firefox with signature verification disabled.

Or it could just send your password store file to some server in Russia, encrypt your hard drive and extort money from you.

Really, if malware is on your system then some extension sideloading is not really a big concern in the grand scheme of things.

I totally cannot follow that argument. To me it's like being relieved that your wallet hasn't been taken after someone knifed you and you're rapidly losing blood.

This isn't my argument - it's the argument used by Chrome, Firefox and other browsers. It's why browser plugins like NPAPI are being disabled (Chrome did it earlier this year).

Yes, local attacks are not impossible without this, but the point is to make them harder. A simple switch that opens up a lot of entry points is an easy target for malware.

Some malware might not need an easy target, but you at least prevent some malware by removing it. The harder it is, the fewer attacks will succeed.