[zaroth]

What’s the trade-off here? Browsers are trying to protect users against a metric ton of malware trying to exfiltrate login credentials, and the vast majority of users have no clue what an extension even is.

Last week my dad thought he had a virus, but really it was just a BS spam site that he had accidentally allowed to send him notifications. The screen in Chrome to revoke notification access was like 8 clicks deep.

Browser extensions are a powerful, beautiful, dangerous bit of tech. Is it asking too much to put some guard rails in place that really aren’t too much trouble to follow?

[anoncake]

> Is it asking too much to put some guard rails in place that really aren’t too much trouble to follow?

No, but that's not what Mozilla is doing. A confirmation prompt is a guardrail. This is a fence.

> Last week my dad thought he had a virus, but really it was just a BS spam site that he had [...] allowed to send him notifications.

That's his own fault. Not an ideal outcome by any means but a private organization has no right to restrict people's freedom just to protect others from themselves.

[apostacy]

This would not have protected your father from any of that. If hostile code can inject an extension into your Firefox profile, it can also install a keylogger or read your unencrypted Firefox password store. There is almost no protection against your credentials being exfiltrated. Neither would it protect you against unwanted notifications. It will however greatly reduce the functionality of Firefox.

This is security theater.

> Browser extensions are a powerful, beautiful, dangerous bit of tech. Is it asking too much to put some guard rails in place that really aren’t too much trouble to follow?

There are many layers of guard rails already. The problem is that now they want to also inspect every extension that I use, even if it is for completely private use and will never be available to the public. And Mozilla does not exactly have a good track record with trust.