I didn't think that "Cu.import("resource://gre/modules/ctypes.jsm")" was allowed in a Firefox add-on.
This is bad. Add-ons should not be allowed that much power. Especially since Wips has been buying up add-ons and putting in adware and spyware.[1][2][3] It looks like if you have the right connections, you can get malware approved into Firefox.
That blocksite looks pretty annoying, but according to our Add-on Dev Relations Lead (jorgev), since the tracking in blocksite is "opt in", it doesn't actually violate any of the AMO policies.
"Add-ons should not be allowed that much power" - this is tricky. We want add-ons to be powerful enough that users can customize Firefox to their liking down to the tiniest detail. And yet, we want to make sure that the add-ons are not doing completely evil things to your machine.
Our solution to that problem is code review and static analysis of add-ons that are submitted to AMO. For add-ons that you install outside of AMO... well, you're on your own there.
It's tricky. We do very much want to make the browser safer for our users, and eliminating evil add-ons is high on our list of priorities, but there's a lot of stop energy put against our solutions[2].
I'm not in charge of add-ons, but I the predicament is clear. Add-on authors want the power to make the browser do amazing things. Users want add-ons to do amazing things. Bad actors want add-ons to do evil things. We want to protect the user, but we also want to respect the user's right to do or install whatever they'd like on their machines.
It's a fine balance.
[1]: Which is something our AMO editors do - they review the source of all add-ons that go up to AMO.
"According to our Add-on Dev Relations Lead (jorgev), since the tracking in blocksite is "opt in", it doesn't actually violate any of the AMO policies."
I know, but it says something about the Mozilla Foundation that they let that through.
It says that they value their user's freedom? Including the freedom to apply footguns to themselves if they are clearly told that they are dealing with a footgun?
Also note that spying on the user can be done without system-level access. Since addons generally are allowed to do arbitrary XHRs anyway, so they can just record in-browser data and send it via XHR. No access to the filesystem needed.
So this issue is somewhat orthogonal to access to the rest of the system, besides the aspect that a malicious addon can do more damage that way. It can still be malicious when restricted to just the browser.
Note that I haven't actually installed the add-on or looked at the source[1], but just echoing what I'm reading in this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=903799
"Add-ons should not be allowed that much power" - this is tricky. We want add-ons to be powerful enough that users can customize Firefox to their liking down to the tiniest detail. And yet, we want to make sure that the add-ons are not doing completely evil things to your machine.
Our solution to that problem is code review and static analysis of add-ons that are submitted to AMO. For add-ons that you install outside of AMO... well, you're on your own there.
It's tricky. We do very much want to make the browser safer for our users, and eliminating evil add-ons is high on our list of priorities, but there's a lot of stop energy put against our solutions[2].
I'm not in charge of add-ons, but I the predicament is clear. Add-on authors want the power to make the browser do amazing things. Users want add-ons to do amazing things. Bad actors want add-ons to do evil things. We want to protect the user, but we also want to respect the user's right to do or install whatever they'd like on their machines.
It's a fine balance.
[1]: Which is something our AMO editors do - they review the source of all add-ons that go up to AMO.
[2]: https://blog.mozilla.org/addons/2015/02/10/extension-signing... is one solution we're going after. Check out the comments for some of the fors and againsts.