Mozilla will start blocking Firefox add-ons that contain obfuscated code as part of the updated Add-on Policy that aims to rid the portal of third-party malicious code.
Come June 10, Mozilla will reject submissions for Firefox add-ons that disregard the new rule and . Developers with products with obfuscated code should resubmit them in a variant that complies with the policy update.
Add-ons violating the policy get blocked
Caitlin Neiman, Add-ons Community Manager at Mozilla, says in an announcement today that "minified, concatenated, or otherwise machine-generated code" will still be allowed if the source is included.
Obfuscation is a technique often used for malicious purposes: it hides the code's true functionality, which remains unaffected. Humans have a hard time understanding obfuscated code, and converting it into a clean form takes time.
Neiman explained that blocking add-ons with obfuscated code, also called "blocklisting," means disabling them in the browser after the user has installed them.
"We will be blocking extensions more proactively if they are found to be in violation of our policies. We will be casting a wider net, and will err on the side of user security when determining whether or not to block," Neiman says.
The new add-on policies that will take effect on June 10 are available for review here.
Different block levels
Depending on the nature of the policy violation, the sanction could be a hard or a soft block. While a soft block disables the add-on by default, users still have the possibility to override the sanction and keep using it.
This penalty applies to extensions that affect the stability or performance of the browser, or whose policy violation is non-critical.
When a hard block happens, the override option is no longer available. This sanction is enforced on extensions that:
Appear to intentionally violate policy
Contain critical security vulnerabilities
Compromise user privacy
Severely circumvent user consent or control
"We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," informs Neiman.
Comments
SuperSapien64 - 5 years ago
I wonder if Web Of Trust will be affected by this?
tik2roo - 5 years ago
I hope they aren't planning to use it for censorship.
RatMan29 - 5 years ago
"I hope they aren't planning to use it for censorship."
Fortunately, if they do, the source code is still available. And forks are already out there, including Waterfox and Pale Moon.
GT500 - 5 years ago
This is a move that may hurt Mozilla, however at the same time it will make determining if extensions are malicious easier.
Is it necessary? Probably not, however I could certainly see it being beneficial.
SuperSapien64 - 5 years ago
Well, Firefox for Android just disabled NoScript, Privacy Badger, HTTPS Everywhere and uBlock Origin. So yeah, some well-trusted add-ons were just disabled suddenly. :(
respoda - 5 years ago
Apparently that went well, Mozilla! F*-ups!
DawidG - 5 years ago
Certificate ScrewJob
https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047/12
Lawrence Abrams - 5 years ago
See here:
https://www.bleepingcomputer.com/news/software/firefox-addons-being-disabled-due-to-an-expired-certificate/