>XUL-based Firefox add-ons are not better. They essentially give full control of your computer to the developer of the add-on
XUL does open up more attack surface than a web extension. However, web extensions open up enough that you're already in the business of trusting the creator of the extension.
A web extension is fully capable of stealing my online banking credentials, for example.
> you're already in the business of trusting the creator of the extension
Those were my thoughts exactly.
And tangentially related to your point, I am wondering why the add-on developer, whom I have explicitly trusted by intentionally installing their software, is not at least on the same or even a higher level of trust than an unknown 3rd party web developer whose arbitrary JavaScript application the browser automatically installs and runs when I visit a desired 1st party website?
There are no built-in protections that Firefox (or any browser) provides against running arbitrary 3rd party code that happens to be included by an unsuspecting website: 3rd party fingerprinting, tracking of user actions, access to the DOM, whether for "benign" or malicious purposes. In my mind that is just as, if not more, important for both security and privacy.
It looks like it is yet to be seen whether Mozilla's extended WebExtensions API will provide enough for existing add-ons that use the current low-level access to restrict 3rd party web applications to some degree.
Web extensions are vetted by AMO reviewers if they come from that channel. Is it going to catch every single malicious extension? Doubtful. Is it better than nothing? Yes.
I suppose. The whole idea just seems to miss that for many, online data is more important than the local PC. A web extension that deleted my Google account would be more disruptive than an XUL extension that formatted my hard drive. XUL is a superset, but restricting to "web only" leaves you with the most significant subset... at least for me.
> Web extensions are vetted by AMO reviewers [...]
But so is every other type of add-on. You even need to upload source code for binary components. (A XUL extension can include DLLs or their cross-platform equivalents.)