Thursday, July 6, 2023

Firefox 115’s Two-Tier Extensions System

Vishal Gupta (Hacker News):

If you installed or upgraded to the new Mozilla Firefox 115 or later version and you are getting “Some extensions are not allowed” error message on Extensions panel or flyout (puzzle piece toolbar icon), this article will help you in fixing the issue and enabling the blocked extensions again in Firefox web browser.


The [error message] is shown by a new feature called “Quarantined Domains”[…]. According to Mozilla team, this new back-end feature has been implemented to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns.


Now double-click on extensions.quarantinedDomains.enabled preference and set its value to false.

Jeff Johnson (Mastodon, Hacker News):

I’m all in favor of giving users control over which extensions are allowed to load on which sites. Safari already has this feature on both macOS and iOS. My concern is not about user control—little of which even exists in Firefox 115, as I’ll show later—but rather about the remote control that Mozilla has now given itself, as mentioned in a Bugzilla report.


You have to wonder why an open source project required confidentiality about this. Incidentally, neither Safari nor Chrome, or any other browser as far as I know, has such a remote domain-specific kill switch for extensions, so you have to wonder why it was necessary in Firefox.


I believe that Mozilla already had the capability to remotely disable an individual extension, if it turned out to be malware. […] Given this preexisting capability, it’s unclear why there should be a list of domains where all except a lucky few chosen extensions are disabled, regardless of whether the disabled extensions have shown signs of misbehavior.

Update (2023-07-10): Jeff Johnson:

Mozilla has posted additional information about the quarantined domains feature added in Firefox 115.

Update (2023-07-11): Jeff Johnson:

Note that extensions.webextensions.restrictedDomains and extensions.quarantinedDomains.list are two separate settings in Firefox.


Thus, it appears that Mozilla introduced a built-in add-on to disable the Brazilian web sites in Firefox version 113, then they moved the same functionality from the add-on into the main app in Firefox version 115.

We still have no information from Mozilla about why most Firefox add-ons, except for a select few add-ons “monitored by Mozilla”, have been disabled on those six Brazilian web sites.

3 Comments RSS · Twitter · Mastodon

This addition was indeed weird, but the good thing is that we always have the option with Firefox.

I vehemently oppose this and Mozilla's increasingly anti-FOSS conduct.

That said, it's worth pointing out that Chrome has had this for a while, except (unsurprisingly) without a way to disable the "feature":

@Someone That Chrome feature sounds more like what Johnson mentions in the last quoted paragraph, which I think is different from what Firefox just added.

Leave a Comment