back to article Mozilla to auto-block unwanted Firefox add-ons

Mozilla's Firefox will soon start blocking browser add-ons installed by other programs until users explicitly approve them, a move that's designed to give people more control over their web surfing experience. The feature will debut next week in the Firefox Aurora prebeta, Justin Scott a Mozilla product manager for add-ons said …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    what i'd really prefer

    Is that plugins be checked prior to upgrade instead of after....without requiring users to verify all of them first.

    1. Anonymous Coward
      Facepalm

      Trouble is

      some of these plugins are installed while Firefox might not be running.

      1. Pseu Donyme

        Yup, but ...

        ... the idea was that Firefox would check with the user when it finds a new plugin installed on startup. Since the plugins have no effect until Firefox makes use of them this should work fine.

  2. Anonymous Coward
    Anonymous Coward

    Needs locked down

    We really need an option to stop user installed add ons in schools offices etc... that is issue #1.

    An overriding config file in the program directory is all we need.

    1. Anonymous Coward
      Anonymous Coward

      @AC

      This is similar to Enterprise needs, and Mozilla has publicly stated it does not care.

      As a school you will be able to get educational discounts on MS software and you can use Group Policy in Active Directory to do what you need.

      or

      Block the Moz add-on page at your firewall

      or

      Use VMs and scrub the machines back to a known base once a week.

    2. Peter2 Silver badge

      denying write permissions to the folder

      Is this too difficult?

      1. Anonymous Coward
        Unhappy

        MS Steady state for XP...

        ...was a bloody godsend for this. Same they want to go to the VM method now i.e. no Staedy state for Win7, which requires a lot more horsepower.

      2. alien anthropologist
        FAIL

        @Peter2: denying write permissions to the folder

        > Is this too difficult?

        Yes. What do you (aka the kernel or file system driver) use as ACL to determine that process foo may have write access to a specific folder? How does it determine that process foo is foo and not its notorious cousin, fubar? Keep in mind that creating a signature for process foo will fail when foo itself is updated. What about advance user Johnie that wants to use process screwup to access the folder and make some manual mods and changes?

        Security is complex. Period.

      3. stu 19

        security?

        probably not on *nix but windoze has the option of the hidden super-user that make all those other attacks possible too.

    3. Anonymous Coward
      Thumb Down

      lock down?

      This was done on the centrally-managed (Unix) software distribution server where I work. Completely pointless, people who cared just downloaded & installed their own independent copy and ignored the central one.

  3. Brezin Bardout

    About time

    I've got three addons from Kaspersky that are absolutely impossible to get rid of short of reinstalling Firefox. They've been there for about a year and the only reason they're not enabled right now is because they're not compatible with Firefox 5.0.

    And yeah, I know Kaspersky's turning into a bloated mess. That's why there's absolutely no chance of it getting renewed. When the installer gives you no option as to what gets installed or not, and removing the stuff you don't want is harder than getting rid of any malware, you know it's time for a change.

    1. Anonymous Coward
      Anonymous Coward

      Re: About time

      I'm intrigued - why the downvote? Do feelings run that high regarding Kaspersky?

  4. Richard Boyce

    Why can't we have full control of our add-ons?

    We also need the ability to forceably remove extensions/plug-ins (I'm not sure what the difference is) that don't volunteer a removal option.

    Right now, I've got quite a few obsolete or unwanted addons that are disabled. For example, I have old versions of addons that were not removed when a new version was added by a third party, such as old versions of Java Console and AVG Safe Search. We shouldn't have to consider editing the registry and searching out files to delete.

  5. Cheese
    Boffin

    Addon Stuff

    RE: Needs locked down

    Toggle xpinstall.enabled to false in about:config.

    To prevent users from re-enabling it, read the following article about locking the config file:

    http://support.mozilla.com/en-US/questions/808176#answer-170945

    RE: About time

    Can't you just delete the Kaspersky addons from the global add-on folder?

    C:\Program Files\Mozilla Firefox\extension

  6. The BigYin

    Take a leaf from Linux

    Inform the user that some add-ons need updated or wish to be installed.

    Warn (with big flashing lights and screaming sirens) if an add-on has not been signed by a verified GPG-key.

    Then let the user select what to allow/block.

    1. Ru
      FAIL

      big flashing lights and screaming sirens

      They do *nothing*. The people who would most benefit from such things have never paid attention and never will.

      1. Pete B
        Alert

        @Ru

        Very true - if user education were going to work then we'd have started seeing results long since - it's now apparent that you *have* to treat users as complete idiots and try and prevent them from doing what they think might be a good idea.

        Much as it grieves me for the vast majority of users Apple's approach actually isn't a bad thing!

        1. stu 19

          user paying attention to what's on their machine?

          If users wanted to pay attention to what's on their machines they would all be using linux and windoze would not be the ubiquitous OS it is.

  7. Ian Emery Silver badge
    FAIL

    Other needs

    I need FF to stop blocking every auto page refresh from my favourite currency exchange site; one "allow" should be enough, two "allows" should be dropping a big hint, but having to constantly manually accept the page refresh every buggering time is too much!!!

    FF4 = FAIL

    1. Cowardly Animosity
      Facepalm

      You Fail

      FFS, a quick Google would give you the following solution: open about:config, set the accessibility.blockautorefresh preference setting to False.

    2. Anonymous Coward
      FAIL

      Refresh!

      Or instead, ask your 'favourite currency exchange site' to stop using an outdated, depreciated by W3C and often abused method of refreshing pages, and use Ajax or something similar instead to only update the bit of the page that actually needs to be updated!

  8. bex

    following ie 9

    internet explorer has this feature, I assume Mozilla thought now thats a good idea. They need the feature that ie 9 has that any addon that slows the startup by more than 0.2 of a second throws up a dialogue asking if you want to disable it.

  9. wired_retired
    Thumb Up

    If you don't like it...

    If you don't like it, stop using it. At least they are doing something...unlike Google.

    1. Ammaross Danan

      IE

      even better, IE needs to have this auro-disabled option. to make it even better than that, make them have to click though a non-autopop menu to actually enable the toolbar. people end up with toolbars get them because they just have to hit yes to a popup: and thwy always hit yes.

      1. stu 19

        toolbars

        I have had things like AVG safe search appear even though I did not want it and asked for it not be be installed, I think another one was the foxit toolbar - I like the reader but was midly annoyed to have to go and manually remove the toolbar add-on.

        The option to NOT install is not always given.

    2. TeeCee Gold badge

      Re: Following ie 9

      Yes and there are already those here saying that it also needs the ability to turn off / remove plugins at will, like wot IE also already has. Presumably that'll turn up soon as well.

      Following IE for function and Chrome for versioning? Isn't that kinda like the worst of both worlds?

      I had also noticed the "warn about plugins that chew too much time on startup" function in IE, although personally I get enough of a cue to remove the "PDF helper" plugin from seeing the Adobe Reader update dialogue......

  10. Henry Wertz 1 Gold badge

    Doesn't sound right to me...

    As devil's advocate, if my system is slow for whatever reason (perhaps I'm just running too many jobs so the load average is high, or I'm momentarily swapping a bit) then EVERY addon will add 0.2 seconds to the startup. I don't want my browser throwing up like 10 warnings because of this. Also I bet plenty of crapware addons do not slow down the startup, just do unwanted things later.

  11. Anonymous Coward
    Thumb Up

    Needs locked down

    perms only work on 1 existing profile, addons can be installed from other sources but the cheese was awesome - there is a lock file!

    xpinstall.enabled=false

    in a locking file

    http://kb.mozillazine.org/Locking_preferences

  12. ShelLuser

    Underimpressed

    Sure, its a good addition and one which is most likely going to please a lot of people.

    But when are they going to fix the real problems at hand? Why insist on forcing tabs upon thunderbird users without giving them an option to turn that stuff on or off themselves ?

    Its not as if it isn't possible.. Last week I discovered to my surprise that my current browser / mail client of choice, SeaMonkey, /also/ supports tabs in the mail client. After using it for 3 - 4 months now I accidentally pressed control-t while reading an e-mail.

    Both are Mozilla products.. Why can SeaMonkey give me "non-intrusive mail tabs" while thunderbird can only hide these at best ?

    I think mozilla needs to get their priorities straightened out. Version 6 is about to come out yet in my website logs Firefox represents 34% (others being Chrome (23%) & Safari (31%)). Out of that 34% of firefox users 64% use version 3, 14% version 4, 25% version 5, 1% version 6 and the others cannot be determined.

    If they keep this up I wouldn't be surprised if FF will be the next browser to get a reputation of being "unsafe to use". Not because the current product is unsafe; but because most people use outdated versions which are unsafe.

    Once that starts I think they can kiss their good reputation goodbye; a downward spiral always proceeds faster than the upward spiral.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019