
Mozilla Setting Tight Restrictions for Firefox Add-Ons
Beginning next month, Mozilla will ban any add-ons for its Firefox browser that contain obfuscated code or hide their real purpose from users.

The change is part of a larger overhaul of the add-on policy for Firefox that Mozilla will put into effect on June 10. The policies apply to any add-ons in the Firefox ecosystem, regardless of whether they’re hosted on Mozilla’s site or elsewhere. Like Google and the other major browser manufacturers, Mozilla has cultivated a community of developers that create add-ons for the browser that extend the functionality of the software. But because the add-ons are written by third-party developers, Mozilla doesn’t have direct control of the content, so the company has to set strict policies about what add-ons can and can’t do.

The updated policy that goes into effect next month includes a number of changes, and one of the main ones is a prohibition on add-ons that try to deceive users or hide their functionality.

“Add-ons are not allowed to contain obfuscated code, nor code that hides the purpose of the functionality involved. If external resources are used in combination with add-on code, the functionality of the code must not be obscured,” the Mozilla policy says.

The use of obfuscated code is common in malicious or deceptive browser extensions that try to disguise what they do. It’s difficult, if not impossible, for many people to determine what exactly an extension is doing, so they have to rely on the judgment and expertise of whoever is hosting the extensions, which can also be problematic. Developers who don’t comply with the Mozilla policy may find their add-ons blocked, or in severe cases, have their developer accounts revoked.

Browser add-ons have become a significant part of the ecosystem around all of the major browsers, as the vendors have focused on the core functionality and reliability of the software. Add-ons and extensions run the gamut in terms of functionality, with some changing the appearance of web pages and others blocking cookies, third-party content and other privacy-invading elements on pages. But there are plenty of extensions and add-ons that purport to do one thing while doing another, or that collect user browsing data without notice.

With the new policies, Mozilla is trying to make it as clear as possible for both developers and individuals what kind of behavior is permissible and what isn’t. For example, the policy spells out how developers need to notify users about any data that an add-on collects.

“You must disclose how the add-on collects, uses, stores and shares user data in the privacy policy field on AMO. Mozilla expects that the add-on limits data collection whenever possible, in keeping with Mozilla’s Lean Data Practices and Mozilla’s Data Privacy Principles, and uses the data only for the purpose for which it was originally collected,” the policy says.

Mozilla also is putting the burden on developers to ensure that their add-ons are secure and don’t open the browser and user up to attack.

“Because add-ons run in an environment with elevated privileges relative to ordinary web pages, they present a very serious set of security considerations. They have the potential to open security holes not only in the add-ons themselves, but also in the browser, in web pages, and, in particularly distressing cases, the entire system the browser is running on,” the policy says.

“As a result, we take our security policies very seriously and apply them to all add-ons, whether hosted on AMO or not. We expect all add-ons to be secure and well-maintained in handling both their own data and their user’s data. They must also securely manage all of their interactions with the web, the browser and the operating system.”