Authorization dialogs of the Firefox extensions
Firefox extentions often ask for the authorization "Access your data for all websites". The description is "The extension can read the content of any webpage you visit as well as the data you enter there, e.g. B. Usernames and Passwords." Does this mean e.g. if I type in my bank account in a firefox browser window or a password for any other pge that this extension has access to this input/password??? Martin
All Replies (5)
Technically, yes.
However, in reality, almost all of the extensions on the Firefox add-on website are using that permission for legitimate purposes. For example, an ad blocking extension needs to be able to modify the website that you are viewing so that it can detect and remove ads. A website filtering add-on needs to have that permission so it can see what websites are trying to load and block ones you don't want. Even something as simple a program that allows the user to change the color of the scrollbars in Firefox needs this permission so that the scrollbars on every website you visit can be changed.
The permission can be used for a variety of legitimate purposes. The message that is on the add-on website sometimes scares users, but it's very much a worst case scenario situation.
In reality, any program that you install on your computer could access that same data.
It's up to you to ensure that you are only using reputable add-ons or add-ons from the Recommended Extensions program (because those are manually reviewed by a human).
Thank you for the explanation. It means that a) you cannot be absolutely sure even with 'recommended extensions" that secret information like login data are not sent to "extension related peaple" b) you should always boot the PC from a clean e.g. UBUNTU DVD when handling such secret data c) "clean" extensions should have open source and generate a log file with clear text what is sent out of the PC d) Mozilla should add an option to open a "secure" Tab blocking ALL extensions (and other "dangerous" processes) but those explicitly allowed by the user.
Sorry but the comment "it's very much a worst case scenario situation" sounds like "bad boys are SO EXTREMELY rare in the WWW that I do not have to become angray...".
It is extremely difficult to achieve 100 % security but extremly easy at least to achieve 100 % transparency, and global "back doors" should not be accepted as 'normal' just by the argumentation "but they HAVE to be there otherwise the application cannot work" and "at the end THE USER DECIDES whether he uses an extension". This makes life of vendors (and Mozilla too) too easy and irresponsible.
Hi m_vanselow, the extensions in the Recommended program are reviewed by human reviewers for each update. Other extensions are mostly reviewed by software.
By default, extensions do not run in private windows (at install time, you'll see a small panel with a checkbox to enable the extension in private windows if you like). You can use that feature to open pages free of any risk that extensions can read them, but of course, no history will be saved for those tabs.
Currently, there isn't a feature to block extensions in regular tabs or container tabs, or on particular sites. Hopefully that will be added in the future.
You have many choices to submit suggestions related to how add-ons work in Firefox, depending on your desired style of interaction:
Discussion Sites/Advocacy
- Mozilla Discourse: https://discourse.mozilla.org/
If none of the categories seem to fit, try this board regarding the Add-ons site: https://discourse.mozilla.org/c/add-ons/addons-mozilla-org - Reddit (monitored by Mozilla): https://www.reddit.com/r/firefox/
- I saw someone created a Change.org petition but I don't know who sees those
Limited Length Comments
- Feedback site: https://qsurvey.mozilla.com/s3/FirefoxInput/
- Twitter (Mozilla official): https://twitter.com/firefox
Hi Jefferson, thank you for the helpful response. The 'private windows' looks like a relatively secure solution. It means that extensions can monitor only the tabs within a firefox window but not in different windows. Correct? Is there an option to change the status of installed extensions whether they should be used in the private window or not, e.g. when I have overlooked the checkbox during installation or do I have to uninstall and install them again? Martin
m_vanselow said
The 'private windows' looks like a relatively secure solution. It means that extensions can monitor only the tabs within a firefox window but not in different windows. Correct?
Hi Martin, it is better to think of all regular windows as one group, and all private windows as a second group.
Even though extensions may act within (inject scripts into) the scope of a tab, if this is happening in every tab in all regular windows, it does in theory provide some visibility across regular windows. There also are extensions that do not modify pages but work in the background monitoring and potentially modifying requests to servers and responses back. In that case, it doesn't matter whether your regular window tabs are all in one window or split across multiple windows.
Is there an option to change the status of installed extensions whether they should be used in the private window or not, e.g. when I have overlooked the checkbox during installation or do I have to uninstall and install them again?
At least this question is easy. To adjust an extension's permission to run in private windows, you can open the Add-ons page (Ctrl+Shift+A), click Extensions in the left column, and check whether there is a purple mask icon next to the names of your extensions. The icon indicates that extension currently is allowed to run in private windows. To modify the permission, click the extension's name to open the Details panel, the scroll down past the description to the controls.