How Writing Firefox Extensions Can Scare You Away From Them


Extensions are one of the key reasons we love Firefox. However, one extension developer found the security model for Firefox extensions so disturbing that she’s stopped using them altogether.

In a fascinating presentation at Linux.conf.au 2011, Anna Gerber outlined the development of LORE, a complex Firefox extension designed to help literary scholars annotate texts, create compound objects which combine multiple texts and notes and share their work. Gerber works as a senior software engineer with the ITEE eResearch Lab at the University of Queensland, and the project was developed as a Firefox extension because most researchers are used to working in a browser environment, and it enables installation easily even on locked-down machines. (You can see some of its functions in the video above.)

While the LORE project has been very successful so far, Gerber said that the entire experience was a real eye-opener in terms of how Firefox extensions actually work and where the development process needs to improve. In particular, the open-ended privileges which Firefox extensions have is a concern:

It’s all or nothing. Firefox extensions run in this privileged environment — it’s really scary what they can do. Since writing this, I don’t run any Firefox extensions anymore. I just don’t trust them.

Building the extension was also tricky, though Gerber stressed that this was in large part because LORE is a multi-faceted extension with its own GUI, rather than the more typical single-function add-on. “It works great for simple tasks,” she said. “But for complex extensions, it’s really, really difficult. There are almost no tools you can use for debugging them. The tools that work for web development don’t work within the extension environment. Chromebug is so flaky it’s not funny. There’s a real gap there for people developing complex extensions.” Constant changes to the Firefox API are also an issue, meaning lots of features break as new versions appear.

The inevitable question: does Chrome do better? Gerber thinks so — “they have what seems to be what seems to a be a well thought out extension framework” — though again she stressed that this is partly because Chrome’s developers have been able to learn from the Firefox experience and start with a more efficient and secure model. She can also see potential in the Mozilla Jetpack project for this kind of development.

Arguably none of that means you should be throwing out your tried and trusted Firefox extensions, but it’s a reminder to remain cautious when installing unfamiliar software and to have a little sympathy if your favourite extension doesn’t immediately update when Firefox does. Thanks again to Anna for a great presentation!


The Cheapest NBN 50 Plans

Here are the cheapest plans available for Australia’s most popular NBN speed tier.

At Lifehacker, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.

Comments


8 responses to “How Writing Firefox Extensions Can Scare You Away From Them”

Leave a Reply