Mozilla yesterday detailed plans to require Firefox add-ons to be digitally signed, a move meant to bear down on rogue and malicious extensions, and one that resembled Google's decision years ago to secure Chrome's add-on ecosystem.
Some Firefox users called out Mozilla for disregarding its own long-held and often-expressed commitment to an open Internet.
"We're responsible for our add-ons ecosystem and we can't sit idle as our users suffer due to bad add-ons," said Jorge Villalobos, the add-ons developer relations lead at Mozilla, in a blog post Wednesday.
Firefox, which celebrated its 10th anniversary last November, has long been known for its laissez-faire approach to add-ons, one of the features that propelled it to a 25% share of all browsers in 2009 and helped revitalize the browser market.
As of January 2015, Firefox owned a 12% user share of all browsers, according to analytics company Net Applications.
Add-ons have gotten out of hand, said Mozilla's Villalobos, and the rules must be tightened. "Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites," he said, citing reasons for the digital-signing requirement.
An earlier attempt to stymie bad add-ons with a list of developer guidelines didn't work, in large part because Firefox add-ons can be hosted anywhere — much like Android apps — not only on AMO (Mozilla Add-On), the browser's official mart. One option Mozilla considered but discarded was to mimic Chrome by requiring all Firefox add-ons to be downloaded from AMO. "We believe that forcing all installs through our distribution channel is an unnecessary constraint," Villalobos said.
Instead, Mozilla will require all add-ons to be digitally signed. Those approved for hosting on AMO will be signed automatically by Mozilla, but add-ons intended for distribution outside AMO must still be submitted for review, and thus for signing. Mozilla will run automated checks for malicious content or behavior on all extensions submitted to AMO, with manual review as a backup.
A third option for add-ons that will never be publicly distributed — ones crafted by a business, for example, for use only by its employees — will exist. "We'll have more details available on this in the near future," Villalobos promised.
Once the new policy takes effect, unsigned add-ons will not be installable on Firefox's Release and Beta builds, the most stable and most popular of Mozilla's four channels. Unsigned extensions can still be installed on the other two channels, Aurora and Nightly.
Mozilla plans to use a two-cycle transition period — each cycle is six weeks, the interval between Firefox version numbers — to ease users into the new policy. During the transition, unsigned add-ons will only trigger an on-screen warning.