Mozilla takes pity on Firefox extension developers

Mozilla plans to make life easier for developers of Firefox browser Add-ons, aka extensions, by reducing the burden of presenting custom consent dialogs to those installing extensions.

Alan Byrne, senior staff product manager of Firefox Add-ons, reports that Mozilla intends to change its Add-on policies governing consent dialog prompts.

Presently, Mozilla's Add-on policies impose extensive obligations on developers to ensure that when any extension gathers or sends user data, it must present the user a consent dialog that explains what data will be collected or transmitted and must obtain the user's consent.

It's a sensible requirement because browser extensions potentially have access to whatever sensitive data is exposed during web browsing and many in the past have abused this broad level of access to violate privacy and steal data.

Such problems continue to this day, at least in the Chrome Web Store, as noted recently by security researcher Wladimir Palant, who between 2015 and 2017 reviewed extensions for Mozilla Add-ons. Palant's assessment of the Chrome Web Store is that it's "a mess."

Google's latest modest effort to improve things involves a ban on modifying affiliate links, which is done to commit affiliate fraud – stealing credit for commission fees awarded through affiliate marketing programs.

Mozilla Add-ons, too, have had their share of bad actors. Up through 2020, the Firefox maker maintained a list of Add-ons that have been blocked for bad behavior.

Now and next

Presently in the Firefox extension ecosystem, Byrne's concern is that Mozilla's Add-on policies make life unnecessarily difficult for developers while also confusing those installing extensions because each onboarding experience is different. Not only that, but Add-on reviewers, tasked with catching non-compliant and malicious extensions prior to public distribution, have to evaluate all the custom code implemented to meet platform policies.

Later this year, Mozilla aims to standardize the data consent experience for those installing Firefox extensions by building it into the Firefox installation flow. The hope is that this will reduce the development burden of developing custom permission prompts, provide users with a consistent interface and experience, and reduce the code that needs to be reviewed for compliance.

Instead of having to create custom data content dialogs from those installing extensions, future versions of Firefox will allow developers to declare in the extension manifest – a file that describes the extensions capabilities and API usage – what types of data the extension collects and transmits. And this will be presented to those installing extensions in a uniform manner.

"When a user then adds an extension to Firefox, the installation prompt will show what required types of data the extension collects, if any, alongside a list of permissions that the extension requests," said Byrne in a write-up this month. "Users will have a choice to opt in/out of providing the optional technical and usage data if the add-on has requested it, as well as any optional data collection the developer requests."

• You know that generative AI browser assistant extension is probably beaming everything to the cloud, right?
• Google Chrome Enterprise to get better warning labels that you're using a company profile
• uBlock Origin dead for many as Google purges Manifest v2 extensions
• Google's 7-year slog to improve Chrome extensions still hasn't satisfied developers

Byrne said Mozilla intends to extend the WebExtensions permissions APIs to cover additional data collection options.

This information will be made available through the AMO (addons.mozilla.org) extension listing pages, and some thought is being given to allow developers to expand upon extension data practices in their store listings.

That's the plan and it will take time, according to Byrne. The standardization effort is expected to first appear in an upcoming Nightly version of Firefox for the desktop, with the goal being to gather more information from developers about how the new process compares with prior practice. To help make that happen, Mozilla is asking extension developers to share their thoughts on the process in a survey. ®