Mozilla’s policy ensures that no unreviewed code is ever loaded into the browser, and enforced signatures prevents reviewed code from being altered after release. - Mozilla blog

Something has scared me about Mozilla's addon signing policy ever since it was first announced: extensions that are designed specifically to let users write their own addons, such as Greasemonkey, Violentmonkey, Tampermonkey. They seem to blast a gaping hole in Mozilla's addon review process. I've used the various monkey addons (currently preferring Violentmonkey) to write countless little scripts over the years to fix little things (or big things) with websites that irritate me. I'm scared that one day Mozilla will decide that script addons are "dangerous", since they provide an addon platform within an addon platform, and outlaw them. And then what will I use? Bookmarklets? Or will they ban those too?
Mozilla sold the addon signing requirement as a way to stop malware, but I never understood how it could help, because malware that can edit someone's Firefox profile to install an addon can do unlimited other malicious things to undermine it. I worry because I don't quite understand how far Mozilla will go to try to lock down the browser.