Hello!
I have a couple of questions for the developers.
You claim that the browser itself won't hand my private data to anyone, but I'm still concerned about the browser addons' treatment of this data. I want to be sure that they won't do this either.
It's written on Mozilla's addons portal that their team regularly inspects the extensions' code in order to make sure it's safe and not malicious. Do you inspect the code of extensions that are listed on your extensions page? And the same question is about Firefox extensions which are not listed there, but are installable for Pale Moon.
I also noticed that some Firefox extensions have a list of permissions attached to them which says what actions in the browser this extension will perform. But there are no such lists for Pale Moon extensions.
Why?
Extensions safety
Moderators: FranklinDM, Lootyhoof
Re: Extensions safety
Any add-ons that are submitted for Pale Moon are reviewed by the Add-ons Team to ensure that they function correctly and do not maliciously affect the browser. We would only check those submitted to us for hosting, not any Firefox-specific extensions (i.e. those on Mozilla's add-ons site). Add-ons which are listed as "external" on our site are also checked.
The permissions list in Firefox is a side-product of the WebExtensions system, in which add-ons must explicitly declare which permissions they need in order to perform specific actions. XUL-based add-ons such as those that work with Pale Moon do not need to (nor are able to) declare which permissions they require, as they, in theory, have access to the entire browser.
To be absolutely sure that an add-on behaves as you would prefer, it is possible to inspect its source code. Every add-on is in the .xpi format (or rarely, for older add-ons the .jar format) which is essentially just a .zip file with a different extension. Therefore, you could open it up if you wanted. In that case though, please respect the original developer's licensing of the add-on if you ever wanted to make changes and publish those to anyone else.
Last edited by Lootyhoof on 2018-06-01, 16:13, edited 1 time in total.
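Added example (not part of the original post and not Pale Moon's review tooling): since an .xpi is just a zip, a short script can open it, tell a XUL add-on (install.rdf, no permission list) from a WebExtension (manifest.json with declared permissions), and list the lines of code that reference network APIs or hard-coded URLs, including code packed in a nested .jar. The marker list, function names and the sample add-on are assumptions constructed for illustration.

```python
import io, json, re, zipfile

# Heuristic markers of network access in add-on code (assumed list, not exhaustive).
NET_PATTERNS = re.compile(
    r"XMLHttpRequest|\bfetch\s*\(|WebSocket|nsIHttpChannel|sendBeacon")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>)]+")
CODE_SUFFIXES = (".js", ".jsm", ".xul", ".html")

def audit_xpi(data, prefix=""):
    """Return (kind, permissions, findings) for the bytes of an .xpi/.jar."""
    kind, permissions, findings = "unknown", [], []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = archive.namelist()
        if "manifest.json" in names:
            # WebExtension: permissions are declared up front.
            kind = "webextension"
            manifest = json.loads(archive.read("manifest.json"))
            permissions = manifest.get("permissions", [])
        elif "install.rdf" in names:
            # XUL/legacy add-on: no permission list, full browser access.
            kind = "xul"
        for name in names:
            body = archive.read(name)
            if name.endswith(".jar"):
                # Older add-ons pack their chrome code in a nested .jar.
                findings += audit_xpi(body, prefix + name + "!/")[2]
            elif name.endswith(CODE_SUFFIXES):
                text = body.decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    hits = NET_PATTERNS.findall(line) + URL_PATTERN.findall(line)
                    if hits:
                        findings.append((prefix + name, lineno, hits))
    return kind, permissions, findings

def build_sample_xpi():
    """Constructed sample: a XUL add-on with code inside chrome/sample.jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("content/overlay.js",
                     "var x = new XMLHttpRequest();\n"
                     "x.open('GET', 'https://updates.example.invalid/check');\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF/>")
        xpi.writestr("chrome/sample.jar", inner.getvalue())
        xpi.writestr("bootstrap.js", "function startup() {}\n")
    return outer.getvalue()

if __name__ == "__main__":
    kind, perms, findings = audit_xpi(build_sample_xpi())
    print(kind, perms)
    for path, lineno, hits in findings:
        print(f"{path}:{lineno}: {hits}")
```

A hit only marks a line worth reading; whether the contact is justified still has to be judged from the surrounding code.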
Re: Extensions safety
I see. Then could you explain another couple of things to me?
What does this XUL stand for?
And if this kind of extension has access to all browser functions, as you say, then I assume that an extension can view all my data like the content of pages I'm browsing and my bookmarks and search queries via the search field. Is this correct?
When checking for malicious affections do you check that the code doesn't send any user data like the afore-mentioned one anywhere?
And one more thing. Do you perform these extension checks only when one is first submitted or when it is updated too?
Re: Extensions safety
Hello there!
The link is fine, but I'd like to read the answer to the rest of the question.
Re: Extensions safety
VPupkin wrote: And if this kind of extension has access to all browser functions, as you say, then I assume that an extension can view all my data like the content of pages I'm browsing and my bookmarks and search queries via the search field. Is this correct?
You are correct.
Re: Extensions safety
VPupkin wrote: And if this kind of extension has access to all browser functions, as you say, then I assume that an extension can view all my data like the content of pages I'm browsing and my bookmarks and search queries via the search field. Is this correct?
This is correct.
VPupkin wrote: When checking for malicious affections do you check that the code doesn't send any user data like the afore-mentioned one anywhere?
If it's malicious, then yes. Some extensions do rely on web services though, so not all extensions can run purely offline, per se.
Take for instance Greasemonkey. It queries the update URL specified in the script to see if there's an update (if present). Do we ultimately know what happens when we reach that server? No. It serves us a script and that's all anyone cares about. Would we reject Greasemonkey on the basis that it communicates with a server on the Internet somewhere in the background? Definitely not, but only because we know WHY it's doing that. If some extension did a job, while ALSO contacting some server (for no immediate benefit to the extension), then we'd certainly question it.
VPupkin wrote: And one more thing. Do you perform these extension checks only when one is first submitted or when it is updated too?
We only review the initial submission. If there is an issue with later updates, following any reports (by users) of there being issues we can certainly look into it and possibly remove the offending extension until it is fixed.