New Mozilla Feature Blocks Risky Add-Ons on Specific Websites to Safeguard User Security
10.7.23 Security The Hacker News
Mozilla has announced that some add-ons may be blocked from running on certain sites as part of a new feature called Quarantined Domains.
"We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns," the company said in its Release Notes for Firefox 115.0 released last week.
The company said the openness afforded by the add-on ecosystem could be exploited by malicious actors to their advantage.
"This feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered," Mozilla said in a separate support document.
Users are expected to have more control over the setting for each add-on, starting with Firefox version 116. That said, the feature can be disabled by loading "about:config" in the address bar and setting "extensions.quarantinedDomains.enabled" to false.
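For administrators who want to confirm that the protection has not been switched off on managed machines, the following added example (not from Mozilla or the original article) reads a profile's prefs.js and user.js and reports the state of the preference named above. The function names and sample data are constructed for illustration, and the script assumes an unset preference means the feature is on, as the article's wording implies.

```python
import re
from pathlib import Path

PREF = "extensions.quarantinedDomains.enabled"  # pref name quoted in the article
# prefs.js and user.js hold one setting per line: user_pref("name", value);
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last value written for `name`, or None if it is not set."""
    value = None
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == name:
            value = {"true": True, "false": False}.get(m.group(2), m.group(2))
    return value

def quarantine_state(prefs_text, user_js_text=""):
    """Return (state, source). user.js is re-applied at startup, so it wins."""
    for source, text in (("user.js", user_js_text), ("prefs.js", prefs_text)):
        value = read_pref(text)
        if value is True:
            return "enabled", source
        if value is False:
            return "disabled", source
        if value is not None:
            return "invalid", source  # non-boolean value: flag for review
    # Assumption: an unset pref means the feature is on (see lead-in).
    return "enabled", "default"

def audit_profiles(profiles_root):
    """Map each profile directory under `profiles_root` to its state."""
    report = {}
    for prefs in sorted(Path(profiles_root).glob("*/prefs.js")):
        user_js = prefs.with_name("user.js")
        extra = user_js.read_text(errors="replace") if user_js.exists() else ""
        report[prefs.parent.name] = quarantine_state(
            prefs.read_text(errors="replace"), extra)
    return report

# Constructed sample: a profile where the feature was turned off by hand.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("extensions.quarantinedDomains.enabled", false);
'''

if __name__ == "__main__":
    print(quarantine_state(SAMPLE_PREFS))
```

Pass `audit_profiles` the directory that contains the Firefox profile folders; any profile reported as "disabled" or "invalid" is one where extensions are no longer restricted on quarantined domains.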
The development adds to Mozilla's existing capability to remotely disable individual extensions that pose a risk to user privacy and security.
It's worth noting that, in the current implementation, the warning appears in the Extensions popup rather than on the Extensions icon. As a result, the alerts are not displayed if an add-on is pinned to the toolbar.
"It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup!," security researcher and add-on developer Jeff Johnson noted.
"Consequently, the quarantined domains warning no longer appears in the Extensions popup either. In fact, there's no longer an Extensions popup: clicking the Extensions toolbar icon simply opens the about:addons page, which doesn't show the quarantined domains warning anywhere."
"This is a terrible user interface design for the new so-called 'security' feature, silently disabling extensions while hiding the warning from the user," Johnson added.
Mozilla has said that it intends to improve the user experience in future releases, although it did not give a definitive timeline.
The change also comes as Mozilla decried a browser-based website blocking proposal put forth by France that would require browser vendors to establish mechanisms to mandatorily block websites present on a government-provided list to tackle online fraud.
"Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments that will easily negate the existence of censorship circumvention tools," the company said.