Mozilla has warned about the tightening of plugin catalog rules for Firefox (Mozilla AMO) to counteract the placement of malicious plugins.
As of June 10, 2019, it will be forbidden to place in the catalog plugins that use obfuscation methods, that is, plugins that hide their code using techniques such as packing it into Base64 blocks or similar methods.
Mozilla recommends that developers who use code obfuscation or minification techniques release a new version before June 10 that complies with the updated AMO rules and includes the complete source code for all components.
After June 10, problematic plugins will be blocked in the catalog, and instances already installed will be disabled on users' systems by distributing the blacklist.
In addition, the practice of blocking add-ons already installed on users' systems that contain critical vulnerabilities, violate privacy, or take actions without user consent or control will continue.
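To make the obfuscation rule concrete, here is an added example (not Mozilla's or AMO's own review tooling) of a reviewer-side heuristic that flags Base64-packed code and decode-then-execute patterns in an add-on's JavaScript; the length thresholds, the pattern list and the two sample files are assumptions constructed for this example.

```python
import base64
import binascii
import re
from typing import List

# Heuristics (assumed thresholds, not AMO's actual rules): a long Base64 run
# that decodes to script, a decode-then-execute call, or a long fromCharCode list.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
DECODE_EVAL = re.compile(
    r"\b(?:eval|Function|setTimeout)\s*\(\s*(?:atob|unescape|decodeURIComponent)\s*\(")
CHARCODE_RUN = re.compile(r"String\.fromCharCode\((?:\s*\d+\s*,){20,}")
JS_MARKERS = ("function", "var ", "let ", "const ", "=>", "document.", "browser.")


def _decodes_to_script(blob: str) -> bool:
    """True if a Base64 blob decodes to text that looks like JavaScript."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return any(marker in text for marker in JS_MARKERS)


def scan_source(src: str) -> List[str]:
    """Return human-readable findings for one add-on JavaScript file."""
    findings = []
    for m in BASE64_RUN.finditer(src):
        blob = m.group(0)
        if _decodes_to_script(blob):
            findings.append(f"base64 block at offset {m.start()} decodes to script ({len(blob)} chars)")
    if DECODE_EVAL.search(src):
        findings.append("decode-then-execute pattern (eval/Function over atob/unescape)")
    if CHARCODE_RUN.search(src):
        findings.append("long String.fromCharCode sequence")
    return findings


# Constructed samples: a readable file and one that packs its logic in Base64.
CLEAN_SAMPLE = "browser.tabs.query({}).then(function (tabs) {\n  document.title = tabs.length;\n});\n"
_PAYLOAD = "function run(){ browser.tabs.query({}).then(function(t){ document.title = t.length; }); } run();"
PACKED_SAMPLE = 'const p = "' + base64.b64encode(_PAYLOAD.encode()).decode() + '"; eval(atob(p));\n'

if __name__ == "__main__":
    for name, src in (("clean.js", CLEAN_SAMPLE), ("packed.js", PACKED_SAMPLE)):
        print(name, scan_source(src) or ["no findings"])
```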
Mozilla will take action against those who do not follow the rules
In general, developers are free to maintain their plugins in the form they choose.
However, to maintain adequate data security and review the code effectively, Mozilla imposes certain technical requirements that all plugins must meet:
- Plugins should request only the permissions necessary for their function.
- Plugins must be self-contained and must not load remote code for execution.
- Plugins must use encrypted channels to send sensitive user data.
- Plugins should avoid including duplicate or unnecessary files.
- Add-on code should be written in a way that is reviewable and understandable. Reviewers may ask you to refactor parts of the code if it is not reviewable.
- Add-ons should not adversely affect the performance or stability of Firefox.
- Only release versions of third-party libraries and/or frameworks may be bundled with a plugin. Modifications to these libraries/frameworks are not allowed.
Depending on the nature of the policy violation, Mozilla will use different types of blocks.
With a "hard block", the plugin is disabled in Firefox and users cannot bypass the block. This action is reserved for plugins with the following characteristics:
- They appear to be intentionally violating the policies.
- They contain critical security vulnerabilities.
- They compromise the privacy of users.
- They severely circumvent user consent or control.
A "soft block" will disable a plugin by default but allow the user to override it and continue using it. This block is used for add-ons with the following characteristics:
- They cause serious stability and performance problems in Firefox.
- They contain non-critical policy violations.
Plugins that appear to be clones, repeats, or close copies of already blocked plugins will also be removed.
If a problem affects only a subset of versions, the block can be applied specifically to the affected versions. Plugins that contain hidden or unreadable code will also be blocked.
“When we decide to block a plugin, we can contact the developer if we think the problem can be solved.
As user safety may be at stake, we ask developers to respond within three days. If a response is not received within this timeframe or if the developer cannot resolve the issue, we can proceed with the lockdown.”
“More generally, we will not contact developers before blocking if the plugin turns out to be intentionally violating our policies or if the violation is serious enough.”
Mozilla said that the strategy was designed to help it better handle malicious extensions:
“When we decide to block an add-on in Firefox, we ask ourselves whether the risk is such that it exceeds the user's choice to install the software, the utility it provides, as well as the freedom of the developer to distribute and control their software. If we find ourselves in a situation where we cannot make a clear decision, we will seek security to protect the user.”