An extension is software developed by a third party that modifies how you experience the web in Firefox. Since they work by tapping into the inner workings of Firefox, but are not built by Mozilla, it’s good practice to understand the permissions they ask for and how to make decisions about what to install. While rare, a malicious extension can do things like steal your data or track your browsing across the web without you realizing it.
We have been taking steps to reduce the risk of extensions, the most significant of which was moving to a WebExtensions architecture with the release of Firefox 57 last fall. The new APIs limit an extension’s ability to access certain parts of the browser and the information they process. We also have a variety of security measures in place, such as a review process that is designed to make it difficult for malicious developers to publish extensions. Nevertheless, these systems cannot guarantee that extensions will be 100% safe.
Here’s where you come in
We want to make it easier for you to make informed decisions about the extensions you install, by providing transparency about what individual extensions can do. Since transitioning to the WebExtensions API, we have been displaying a permissions message corresponding to the extension you are installing.
Extensions have always had access to this type of information, but by showing you what the permissions are (and telling you what they mean), we hope to help you become more savvy about choosing safe extensions.
How about the scary-sounding one?
There is one permission in particular, “Access your data for all websites”, that we’ve gotten many questions about since the feature launched. It is worded this way because a web page can contain virtually anything, and some extensions need to read everything on it in order to perform an action based on what the page contains.
For example, an ad blocker needs to read all web page content to identify and remove ad code. A password manager needs to detect and write to username and password fields. A shopping extension might need to read details of the products you’re searching for.
Since these types of extensions wouldn’t know whether any particular web page contains the bit they need to modify until it’s loaded, and neither does Firefox, they need access to everything on a page so they can look for and modify the appropriate parts. This means that in theory, while rare, a malicious developer could tell you their extension does one thing while it actually does something else.
How do I stay safe?
While there is an element of risk to installing any third-party software, there are a few simple best practices you can follow to reduce it. Is the extension made by a reputable developer? Are the user ratings high? Are the permission requests consistent with the features of the extension?
We’ve compiled a short checklist of questions to consider in our support forum. These best practices can help you evaluate any potential software you install, and feel safer and better informed wherever you are on the web.
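One way to check whether permission requests are consistent with an extension's features is to read its manifest.json and see which entries grant access to every site. The script below is an added example, not Mozilla's code: both manifests are constructed samples, and it assumes that `<all_urls>` or a match pattern whose host is a bare `*` is what counts as all-site access.

```javascript
// Added example. Both manifests below are constructed samples.
const SAMPLE_BROAD = {
  name: "Price Helper (hypothetical)",
  permissions: ["storage", "https://shop.example/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const SAMPLE_NARROW = {
  name: "Shop Notes (hypothetical)",
  permissions: ["storage", "https://shop.example/*"],
};

// Returns the host part of a match pattern, or null if the entry is an
// API permission name such as "storage" or "tabs".
function hostOf(entry) {
  if (entry === "<all_urls>") return "*";
  const m = /^[a-z*]+:\/\/([^/]*)\//.exec(entry);
  return m ? m[1] : null;
}

function auditManifest(manifest) {
  const found = [];
  // Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
  for (const key of ["permissions", "host_permissions"]) {
    for (const entry of manifest[key] || []) {
      const host = typeof entry === "string" ? hostOf(entry) : null;
      if (host !== null) found.push({ from: key, pattern: entry, host });
    }
  }
  // Content scripts run in every page that matches their patterns.
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const pattern of script.matches || []) {
      const host = hostOf(pattern);
      if (host !== null) found.push({ from: `content_scripts[${i}].matches`, pattern, host });
    }
  });
  // A bare "*" host means every site.
  const allSites = found.filter((f) => f.host === "*");
  const limitedHosts = [...new Set(found.filter((f) => f.host !== "*").map((f) => f.host))];
  return { allSites, limitedHosts };
}

for (const m of [SAMPLE_BROAD, SAMPLE_NARROW]) {
  const { allSites, limitedHosts } = auditManifest(m);
  console.log(m.name);
  console.log("  all-site access via:", allSites.map((f) => `${f.from} -> ${f.pattern}`));
  console.log("  specific hosts:", limitedHosts);
}
```

In the first sample the all-site access comes from the content script rather than the permissions list, which is why both places need to be read.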