I'm curious to know what the in-the-wild breakage rate for FF's blocking feature is. I use Ghostery myself and I find that maybe 1 in 100 are broken. I feel like that could be 1 in 1000 if blockers implemented a Google Analytics stub -- by far the most commonly required script for things to work.
I've run into the Google Analytics issue multiple times. It may be just because usage is so prevalent, so it's more visible, but it's bad when your website breaks because a third party script doesn't load.
In the situations I've seen, the issue was using GA without first checking it loaded correctly. Defensively coding third party requests, let alone all requests, should be second nature.
It raises two questions for me:
1. Is there some code out there being copied everywhere which assumes GA will always load?
2. How do I make sure this is never an issue in my projects?
I don't think (1) is an actual problem, and I don't know of any options for (2).
Bandwidth throttling doesn't directly help, although it may make it obvious which third-party scripts block the render of the page (which often seems related).
Ideally you would have good test coverage on the loaded page, and then randomly block requests to see what breaks. Mark resources as either hard or soft dependencies, make sure soft dependencies never break the page/functionality of the app, and make sure loss of a hard dependency degrades nicely.
Edit: I should also add, my most memorable run-in with this bug was with a very well known application, and they were very quick to fix it once reported. I was surprised none of the internal devs had run into the problem, as I assumed most would run a blocker, but it may have been an early access release...
As a user, I would tend to agree; but as a developer, thinking about "what if the browser decides to kill this one script request but run the rest of the scripts?" is the last thing on my mind. I don't know, maybe I'm a lazy dev[0], but when you consider it's essentially the browser's selective compliance to the standards, how far down that rabbit hole do you want to go?
Now, you could argue that requests can legitimately fail at any time, and it's best to handle it. OK, as a lazy/efficient dev willing to entertain that, I'll design my page to put up a modal alert saying "There was an error loading this page. Click OK to refresh." if anything fails to load. Now my error-handling job is done, but privacy-conscious users will still be mad at me, demanding that I gracefully degrade for every combination of request-blocking (or in GP's case, request-tampering!) they can dream up.
Again, I'm sympathetic as a user, and I've even experienced broken pages due to Ghostery, but as a developer it's hard to blame them.
[0] And AFAIK have no hard dependencies on third-party scripts like GA.
This is why I think the concept of soft and hard dependencies is useful.
As a dev, it's nice that I can track what my users are doing with GA, but I would rather my users be able to use my application. This is definitely a 'soft' dependency because I do not have a hard requirement to use its functionality. If a critical piece of my application (a 'hard' dependency) fails to load then that is a bigger problem.
I don't think we have to degrade gracefully for every possible failure, but failing to render anything is a really bad failure mode. Your lazy/efficient dev is actually just providing a good user experience; if something bad has gone wrong, let the user know so they can refresh etc.
The thing about third-party scripts is that you have no control over them at all. By their nature, you can't even bundle them (that is a workaround for some options though)!
If your users are deploying your web-app behind the firewall, and outbound requests are blocked, if you don't handle these requests failing then the entire app becomes unusable regardless of if they use ad blocking or not.
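Added example, not part of the thread and not any poster's code: the "block each request and see what breaks" check described above, run against a naive page and a defensive one. All names (`softCall`, `gaStub`, `blockEach`, the dependency manifest) are hypothetical, and the sketch assumes an analytics.js-style `ga()` whose `hitCallback` field the page waits on before navigating.

```javascript
// Wrap a third-party global so application code never calls it directly.
// If the script was blocked (global missing) or throws, the stub runs instead.
function softCall(scope, name, stub) {
  return function (...args) {
    const real = scope[name];
    if (typeof real !== 'function') return stub(...args);
    try {
      return real.apply(scope, args);
    } catch (err) {
      return stub(...args);
    }
  };
}

// Stub for ga(): drops the hit but still fires hitCallback, so code that
// waits on it (here: outbound-link navigation) keeps working.
function gaStub(...args) {
  const fields = args[args.length - 1];
  if (fields && typeof fields.hitCallback === 'function') fields.hitCallback();
}

// Guard so a callback cannot run twice (real call threw, then stub ran).
function once(fn) {
  let done = false;
  return () => { if (!done) { done = true; fn(); } };
}

// Constructed manifest: each entry stands in for one <script> request.
const DEPENDENCIES = [
  { name: 'ga', kind: 'soft',
    install(scope) {
      scope.hits = 0;
      scope.ga = (...args) => { scope.hits += 1; gaStub(...args); };
    } },
  { name: 'renderApp', kind: 'hard',
    install(scope) { scope.renderApp = () => 'rendered'; } },
];

const ERROR_NOTICE = 'There was an error loading this page. Click OK to refresh.';

// Naive page: assumes every script loaded.
function naivePage(scope) {
  const state = { rendered: false, navigatedTo: null, notice: null };
  scope.renderApp();
  state.rendered = true;
  scope.ga('send', 'event', 'outbound', 'click', {
    hitCallback: () => { state.navigatedTo = '/next'; },
  });
  return state;
}

// Defensive page: hard dependency checked up front, soft one wrapped.
function defensivePage(scope) {
  const state = { rendered: false, navigatedTo: null, notice: null };
  if (typeof scope.renderApp !== 'function') {
    state.notice = ERROR_NOTICE; // degrade with a message, not a blank page
    return state;
  }
  scope.renderApp();
  state.rendered = true;
  const ga = softCall(scope, 'ga', gaStub);
  ga('send', 'event', 'outbound', 'click', {
    hitCallback: once(() => { state.navigatedTo = '/next'; }),
  });
  return state;
}

// Load the page once with nothing blocked, then once per blocked dependency.
function blockEach(deps, page) {
  const report = {};
  for (const blocked of [null, ...deps.map((d) => d.name)]) {
    const scope = {};
    for (const dep of deps) if (dep.name !== blocked) dep.install(scope);
    const key = blocked || 'none';
    try {
      const state = page(scope);
      report[key] = state.rendered && state.navigatedTo ? 'ok'
        : state.notice ? 'degraded' : 'broken';
    } catch (err) {
      report[key] = 'broken';
    }
  }
  return report;
}

// Rule from the thread: losing a soft dependency must leave the page 'ok';
// losing a hard one may degrade but must not break.
function violations(deps, report) {
  return deps
    .filter((d) => (d.kind === 'soft'
      ? report[d.name] !== 'ok'
      : report[d.name] === 'broken'))
    .map((d) => d.name);
}

console.log('naive    ', blockEach(DEPENDENCIES, naivePage));
console.log('defensive', blockEach(DEPENDENCIES, defensivePage));
```

In a real test suite the same loop would run in a browser harness with the listed URLs actually blocked; the in-memory `scope` object here only stands in for `window`.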
Yeah, I got a little carried away ranting. It's probably reasonable to make sure your page works if GA doesn't load. There may be other third-party scripts that the developer views as essential but the user doesn't.
I found this searching for "google analytics stub": http://ejohn.org/blog/fixing-google-analytics-for-ghostery/ . Supposedly Ghostery was already stubbing it in 2013. They might be missing some stubs for certain scripts though, because I've had something break 6-8 weeks ago, and it worked when I disabled Ghostery and refreshed.
I'm running tracking protection since an intern wrote it and ran into an issue a single time, so that's over 2 years of daily browsing for me.
uBlock Origin, which I also use atm (and before that other things), rarely breaks stuff I visit either.
Ghostery and friends tend to break stuff more often.
I truly appreciate how much time and effort Mozilla puts into Firefox privacy. I do wish however that some more effort was spent on stability and performance. It seems like every day I hear coworkers growling that Firefox has crashed on them and while I'm sure that plugins are a huge part of this it's not exactly easy for the end user to pinpoint where the issue is occurring.
It works great for me; my OS crashes much more often (and that's rarely); I'm a heavy user with dozens of extensions installed and often 50-100 or more tabs open.
But yours and my general anecdotal experiences aren't useful. There are hundreds of millions of Firefox users; we [EDIT: i.e., you and I] could have great or horrible experiences and they would indicate nothing. Perhaps if we could point to specific bugs our posts would be substantive, though still probably not of much consequence. We need data.
We spend plenty of effort on both stability and performance. "Improved performance by x% in this particular situation that you may or may not experience!" just isn't something you can wrap up neatly into a high-level blog post like you can with a new feature, so you may not get an accurate picture of where development effort is going based just on reading the official blog and release notes.
For instance, somebody just landed a pretty tricky bit of code to fix a severe incremental GC performance fault he'd been experiencing with a lot of tabs open (disclaimer: I reviewed the patch): https://bugzilla.mozilla.org/show_bug.cgi?id=1214961
Weird. Never had a problem my side. One crash a month, tops (heavy usage).
I moved to Firefox a while back in futile protest at the big G ... but I've come to truly appreciate it.
It's the much better browser. Not sure where Chrome is nowadays but I remember it looked clean, and was like lightning at the beginning. Crapware now (or when I left it).
Electrolysis ("e10s") has been enabled by default on the Nightly and Developer Edition* channels, if you'd like to help test it.
* Although we're currently running an A/B test to measure performance differences with e10s enabled and disabled, so you might fall into the disabled cohort when you run Dev Edition. This experiment is scheduled to end in a few days.
The last time I tried Electrolysis I had issues with plugins. Some of the plugins are fairly essential to me (e.g. NoScript, HTTPS Everywhere) so I wasn't able to use it as a daily driver. The fault for that may rest at the plugin developers, but I wonder if it has been resolved?
It's still imperfect; expect some breakage, depending on your addons. I myself faced problems in HighlightAll (fixed in recently-released 1.8), and VimFx (still broken, which leads me to disable e10s for now).
Nit: you mean (js-based) addons/extensions, not (binary) plugins.
I wonder about Mozilla's strategies for two key challenges:
1) The greatest challenge for Tracking Protection seems to me to be not technical, but strategic: How do you protect users from tracking without creating a backlash from the tracking industry and their customers (the whole Internet economy built on tracking) that will make the outcome worse or no better, and after an expensive battle. As an extreme example, if the next release of Firefox cut off tracking for all its users then I think there would be a war, including possibly lawsuits and an arms race between trackers and tracking protection. The users would be no better off (or worse off) and it would consume Mozilla's resources.
2) How do they plan to protect the great majority of users who lack the knowledge and skill to understand tracking protection? Remember that most users barely know they are being tracked, much less what that means or how it's done. Many users I deal with don't know the URL field from the search box on their home page; they don't understand what a web browser, web page, or remote server are, much less their components, requests, JavaScript, etc. They lack even the framework to begin understanding tracking. Most other end users I know would be overwhelmed by the concept and extra hassle to load a page. Also, how will most users understand why the webpage is malfunctioning, of all the possible reasons, and what to do about it? Maybe they'll think Firefox is simply broken. Maybe this is why Tracking Protection is available only in Private Browsing right now, and hidden behind a small, somewhat obscure icon (if I understand correctly); maybe that's a way of limiting it to more technically skilled users. Providing tracking protection to technical users has been done, via Ghostery, Disconnect, etc. I'd like to see it become available to everyone else. (That's not a criticism of Mozilla - this is a great, precedent-setting step forward, establishing that major browser vendors might block tracking and act in user interests over industry's, and hopefully creating some competition in that area.)
Maybe the first step is to raise awareness of tracking and the idea that users benefit from and should have the option for privacy, which can be done by simply telling users about Tracking Protection when they open Firefox after the update, whether or not they actually use it.
"How do you protect users from tracking without creating a backlash from the tracking industry and their customers?"
I don't see this as a concern for Mozilla. Google/Apple/Microsoft and their respective browsers sure, but the point of Firefox is to provide a browser whose goals align with the user. The industry's goals here have never aligned with users and it's about time (many, many years too late) that a major browser vendor ships this as part of the browser rather than an addon.
I agree about Mozilla's principles, but my point is that if there is a backlash they will have done something that is good in principle but which doesn't actually make the situation better for users. They'll end up with just as much tracking (but using different tech), more broken websites, etc.
This is a fair question as, correct me if I'm wrong, but they still make a significant chunk of revenue from the search partner programs. If they were to cause a significant impact in that trackability, I imagine those negotiations would be a lot less favorable for Mozilla.
Hurting alternative revenue streams for somebody you're negotiating with can help to increase the leverage you hold.
For example, if you're trying to sell tickets to your ski resort, it wouldn't necessarily hurt your bargaining position to burn down gyms, bicycle shops, and other places that command your prospective customers' time and money.
Both of those challenges are a big factor in why it's only turned on in private browsing mode. Just shipping it even in this limited form is a big deal.
Nicholas - Yes, it's definitely a big deal. And I can only imagine the potential costs of supporting users and keeping it updated! Thank you to all of Mozilla and especially the team that put this together.
This is the first time I've had to downgrade after upgrading. For avid users of Tree Style Tab I can report that it is completely unusable in Firefox 42.
A new version (0.15.20150902901) of TreeStyleTabs has been released that works with Firefox 42, but it will not automatically update so you need to install it from [1]. See also [2].
Between firing the CEO over someone making noise in social media and planning to make Tree Style Tabs etc impossible by breaking the API and not replacing it with a usable one I'm, if not out, at least looking for good alternatives.
Edit: the sad thing being that I have been a Firefox user since the first time I got my hands on it and never looked back after the two first addon competitions where brilliant stuff like Scrapbook was created. Basically it is another league than any other browsers addons for now.
So if someone starts following me on the street and gets close enough to put their hand in one of my pockets and just continues on that way every morning I leave my house, for weeks or longer, I don't say, "Hey stranger, I'd like to make an argument why you should afford me some privacy tomorrow." I'd likely say, "Wtf person, you're being the kind of weird that gets the police called on people. Step back. Or better yet, go away to somewhere that I can't see you." But hey, this is the Internet, so let's just all stop thinking as though this all has anything to do with real life.
Seems like "Tracking protection" should be the default, not an opt-in. Like disabling "beacon.enabled" by default, for instance.
If you're using a general purpose blocker (uBlock, uMatrix, PoliceMan, AdBlock, etc, even NoScript), it makes sense to actually disable the internal blocker (less hooks/rules to parse), as FF's list is not even remotely comparable to what you get by subscribing to a couple of community-maintained ones, plus there's no convenient way to tweak the rules (something that other addons excel at).
FF internal tracking protection is somewhat nice for the casual user, and it's going to stir some extra polemics about content blocking (which I consider a positive thing), but it's nowhere as effective as the others. I fear it's also going to be circumvented more quickly, promoting more inline JS, supercookies and fingerprinting techniques.
Overall, it's not something that I would have included in FF from a purely pragmatical perspective. It's just opening Mozilla to direct liability, while not providing anything for the privacy conscious person.
> It's just opening Mozilla to direct liability, while not providing anything for the privacy conscious person.
I would guess that there are many people who use Private Browsing mode that don't understand or use security addons. This change may not help many Hacker News users, almost all of whom do understand and can easily use the addons, but we are only a tiny fraction of the Internet.
Note that you should be using Tor Browser instead unless you specifically want the 3rd party sites to see your real IP address, or need to use a browser that is more compatible with standard browsers.
Firefox, as of this update, is completely unstable on Mountain Lion. I have two notebooks running Mountain Lion, and both have the same issues. Opening new tabs results in this weird bug where the current page is changed to the about:blank page, sort of, and the new tab doesn't actually appear. I've used Firefox since 2.1, and this organization is now falling apart, in terms of producing a functioning product. How is it possible to make a worse browser in 2015 than they made in 2007 or so?
A "more private browsing experience" that still features the Pocket bundleware and button in the toolbar that's still not un-installable like other extensions and requires about:config edits to disable..
Awesome! This was the only way forward for a user-centric web browser like Firefox. Glad to see that they have listened to user feedback (and uproar) and backed down.
Sort of hoping other similar things like Hello do that too. That's how I'd like Firefox to be, as a user. Would be even better if default off at install ;-) (albeit I'd probably enable Hello, it's just nice to not be forced-in for such features)
I was bouncing between firefox and chrome, using them both more-or-less equally. The day the "hello" thing appeared, I uninstalled firefox. Too many useless and annoying things being added to firefox as core components where they do not belong. The fact that anybody can pay Mozilla to have their crappy addon forced onto all users is a problem.
In theory, you can examine it, sure. But I fear that in practice, it's so complicated and large, it's unlikely there are many humans who can really tell about themselves that they really know how the thing works. A certain part - sure, given enough time to read and learn. A whole thing - quite unlikely.
You don't have to understand it in this case, you just have to make sure that code path isn't invoked by anything other than clicking the button. This can be pretty easily verified.
Not really easily in general sense, given that it's JS and not, say, Haskell or BitC.
But true enough, you can spend some time and check that it's unlikely to be executed, unless there's some hidden malicious obfuscated code sneaked under the hood. And discovery of such code would be a giant scandal, so it's unlikely there'd be some - it just won't be worth it. Anyway, such analysis would take some time and skill. It's not really possible to just open Firefox source code and immediately understand what's going on. And I was commenting on the general nature of Firefox, not this particular button.
To be precise, though, static analysis can only confirm that there are no obvious direct references to the specific code parts outside of certain areas. Given that in a language like JS such references are surely not the only way how execution can get there, the task is not really trivial.
> And I was commenting on the general nature of Firefox, not this particular button.
Then we have no argument there. I thought you were commenting on the general nature of the Pocket feature, which is also probably complicated given it's its own separate thing, and my reply was just echoing that you only need to understand and audit the layer that talks to the black box. In this case, a button response handler.
I found https://hg.mozilla.org/mozilla-central/file/tip/browser/comp... within 5 minutes of looking. It's very readable, I spent another 5-10 minutes reading it. This is the first time in memory I've looked at Firefox's code, so I didn't even know where to find it, though I'm sure I've browsed bits of the codebase before for some reason. I first browsed to their files, went to 'browser', and since we're talking about the button I thought 'components' was a good next choice, and hey, a pocket directory. Lucky? Maybe. Reading through the component tells me the initial claim of nothing important happening until you click the button seems accurate, except that functions are exposed publicly so other bits of Firefox could probably get at them without user interaction, and when you do click on it (L165) it'll prompt you to sign up at about:pocket-signup before doing anything. If I wanted to get rid of this, googling seems to say you can override default components with some extra effort. I build Firefox from source (Gentoo) so it would be simpler to just add a patch to the build process that removes the whole directory and deletes the dir line from moz.build.
This is just static human analysis, it didn't take much time or skill. But static analysis isn't the only thing you can do, as I initially said "verify". Active verification by monitoring and alerting works great, and if you can do rebuilds like you can with Firefox then you have even greater control. If I were particularly concerned about something happening without my knowledge (with or without the button) I'd use what I learned from reading the code to monitor my network for outreaches to pocket's website. Of course I can't be fully certain some other code doesn't send all my visited sites to some other IP (or maybe an IRC server) that is then harvested by pocket asynchronously... But as you say, it's very unlikely for such malicious and underhanded code to be there.
Stick a printf/file write/breakpoint at the root of the code path if you want continuous verification that the code path never executes except by clicking the button. This isn't hard.
The "Hello" button automatically came back to the toolbar (I had removed it) after the Firefox 42 upgrade. Thought that it could be accidental and checked on a different machine, the same thing happened.
Funny how decisions which financially benefit the developer have a way of "accidentally" being activated by default. The automatic downloading of the Windows 10 update. Or these bundled Telefonica extensions in Firefox.
It compromises Mozilla's claims that they still put users' interests first. Furthermore, they insist that these promoted tiles are something that people want, whereby it is absolutely bloody obvious that nobody, except for Mozilla, wants this junk. These tiles basically show that Mozilla can act against users' interests and in a blatantly disingenuous manner. This in turn makes you question the rest of their efforts that are branded as pro-user.
Ads on the web want to track that you saw it, clicked on it, on which website you saw it, when, with which browser, which OS, which was the previous page you visited, what site you are used to browsing, what you purchased, where you live, what is your sexual preference, ... and nowadays they can and they do :/
There are many sites that I like and would happily unblock their ads to support them, but I often don't because they use ad systems that want to spy on me.
The main problem with ads on the web is not that they are annoying (like on TV for example), it is that they are spying on you.
As far as I know, that's not really severe. They only collect stats how much those "directory tiles" are clicked, pinned or removed. Maybe I'm unaware, though.
There are other concerns, though. Did you know that when you type in sync passphrase (if you dare to use sync, of course) - the one that Mozilla is supposed to never have any access to - you're actually fetching a piece of HTML+JS from Mozilla's servers and letting that code process it? That's a privacy/security concern that really bothers me.
> They only collect stats how much those "directory tiles" are clicked, pinned or removed. Maybe I'm unaware, though.
No personally identifiable data leaves your machine, AFAIK. It's actually an innovative way to provide advertising, necessary to fund many things today, while maintaining privacy. Unfortunately there is a lot of misinformation about it and knee-jerk responses to any advertising.
So, as I get it (I haven't read code for this part of Firefox) it sends some counters about how tiles perform. The data is weakly personally identifiable - in a sense that sender's IP address is logged.
Whatever, I disabled those tiles because I just didn't fancy the selection - but it doesn't bother me (personally, other opinions may vary) if browser would eventually ping Mozilla back telling that I had clicked few tiles.
To deliver content, Firefox downloads all possible Tiles for your location and/or language and determines for itself what to display. Data is only collected to report on the performance of Tiles in Firefox. No data is collected to deliver the New Tab experience.
To report on the performance of these Tiles, Firefox reports back to Mozilla:
* Geo/Locale
* How many times a Tile is:
-- Displayed
-- Pinned
-- Clicked on
-- Blocked
The data is stored on a restricted access server for a maximum of 7 days, and then the IP address (the only data that would associate the Tile with an individual) is removed.
--------------
WHERE DOES MY DATA GO/GET SHARED?
Data is transmitted directly to Mozilla and only aggregate data is stored on Mozilla servers. Mozilla is sharing aggregate numbers with partners on the number of impressions, clicks, pins, and hides their own content received. The little data that suggested sites reports goes to a restricted access server located in the USA. This data is stripped of IP addresses within 7 days, meaning that no one can be identified. We retain this data for a maximum of 13 months.
Any data that is to be shared with a partner is this aggregated data on the number of impressions, clicks, pins, and hides their own content received.
In fairness, what amounts to a hyperlink is not "bloat". I wish it wasn't there because it's a thing nobody is ever going to use in the age of Hangouts and Skype, but it's not like it impacts the rest of the browser in any way.
It only takes a tiny number of people to make a lot of noise, but I don't think it represents public opinion. Consider the Tea Party: Whether you agree with them or not (please don't answer), based on the noise they generate they might seem to be a majority, but they are a small and shrinking minority.
I wouldn't be so sure about that. There may be a relatively small number of very vocal individuals, but I think their opinions may be much more widely held than you believe they are. It's no secret that Firefox's share of the market has been dropping lately. For every individual who speaks out against the latest set of bad decisions from Mozilla, there are clearly many other users who share that disappointment, but say nothing, and instead just move from Firefox to some other browser. It's these silent former users who contribute to Firefox's decline in market share each month.
Those are all essentially infrastructure projects that (one way or another) add value to end user products that (not always, but quite often) are monetised somehow and in turn contribute or donate back, because they can. Firefox OTOH is an end user product itself, quite a different case.
Note that I'm no fan of the Pocket integration at all - to my knowledge there isn't even any sort of bundling deal or other kind of monetisation involved. I don't understand why Mozilla does this.
I don't agree with you. Firefox is an infrastructure product; it's how end users interact with actual products they care about (e.g., Facebook, Netflix, etc). Few people fire up a web browser without the intention of consuming third-party (non-Mozilla) content, just like few people boot a linux system just to watch the kernel run.
You are welcome to draw your own conclusions about the viability of constructing a modern browser engine on donated time from a handful of Facebook and Netflix engineers.
OTOH, there's the counter argument that if search engines and OS vendors are willing to pay for browsers, why should Facebook and/or Netflix spend any money? It seems to be the classic business case problem of, "well everyone else is paying for it already, and as a result we won't have much effect".
I do, of course, realise that FB and Netflix very much have an interest in the web platform, and could undoubtedly influence it more if they were willing to contribute code. That said, it's probably worthwhile to point out to those who don't know that both FB and Netflix are W3C members, and have several people who contribute heavily to specs.
With very few exceptions, open source projects (particularly infrastructure projects that add value to end-user projects) are not getting financial contributions from the companies that monetize them.
Just look at GnuPG, OpenSSH, or OpenBSD. These are projects that produce some really essential infrastructure that runs the modern web. This software has been in use at companies like Amazon, Facebook, Google, IBM, etc for decades. They have received almost no support whatsoever. Werner Koch (of GPG fame) was so broke and desperate that he considered getting a corporate job. Theo de Raadt tried to get support from any of the hardware vendors that used OpenSSH in their products. He eventually got a laptop from IBM after pestering them for a year. I doubt busybox or mksh get much in the way of support from Google or Android hardware manufacturers.
I would hazard a guess that Firefox is better-funded than most open source "infrastructure" products.
So Telefonica is just doing this because they're really nice guys and aren't trying to increase the visibility of their products? And the Mozilla Foundation took on the extra code debt only because they were 100% convinced users wanted these extensions and not because they received a sizable donation from their partner to have it installed and on the toolbar by default with no way to completely remove it unlike every other extension.
Telefonica has nothing to do with the Pocket extension, they just (as far as I know) run the rendezvous servers that support the Hello feature.
Mozilla wanted to ship a WebRTC implementation, but it's not much use having webcam and microphone input unless you can send them to other people, and in this age of NAT and firewalls, that needs a rendezvous server. Mozilla had already had fruitful business interactions with Telefonica with FirefoxOS, and a telco seems like a reasonable choice for hosting a long-uptime network service...
In exchange for donating server hosting, Telefonica gets to display their logo in the Hello UI. I don't know if they also shelled out money in addition to hosting a service, but 80% of Hello's code is Firefox platform stuff (VP8 encoding and decoding, etc.) not Telefonica stuff.
The huge problem with today's generation; they want everything and they want it now and they want it free. How dare they make money somehow because the same person complaining about the pocket and hello integration would also not pay anything for the browser.
Parsing and loading an add-on would increase startup time. If you haven't put in your Pocket credentials, it's a single "if" statement that has to be evaluated. Having Pocket installed is the common case and the one that should be optimized for.
Are you worried that data will go to Pocket even if you don't log in?
> Having Pocket installed is the common case and the one that should be optimized for.
This statement is utterly wrong. Pocket has 14,000,000 users. Firefox has between 125,000,000 and 150,000,000 users. Assuming every single Pocket user is also a Firefox user, you're now optimizing for 10% of your users. This is clearly stupid.
It's also incorrect to claim that parsing and loading an addon would increase startup time. It's already loading the Pocket button; moving that code into an addon would not affect startup time at all. What it would do is allow users to disable or remove the Pocket integration -- which of course Pocket is paying Mozilla to prevent.
Don't pretend this is a technical decision. It is a business transaction.
You can strip it from the code, it's not too hard. The issue is with the release cycle, and having to modify the code each time. I wish they would just make a build without the crapware bundled.
And I’d have to write a patchset and maintain it to get rid of it.
It’s as if my browser had a copy of Wolfenstein3D integrated.
Funny Easter egg, but just a waste of development and testing time, and a waste of storage space.
Every line of code costs time and money in testing.
And here it costs me time every few days to fix new issues that were introduced when the code changed, to update my .patch, reapply it, recompile, repackage. Every few days. All the time.
And when the regression with Gtk3.14 -> 3.18 regarding Drag-and-Drop is still not fixed, but they have time and money to implement, test and bugfix this, sorry, but then I am seriously out of options for running a stable, customizable no-bullshit browser.
It's a bug in e10s mode, which is still a beta feature that you need to enable! If you want a stable browser, WTH are you enabling opt-in, explicitly unstable features?
Okay, then which version of Firefox supports a single tab crashing without the whole browser crashing with me not having to enable e10s?
Because I have enough of Firefox Stable with just recommended settings completely hanging up or crashing every time it encounters flash or similar things.
Flash already runs in a different process, even without e10s enabled.
Dunno why your Firefox is crashing every time it encounters Flash or similar media, but I can assure you that's not a common experience. Maybe try enabling click-to-play?
I filed a bug report for that, too, and it discovered multiple gaping holes in the sandbox, which, luckily, only allowed null pointer dereferencing (so no RCE problems, but still DoS)
I can easily submit a patch to remove pocket and place about:reader more prominently.
Is it going to get accepted into Firefox? No. Just like the last 5 times people tried to do this.
What I currently do is constantly keeping my patch up to date and recompiling Firefox for my Desktop and Laptop (ARCH and Kubuntu) every night based on the current source from the latest trunk release.
But it’s not nearly worth the effort to do this when the browser could easily accept one of the many patches people have written by now to get rid of pocket as part of the system and to move it into an addon.
Same with the ad-ridden new tab page. Put that stuff into an addon and allow me to uninstall it.
Expose the EME DRM feature as plugin on the plugins page, and allow me to uninstall it (I do not know if this is yet the case, I haven’t checked).
I don’t want to have to maintain a huge patchset just to run my browser.
I already have to hack-fix bugs like the before mentioned drag-and-drop bug myself (or downgrade to Gtk3.14).
I find it hard to believe that someone with significant karma on HN doesn't understand surveillance-as-a-business-model. Just being a yet another Service As A Software Substitute[1] is bad enough, but in this case these rent-seekers are exploiting user ignorance (it's a "dark pattern"). Firefox has always been a local app, with remote features requiring the user to opt-in to an extension. The distinction between Mozilla "only providing a button" and the actual feature that loads from the remote SaaSS only exists for people that understand these technologies.
Mozilla is being especially hypocritical with the integration of these features. During their previous projects (e.g. Australis) Mozilla pushed a lot of previously-integrated features into extensions. This caused problems for a LOT of people, but I reluctantly supported it because a minimal core with most features as plugins is generally a good design. For them to turn around and integrate a plugin that baits people into using spyware is outrageous - and somewhat suspicious.
That button needs to be removed because it's an attractive nuisance[2].
>This caused problems for a LOT of people, but I reluctantly supported it because a minimal core with most features as plugins is generally a good design. For them to turn around and integrate a plugin that baits people into using spyware is outrageous - and somewhat suspicious.
Bah. It's basically a lightweight extension, and will soon get packaged as one. It's not integrated into the core, which means the main anti-bloat principles are still upheld.
And it's not like it hides the process of making an account. If you want to sync things, you need a server. Not suspicious.
Sync was useful in its original form that was encrypted entirely client-side. With the recent(-ish) changes, Sync should be considered spyware (or at least having the potential to be hijacked into spyware).
But does making this stuff uninstallable and difficult to disable really make them that much additional money? Seems like a poorly negotiated deal if that was really part of it.
That's like saying that bookmarks are disabled by default because the bookmark code does nothing until you interact with the browser, eg click the star or type in the "awesomebar".
If it's in the default UI it's not disabled, disabled means you have to take steps outside the expected workflow to enable it.
Dramatisation follows ...
"Oh, this rock I put in the middle of the floor, don't worry it's disabled; if you don't kick it or fall on it then it can't hurt you. Sure, putting it there makes you likely to trip on it; requires you to move it if you don't want to.
What's that? The company name on the side, oh that's just the company that asked us to put the rock here. Yeah, we're totally honouring our roots and keeping with minimalism aren't we!
No, no, it's not an advert - many of our users like having this rock here.
Next week we're going to scatter marbles on the floor, each one says 'drink more Koke', aren't we just being awesome.
Ha, do you remember when you had to choose for yourself which junk to clutter your office up with."
I haven't been thrilled with Mozilla's direction for a while now. Bloating Firefox by embedding Pocket and Hello into it, speeding up Firefox's release frequency just because Chrome does it that way, wasting resources on Firefox-OS, and firing an employee just for donating to a political cause.
If they are not careful, they are going to run Mozilla into the ground.
(I don't need answers directly, but perhaps a FAQ would help. ...)
1) It's good to see threads managed more aggressively; thanks. I can think of another benefit from higher quality discussions: I see a few Mozillians here and of course they aren't the only vendors to participate; perhaps more would come and be more engaged if there was less nonsense. And that would attract more people who are interested in valuable, informative interaction, which would attract more vendors, which would ... etc.
2) "marked it off-topic": What does this mean in practice?
3) While the issue with Eich is off-topic, so is the issue with Pocket and many other threads and subthreads. I don't understand the distinction, unless that the former is more inflammatory, more outdated, and more tired. Yawn.
Re #2: "marking off-topic" penalizes the subthread so it falls lower on the page. That's the purpose of detaching it as well.
Re #3: we marked that subthread off-topic because a user emailed to complain about it. Didn't see the other ones.
General note: we started doing this as an experiment and it's clear by now that it has improved thread quality, so we're probably going to write code to support it, and let the community mostly manage it, probably by generalizing the flagging mechanism.
I don't quite understand 'bloating' in this context, especially with the example of 'Hello'. My understanding is that this is really merely a link. A bookmark, if you will. To a website/service that will use WebRTC, tech that was meant to be implemented by browsers.
What do you consider bloat here? The 'Hello' button/promotion? Or the full WebRTC stack?
And how can you decide that efforts spent to build FxOS are 'wasted'?
They didn't "fire" Brendan Eich, they just acknowledged that his personal values were at odds with Mozilla's mission and overall sentiment across the organization, basically demoting him from the CEO role. Eich then resigned.
Look, I don't agree with him, I also voted against Prop 8, but it still feels that this was an infraction on his freedom of speech (as Citizens United ruling said that money = speech :).
It's not as he was CEO of LGBT organization or he was running for a public office. Mozilla is not a political organization, his opinions in this matter should make no difference whatsoever.
This move was basically infringing on rights to have his personal beliefs.
How would it look if it was the reverse? Someone pro LGBT made a contribution against prop 8 and then was told 6 years later that his personal values did not match the company's even though the company has nothing to do with LGBT and his opinion has no impact.
This move was simply discrimination. It should matter whether he is republican or democrat, christian/muslim/atheist or fire worshiper, whether he's pro guns or against. Mozilla is a technology company, neither of that should matter in what they do.
As someone who cares about politics, I would be furious if my employer told me that my personal beliefs are wrong. That infringes on my rights as a citizen and voter.
I repeatedly fail to understand this 'Freedom of Speech' notion - and certainly do here. Mozilla is a company. They certainly can pick roles based on the statements of an individual. If you apply for a job there and can't stop cursing like a madman, or if you happen to add juicy details about your personal homophobic beliefs to the interview, you might not get the job. Free speech? Doesn't matter.
Now, I do admit that I didn't like the whole 'we dug up this stuff in his past' part of the story. Nor the pitchfork wielding crowds on the net. I, personally, would've considered him misguided and stuck in the past in this regard, but I wasn't calling for (or expecting) consequences. Mozilla decided (or was pressured) to distance itself from the person and his statements. That might be correct or might be unfair, depending on your stance.
I guess I was not clear, the first amendment is not for individual companies. If a company tells me that I cannot talk about for internal technology that is used (NDA) then I better won't because no first amendment will protect me.
What I mean is that by telling me that my vote or contribution toward specific cause is not aligned with company's goals essentially forces me to vote in a specific way which does affect my freedom of speech.
If Mozilla would be an LGBT organization and I joined and was told that my contributions don't agree with company's values. Then I'm totally at fault and should look for job somewhere else if this matters to me, but company like Mozilla has no obvious political affiliations and in fact they should not have any.
> People have freedom of speech, not freedom from consequences.
This definition of a "right" is so loose as to be basically meaningless. Accordingly, I have the freedom to murder anyone, just not the freedom from its consequences. People in North Korea are free to speak whatever they want, but aren't free to remain living if the government doesn't like what they said.
If you make the other cliched argument that the first amendment only applies to government suppression of speech, that's true, but the US Constitution doesn't have a monopoly on what "freedom of expression" means. It's only a legal lower bound, and in one country.
> What I mean is that by telling me that my vote or contribution toward specific cause is not aligned with company's goals essentially forces me to vote in a specific way which does affect my freedom of speech.
They don't say that though. The problem wasn't that he did something, the problem is that what he did prevented him from performing his role as CEO. And CEO is not just another employee. They are the public face of the company. They are the leader. And I don't think you'll find anyone that would argue that when he was made CEO, there was a backlash which caused problems both internally and externally for his role as CEO.
And that's why the board and he decided he would not be able to fill the role of CEO and he stepped down. Not because of his political affiliations, but because he couldn't fulfill the role they needed him to fulfill.
If the civil rights movement has taught us anything, we know that there is a difference between legal right and moral right.
This action of Mozilla's doesn't peel back the first amendment. But it does chill the free exchange of ideas. That's what the first amendment was for. Shouldn't we be concerned when someone finds a way around the safeguards we put in place to protect free society?
The "free exchange of ideas" like "I gave money to people that think you're subhuman?" (Hardly an exaggeration either. The ads from the group Eich directly supported are still available on youtube, and are downright disgusting.)
Let's not mince words here. This was never about "speech", this was about action, and his complete unwillingness to own up to that action. For a CEO, that's a pretty big failure of leadership.
> It's not as he was CEO of LGBT organization or he was running for a public office. Mozilla is not a political organization, his opinions in this matter should make no difference whatsoever.
Mozilla is explicitly political. That's like their entire shtick: they want a more open web that respects user freedom and privacy. That's a political stance.
And Mozilla has LGBT employees. They'd like leadership that isn't going to make them feel unwelcome.
Honestly? I don't care. I just pointed out that he wasn't "fired" in any real meaning of the term. He lost control of his own troops and decided to go. That's not "getting fired" in my book.
I'm curious why people singled out Eich vs say Ed Catmull. If I understand correctly Catmull is a practicing Mormon which means he gives 10% of his gross income to a church that has been strongly anti LGBT rights. I haven't noticed a big movement trying to get him to resign from Pixar or to boycott Pixar or Disney.
Do I have my facts wrong?
Is there something that makes Eich's situation different than Catmull's?
If I understood the difference I feel like I'd be more enlightened.
1. Pixar is a private for-profit company, while Mozilla is at least in part a political nonprofit. For obvious reasons, people are more concerned about the political positions in such a case.
2. I suspect that many people would find the act of donating to a religious body, which holds a wide-ranging diversity of opinions on many subjects (not all of which an individual may agree with) as distinct from the explicit act of making a donation for one specific political aim.
You do realize that the U.S. Constitution only prohibits the _government_ from infringing on right to free speech? The Mozilla Foundation is not a governmental entity, thus they can take whatever actions they want when employee says something they don't like. Also, while there are laws prohibiting private employment discrimination based on e.g., race, sex, religion, or other protected classes of people, there are (afaik) no laws against discriminating against people on the basis of political affiliation or gun-rights beliefs. Heck, in many states it's still legal to discriminate on the basis of sexual orientation:
https://en.wikipedia.org/wiki/LGBT_employment_discrimination...
1101: No employer shall make, adopt, or enforce any rule, regulation, or policy (a) Forbidding or preventing employees from engaging or participating in politics or from becoming candidates for public office. (b) Controlling or directing, or tending to control or direct the political activities or affiliations of employees.
1102: No employer shall coerce or influence or attempt to coerce or influence his employees through or by means of threat of discharge or loss of employment to adopt or follow or refrain from adopting or following any particular course or line of political action or political activity.
etc. So in California (where Mozilla is headquartered and where Brendan lives) it is in fact illegal to fire someone for a political donation they make.
Now the actual punishment is a slap on the wrist in practice (see section 1103; it's a $5k maximum fine for the corporation if the employer is a corporation).
Thanks for the example of California. I expect there may be more. However, the main thing I wanted to point out in my post was OP's confusion, shared by many, regarding what entities are prohibited from infringing on constitutional rights. Only government (or in some cases quasi-government) entities are prohibited from infringing constitutional rights. Private entities can in most cases do whatever they want, unless a statutory law (i.e., a non-constitutional law) has been enacted prohibiting their action.
Also, I don't know much about the CA law you quote, though I wonder whether it prohibits political discrimination in the _hiring_ of employees at all. Section 1102 definitely prohibits firing based on political activity. I don't see anything that says you can't discriminate on a political basis in _hiring_. Perhaps that is in a different section. I tend to think, e.g., that the Democratic Party organization would not be forced to consider hiring Republicans equally with Democrats, not sure how that's dealt with.
> How would you feel as an out direct report to Eich?
You could try asking some of the "out" people who work at Mozilla who blogged about it at the time (they were not direct reports, but were certainly working at Mozilla) and supported him being CEO.
I'm just going by media reports and the answers the Mozilla leadership gave at the time. It was clear the pressure was on and without you stepping out voluntarily (which was the right gesture, from all points of view), something would have happened which would have damaged the project more -- in that sense, it would have been at odds with the project's aims. I expect you share the same view, or you wouldn't have stepped down in the first place.
I was just pointing out that you weren't fired and you likely would have not been fired in any case; at worst, you would have been moved to a different role; hence "demoted", since most people see the CEO as the pinnacle of a pyramid.
Would you agree that this is a fairer representation of the historical truth, from your point of view, than "Eich was fired"?
Other people are too polite to phrase their questions bluntly, I suppose.
You and Mozilla both claim you were not fired and that you chose to step down. Had there not been political pressure from a certain group, would you still have stepped down?
When people hear about your story - it sounds more like being smoked out of your own house. A group wants you ousted due to a donation they disagree with and will be disruptive, give bad PR, or straight up quit developing for Mozilla until and unless you leave. At that point it is within Mozilla's and your best interests for you to step down.
So if you stepped down for entirely unrelated reasons than the rabble rabble going on by a certain group of people - why then? I don't think I've ever seen that answered.
And if you did step down because of the rabble rabble going on - that is what so many people have a problem with. Even if you necessarily don't.
The liberal mob will have its way. But it's of course not anything like any other tyrannies and controlling mobs. It's different of course. I don't necessarily agree with his donation either, but what he does with his own money should be up to him within the realm of the legal framework. You don't just smother dissenting opinions. You are no different than that which you feel yourself superior to.
What would you consider the line to be? What if he had donated to an organization against interracial marriage? What if he had donated to a Neo-Nazi group? There are many who consider causes against same-sex marriage to be equally morally repugnant (to the first one, anyway).
The fact that my rather legitimate and rational and fundamentally American point is being down-voted kind of makes my point. To be honest, I really don't think that no matter how repugnant that I may think one or the other organization or movement may be that it be smothered, banned, or hidden, let alone controlled. Unfortunately, and this is something that many in the liberal mob don't quite comprehend about themselves, is that they are quite a bit more like the very things and people they wish to shame than not. Just because you have the power and dominance to control the issue, doesn't mean you should abuse that power to stifle other people's beliefs and freedom of speech and expression.
What is the difference between lynch-mobbing someone because they don't support {fill in your individual preferences or proclivities} and lynch-mobbing someone because they do support {fill in your individual preferences or proclivities}. There is absolutely nothing different than the perspective. Everyone should have the right to express their opinions, even if you don't like them and they are not your favorite thing (to invoke Louis CK) and then a conversation may lead to a debate and that is how better ideas come about.
The process that society is going through right now is really nothing but a hardening of positions, a "liberal" form of tyranny if you will; the overbearing imposition of a particular perspective upon others. Ironically, that is the very thing the "liberal" side claims is done by the "right/conservatives".
What the current state of civilization in the west shares is an apparent inherent stupidity and irrationality that is quite stunning. Up is right, left is forward, down is blue, billion dollar valuations for what is essentially marketing middle-ware, people maintain their own personal state surveillance dossiers on themselves. It's like the world has gone god damn ape shit mad.
Perhaps the line is somewhere beyond donating money, regardless of cause. Maybe the line is throwing bricks through windows or chasing people with a bat.
I really didn't want to get involved but your argument is specious. If I don't get my hands dirty, but I financially support organisations that do (and lots of right-wing groups are not exactly squeaky clean in that regard), it's all well and good?
So it's a position against California's at-will employment rules? I can sympathize, but it seems like a weird case to use to make that point, considering that both the board and Eich himself deny he was fired.
He worked to destroy some people's marriages. Then some people worked to get him fired. What is the difference? Which is worse? I'm not asking a rhetorical question here, I'm genuinely interested in why you think the one thing is OK and the other not?
I'm much more concerned with the next version of Firefox permanently breaking a lot of important extensions like Pentadactyl and Tree Style Tabs.[1][2][3]
Well I for one love the rapid release cycle, am glad about Firefox Hello because it is advancing the state of WebRTC and don't mind the Pocket integration because the client-side code is developed by Mozilla and doesn't consume resources unless you actually use it. And I've been a Chrome user and switched back to Firefox because I think they are doing good work lately.
I love how the page fails to provide any explanation of how it works or what it does at all. Maybe there is something in the video, but I'm not going to watch it.
"We first added Private Browsing to Firefox to give you control over your privacy locally by not saving your browser history and cookies when you close a private window. However, when you browse the Web, you can unknowingly share information about yourself with third parties that are separate from the site you’re actually visiting, even in Private Browsing mode on any browser. Until today.
Private Browsing with Tracking Protection in Firefox for Windows, Mac, Android and Linux actively blocks content like ads, analytics trackers and social share buttons that may record your behavior without your knowledge across sites."
Unfortunately they have also yet again changed things internally that break plug-ins, apparently including various popular ones used for privacy and blocking purposes. So in reality, since I don't habitually browse in Private Browsing mode, the more private browsing I've experienced with the recent Firefox updates has involved more ads and trackers than I've seen in years, followed by a lot of frustration searching for replacement extensions that actually work and then still more frustration configuring things manually that used to just work a few months ago.
I really wish Mozilla would get back to promoting the add-ons model that once made Firefox so attractive, and prioritising flexibility and stability accordingly. Some of the other features they've added directly might be useful, but the price of the constant change is too high, and in just about every case I can think of the add-ons community already had good, working solutions.
Which add-ons are you referring to? AFAIK the big 3 are AdBlock (Plus? There's so many jeez), uBlock (and Origin), and, in a distant third, Privacy Badger.
Adblock Edge was discontinued a little while back but had effectively replaced the not-fully-blocking Adblock Plus of recent months. ABE's UI integration broke in another recent FF update, but the blocking itself continued to work usefully until FF42, at which point apparently it ceased doing anything useful at all.
uBlock Origin is apparently now the blessed alternative and is OK for blocking most ads, but I immediately found a few potential tracking issues with its default lists, and its UI is awful.
Ghostery also isn't blocking various trackers effectively now, even though its UI still claims it has detected and blocked them. I can't 100% guarantee that's FF42 if Ghostery also updated its lists at almost exactly the same time, but that's when I saw things like Facebook Connect start hitting FB servers even though it's supposedly blocked.
This is almost a brand new machine, BTW, which just happened to update FF and lead to changes in the plug-ins a few days after initial set-up. There's relatively little chance of odd things going on or historical baggage distorting these results.
Bottom line: The day I bought the machine and installed FF and my usual set up add-ons, my browsing experience was fine, and then a few days later FF updated to 42, and my browsing experience immediately sucked.
> I immediately found a few potential tracking issues with its default lists
I am curious: what are these "few potential tracking issues" specifically?
Whatever default lists uBO is using, unlike with ABE (which is essentially ABP filtering engine), users have the last words in what is blocked:
- The `important` filter option can be used to override exception filters.[1]
- Dynamic filtering overrides all static filters.[2] For example, you do not need a special filter list to block Facebook everywhere, it's a matter of a few point-and-click to block it everywhere without any way for any static filter to counter it.[3]
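The precedence described in the comment above, as an added example that is not part of the thread and not uBlock Origin's code. It is a simplified model: only hostname filters of the form `||host^` are parsed, the helper names (`decide`, `parseStatic`, `parseDynamic`, `specificity`) and the sample filters are constructed, and the rule that a more specific source scope wins among dynamic rules is an assumption of the model.

```javascript
// Simplified model of filter precedence: dynamic rules first, then static
// filters where "important" blocks beat exceptions and exceptions beat blocks.

function hostMatches(hostname, pattern) {
  return pattern === '*' || hostname === pattern || hostname.endsWith('.' + pattern);
}

// Static filter subset: "||host^", optional "@@" prefix, optional "$opt,opt".
function parseStatic(line) {
  const exception = line.startsWith('@@');
  const body = exception ? line.slice(2) : line;
  const [pattern, opts = ''] = body.split('$');
  const m = /^\|\|([a-z0-9.-]+)\^$/.exec(pattern);
  if (!m) throw new Error('filter not supported by this model: ' + line);
  return {
    host: m[1],
    exception,
    important: opts.split(',').includes('important'),
    raw: line,
  };
}

// Dynamic rule: "source destination type action", action is block/allow/noop.
function parseDynamic(line) {
  const [source, dest, type, action] = line.trim().split(/\s+/);
  return { source, dest, type, action, raw: line };
}

// Model assumption: narrower source scope outranks narrower destination.
function specificity(rule) {
  const len = (s) => (s === '*' ? 0 : s.length);
  return len(rule.source) * 1000 + len(rule.dest);
}

function decide(req, staticLines, dynamicLines = []) {
  // 1. Dynamic filtering is consulted first; "noop" hands over to static filters.
  const dyn = dynamicLines
    .map(parseDynamic)
    .filter((r) => hostMatches(req.pageHost, r.source) &&
                   hostMatches(req.host, r.dest) &&
                   (r.type === '*' || r.type === req.type))
    .sort((a, b) => specificity(b) - specificity(a))[0];
  if (dyn && dyn.action !== 'noop') {
    return { action: dyn.action, by: 'dynamic: ' + dyn.raw };
  }

  // 2. Static filters: important block > exception > ordinary block.
  const hits = staticLines.map(parseStatic).filter((f) => hostMatches(req.host, f.host));
  const important = hits.find((f) => !f.exception && f.important);
  if (important) return { action: 'block', by: 'static: ' + important.raw };
  const exception = hits.find((f) => f.exception);
  if (exception) return { action: 'allow', by: 'static: ' + exception.raw };
  const block = hits.find((f) => !f.exception);
  if (block) return { action: 'block', by: 'static: ' + block.raw };
  return { action: 'allow', by: 'no match' };
}

// Constructed sample: a list blocks facebook.com, another list excepts one host.
const STATIC = ['||facebook.com^', '@@||connect.facebook.com^'];
const REQ = { pageHost: 'news.example', host: 'connect.facebook.com', type: 'script' };

console.log(decide(REQ, STATIC));                                   // exception wins
console.log(decide(REQ, [...STATIC, '||connect.facebook.com^$important']));
console.log(decide(REQ, STATIC, ['* facebook.com * block']));       // dynamic wins
```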
Some specific examples I've noticed on the privacy side are pinging a Facebook server when a page uses Facebook Connect, and allowing the various web font services.
It's certainly possible to customise uBlock Origin to prevent these things. However, I couldn't immediately see any of the other suggested lists that would have blocked some of these potential privacy/tracking issues either, which suggests that not only do I need to manually block them if I want to stop the tracking, I also need to manually update those lists.
In contrast, with a couple of fire-and-forget plug-ins I've been installing as standard for years until recent FF updates broke them, I very rarely had to customise anything manually. They just worked as standard, and I trusted them to keep working and never noticed any significant problems, until now.
> I couldn't immediately see any of the other suggested lists
Fanboy's Anti-ThirdpartySocial is right there in the list of lists, under the Social header.
> In contrast, with a couple of fire-and-forget plug-ins I've been installing as standard for years until recent FF updates broke them
Ok, my answer was meant to address your point that uBO was no replacement for ABE, as you stated "uBlock Origin is apparently now the blessed alternative [to ABE]".
> Fanboy's Anti-ThirdpartySocial is right there in the list of lists, under the Social header.
And it doesn't block any of the things I mentioned. The domain connect.facebook.com isn't in there, for example, and I ran into a page running a script from there within five minutes of switching to the new plug-ins.
> Ok, my answer was meant to address your point that uBO was no replacement for ABE
Sorry, I'm not sure where I said anything like that. I explicitly noted that uBO was apparently being promoted as the successor to ABE, as you seem to have noticed. I just also noted that the plug-ins I've got running now aren't as good in some respects as the ones that worked just fine for a long time until recent FF changes.
Yes, you're right, apologies to you and to 'gorhill.
I misunderstood before and at the time I read "Fanboy's Anti-ThirdpartySocial" as "Fanboy’s Social Blocking List" not "Anti-ThirdpartySocial (see warning inside list)", perhaps because the latter sometimes seems to change its name to "Anti-Facebook List" for reasons I haven't identified. The former does block numerous Facebook addresses, just not that one.
I'm not sure any of this really invalidates my original point, though. Two weeks ago my Firefox had a couple of privacy/blocker extensions installed, and with no real configuration beyond ticking the "everything" boxes in the Ghostery wizard, they blocked pretty much everything that bothered me. Today, with FF42, neither of them works any more.
Apparently the new version involves figuring out which of the almost 50 lists that are suggested but not active by default in uBlock Origin are needed to get a reasonable level of blocking. I dare say almost no-one is actually going to get that right reliably even if they want to. And while I might have guessed to just activate everything under the social heading to block Facebook Connect (at least if I'd realised something related to Facebook wasn't already blocked by default), I have no idea which of those lists to even check to see if I can disable the various web font resources that involve tracking.
> Adblock Edge was discontinued a little while back [...] uBlock Origin is apparently now the blessed alternative [...] but I immediately found a few potential tracking issues with its default lists [...]
"but", implying Adblock Edge somehow did not have the "few potential tracking issues" you said you found in uBO.
You're reading things into my posts that aren't there. Please note that the context for my original comment that you selectively quoted was the add-ons (plural) I had used before. My full comment on uBO was that it was OK for blocking most ads but didn't block some of the trackers. The next part of the comment was about Ghostery, which was what did previously block (but no longer appears to block) those trackers.
It's a step in the right direction, but I'm afraid we need more than this.
> Since some Web pages may appear broken when elements that track behavior are blocked, we’ve made it easy to turn off Tracking Protection in Private Browsing for a particular site using the Control Center.
Whitelisting a whole site because it "appears broken" is a pretty weak approach, and clearly incentivizes "brokenness". I notice the spies (google etc.) are more intelligent and creative than the defenders of privacy.
We need a browser that can make such sites work - for the user. Without leaking any cross-site information. This involves rewriting URLs and cookies, or "mixmastering" identifiers across a cloud of users.
>Today we’re also releasing new visual editing tools in Firefox Developer Edition including Animation Tools that work the same way animators think.
To me this sounds like fiddling while Rome burns.
Typical of their track record of wasting energy on irrelevant projects instead of making a great browser.
> To me this sounds like fiddling while Rome burns. Typical of their track record of wasting energy on irrelevant projects instead of making a great browser.
I don't think you're being fair. I'm seeing a lot of improvements from Firefox, outside of their vastly improved developer tools and tracking prevention.
* They've been working on multi-process Firefox, enabled in developer edition [1]
* They've been beating Chrome's JS Engine in the benchmarks (not to mention IE) [2]
* They've been implementing more and more of HTML5, about 81% of the way there according to [3]
* Firefox supports more ES6 features than Chrome [4]
I guess I'm seeing a lot of good progress coming from the Firefox team.
And links to lists of what is blocked: https://wiki.mozilla.org/Security/Tracking_protection#Lists
I'm curious to know what the in-the-wild breakage rate for FF's blocking feature is. I use Ghostery myself and I find that maybe 1 in 100 are broken. I feel like that could be 1 in 1000 if blockers implemented a Google Analytics stub -- by far the most commonly required script for things to work.
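The two sides of the Google Analytics breakage discussed in this thread, as an added example that is not from the thread or from any blocker's code. `trackThen`, `installGaStub`, `isStub` and the sample windows are hypothetical names; `ga('send', ...)`, the `hitCallback` field, the `ga.q` queue and `ga.loaded` are analytics.js conventions. The page-side guard runs its continuation exactly once even when the library never loads, and the stub shows what a blocker-supplied stand-in has to honor for pages that lack such a guard.

```javascript
// Page side: run `done` exactly once, whether or not analytics ever answers.
// `schedule` is injectable so the fallback timer can be driven in tests.
function trackThen(win, fields, done, { timeoutMs = 1000, schedule = setTimeout } = {}) {
  let called = false;
  const once = () => {
    if (!called) {
      called = true;
      done();
    }
  };
  // Fallback: the standard snippet defines ga() as a queue before the library
  // loads, so a blocked library accepts the call and never fires hitCallback.
  schedule(once, timeoutMs);
  try {
    if (typeof win.ga === 'function') {
      win.ga('send', Object.assign({}, fields, { hitCallback: once }));
    } else {
      once(); // no analytics object at all: continue immediately
    }
  } catch (e) {
    once(); // a throwing third-party script must not break the page
  }
}

// Blocker side: a stand-in for the blocked library. It sends nothing, but
// completes every hit so code waiting on hitCallback keeps working.
function installGaStub(win) {
  if (typeof win.ga === 'function' && win.ga.loaded) return false; // real library
  const queued = (win.ga && win.ga.q) || [];
  const stub = function (...args) {
    for (const arg of args) {
      if (arg && typeof arg === 'object' && typeof arg.hitCallback === 'function') {
        arg.hitCallback();
      }
    }
  };
  stub.isStub = true; // hypothetical marker, not an analytics.js property
  win.ga = stub;
  // Complete hits that were queued before the stub was installed.
  for (const cmd of queued) stub(...Array.from(cmd));
  return true;
}

// Constructed stand-in for a page where only the inline snippet ran and the
// request for the library itself was blocked.
function makeBlockedWindow() {
  const win = {};
  win.ga = function () {
    (win.ga.q = win.ga.q || []).push(arguments);
  };
  return win;
}

// Demo: an outbound-link handler that navigates only after the hit is sent.
function demo() {
  const log = [];
  const win = makeBlockedWindow();
  installGaStub(win);
  trackThen(win, { hitType: 'event', eventCategory: 'outbound' },
    () => log.push('navigate'), { schedule: () => {} });
  return log;
}

console.log(demo()); // [ 'navigate' ]
```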