> It is a regular occurrence to hear about open source developers selling their browser extensions, only for their users to be exploited later on by the new owners. ... We are witnessing the failure of browser vendors to recognize the value of our labor and the important role it plays in a healthy browser ecosystem.
So this is an interesting philosophical question - the market value of the extension is the value of "monetizing" it by stuffing ads, or worse, monitoring/tracking/exfiltration, into the extension. It's the market value of the trust of the extension's userbase. Is that the value of the extension developer's labor?
I would argue not really. The value of a bank, for instance, is not the amount of money in all of the vaults. That money is held in trust for customers, and it is not for the owner of the bank to dispose of. Therefore, nobody who makes a fair offer for the bank should expect those resources in the transaction, so a fair market price for the bank is much less - such as the present value of the interest earned by the bank minus the interest returned to customers.
In particular, the only reason the bank has customers is they expect to get their money back, generally with interest, at some point in the future. If they didn't, they'd put their money elsewhere. So if a bank is willing to sell the contents of the customer accounts, that indicates incomplete information in the market - customers didn't know the bank wasn't trustworthy. The true market value of the bank, in a perfect-information market, would be close to zero.
It seems like the problem here is that we know two ways of compensating browser extension developers: "don't" and "breach your users' trust." Those point to wildly undervalued and wildly overvalued estimates of the fair market value of the developers' work. And we should come up with some fairer way to value their work (or, more fundamentally, to compensate them; we may not need to monetize the extension, necessarily) first, and I'm not totally sure it's the fault of browsers for not having had such a clever idea - it seems like we collectively need to figure that out.
As an extension developer who recently got one of these offers, your analysis is a good verbalization of my gut feeling on the matter. I turned it down, of course.
While users may feel bad about extension developers not being compensated, I feel like the larger story here is that:
- Companies are buying extensions for nefarious purposes, which presents a huge security risk.
- Evidently, app stores are sufficiently bad at detecting this that it remains profitable.
Yes, agree - detecting extensions that have changed hands into someone who wants to "monetize" it and preventing those updates from getting to users definitely seems like a thing that the browser manufacturers should be doing (even if - and perhaps especially if - it lowers the apparent market value of extensions) and that the onus is on browser manufacturers / extension store operators to do so.
I'm not sure how one would automatically detect such a thing as a browser extension changing hands. If you require signing extensions to make a release, there's nothing stopping a developer from selling their keys. And even without changing hands, the threat to users remains the same if the company just goes from "we'll give you $10k for your extension" to "we'll give you $10k to link this library into your extension and not ask what it does" (one might counter that an ethical developer could accept the former option while rejecting the latter, but it's hard to believe any developer willing to sell their extension in the first place isn't fully aware of what that means for the future of their users).
As others mentioned, I'm primarily interested in noticing the extension gaining malicious code, such as often occurs in the wake of a transfer, not noticing the transfer itself. (Which would also capture the case of extension not actually changing hands but nonetheless shipping malicious code - including both your example as well as a targeted attack on an ethical developer.)
Also I think it's reasonable for browsers to require complete auditable source (even if there's some obfuscation happening before it gets to users), which would probably have a deterrent effect on weakly-ethical developers - it's harder to ship code you can plainly see is malicious than to just sell the extension and wipe your hands of it. (There are enough stories of founders who care about their companies selling startups to acquirers that don't that I think there is something in human nature that makes it easier to hand off your creation to someone who will do bad things with it than to do the same bad things yourself.)
It would not be about detecting the change of hands but about detecting the (malicious) monetization.
Depending on the type of extension this might still be hard to do, but I could well imagine heuristics triggering a manual check from the extension store providers.
With many extensions having hundreds of thousands of lines of minified code, a manual check is unlikely to find anything nefarious if it's been well hidden.
IMO, extension authors should not be allowed to submit minified code alone to the extension stores for review. (Options include having standard minifiers that the extension stores run themselves, allowing extension authors to provide a .travis.yml or something where the sources to the build pipeline are themselves auditable, etc.) I can see an argument for withholding source from end users for things like paid extensions or clients to proprietary services (to be clear, I wouldn't agree with such arguments but I can see them), but I don't see the argument for withholding source from the browser manufacturers themselves.
Put another way, if the browser manufacturers run an extension store, they are (or ought to, at least) endorse the extensions in that store as reasonable to install. I don't see how they can do that without source. I think they could sort of make that endorsement without proactive auditing if they can remove extensions they discover are malicious, but if they can't even human-audit the source in response to a report of problems, I don't think there's any way they can responsibly offer extensions to their users.
IIRC Mozilla requires that you submit unminified code plus the minified code and how you compiled it, so they can reproduce it durign review. And they do Human Reviews using Volunteers.
Mozilla does a lot to protect users from malicious extensions, thousands times more than Google.
Just never allow such a transfer force a new user to create a new name. Ensure this is part of the terms of service. Prosecute violators that is to say buyer and dev under cfaa and ensure a hefty fine is levied with prison time. Nefarious parties will find few sellers thereafter.
Show whether extensions are certified by counties with similarly ridiculous laws and wait for that to become a required after the first 100 million people get pwned.
As long as an extension can be owned by a company, you can bypass restrictions on transferring the extension by transferring ownership of the company.
Unless you think plugins for HTTPS Everywhere, Google Translate, and LastPass should be signed by an individual developer - in which case you'll have to solve the problem of what to do when that developer moves between jobs :)
The point is not whether its possible to transfer ownership of the code it's whether its possible to transfer it in a way that causes a user who agreed to trust Bob or Bobco inc to automatically end up trusting Crook or Crookco inc.
A buyer company or individual ought to have to create a different name and convince users to install/trust their extension if ownership is transferred instead of merely taking control of the existing name and having the next automatic update install malware.
Extension systems and language specific package managers on the overall have garbage security and are going to be a way bigger problem in the future. They are low hanging fruit.
Right, but if a user has trusted an extension by Bobco Inc, and Bobco becomes a wholly-owned subsidiary of Crookco Inc, then Crookco can put what they like into the trusted extension.
I suppose you could argue that when Facebook buys Instagram the Instagram app should be uninstalled from users' phones and all their accounts and posts deleted, because they didn't agree to trust Facebook or consent to the data being shared with Facebook. There's a certain logic to that, but it would be a big change to how the current tech ecosystem works.
It's a superficially attractive answer, but the reality is that it's unenforceable.
Nation states get unstuck here on taxation, and bluntly it is unlikely any browser vendor will ever invest as heavily as nation states do on getting revenue.
The point is not to stop anyone on earth from behaving in a shady fashion its to make it systematically challenging for the normal behavior of non malicious people to enable malicious people.
If you can buy or take over responsibility for extension foo and automatically exploit thousands of people who automatically get updated to foo 1.1 now with 1000% more malware then it will happen.
If you have me/foo and you want to take over maintaining foo and you have to create you/foo and convince people to remove the working version of me/foo and switch to your you/foo this is a small burden for legitimate users but a higher bar for scummy companies whose accounts will doubtlessly either have a bad history or far more likely none at all to lean on.
Further the time required to convince users to switch will be much longer leading to more time for something to be discovered as malicious before users are effected.
Best this whole process makes exploiting users much less valuable and thus you have less of it to start with.
The fact that it has changed hands or not is irrelevant, there are valid use cases for ownership change, and there are many ways to "monetize" via malicious partner without selling the extension itself.
What should be monitored are changes in the extension codebase that inject 3rd party scripts and/or modify the list of external endpoints the extension is exchanging data with.
> Evidently, app stores are sufficiently bad at detecting this that it remains profitable.
What percent of extensions connect/download from the internet? That could be an easy way to identify a much smaller group of vulnerable extensions. Make extensions request permission to connect, then you can see the smaller group and watch any new extensions that request the permission. Connections could also be domain restricted to a list defined before distribution (and IP connections banned.)
Also, Mozilla could force extensions to make requests through proxies it controls... although that would be a whole other issue.
The relevant extensions here (adblockers like uBlock vs. uBlock Origin, the author's extensions like adding a search-by-image button and removing +1s from GitHub) all have the ability to modify the web page that they're running on. If you have that ability, you therefore have the indirect ability to perform network access as that web page. Blocking the extension's own network access won't identify malicious behavior, and blocking indirect network access will get in the way of productive extensions.
Yes, you can imagine a way where extensions provide some declarative input to the browser saying how to block certain elements, and don't have any connection to the web page. That's more or less what iOS ad blockers do, as well as Chrome's new proposed ad blocker approach, and extension authors generally dislike it. And that only helps you remove elements, not add them - things like night mode extensions generally want to add either elements or at least CSS to the browser, and if you have that much access, you can definitely add ads or inject referral links into shopping sites.
> Those point to wildly undervalued and wildly overvalued estimates of the fair market value of the developers' work.
Hrm. I would say that it indicates that there are two different types of market. There is the market for free, ethical extensions. This market is full of products that have no value, either being freely given away by their author, or having insufficient reach or utility to garner commercial success. Then there is the black market for remote access to millions of end user machines. This market is likely illegal, but plausible deniability allows unethical devs to sell access to end users on this market.
It should not surprise anyone that it's tough to get compensated when you don't charge anything for the product you sell. Despite the name "Chrome Web Store," I could not find any for-sale extensions on the featured page. It seems like it's not in the culture to pay for extensions, possible because most of them are low-effort and have little marginal utility.
The only people who are making money ethically on the Chrome Web Store are folks who are selling a service to which their extension is a portal. And I don't really see how it will ever be otherwise.
Should he decide to terminate the project, I expect that he'll find that he's wildly underestimated human capabilities for entitlement. The upside is that he won't feel obligated to those people.
As always value is a separate thing from "money some hypothetical somebody will pay".
Oxygenated air has next to zero price you could sell it for, but it has basically infinite value to somebody deprived of it.
Browser extensions create a ton of value, but its likely very little of that can be turned into a paycheck for somebody without destroying the value they create.
Google pays Adblock plus so they can get their ads through their "ad-blocking". The same org behind this is the one that bought the uBlock clone and the uBlock.org domain name.
The upcoming changes to the Chrome browser, will limit the performance and capabilities of actual ad-blocking extensions like uBlock Origin. Google claims these changes are being done to protect users privacy.
This would not create a scenario for extension developers to get rich, but it would provide some support to keep going, which could justify turning down potentially harmful monetization alternatives.
Hosting a conference or creating a fellowship for top extension developers could also work -- some measure of appreciation that helps developers earn a living, directly or indirectly.
LanguageTool Plus [0] is an open source (optionally self hosted) replacement for Grammarly (a paid version is available but the free one already finds more mistakes than the free version of Grammarly did for me). Available for FF and that google browser ;)
Yup (I think I'm loosely counting that as exfiltration, because you can monetize an all-sites extension real effectively if you exfiltrate the browser cookies from online banking websites.... keyloggers only get you so far if they have 2FA, but a logged-in browser session is valuable.)
> Is that the value of the extension developer's labor?
Labor itself has no intrinsic value at all. You don’t have to think very hard to come up with a list of things that would be laborious but not valuable. Economically speaking, the value of any product can only ever be what people are willing to pay for it. If your users aren’t willing to pay for your product in one way or another, then your only option is to sell access to your users, in one way or another.
$10K’s doesn’t “wildly overvalue” the developer time that goes into a successful browser extension.
At almost $200k/year, a starting google developer makes ~$4K a week (pre tax, but also ignoring health care, facilities, etc).
The browser extension offers are comparable to months of developer time, but since they are made after an extension succeeds, they’re not accounting for the probability that a new extension won’t become wildly popular.
Put another way, if the scammers could develop (or steal) extensions for less than they’re buying them for, I’m sure they would.
Yeah, I did gloss over a bit the distinction between the value of the developer's labor and the value of the extension.
I do think that $200K/year is a wild overestimate of the value of the extension, on the ground that Google and other similar companies assign very few new hires to write browser extensions. But yes, the amount of skill and time and focus that goes into the average extension and the average new hire project is at least within the same order of magnitude.
We are generally bad at finding ways to compensate/monetize people for skilled labor that does useful things for the world but isn't directly profitable, so I think trying to tackle that for the case of extensions is a harder problem than is reasonable to demand.
The root cause of all this is autoupdating. I hope we will eventually move away from that paradigm. But currently its needed, since lack of updates is even less secure.
We will get away from auto updating and security issues once we have a feature complete browser and a stable HTML specification. Given past trends I would expect this no earlier than the heat death of the universe.
I disagree. The key driver of the need for auto updates is security patches. Many people would accept missing out on new features. In fact, I suspect some would see that as a positive.
I think the reality is that more people would accept missing out on security patches than missing out on features, once those features gain traction on sites.
For example, Netflix' use of in-browser DRM makes it a must-have for mainstream browsers.
The value of an extension is whatever someone is willing to pay for it. The value of someone's ethics also has a price. It is a different price for everyone. It's silly to go into details about ethics, because maybe I donate half of the unethical income to buy mosquito nets and now I've traded saving lives with inconveniencing users or some other such very personal calculation/rationalization.
You can browbeat developers with your ethics and ideals, but your approval doesn't feed anyone's children.
This doesn't respond to my argument: if your users knew that your sense of ethics is that attacking their private browsing data to buy mosquito nets is justified, they wouldn't be your users. (That small subset of your users that thinks mosquito nets are a good use of money would either donate directly and ignore your extension, or voluntarily participate in a scheme to turn ad views into mosquito nets such that you gain no additional mosquito nets by selling.) So whether or not you are willing to sell, in a market with perfect information, the value of your extension would be close to zero.
Therefore the only way that your extension has value is if you are intentionally withholding information from users about your willingness to sell. Which, even without getting into the ethics of deceiving your users, is at odds with the generally-accepted sense of the word "value" in economics. If a company is withholding information about it doing poorly and has a higher stock price than it would if it didn't, you generally say the company is "overvalued," that people are erring in attributing that value to it, not that it increased its actual value.
NoCoin author here. With approx 700k users across 3 browsers, I have obviously received many emails for purchasing my extension. I have never accepted to sell my project, even when I had some low financial moments, because my intent was never to make money with it. And it being an open source project, it belongs to the community. I would also feel like I am breaching the trust of my users if I decide to hand it over to an unknown party. I always look up at the exemplar integrity of VLC maintainer @jbk [0].
Regarding the monetization of NoCoin, I advertise the fact that I am accepting donations in the description of the extension and have links on the GitHub page. There is also a button to donate directly on the Firefox add-ons page. Almost all donations came from the Firefox Add-ons store. I guess if Google would do the same on the Chrome store, developers would get more donations?
I’m the author of JSON Formatter [1] with 989,000 users.
I probably get a couple of offers a year for it. Of those that have offered specific sums, they ranged from from $10-20k. I always reject them, because it’s pretty obvious they want to turn it into malware.
I’ve had a couple of cases where I felt they went to some effort to schmooze me first, presenting themselves as having benign intentions, almost like a carefully crafted con. But as far as I can tell, there is no legitimate, ethical reason to want to acquire it, and I won’t sell out my users like that.
$20k seems like a pretty lowball offer? Close to 1M users (plus potential for further growth) and you have me expecting at least $400k... Or, am I expecting too much?
I publish an extension on the store of Chrome with 1+ million
of (technical) users. Three years ago, someone proposed me to buy it for 50,000 USD. He clearly indicated that he was interested by the user base...
I was never curious enough to read the offers, I just bin those emails. As said, this project was never about being profitable and I am already very grateful for the donations I received.
On the one hand, this seems like a real missed opportunity by Mozilla. As Chrome reigns in extensions that conflict with Google's business model, this is a reason to use Firefox.
BUT - extensions are also often the cause of a slow and frustrating Firefox experience, which then leads folks to talk about how Chrome is better-performing/faster (I've been guilty of this myself in the past). Mozilla needs to make sure Firefox is keeping pace with Chrome, which they've presumably decided means de-emphasizing extensions.
That said, not sure why Mozilla needs to de-emphasize donation buttons.
>BUT - extensions are also often the cause of a slow and frustrating Firefox experience, which then leads folks to talk about how Chrome is better-performing/faster
IE (used to?) have this bottom notification warning about 'X plugin is slowing IE, would you like to disable it?'. Perhaps Firefox should add similar feature and notify users about slow plugins, maybe even with some actual data instead of a vague slowness claim.
Mozilla does this already, to a degree. Using the Dark Reader extension hangs some sites for several seconds and Mozilla asks me if I'd like to kill it
The issue is more with extensions that don't hang but slows you down throughout your usage. Especially if there are couple of those you feel that the browser is sluggish but don't associate it to the extensions.
At first I thought nice to know, but that won't help most people.
Then I went to check it out and found that I don't remember opening it since it's pretty much useless. It does show how much memory each consume and the _current_ energy impact. Utterly meaningless and doesn't help me at all to understand that a certain extension slows my browsing experience.
There’s a real discoverability issue with those kind of pages. They should be listed somewhere in some submenu. You can’t expect people to go through all the documentation like they used to go through manuals in decades past.
Chrome has chrome://chromeurls and Firefox has about:about (Firefox chrome urls tend to be actual browser resources, not information or settings or debugging. Eg with xul you used to be able to open the toolbars/browser ui itself in a window)
Which browser extension is responsible for making Firefox slow as a slug when deleting large numbers history entries?
I've not checked the source, but my guess is firefox stores the history in a SQLite db and when you select 500 history items then delete them, it's doing 500 DELETEs, maybe even without a proper index. It's seriously slow.
There seems to be a lot of low hanging fruit in Firefox, but not being employed by Mozilla I don't particularly feel like my thoughts or contributions are welcome. The last time reported a bug on bugzilla.mozilla.org (which is a pain in the neck) I was told that accessibility on MacOS wasn't important enough for Mozilla to care about (paraphrasing.)
I think it’s not 500 deletes, but it’s certainly not great. There is definitely an index. If you can repro this, you should file a bug for it, I’ve noticed it being slow too, but couldn’t repro it recently. If you file a bug for this, you can CC me (tcsc at mozilla dot com).
I believe/guess it manifests most noticably when you have a large amount of history, so it might be hard to repro with a fresh profile. I'm on the road away from a real computer, but when I get back I'll give it a shot.
I had a similar problem with Owl, it's because they typically use CSS filters to achieve dark mode. It's frustrating because it's a very bad solution but it's easy to not realize that the extension is causing the problem (especially because browsers work hard to hide it)
That does show up one area that Chrome still eclipses Firefox - the Shift Esc task manager that will usually reveal which tab or extension is cratering things. Firefox is much more opaque about memory and especially CPU use, making it far harder to pin down.
I have a hope of remembering about:performance. I can bookmark it, and it's there in autocomplete. You can make a link to it in your webpage or in a nice plugin (which, once it gets a couple thousand users, you can sell to an honest businessman for tens of thousands).
Shift-Escape? what? I'm supposed to just randomly press every key combination till something happens?
I reset Firefox recently on an ancient Linux laptop and before I got uBlock origin set back up the browser was nearly unusable. I had taken for granted how much it was doing. If I ever get out of this deep financial hole I am sending gorhill a large donation (if he accepts, I recall in the past he wasn't taking any). One of the most, if not THE most useful QOL add-ons in my view.
Dark Reader which is one of my must-haves has a known Firefox performance issue on a LOT of sites that makes Firefox almost unusable for me, so I recently begrudgingly switched back to Chrome.
>Unfortunately Firefox is terribly slow in unpredictable places. I periodically try to find out what exactly makes it work slow in Firefox. For example this change improved twitter.com loading from ~30s to ~1s.
His change[0] was changing array population from repeated concat to push. This is not an unpredictable hot spot but a developer not knowing his tools. Common sense is not premature optimization.
>The Chrome Web Store and the Microsoft Store do not offer features for supporting extension developers.
That doesn't seem right - doesn't Google let developers monetize extensions in the chrome web store?
You can publish Hosted Apps, Chrome Apps, Chrome
Extensions, and Themes in the Chrome Web Store.
Collectively these are called simply "Items". You have
many choices when it comes to making money from items
that you publish in the Chrome Web Store. This page
covers just a few ways to monetize your store item:
- In-app payments
- One-time charge
- Subscription
- Offering a limited trial version of your item
The issue of developers selling out their chrome extensions to 3P (that the author references) probably has more to do with the fact that bad actors get better money for harvesting user PII than the developer would if they maintained the extension as it was originally meant to be. This is a real privacy issue, but it's also why Chrome cracked down on extension APIs recently by restricting what is shared with the extension.
Google's Web Store payments system is terrible in my experience. I haven't been able to export accounting data for https://autoplaylists.simon.codes since April 2018: I spent almost a year badgering support so I could properly file my taxes.
A letter from the New York AG got them to respond, but I still need to email them every time I need my data (they get an engineer to run a db query manually, from what I can tell).
I did get an email today that they're migrating to a new system, so maybe it'll work in the future, but I wouldn't trust them based on what I've seen.
> it's also why Chrome cracked down on extension APIs recently by restricting what is shared with the extension
It'd be nice if they had 'trusted devs' or similar. Even if they provided a paid meatbag extension review service, I'd pay to get the plugins I use reviewed!
That's an interesting idea. I, too, would happily contribute to a funding pool to have a competent human analyze the extensions that I'm using. One would expect this to (loosely) allocate money to checking the extensions that are most used, so the ecosystem would benefit even for people who weren't contributing.
Very nice idea. As an ISV with a freemium open-source extension, I would happily pay for an official security review that I could present to our users. Our extension is secure by design but having a 3rd-party expert (e. g. Google or Firefox reviewer) confirm this and get a "Reviewed" badge would be great. The drawback is that this could slow down extension updates, as you do not want to loose this badge with the next update. But that is manageable.
The Web Store Payments API is trash. I waded through the out-of-date, sparse documentation and examples, trawled stack overflow and 'Chromium Extensions' Google Group. Spent weeks of my life trying to find work arounds to various issues. Thinking of setting up a github repo with documentation about all the issues and workarounds. Shame on Google that they leave this online.
In the end, I couldn't get something satisfactory working, and went with Paddle for payments. Cost per transaction is quite high in our case ($0.75 on a $5 monthly subscription) but it was fairly painless to set up, and they handle VAT/sales tax. Would love to find a way to offer $3/month subscriptions without handling tax ourselves.
The web store ecosystem is atrocious. You cannot rely on Google's browser services to make money. They will randomly take down your extension for a ~month in response to malformed (i.e. invalid and illegal) DMCA notices, and they barely maintain the developer tools - I've watched key parts of the developer dashboard break and go unfixed for months even after reporting them.
If you want to do this stuff you have to do it all from scratch and hope Google doesn't decide to get mad at you.
They also make it very hard to push updates promptly which means if a major bug or security issue is found it can take multiple days for users to get a fix, so you end up having to find your own way to push updates (despite the fact that store policy sort of prohibits doing so).
I've developed apps for Chromeos which share a lot of the same docs as extensions and these are some of the worst docs I've ever used. Incomplete, outdated, confusing, etc.
It feels as if Google doesn't want you to actually make Chromeos apps.
Hi, author here. Certain software may bring greater value for society when it is freely accessible for everyone, without compromising on user privacy, while being partially subsidized by users who can afford to sponsor such projects.
It would benefit us all if browser vendors would enable users to easily support extensions, and do so from a unified user interface, like an extension store.
It sends a different signal for the user when a browser vendor encourages and handles contributions for extensions, instead of leaving developers on their own to build makeshift donation prompts and expect users to give out credit card data or sign up to third-party services just to donate.
Sponsoring your favourite extensions right from your Google or Firefox account would help projects receive more funding, be more user-centered, and further enrich the browser extension ecosystem, while encouraging new developers to publish their own extensions and support user needs.
Redesign reducing visibility of donation button, and no real support for selling / monetizing your extensions in the stores: totally agreed, they can and likely should do better there. I'd be curious to see if the change had any effect tho, and how much. Above-the-fold is valuable real-estate, it's possible that it's better-utilized after the change, just along a different set of priorities.
Direct payment from browser vendor to useful devs: not sure where that money would come from.
Alexa can probably support it since more use of an Alexa likely has a strong correlation with increased purchases through Amazon - they essentially directly profit off popular extensions, in a measurable way because they track everything, since it keeps people using Amazon in general.
I'm not sure Mozilla gets much money from e.g. adblock. Or other popular extensions. Plus they're a non-profit, so their cash-in-hand isn't too likely to change dramatically, unless we can convince more companies to donate (which could allow donating to extension devs).
Chrome and Google not caring or supporting these kind of things I get but Firefox's recent efforts seem to be either gross negligence or targeted moved to destroy their addon ecosystem.
I thought Firefox was going to get better with their redesign but it seems like it just resulted in lost functionality. Their misguided quest to get more market share has been a completely failure and pushed anyone who valued their customizable experience away.
> I thought Firefox was going to get better with their redesign but it seems like it just resulted in lost functionality. Their misguided quest to get more market share has been a completely failure and pushed anyone who valued their customizable experience away.
Well, it got me to switch from Chrome to Firefox on Windows, so there's that at least. Firefox feels much faster to me now, and strongly reminds me of Chrome in the very early days.
I think there’s a certain degree to which needing to implement spectre mitigations (e.g. site isolation) threw a wrench into some of the plans for improving the baseline of the extension apis.
I feel you. I absolutely think that Firefox needs to not follow Chrome's footsteps but instead continue to be the Emacs of the web versus being a gedit.
Been trending that way for years now. Making a browser that does what you want it to do is way easier than making a browser that does what your users want it to do. Sometimes I wonder if the "iterate version integers every six weeks so our e-peen looks bigger" approach is to blame.
That's an interesting thought. It's almost like Chrome and Firefox have been in a "browser cold war" for years now, trying to outdo each other's version numbers, trying to entice users with greener grass rather than the stronger "attacks" of the IE-Firefox "browser wars" of the past, and one side trying to imitate the other.
Chrome realized that if it jumped ahead in version number, it could gain a huge PR advantage, and then Firefox was forced to follow that pattern or appear outdated. Users may have gained some rapid iteration, but in the long term, I think we lost the ability to understand how the browsers are changing (of course, some of that is a matter of the inherent complexity explosion in the Web).
And once you change to the constantly-incremented version numbering scheme, how can you ever go back to something more meaningful? Who's would blink first?
Happily, Pale Moon, for example, retains more modest version numbers. I hope their developers continue doing well. Imagine if it (or a similar project) were the next Phoenix, the way Firefox rose from Netscape's ashes.
Chrome realized that if it jumped ahead in version number, it could gain a huge PR advantage, and then Firefox was forced to follow that pattern or appear outdated.
Personal anecdote, but of all the non-technical people I know (which I define as those who may barely know what a browser is, and only use the computer for browsing a tiny fraction of the Internet), none of them like the constant change, especially when it breaks their workflow, and those who do pay attention to version numbers think the rapid "version explosion" (to quote one) is completely silly. Like a lot of other things in life, they just put up with it because they're powerless.
I really wonder who the browser makers are targeting with the "move fast and break things constantly" attitude, because it's definitely neither the technical nor non-technical users I know.
Certainly isn't me. I'm still salty about Firefox 2 removing the "close current tab" button and putting an X on every tab instead. It was nice having that muscle memory instead of having to hunt down whichever tab you're currently focused on.
I've never used Firefox 1.x so haven't used that UI, but it sounds like something they could've made configurable but didn't want to, for whatever reason.
However, in all the tabbed browsers I've used, Ctrl+F4 closes the current tab.
That's not their core business. It's redolent of the complaints when Twitter etc limit their API/number of tokens per app etc. They're doing it because it no longer serves a purpose. Perhaps Mozilla is slightly different but Google would only benefit from ad/tracker blockers going away.
> but Google would only benefit from ad/tracker blockers going away.
That's a gross mischaracterization of the situation. There are far, far more extensions than just ad blockers.
Google could trivially block ad blockers without killing all extensions, and ad blockers can survive just fine without extensions (pihole being the obvious example of one such alternative).
None of any of this has anything to do with ad blockers nor some hidden agenda to kill them. It's about how selling a hobby project can be disastrous for users, and what (if anything) Google/Mozilla should be doing to prevent those hobby developers from wanting to sell in the first place.
Personally I think that's treating the symptom and not the cause, and a better policy would be something like Google or Mozilla preventing updates to extensions whose backing developer has changed. Although that would be hard to enforce.
> Google would only benefit from ad/tracker blockers going away.
In the long run, this might sadly be true, but I disagree for now. No way Google is doing this because of the goodness of their hearts.
They do it because they haven't completely squeezed out all competitors yet.
Removing or utterly crippling addons now would force users to realize what Chrome is while there still are options, meaning a huge chunk of the users would go to other browsers.
Look to Chrome mobile, the one that they can force ram down the throat of > 50% of mobile users. Chrome mobile doesn't have addons because it doesn't compete.
Sorry to all Googlers here for being so blunt, and feel free to point out one or more examples from the last few years where Google has prioritized their users above quarterly / yearly profits.
I used to be a huge fan but Google has massively disappointed me over the last 5-10 years.
> Sorry to all Googlers here for being so blunt, and feel free to point out one or more examples from the last few years where Google has prioritized their users above quarterly / yearly profits.
No need to apologize =]
An example that comes to mind is the current focus on accessibility. I think from an objective financial/engineering perspective, it's much preferable to just ignore accessibility because it adds complexity and isn't used by the vast majority of users. However, providing access to everyone is the right thing to do.
Of course, I'm sure people will say this is just for marketing or something but in the end, how can one get around that?
I don't think Google is flawless. Far from it! But it's a huge company with way too many products so it's only natural there will be bad decisions and good ones, just as there are bad people as well as good people.
> Look to Chrome mobile, the one that they can force ram down the throat of > 50% of mobile users. Chrome mobile doesn't have addons because it doesn't compete.
I'm not sure I understand.. are you saying that Chrome mobile takes up a lot of RAM? Because if so I would agree with that, but isn't that precisely why extensions shouldn't be allowed? Implementing extensions would add an even greater burden and poorly written extensions would provide a bad user experience.
If anything I really wish we could strip Chrome down. I think people adopted Chrome early on because it was really light and personally I really feel like we let everyone down by letting it get so bloated.
I don't think stripping even more functionality from the already dumb Chrome on mobile is the answer. How about concentrating efforts on making it more performant instead of removing things? Firefox on Android shows it can be done.
To be honest I don't know too much about what's been added but I can only assume new functionality must account for the increased bloat.
I imagine it's support for things like "Chrome Apps" or more generally the desire to get websites to be able to do the same things as native apps. I suspect there's also the fact that Chrome has to support Chrome OS as well.
But I am new to Chrome OS so admittedly I am not too familiar on the history or background =]
Chrome OS was my thought as well. I'm not sure how much of that is included in Chrome itself, and how much is bundled separately as part of the OS though.
For some reason I thought Chrome Apps were deprecated. PWAs can do most of the same things today.
Ah I think you might be right! But to be totally honest, I really don't care for PWAs either.. Maybe I am just too old fashioned but I don't care for my web apps having offline functionality.
That being said, I am not familiar with the technology so this is very much an uninformed opinion!
It's pretty clearly in line with Mozilla's goals for an Open Internet -- and from a pragmatic point-of-view a mass exodus of extension developers from Chrome would be big problem for Google.
I could see this as a way for Mozilla to further distinguish Firefox from Chrome. If Firefox was seen in the developer community as the platform to target if you want to make money, it won't take long for extension developers to start targeting Chrome only as an afterthought, and users would start to shift towards thinking of Firefox as "the one I can extend."
I have no idea what this means, especially capitalized like a brand of some sort, so I don't know how supporting extension developers would help or hinder that.
> users would start to shift towards thinking of Firefox as "the one I can extend."
Users already thought of firefox as the browser you could extend, but mozilla decided that wasn't a priority. I don't see them suddenly reprioritizing that.
I think that's a bit unfair to Mozilla. They previously had prioritized extensibility over security, that is, extensions and plugins had basically direct access to the browser's C code itself. They've now prioritized security over extensibility. That's not to say that extensibility isn't a priority (or that security was previously not a priority).
Their core business is to have a useful/featureful browser. Browsers gain extra features thanks to extensions. One of the reasons that keeps me with Firefox are many of its extensions. They almost lost me as a user when they deprecated a gazilion tons of extensions last year. I would say extensions are an integral part of the browser offering even if produced by third-parties.
I don't think devs should be shamed into not selling their software. That's some questionable 'white-knight' ethics. If you sell something, great. if you don't, also great. if you use ads to monetize or sell data, also great. If you use a freemium model which serves ads to the plebs and asks money from the elite, even better.
For that matter I don't think open browser producers can be expected to foot the bill for it either. their browsers do not cost a thing, after all and browser extensions only impact a very small part of their userbase.
Please remember that not everyone has a problem with ads, 'privacy invasion' and targetting. Some people do and think that everyone should think the same. I find this mentality rather stifling.
> Some people do and think that everyone should think the same. I find this mentality rather stifling.
I feel like people should be more informed over the implications. If they still don't care once I explain the issues, that's their prerogative to not care. I feel like most people don't understand why the "I have nothing to hide" mentality will cost us plenty of freedoms we still have.
I agree with you though, most people aren't like the majority of HN users, they just don't care or don't understand.
> browser extensions only impact a very small part of their userbase
Third or even half of the userbase is not a small part.
> Please remember that not everyone has a problem with ads, 'privacy invasion' and targetting.
Everyone has a problem with this once they understand what's going on and how it can be used against them. It's just most people are not software engineers and security, privacy related issues are hard for them to understand.
Despite having a smaller extension ecosystem, Apple seems to have the right idea: Safari extensions (and soon even system extensions) are discovered and delivered via the App Store like any other app, and their developers can charge for them like any other app.
Personally I think this is sort of missing the forest for the trees. The big picture is, Mozilla and Google don't like extensions or extension developers. They don't like people customizing their browsers. We see feature after feature drop from being a button in the menu, to being an option in the about:config, to requiring an extension, to requiring manual modification of files, to being entirely disabled.
Look at something as simple as putting the tabs below the address bar. If Mozilla respected their users, it would be as simple as hitting the Customize button and then dragging the tab bar to the bottom. Then they stuck it in an about:config option. Then they required you to make a custom userChrome.css. Now guess what, in the newest version userChrome.css loading is disabled by default and you have to manually turn it back on. How long it will take before it's entirely disabled? I have no idea, but the message from Mozilla is clear: "You can use it the way we want you to or you can go to hell".
I know this is tangential-- I would like to write a FF extension -- can anyone point out some good resources for that? Beyond what's on Moz's official site of course.
I just started working on an extension recently with no experience and have found it to be pleasantly unchallenging. If you are familiar with web development already, it's actually a pretty easy transition. Primarily you have the option of injecting some JS into every page, and also running a page in the background. So you just need to design your extension to work that way. Then you have access to some extension-specific APIs for stuff like the little icon in the toolbar or reading cookies.
I think if you already know web dev, you probably don't need a specific resource to figure it out - just dive right into it and look up which parts of API you need for certain things.
If you don't already know web dev, perhaps it would be better to learn that first and then look at extensions.
I know you asked for resources beyond Mozilla's site, but Mozilla's documentation for extension developers is very accessible and includes complete code for example extensions:
Chrome's developer site also contains handy stuff too. Many of the chrome. APIs can be accessed by replacing chrome.x with browser.x. Firefox basically uses Chrome's extension APIs.
One of the things I found most lacking from the official chrome and FF documentation, is how to use NPM with your extension for dependencies and how to automatically build and release to both the FF store and chrome store.
There are a couple of issues that come up if you just plonk a package.json in your root folder, for example - now you the same information like extension name and version number duplicated across two files, the npm package.json and the webextension's manifest.json. Nevermind the fact that it's not obvious at all how to distribute the npm dependencies with the extension once you have them installed on your computer
On all of these issues, the best "tutorial" I've found is just looking at the structure of sindresorhus's "refined GitHub" repo. He and the contributors have totally nailed how to integrate npm, automate the build and manage the package.json files plus much much more, in a very readable way. I would definitely consider mirroring the rough structure of refined GitHub just for sanity reasons. Everything about it makes sense.
And if it helps here's a link to the extension I built using refined GitHub as a model -- https://github.com/spookyUnknownUser/laconic_hover
I tried to implement the most minimally important features of the build and packaging system of refined GitHub in my project.
Since FF and Chrome use almost the same extension API, you can use Google resources to get started, and a lot of it will work on Firefox. The main exception is the identity module, which Chrome requires to be a Google account
I wrote browser extensions in pastime. They are mainly for my needs and happen to be useful for others. I'm lucky that I don't need to write extensions for financial reason, and don't ever plan to sell out. On the other hand, I can understand why some developers choose to do so. People get a family to feed. It would certainly helpful for Google and Mozilla to have greater support for the extension developers financially.
A flat monthly subscription for what exactly? Advanced extensions with UI and extra privacy/security options? There is a reason why this doesn't exist, and people already pay extra money for Windows and Mac OS. If people are already paying for an OS, they shouldn't then be required to pay for a premier browsing experience.
The basic issue is people do not want to pay for software if a 'good enough' free replacement is available. Hence Mozilla having to source money from whomever is willing to give them, and hence the race to the bottom. This has been particularly true in browser space. We usually pay for using programs of similar complexity like PS or AutoCAD etc., but we have always taken it for granted that browsers should be free and/or bundled. This works to the advantage of big players who can sink in the millions involved, which Mozilla is only alive today because of former momentum (user base). Forget about a browser startup or a community-maintained alternative. It has become too huge and complex an undertaking for anyone to bother as long as Chrome/Edge/Safari/Firefox will be available, no matter if they turn into user-hostile mess.
A lot of extensions are made because people need them for themselves, not to live of extension development. And this is something that can exist as a nice open source ecosystem with some oversight, like packages on a typical linux distro. All the development stuff can go into something like AUR on Archlinux, where users have to explicitly participate and accept more risk. And this is something not very evil browser vendor might be willing and be able to do. But creating incentives for extension developers is definitely the opposite of their plans, they'd rather kill extensions altogether.
They're also failing to support users, as hinted by the article. The fact that developers are able to simply hand over control of extensions to a third party, who are going to do god knows what with it, without the user being informed at all, is ridiculous.
I have a few extensions with 10-100,000 users and have received many emails from people asking to buy one. The numbers in the article seem accurate - if you have 100,000 users you could be looking at offers for tens of thousands of dollars. So, it's no surprise that developers cave in and compromise their users' security.
I've experienced slowness / crashes with FF extensions, as some people have described here, annoyingly the problem doesn't seem to be reproducible. I'd optimally like to have 4-5 plugins maximum - key-driven browsing, adblock, CSS overrides and JavaScript injection.
What's the best way to blame / troubleshoot a bad plugin? Because as soon as I add them all I experience 1-2 page crashes/infinity loops per hour
I meant respectfully blame, fwiw. If your plugin crashes my browser and I like the plugin, I'll fix it / send a bug report. If I don't like it, or it's beyond repair, I'll uninstall it.
I have way bigger stones I can grind my axe on, if I ever feel the need.
Why don't developers of addons like gorhill and piro accept donations and hand them out to other addon developers they consider worthy, or some other developers users consider worthy?
It will help addon developers or even bring new developers to support addons whose original developers want to move on to other things.
If you aren't buying the product, then you are the product. Maybe the problem is that extensions stores aren't as monitized as the IOS and Android App stores?
No way anyone google or Mozilla can compete with a potential sale of 30 cents a user. So if that’s truly they case they might was well expect the sales to happen and start to limit the power of extensions or put them behind expert-only gates, like Chrome flags.
Obviously none of us expect to be paid the black market value of extensions. The point is for browser vendors to offer better tools for sponsoring developers, because it benefits everyone.
And no, the reaction to security issues should not be to further limit the extension API and declare war on the concept of general computing.
If it's open source then anyone can fork, right? So sell the extension, fork it, publish a new non-shitty version, and let users know via some non-official means. The only losers are the ignorant people who don't switch and the people you sold it to.
I mean, this is what happened with MariaDB, and over the years more distros have outright replaced MySQL with MariaDB. He made a lot of money selling MySQL too.
I don't condone this idea for browser plugins because the userbase for plugins are usually install and forget. I don't think most devs spend their time reading all the release notes of every plugin they install.
When you install a database server / engine, you take time to figure out if it's the one you want or not. You research the company and other companies using the product.
Between every release making we worry what functionality I'm going to lose and which extensions will stop working, or having all my containers wiped out permanently, Mozilla is failing extension users.
I wrote a security focused javascript, ad and annoyance blocking extension for myself, which is essentially a CSP, script and style injector with keyboard shortcuts. I don't see how utilities can help here.
I think what a lot of comments are missing is that the value of a browser is directly boosted by the value provided by its extensions.
I wouldn't have switched to Firefox from Chrome if most of the extensions I was using wouldn't have had readily available equivalents or workarounds. I would have held off on test-driving the new Edge as my daily workhorse browser if I hadn't noticed an extension for my password manager in the Microsoft Store and found that I can install most extensions from the Chrome Web Store too.
Netscape and Opera prove that the paid browser business model is dead, sure, but that doesn't mean browsers (especially browsers developed by companies with lots of related paid services) don't represent value for the companies developing them -- and that those companies don't profit from that value.
Google especially benefits massively from Chrome's marketshare -- even to the extent that their own web services can get away with treating competitor browsers as second-class citizens. Extension developers contribute to the value driving that marketshare and open source extension developers do so with practically no return on investment.
This is just another example of the true sharing economy of open source clashing with capitalism (which is inherently based on extracting surplus value as profit, not sharing it back). Which would be fine, really, if the people participating in the sharing economy wouldn't also exist in capitalism and have to rely on their success under capitalism to ensure basic subsistence like food, shelter and the means of extension development.
Extension developers using ads, tracking, malware or selling their extensions to malicious entities are just trying to find ways within the system to capitalise at least on some of the value they've provided. That's undesirable and developers shouldn't be in such dire circumstances to be willing to give in, but this is a systemic problem.
Luckily unlike with most systems, this system is almost entirely in the hands of browser vendors. Browser vendors could emphasize donation options -- just look at how big open source projects like some Linux distros push donations while still allowing for freeloading. But browser vendors currently have no direct incentive to do so -- in fact, doing so might actually harm their metrics.
So this is an interesting philosophical question - the market value of the extension is the value of "monetizing" it by stuffing ads, or worse, monitoring/tracking/exfiltration, into the extension. It's the market value of the trust of the extension's userbase. Is that the value of the extension developer's labor?
I would argue not really. The value of a bank, for instance, is not the amount of money in all of the vaults. That money is held in trust for customers, and it is not for the owner of the bank to dispose of. Therefore, nobody who makes a fair offer for the bank should expect those resources in the transaction, so a fair market price for the bank is much less - such as the present value of the interest earned by the bank minus the interest returned to customers.
In particular, the only reason the bank has customers is they expect to get their money back, generally with interest, at some point in the future. If they didn't, they'd put their money elsewhere. So if a bank is willing to sell the contents of the customer accounts, that indicates incomplete information in the market - customers didn't know the bank wasn't trustworthy. The true market value of the bank, in a perfect-information market, would be close to zero.
It seems like the problem here is that we know two ways of compensating browser extension developers: "don't" and "breach your users' trust." Those point to wildly undervalued and wildly overvalued estimates of the fair market value of the developers' work. And we should come up with some fairer way to value their work (or, more fundamentally, to compensate them; we may not need to monetize the extension, necessarily) first, and I'm not totally sure it's the fault of browsers for not having had such a clever idea - it seems like we collectively need to figure that out.