Status

Tech Evangelism
Add-ons
RESOLVED WONTFIX
2 years ago
4 months ago

People

(Reporter: dmitry.redkin, Unassigned)

Tracking

Firefox 47

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160604131506

Steps to reproduce:

I've added ace stream web extension to my FF.
https://addons.mozilla.org/ru/firefox/addon/ace-stream-web-extension/
It was good until june 17, 2016.


Actual results:

Suddenly it started to show banners on some pages. E.g. I caould not login to my cell operator site https://login.mts.ru/ (note HTTPS!) until I completely disabled ace stream. All that time it showed big green banner ontop of the page. It took me 3 hours to figure out which extension causes the problem.
Plaes block this extension!


Expected results:

I thick extension should not change the conent of pages without notice, and NEVER modify https pages.
Showing ads isn't a block-worthy offense, and it's acceptable for add-ons without full review on AMO. The add-on needs a closer look to make sure it's safe and doesn't cause further problems. Adding AMO admins.
(Reporter)

Comment 2

2 years ago
So you think breaking of a base functionality (inablity to login to site) and showing ads without a notice and ablity to turn it off on random pages is normal? 
So many efforts are made by admins to prevent XSS, and here we have absolutely abritrary scripts running an any pages creators of addon choose...
Ok, I'm changing the browser.

Comment 3

2 years ago
Hi Dmitry I'm going to review this now. If it is breaking sites its a bug and they should fix it. The ads should be opt in. If you did not opt in to it and still got it, it should be rejected.

Yes this is an addon like greasemonkey, I will give it a closer look and update you.
(Reporter)

Comment 4

2 years ago
I have to add some notes.
After investigation I've found:
1. Extension from https://addons.mozilla.org/ does not add adware scripts by default;
2. Adware scripts are added after installing official application Ace Stream Media from acestream.org (which, upon installation, also  installs the extension to firefox);
3. I cannot understand which scripts of this bundle are adware and which are required for application to work, deleting all the scripts makes application unusable;

So it's for Mozilla to decide can such behaviour of an official application of extension's developer be accepted or not.

Comment 5

2 years ago
Thanks @dmitry for your notes, really appreciate it. Personally I would not use this addon and would use Greasemonkey. I had approved it in the past but I recall wanting to reject it. But when reviewing I have to be un-opinionated.
dmitry, so the application installs its own addon and there are two separate ones? Can you find that second unlisted add-on and let us know what the id is (or attach it here) ?
(Reporter)

Comment 7

2 years ago
Yes, adware is in the unlisted extension. Here is what troubleshooting info shows:

Ace Stream Web Extension 1.0.0 true acewebextension@acestream.org
Ace Stream Web Extension 1.0.2 true acewebextension_unlisted@acestream.org
(Reporter)

Comment 8

2 years ago
Actually I was a bit wrong. I've found that within AceStream media application there is also "extension for an extension" - a so called AS Magic Player extension with id magicplayer_unlisted@acesteam.org.
There is no need to disable Ace Stream Web Extension entirely, disabling only Magic Plaeyer extension removes all ads, so I think that it is the real source of the trouble.
Mass-closing bugs that relate to legacy versions of add-ons or are otherwise no longer worth tracking. Please comment if you think this bug should be reopened.

Sorry for the bugspam. Made you look, though!
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.