Closed Bug 1386608 Opened 7 years ago Closed 7 years ago

Users should be notified about new policy exception allowing legacy addons to install and launch executables

Categories

(addons.mozilla.org :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: visco, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.5.17 (KHTML, like Gecko) Version/8.0.5 Safari/600.5.17
Build ID: 20170628075643



Actual results:

First, I'd like to quote from https://bugzilla.mozilla.org/show_bug.cgi?id=1383392#c5 :

"After much discussion, the Add-ons Team decided to make a policy exception for add-ons going through this process. This means legacy add-ons planning to move to WebExtensions APIs that rely on binaries are allowed to install the external binary in anticipation for their migration to WebExtensions. This isn't a great solution, but the alternatives are also pretty bad. This at least ensures a smooth transition for users."

I'm filing a new bug because while the reasons were given, it is still uncertain if there is going to be any action to inform add-on users about them.

As already seen here (https://addons.mozilla.org/en-US/firefox/addon/fireshot/reviews/), not a single user who left a negative review, including myself, was aware of this silent decision. I guess this lack of information may cause an influx of similar cases and reports both here and at AMO in the near future.


Expected results:

A clear notification about this policy exception should be added to all relevant add-on pages - maybe as a pop-up of some kind.
Also, in my case, I'd been using Fireshot for a long time and had no reason to visit its home page - hence, even if a notification was published there, I'd still have no chance to acknowledge its new policy - this case should ideally be addressed as well.

We don't expect this to come up very often, since it's due to a rare edge case in the migration to WebExtensions. We don't think that notifying end users will help because most won't understand what choice (if any) they are being given. And like I mentioned in the other bug, this action doesn't really have a significant difference in terms of security from the previous versions of the add-on.

More security-conscious users like yourself will certainly notice and possibly complain about it, but we leave it up to the developer to find the right balance between giving users notifications they don't understand and making them aware of everything that's going on. We've made some recommendations to the developer, and will do similarly for others where this applies. However, we don't plan to force any particular UI for this. If it becomes a bigger problem, we will revisit this decision.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX