Mozilla has released a major overhaul to how Firefox add-ons are developed.
In the blog post The Future of Developing Firefox Add-ons, Mozilla product manager Kev Needham said the add-on ecosystem had "evolved through incremental, organic growth over the years," but that there were some "modernisations to Firefox" requiring foundational changes.
One of the biggest changes is the WebExtensions API. Needham comments that Mozilla want add-on development to more closely mirror web development, and that "the same code should run in multiple browsers according to behaviour set by standards."
To this end, Needham says WebExtensions make it easier to develop extensions across multiple browsers. He said:
Extension code written for Chrome, Opera, or, possibly in the future, Microsoft Edge will run in Firefox with few changes as a WebExtension. This modern and JavaScript-centric API has a number of advantages, including supporting multi-process browsers by default and mitigating the risk of misbehaving add-ons and malware.
WebExtensions will behave like other Firefox add-ons; they will be signed by Mozilla, and discoverable through addons.mozilla.org (AMO) or through the developer’s website. With this API, extension developers should be able to make the same extension available on Firefox and Chrome with a minimal number of changes to repackage for each platform.
Also new is a requirement for add-ons to be reviewed and signed by Mozilla before their deployment. Back in April, Mozilla's security lead Daniel Veditz published The Case for Extension Signing, addressing the volume of feedback their announcement had generated from the developer community. Veditz said the internet browsing experience for tens of thousands of people was being shaped by "third party add-ons in ways they did not choose and that benefit third parties, not the user."
Veditz continues that most unwanted add-ons are "advertising-related in some way" and that they can "break fundamental browser security" and violate "Mozilla’s basic principle: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional."
Although signing will not be enforced until Firefox 42, users of Firefox 40 can already see in if installed extensions are validated.
The developer community has reacted with a range of emotions to the announcements. Commenting on Needham's post, user DMcCunney said they had "profoundly mixed feelings" about the announcement, saying:
I understand the security concerns that prompt a requirement for signing, but just how serious is the problem? How many *verified* reports of users getting hosed by malicious extensions have there been? I haven’t seen any, though it’s possible I haven’t looked in the right places. Is this a solution for a problem that does not, in fact, exist? If there is proof it *is* a problem, please provide a pointer to it.
My biggest concern now is that, sooner rather than later, I won’t be able to run unverified extensions.
In the Reddit discussion The Future of Developing Firefox Add-ons user iamncla was happy at the announcement, saying "I have a very huge Chrome extension with huge user base (300k+ users) and have been neglecting porting it to Firefox just because it has different extension API stuff. This is great for both developers and users that have been wanting a Firefox version of the extension."
Others were less diplomatic in their responses. Nils Maier, author of the downthemall extension, commented on the blog post, saying
I was thinking of abandoning add-on development for a while now, mostly because of the Walled Garden signing approach that went live, which I strongly objected to and still strongly object to...
But “deprecating” XUL-based add-ons with XPCOM access takes the cake. Once that happens, I will abandon ship for sure. Simply because I cannot continue developing most add-ons at all as they will not and cannot fit into any “WebExtensions” API. The flexibility of what XUL-based add-ons can do IS the major selling point of the Firefox add-ons ecosystem and therefore IS one of the last remaining selling points of Firefox itself that isn’t purely ideological.
Needham reassured any developers who were concerned about the changes, saying Mozilla reiterates its "commitment" to the add-on development community, and will continue to work with developers "in porting extensions, designing new APIs, and creating innovative new add-ons that make Firefox great."
Needham also said that Mozilla will continue to post additional resources in the weeks and months to follow that will outline these changes in greater depth, as well as providing support via the Mozilla Developer Network, IRC (in #extdev), and the extension developer group.