By Jake Edge
May 6, 2009

By now, the escalating battle
between the NoScript and Adblock Plus Firefox extensions is fairly
well-publicized. In fact, the LWN comment thread on the topic
has attracted an enormous number of comments—though many are rather
tangential to the actual issue. While the original dispute has been
settled, there are still a few issues to ponder from that incident.

For those who didn't follow the dispute, a review is probably in
order. Both NoScript and Adblock Plus are meant to assist
users in controlling the content that their browsers display. As their
names imply, NoScript is focused on blocking things like JavaScript, Flash,
and the like, whereas Adblock Plus blocks advertisements. There is some
overlap between the two, of course, because much of the advertising on the
web is served via JavaScript and/or contains Flash content.

NoScript's author, Giorgio Maone, uses advertising on the NoScript web
pages to help fund development of the extension, which is part of why the
frequently-updated extension opens a tab on the release notes page after an
update. This particular feature—which can be disabled fairly
easily—is quite annoying to some. Part of that annoyance may be
because of the ads on that page. In late April, Adblock Plus added the
NoScript site to its filter list so that its users would no longer see the
ads. That led to an arms race.

The NoScript and Adblock Plus developers went back and forth, with NoScript
circumventing the filters and Adblock Plus adding new filters to block the
ads. This continued until the Adblock Plus filter fundamentally broke the
NoScript site so that users could no longer even see the links to download
NoScript. This sent Maone around the bend, evidently, as his next step was
to add obfuscated code—though the extent of the obfuscation is
disputed—to NoScript that disabled the Adblock Plus filter for his site.
At that point, Adblock Plus author Wladimir Palant wrote a blistering blog
post about the dispute, which brought it to the attention of many.
Maone quickly backed down, offering a detailed and seemingly heartfelt apology.

In the meantime, though, the folks at addons.mozilla.org (AMO) noticed the
problem and are considering
changes to their policy on legitimate extension
behavior.

It should be noted that AMO did not review the NoScript changes (or,
presumably, the Adblock Plus filter changes) before the updates were made
available to users. As Maone explains, once an extension reaches a certain
level of trust, the AMO reviewers do not check updates—they are
approved automatically. It is unclear how that process works exactly, but
given the number of escalating changes both extensions were making over a
short period of time, some kind of minimal oversight might have noticed
that something was amiss.

For someone of malicious intent, as opposed to someone just exhibiting some
incredibly bad judgment, a Firefox extension makes a pretty tempting
target. Much of what goes on inside the browser involves sensitive information
which users do not wish to have exposed (passwords, browsing history,
etc.). If an extension can get to the point where it can push out
"trusted" updates, without any review, that seems rather troubling.

Some distributions—Debian at least—package Firefox extensions
for their users. Though it isn't a foolproof solution, it does add a level
of review to the code before it gets installed. It probably makes sense
for other distributions to consider doing that as well. Changing the AMO
policy is certainly a good idea, but it will hardly protect against
attackers of various sorts.

While there is nothing wrong with supporting development via advertising,
clearly Maone crossed the line. Adblock Plus users specifically want ad
blocking, so turning that functionality off, even "just" for one site, is
plain wrong. Maone seems to recognize that now and this dispute will
hopefully serve as a warning to other extension authors before they allow
their anger to get in the way of their good sense. For the rest of us,
though, it serves as a reminder that we are sometimes, perhaps even
frequently, installing software in our browsers that has had little or no
oversight.