My Favorite Firefox Extensions
40 points by alexelcu
Really the only thing I would describe as indispensable beyond ublock origin is Consent-o-Matic: https://addons.mozilla.org/en-US/firefox/addon/consent-o-matic/ which automatically declines those slimy “cookie consent” dialogs.
I never installed this or similar plugins as I wasn’t sure if they’d actually “decline” these prompts in GDPR-proper way. As in: if the plugin is actually capable of setting all required options to “disable” state and posting it.
Publishers are using dark patterns wherever possible. The “accept” button is always some green or otherwise friendly looking button. The “decline” option is a shady looking, unpleasant button. Often there’s a dropdown, where the victim has to explicitly unset stuff like “marketing purposes”.
It’s all absolutely user-hostile everywhere. How can I trust an addon/extension can catch up on the per-site hostile requirements and actually do what’s needed?
Consent-o-matic is designed to actually express your consent, including rejecting everything it can.
There are some dodgy just-approve-all extensions, but this isn’t one of them.
You can just enable EasyList Cookies in uBlock Origin, you don’t need other extensions.
Hmmm… I think it’s better to decline than hide, but I’m not sure it’s better enough to justify a whole separate extension.
I have the opposite opinion — it’s better to hide than it is to decline, as long as it doesn’t break the website. And uBO’s lists seem to be well-behaved thus far.
The reason is that, while I love the GDPR, law enforcement has been slow. It does happen, with tangible results, the web is different and better as a result (and I really don’t want to get into that discussion, again, please), however, not all interstitials are lawful.
For instance, the interstitial from IAB tries to claim “legitimate interest” on things that can’t be a legitimate interest. If it’s in the IAB interstitial, it means those are third-parties engaged in an ad-bidding platform, which means any legitimate interest claimed is BS. This is the reason for why I won’t use Microsoft’s Edge browser because when you first open the browser, they claim they’ll share your data with the entire advertising industry (using IAB’s interstitial), while claiming a legitimate interest on things like inferring all devices you use based on your location.
The GDPR is clear — consent is opt-in. If you don’t reply, that’s the same as a “Reject All”. And an explicit “Reject All”, at least in my mind (IANAL, etc.), is an explicit acknowledgement of their bullshit legitimate interests. From a law perspective, it really doesn’t matter, but from a technical perspective, not replying may mean blocking those ad-bidding requests altogether (since they have to wait for an answer first). So, no, thanks, I’d rather hide it if possible.
That, plus if you can afford to hide them, the UX is better because hiding is faster.
OTOH Consent-o-Matic may be more generic or may break fewer websites, but I couldn’t tell, as I haven’t used it for long.
What I think I’d like is an extension that blocks all cookies for a website if a cookie consent popup is detected. (It would also block the popup.)
Pretty much all sites have cookie modals. And these are usually made to be annoying, as some kind of retaliation against privacy protection regulations. Users are deliberately annoyed to blame regulators, not privacy violators. But on the topic at hand: blocking all cookies would render your browser pretty much useless around online stores and even forums. Take lobste.rs as an example: you possibly wouldn’t be able to post the above comment if your browser did not send the “lobster_trap” cookie alongside. Wiping all cookies when you restart your browser is an option, but “blocking all cookies” would render your web experience read-only.
I may check that out. I’ve been using ublock’s cookie list to hide them. Given that I’m in the US I have zero expectation that cookie consent matters for my privacy, but being explicit can’t hurt.
Another one I like & use is Don’t Fuck With Paste, which is useful for getting around those odd websites that still block pasting your password for “security”.
One of the nice things about iOS Safari is that this is built in.
Edit: I was wrong.
I’m pretty sure I’ve run into issues with that on iOS Safari a bunch of times trying to paste passwords from Keepassium, so I just checked again.
Trying to paste into an input like:
<input type=password onpaste="return false;">
doesn’t work for me. I’m long-pressing and then choosing paste, and it just does nothing.
Does that work on yours? How do I activate it?
It’s especially annoying since I can’t use web inspector (requires a macOS device in addition to an iOS device) nor install firefox addons to get around it, like I do on desktop.
I tried on the JSFiddle linked from the extension page and it worked. I’m travelling and don’t have easy access to a page with an onpaste handler like you describe.
Edit: I thought it might be an input method difference, but I get the same behaviour on the iOS default keyboard and Gboard.
Note that the link in the addon description is accidentally wrong, they meant to link https://jsfiddle.net/aaronraimist/6qrnwcjp/ but included extra text at the end.
With the extra stuff at the end, it redirects to a jsfiddle account login page, which doesn’t have anything preventing paste. Maybe you’re pasting into https://jsfiddle.net/user/login/ instead of the user’s jsfiddle?
You’re right. That new link doesn’t work for me on iOS. Sorry to have spread misinformation.
I have a slight fear of browser extensions. What stops one going rogue and sending everything it has access to back to some server? “Talk to a third party server” isn’t even a permission extensions have to request, it’s just always allowed, which seems bad to me!
TBH if you aren’t afraid of browser extensions it’s probably because you haven’t thought it through all the way. Anyone remember “Stylish”?
I’ve only got three installed, and one of those is packaged by Debian so at least in theory there’s some code review going on. And one is developed by a university, so somewhat less likely to get sold off to a scammer vs something developed by an individual.
And apparently malicious “polymorphic” extensions can also shape shift to impersonate your password manager:
(This is for Chrome but bad enough.)
“Talk to a third party server” isn’t even a permission extensions have to request, it’s just always allowed, which seems bad to me!
I wonder why this is (assuming it is). Firefox seems to be able to block access to other APIs just fine. Apparently Firefox knows whether JS that is being executed is coming from an extension, even if it is running on the same page in seemingly the same context as other JS. I’ve assumed it is some kind of data tainting.
I wrote an extension called “vi editing mode”, to add vi-style editing to all textareas/inputs on a page, with minimal interference, and with minimal permissions. Access to the clipboard is optional, requested on first use. I made this in part because other vi-related plugins (like vimium) were asking many permissions for all their non-editing functionality. My extension “only” needs “Access your data for all websites”. Which still sounds bad. But you would think “it has access to data, but can’t send that data anywhere, because it doesn’t ask for networking permissions”. How is a user supposed to know that “addon can do arbitrary network requests” is the default? Firefox also doesn’t show all the permissions an application is not asking, so it’s hard to understand the consequences of the permissions it does ask…
Btw, when installing an addon, Firefox asks for permissions, and has a “learn more” link pointing to https://support.mozilla.org/en-US/kb/permission-request-messages-firefox-extensions. That does not say anything about network access. The explanation about “Access your data for all websites” also doesn’t mention the risk of exfiltration of that data, which to me implies that wouldn’t be possible.
FYI, my addon is at https://addons.mozilla.org/en-US/firefox/addon/vi-editing-mode/. With code at https://github.com/mjl-/vijs and an introductory blog post at https://www.ueber.net/who/mjl/blog/p/vi-editing-mode-addon-for-firefox/. There is also a version for chrome (it’s the same code and I think even (essentially) the same manifest JSON).
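To make the permission prompt discussion concrete, here is a constructed manifest (an added example, not the vi-editing-mode addon’s own manifest or any other real extension’s) for a “select text to translate” style extension of the kind mentioned in the thread. The API host and the addon id are placeholders. Because the content script matches every page, Firefox shows only “Access your data for all websites” at install time; the single API host it may call from its own context is subsumed by that and never surfaces to the user, which is exactly the visibility gap being discussed. The optional clipboard permission is only prompted for on first use.

```json
{
  "manifest_version": 2,
  "name": "Select-to-translate (constructed example)",
  "version": "0.1.0",
  "description": "Runs a content script everywhere; calls one placeholder API host from the background context.",
  "browser_specific_settings": {
    "gecko": {
      "id": "select-to-translate@example.invalid"
    }
  },
  "permissions": [
    "https://api.translate.example.invalid/*"
  ],
  "optional_permissions": [
    "clipboardRead"
  ],
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["content.js"]
    }
  ],
  "background": {
    "scripts": ["background.js"]
  }
}
```

The host entry under "permissions" only constrains fetch() calls made from the extension’s own background context; it does not stop a content script from making the page itself load resources from anywhere, so narrowing that list is a review aid, not an exfiltration boundary.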
It may be that as glesica mentioned you have to specify up front which domains the extension can access. But the user doesn’t get to see these. For example I have a “select text to translate” extension, which must talk to Google. But the only permission it has is the “Access your data for all websites” one.
As you say there’s a huge difference between “access your data, but just process it locally” and “access your data and send it off to these domains” (or any domain). I don’t know why a distinction isn’t made here, it would be really useful.
Because it’s basically impossible. If an extension gets the right to modify pages, it does not need to talk to anything itself; it can just make the page do it (e.g. by injecting images loaded from a controlled server with data stuffed into URLs).
I only use extensions with a public repo and preferably a community around them and I try to somewhat keep up with development on the most important ones. Just as with any other software. And when feasible I often prefer userscripts over a full extension since those are easier to review and manage myself.
In theory, you could solve this problem by building extensions from source and only installing the updates after you’d had a moment to review the changes in the last release. But Mozilla makes this a royal pain; they really really want you to install from their signed repository only, to the point where stuff you built and reviewed yourself cannot be permanently installed, it uninstalls when your session ends.
This is potentially a net win for the average user but it’s a huge step backwards for anyone who cares about code review and audits.
Firefox ESR is much less painful in this regard. Before I go forward, I need to point out: I consider Firefox to be spyware nowadays, and am testing out alternatives like LibreWolf and Zen. I don’t recommend using Firefox.
With Firefox ESR, you can write /usr/lib/firefox/distribution/policies.json (Debian - location may differ on your setup) before first browser launch. It’s a headless setup invoked with first browser launch. When launched, it will automatically install defined extensions, disable saving credit card details, telemetry, crapware like Pocket, etc. The only thing that you can’t change via this policy file is the search engine. But, installing DuckDuckGo extension changes the search engine, so you can bake your own extension to do only that.
I have a script that runs Packer to bake EC2 AMIs with fresh Firefox versions, and it injects this policies file. I use these VMs to open potentially dangerous websites, which I don’t want to risk opening on local devices. Packer creates AMI and - when needed - terraform creates disposable EC2 based on this AMI and exposes their desktop via VNC. When I log into these temporary systems, the browser is opened for the first time and briefly installs fresh extensions.
The configurability of this stuff is quite impressive: policy-templates.
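A minimal policies.json of the kind described above, as an added example (not the commenter’s own file): it force-installs uBlock Origin from AMO, blocks every other extension so a user of the disposable VM cannot add an unreviewed one, and turns off telemetry, Studies, Pocket and credit card autofill. Key names are the ones documented in Mozilla’s policy-templates as I recall them; check them against the ESR version you actually deploy, since keys are added and removed between releases.

```json
{
  "policies": {
    "DisableTelemetry": true,
    "DisableFirefoxStudies": true,
    "DisablePocket": true,
    "AutofillCreditCardEnabled": false,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Extensions are baked into this image; nothing else may be installed."
      },
      "uBlock0@raymondhill.net": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
      }
    }
  }
}
```

After first launch, about:policies shows which entries were accepted and flags any key the running version does not understand, which is the quickest way to catch a typo in an image build.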
If you have a developer account and the chops to do it there’s no reason you can’t install a private extension. I have a bunch of them. What Firefox does is kill the open folder, non-packaged or signed developer extensions that are per Firefox session.
I’ve built a couple Chrome extensions and, as I recall, I had to specify in the manifest which domains the extension could make requests to. I’m sure there’s a wildcard and that a lot of extensions just request it, but, again, as I recall, the capability to limit that does exist.
With hat: former Tridactyl webextension developer
Even if you limit your permissions to some domains you can still get a lot of information about what the user is doing on other domains from the various browser.* APIs, iirc.
Tab containers is one of the first I install. It’s really useful for separating work and personal accounts for google/ms logins. I also use it for keeping different test users in their own tab. https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search
I am a bit surprised to not see NoScript having been suggested yet. Apart from uBlock, this one is essential to my web browsing.
uMatrix is no longer developed but I’m surprised how long it’s continued to function in my Firefox profile. I find it even better than uBlock.
Some of my essentials that are not mentioned in the post:
You don’t need a separate reddit redirector if you have Reddit Enhancement Suite. It includes the old reddit enforcement.
Dark Reader
I choose Dark Mode Website Switcher for testing. It doesn’t make up “dark styles”. It just switches only the browser’s preferred color scheme.
uBlock Origin
It’s hard to imagine how horrible the web would be without this. I should probably try for a day, just to get a feeling for how many people are experiencing the web…
I also have privacy badger and https everywhere. And I’m happy with temporary containers and multi-account containers. Sites that are allowed to keep state get their own (multi-account) container, some URLs automatically open in their own per-site container, but for others with their container I want to have to do so explicitly, defaulting to a temporary container.
You don’t really need Privacy Badger with uBO. It’s no longer dynamic, since that can be used for fingerprinting, and uBO’s lists are up to date.
And HTTPS Everywhere is now baked into the browser. Go to Firefox’s settings and search for HTTPS-only Mode.
It was similar to this one for me: https://smcleod.net/software/2022/05/16/firefox-addons-2022/ Discussed at https://lobste.rs/s/2ubno5/my_recommended_firefox_addons_for_2022
Here are four more I like that I don’t think you mentioned:
A while back I wrote my own extension, too: “What opened this” shows which page I opened a new tab from.
A few years back I adapted the old Aardvark bookmarklet into a Firefox extension Aardvark Deux. It allows in-view editing of pages. Sites without print style sheets or with subpar print style sheets are my main use for it. It can also be helpful for when sites don’t test in Firefox and have some misaligned element above what you’re trying to view. All credit for the idea goes to Rob Brown for writing the original bookmarklet.
Cool list! I have to admit the bangs everywhere extension looks a bit odd to me. You can already do that with the Firefox search settings; for example I have @pcgw for searching stuff in https://www.pcgamingwiki.com/wiki/Home. So I type @pcgw quake into the Firefox search bar and it uses that site to search. I think you can set them to start with ! too.
Firefox isn’t synchronizing Search engines. The desktop version supports “keywords” for bookmarks, which are synchronized, but those aren’t supported on Android. I’m using 3 laptops and 2 Android devices, so setting up custom search engines on all of them is a PITA.
Another reason for why I like bangs is that they work as a suffix, too, whereas search keywords only work as a prefix.