About the browser addon privacy and open-source

38kAXHdP · December 20, 2021, 6:35pm

I have Firefox as default browser and my main concern about the add-ons are the privacy as we don’t have some control over which websites can be accessed like in Chrome and LanguageTool is obviously the type of extensions that need access to everything we type to work, which includes potential sensitive data like login credentials. Even Grammarly had some problems in the past with security.

Currently, LanguageTool is one of the recommended extensions by Mozilla, which gives a lot of trust, but I’m still skeptical because of the source code. If there is a direct contact between the devs from Mozilla and LanguageTool, can you share some details ?

Another way to solve this issue, if I understood everything correctly, would be using the special interface that is already available (Request the right permissions | Firefox Extension Workshop). The development burden could be huge, though.

Also, I would love to hear the details on the decision of abandoning the open-source model.

dnaber · December 20, 2021, 8:28pm

Mozilla has access to the source code, and it is reviewed manually for each update. Sometimes, the reviewer (it’s not always the same person) has a question and contacts us.

The server part is still Open Source (minus the Premium features), but we cannot Open Source the add-on, as then competitors would just use it without ever contributing anything back, leaving us with all the development effort and cost.

38kAXHdP · December 20, 2021, 10:27pm

By access to the source code, do you mean a special access with NDA to the codebase you work on (or something equivalent) ? If I remember correctly everyone can access the source of a extension like we can access the “source” of a webpage, which can be obfuscated and etc.

I understand. I just find difficult having to trust blindly in some extension with all these (necessary) permissions when the company is not that large with big customers. 1password is a example of a company with closed-source extension that I trust because we can find a lot of news everywhere when some problem happens, I can’t say the same for LanguageTool.

Anyway, knowing that Mozilla gets to review the code every release would be more than enough for me.

dnaber · December 21, 2021, 8:06am

They get a ZIP file with the source (in a state that can be built with a single command) for every release.

38kAXHdP · December 21, 2021, 9:15pm

For anyone looking for details:

So every extension needs to submit their source code in a readable format. The advantage of the Recommended Extensions are:

Strict adherence to AMO’s add-on policies. If security concerns arise, developers must be responsive to addressing fixes.

Work with staff to polish user experience issues (e.g. copy edits, user flow optimization, etc.)

Address bug fixes in a timely manner.

Another thing is that ordinary extensions don’t need review before every update like how it’s done with Recommended Extensions.

dnaber · December 24, 2021, 10:45am

Hi Graham, there’s no need to post both to the forum and to the github bug tracker. Please post bugs only to the bug tracker.

grahamperrin · December 24, 2021, 12:34pm

Thanks, and apologies, the intention was not to spam.

(I read, somewhere, first, that the Forum is preferred for bugs. Then read that bugs should be posted either to GitHub, or to the Forum. Then read that GitHub is preferred … then GitHub only.)