tridactyl / tridactyl

A Vim-like interface for Firefox, inspired by Vimperator/Pentadactyl.

Home Page: https://tridactyl.xyz


Tridactyl has been delisted from addons.mozilla.org

bovine3dom opened this issue · comments

edit by glacambre on October 22 2019: Steps have been taken to reinstate Tridactyl on Mozilla's addon store. In the meantime, you can still install Tridactyl by following these instructions.

--

An addons.mozilla.org (AMO) reviewer has demanded that we edit every user's user.js to revert any changes they might have possibly made via fixamo. The reviewer has also ordered me to remove fixamo from my RC file.

My position is this:

  1. I believe that the mere act of reading user.js without the user's consent is a large breach of trust. The filename alone strongly hints who owns it.
  2. Many users will have decided to set these settings themselves (user.js is a good way of keeping your Firefox settings stored under version control and keeping them synchronised between machines).
  3. The risks introduced by fixamo are so minor (in my understanding, it could potentially allow extensions to install other extensions and make changes to a user's Firefox profile; i.e. nothing that any old-style extension couldn't do) that it does not warrant this breach of trust.
  4. The risks introduced by fixamo would have to be really huge before it was worth the browser being very hard to use on addons.mozilla.org.
  5. Blocking Tridactyl would not solve the "security issue" anyway, as it would not revert the change.
  6. I would be happy to work with Mozilla to find a compromise solution, with the caveat that I am exceptionally busy this month. I'm already pretty fed up with how much time this has taken up for what I really believe is a non-issue (the proof of which is that I have the fixamo settings still running myself!).

Mozilla's position appears to be:

  1. fixamo introduced a severe security issue.
  2. Tridactyl did not sufficiently document how severe of a security issue it was before recommending it to users.
  3. The issue is so severe that it overrides the "no surprises" AMO policy.

If I can find the time, I'll push an update that mentions this issue on the new tab page so at least some users get some prior warning.

I'll include the full transcript of the discussion with the reviewer below:

More information requested by AMO reviewer 6 days ago

Thank you for removing the "fixamo" command from the add-on (in your repository). Please also remove the command from your rc file (fef58f5#diff-2eee6b5a0e6a1a2d81ecd725b12e2c8dR81-R84). Users should not ever do this, and you do not clearly state the implications and dangers these settings come with. We also need you to automatically revert any changes you made to Firefox profile, as overriding webextension restrictions pose a serious security issue. If you cannot detect whether those changes were made by your add-on or not, you need to revert them for all users. Please provide an update that addresses this within the next two weeks. Thank you.


Developer Reply by Oliver Blanthorn 2 days ago

Hi,

Sorry for the delay in replying. I'm right in the middle of writing up my thesis and prodding the other developers to make sure they were OK with this reply took a little time.

Thanks for taking the time to look at Tridactyl. The more eyes on it, the better!

We have two concerns with your requests:

  1. My RC file really is my RC file; I don't want to lie to users about what is in it. I see two alternative approaches: I am happy to add a comment of your choosing above the command explaining the issues you see with it; or we can change fixamo in Tridactyl itself to instead redirect addons.mozilla.org to addons.mozilla.org. which is not a privileged site.

  2. The idea of editing a file, especially one called "user.js", on a user's machine without their consent makes me deeply uneasy. I would also argue it directly contravenes the "no surprises" policy on the AMO. I instead suggest that we add a command to Tridactyl that reverts the changes and include a prominent message on the new tab page to users who have the native messenger installed (and therefore could have chosen to run fixamo) with wording of your choosing suggesting that the users may wish to run our command that reverts it.

Please let me know if you think this approach is sound and the wording (or link to a blog post etc if one exists?) of any warnings you would like us to supply. Once we agree an approach, the implementation will take of the order of weeks as I'll have to squeeze it in wherever I can fit it.

Thanks,

Oliver & the other Tridactyl devs


More information requested by AMO reviewer a day ago

You cannot have the add-on do anything that severely compromises the security of the entire Firefox profile. Therefore, we need you to remove all tooling support for overriding those critical preferences.

The "fixamo" command already edited a file on the user's machine without properly explaining the consequences and security implications. To restore the original level of security, the preferences must be reset after install without user interaction.

We reserve the right to start blocking affected versions of your add-on for these severe security violations after August 21.


Developer Reply by Oliver Blanthorn a day ago

I do not believe it severely compromises the security of the entire Firefox profile. Add-ons before WebExtensions could access the AMO fine and the sky did not fall in. I am happy to be corrected on this. If you have any specific explanations you would like me to provide to our users, I would be happy to pass them on.

We cannot tell which users ran our command and which did not; user.js is commonly used by our users (they're weird) to make their own modifications. We are not prepared to edit that file without their consent; that would be malware.

As I'm sure you know, blocking affected versions of the add-on wouldn't 'fix' anything, as the file the users chose to change is user.js, which would remain even if the extension was uninstalled. I don't know what you are hoping to accomplish with that threat.

I am prepared to reach a compromise in good faith. I am unwilling to waste any time on this so I will not commence work on the compromise solution I mentioned earlier until we have reached an agreement.

Thanks,

Oliver


Reviewer Reply by AMO reviewer about 23 hours ago

If you'd like to explain to users that the add-on no longer offers that functionality, that's fine with us.

As I said before, if you can't tell which users ran the command and which didn't, you have to reset the pref for all users. You already modified the user.js file without proper documentation or disclosure, so you should be able to revert that to re-establish the security boundaries that have been put in place to protect users.


Developer Reply by Oliver Blanthorn about 23 hours ago

As I've said before, I am not prepared to edit users' own files on every user's machine just because they may have run a command which I do not believe seriously reduces their security. That would be a disproportionate breach of trust which I am not prepared to commit - unless you can persuade me that it is proportionate.

fixamo was opt-in, so I think having a command which reverts it be opt-in with prominent advertisement is a perfectly reasonable suggestion (and a generous donation of my time given that I genuinely believe this is a non-issue). You would need to do a better job of persuading our users that it is a real security issue worth the considerable inconvenience of their browser UI not working on those pages.

Related: #1773.

As a user who prefers to do "weird" stuff with my machine with full knowledge that it means any issues I run into are my own to deal with, how can I (and others who feel the same) reach out and let whoever is behind this know that I support your position in not messing with my configurations without my explicit consent?

There aren't any official channels. I'd rather not get into the business of directing an angry mob anywhere; on the contrary, I think the less time Mozilla has to spend supporting our weird use-cases, the more likely they'll be to continue to support them. Perhaps giving this issue a thumbs up might help? I guess that could be misconstrued...

The policy on blocking is here - https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Blocking_Process - and makes it clear that it's totally at Mozilla's discretion. I posted this issue mostly as a courtesy to our users as it didn't seem right to keep this deadline a secret.

I also wanted some feedback on whether people found the idea of changing files without consent as icky as I did.

I agree changing user.js without user interaction sounds like something to avoid.

As an anecdote, before v1.0.0, qutebrowser used to have a qutebrowser.conf file which got edited automatically in some scenarios (when using :set, but also on upgrades, etc.). This is why the split configuration files approach was introduced: An autoconfig.yml which is adjusted automatically (:set/:bind commands, settings UI, migrations on upgrades, etc.) and an optional config.py file which users can hand-write and qutebrowser never touches unless the user runs specific commands like :config-write-py.

A user.js file sounds like something to be written by hand (and the wiki page you linked confirms that) - so having a :setpref command to change it semi-automatically seems kinda okay, but automatically messing with it definitely does not, IMHO...

I think icky is better than blocked :D
Will be annoying for those who really wanted these settings in user.js, but can reapply manually after tridactyl reverts it.
Probably people storing stuff in user.js are advanced users anyway.
Just need to put up warning, on the new tab page, about how the file was changed IMHO

I'm also of the opinion that icky is better than blocked. The suggested prominent note on the new-tab page could help people get the behavior they used to have back, while appeasing the Mozilla security team and keeping tridactyl around.

There doesn't seem to be a solution which keeps the user.js file untouched, and also keep tridactyl in AMO. So I'd rather keep tridactyl in AMO and edit user.js by hand after whatever update makes this change.

I do appreciate that sentiment - one of the core developers is also of that opinion. However, there is another snag: it quite clearly falls foul of the computer misuse act in the UK.

Perhaps if I mention that to the reviewers they will be more willing to find another solution.

I don't like that they are (ab-)using their monopoly position on plugin distribution to try to strongarm you here. That's exactly why a lot of the community disliked the lockdown of the plugin ecosystem. Everything you did was in good faith, and you immediately reacted to their complaint. No reason to start threatening you, especially with such a short deadline.

Regarding a solution: Maybe an active prompt ("Mozilla asked us to remove the fixamo option for security reasons. We noticed that the option xyz is set in your config.js, though we can not confirm that it was set by tridactyl. The mozilla team recommends to remove that option. Would you like to remove it? [Y/n]") would work as a compromise?

Although this is a shitty situation with no perfect solution, I agree on the sentiment that an icky Tridactyl is better than a blocked one. Good luck on your thesis and thanks for doing this outstanding work!

I would say silently changing user.js is very bad. But in the end the users will notice and activate again.

Better alternative would be a big visible red box/banner, on new tab, after the next update. With a shortcut to unfixamo.
Otherwise, saying that the user.js changed automatically With a link to the explanation. And a wiki page to enable it again manually, with the proper "security risks" noted.

Is it possible to back up user.js before resetting it? If so, then it's possible to notify the user where his backup file is and what the recommended change to it is. At least this way users won't lose their files. As far as I can see, it also complies with Mozilla's demands. Yes, users will be a little annoyed by that, but it's a lot better than having tridactyl blocked completely.

Regarding a solution: Maybe an active prompt ("Mozilla asked us to remove the fixamo option for security reasons. We noticed that the option xyz is set in your config.js, though we can not confirm that it was set by tridactyl. The mozilla team recommends to remove that option. Would you like to remove it? [Y/n]") would work as a compromise?

It's a good idea, but I'd be worried about how long it would take to implement that. Using window.confirm() would speed it up quite a bit but comes with lots of its own issues (mostly that it would look really really dodgy).

Keeping a backup would be easy but wouldn't make it any less illegal.

You might want to take the angle with the AMO reviewer that the security impacts of fixamo are made obvious to anyone who was actually able to change their user.js through it, because in order to actually do it, people had to install the native client which has the sole and clear purpose of getting around all the restrictions imposed on extensions for security.

Because I don't think the reviewer quite gets this.

Anyway, if they do remove it, seems like someone could just "fork" (wink wink) Tridactyl (is "Petradactyl" taken yet?) with an explicit stated goal and description of being like Tridactyl, but with all features that Mozilla considers security-weakening either removed or behind clear warnings.

It's a good idea, but I'd be worried about how long it would take to implement that. Using window.confirm() would speed it up quite a bit but comes with lots of its own issues (mostly that it would look really really dodgy).

What about: Opening a new tab (like many extensions do on upgrades to show changelogs/project news) and:

  • Request the user to choose either option. Maybe even making the config removal button huge, green and focused by default and the "skip" option small and grey with a huge warning (if that makes AMO happier) and require an answer before Tridactyl is enabled.

or

  • Tell the user that AMO is requiring Tridactyl devs. to remove such and such settings from user.js. And that to continue using Tridactyl you need to accept its removal and list the changes (about to be) made so the user can revert them back manually?

Both ways would need explicit action from the user, so it would not be illegal anymore.

I replied to the reviewer just now:

Dear reviewer,

How do you feel about the following compromise?

  1. Tridactyl 1.17 scans user.js for the fixamo lines if the native messenger is installed
  2. If the fixamo lines are there, we immediately open a tab with a large message that explains the issue and has two buttons (large, green and default: "Disable/Comment these lines in user.js and prefs.js", smaller and red: "I understand the risks and do not wish to remove these lines"). Exact text for explanation and buttons can be provided by you.
  3. If the user clicks the green button we comment out the old lines and add new code that will set the default values and prompt them to restart. On restart we can confirm that the right values are in prefs.js and remove our lines setting the default values from user.js.
  4. If the user clicks the red button we don't scan or ask again.
  5. If the user makes no selection we keep prompting them every time they restart the browser (or, if you feel it is very serious, we pick the green button for them after N notifications).

If you are unwilling or unable to disclose why fixamo is so dangerous (for point 2) because of undisclosed bugs, please say so and link those bugs to us when they are disclosed because we are curious :)

We are concerned that altering what is clearly external user configuration without explicit consent (as we believe you have asked us to do) may be a breach of the UK Computer Misuse Act 1990 (Section 3, link below). Our interpretation is that by changing prefs.js and user.js, we will be "impairing the operation" of Tridactyl, Firefox and potentially other add-ons. Additionally, by modifying the files unexpectedly we "impair the reliability of data".

We would also appreciate a response on whether automatically redirecting users who opt-in from e.g. addons.mozilla.org/* to addons.mozilla.org./* is acceptable to you.

Both Oliver and I are very busy. We would appreciate your prompt response on both counts if you would like us to write the code to do this.

Computer Misuse Act: http://www.legislation.gov.uk/ukpga/1990/18/section/3

Sincerely,
Colin

We also hit the front page of hacker news, which is unfortunate. https://news.ycombinator.com/item?id=20716963

I made the following summarising comment there:

I am one of the developers of Tridactyl.

This dispute is because Tridactyl used to provide a function that users could choose to run that would change two of Firefox's settings (the kind you find in about:config). Changing these settings allows addons to run on e.g. addons.mozilla.org and accounts.firefox.org where they otherwise cannot. The change we made is the same change that several blogs had already talked about and suggested.

Here is a relevant bugzilla thread that motivated the creation of the blacklist that we turned off, so you can see what Mozilla thinks: https://bugzilla.mozilla.org/show_bug.cgi?id=1415644

A mozilla employee informally asked us to remove this function for security reasons (and we did). Later, an AMO reviewer asked us to change users' Firefox config automatically to remove these settings. We would rather this were made an explicit choice for Tridactyl users and we're trying to negotiate a compromise with the reviewer.

This is the only plausible route to exploitation of this situation that I know of, assuming a user acting before we removed the fixamo command:

  1. You manually install Tridactyl
  2. You manually install our native messenger
  3. You manually run a command called fixamo or you manually find and install our exemplar RC file that explicitly says at the top that you should read and customise it because it does things you might not like; and then you don't read or edit it
  4. You also manually install a malicious addon
  5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org
  6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).

My view is that you're pretty much fucked if you install a malicious addon with <all_urls> anyway (and many addons request that permission), so this slight extra capability you get if you successfully phish someone in this pool of <1000 people isn't a big deal.


Some people have opined that our documentation for the command was not explicit enough. My opinion is that it's good enough and about on par with other resources that talked about the same settings. It would be better if it was more explicit about the security risks, but we provided fairly complete information about what we were doing and a link to the source code.

This is the documentation we provided:

In the "Webextension caveats" section:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

In the docstring for fixamo, partially displayed if you type fixamo in the commandline and also included in the help pages we encourage users to use with e.g. :h fixamo:

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

You can find these messages in src/excmds.ts at commit 92e1b00

We also included a variant of the fixamo command in the exemplar .tridactylrc file (not used unless you have also installed the native messenger and also explicitly found, downloaded and installed the exemplar). This file includes this text at the top:

"Provided only as an example.

Do not install/run without reading through as you may be surprised by some of the settings."

And this text right above the fixamo line:

"Make Tridactyl work on more sites at the expense of some security"

Somebody linked this bugzilla bug in the HN thread too, which is the most complete description of the potential issues arising from disabling restrictedDomains that I know of. https://bugzilla.mozilla.org/show_bug.cgi?id=1415644
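The scan-and-revert procedure proposed in the reply to the reviewer above (scan user.js for the fixamo lines, comment them out, write the default values back, and the later suggestion of a magic comment that lets a user opt out of the change), worked through as an added example. This is not Tridactyl's own code and the native messenger's real file handling is not shown. It assumes user.js lines have the form `user_pref("name", value);` as in the docstring quoted above, that the stock default for block_mozAddonManager is false, and that the caller supplies the installed Firefox's stock restrictedDomains list (it varies by version, so a short placeholder list is used here). The sample user.js is constructed. The opt-out marker `tridactyl: keep fixamo` is hypothetical.

```javascript
// Added example (not Tridactyl's code): pure functions over the text of a
// Firefox user.js that find the two preferences :fixamo used to write,
// comment them out and append lines restoring the defaults. Reading and
// writing the file and prompting the user are left to the caller.

// What :fixamo wrote, per the docstring quoted in the thread.
const FIXAMO_PREFS = {
  "privacy.resistFingerprinting.block_mozAddonManager": true,
  "extensions.webextensions.restrictedDomains": "",
};

// Hypothetical opt-out marker (the "magic string" idea from the thread): a
// user who wants to keep the settings puts this in a comment in user.js.
const KEEP_MARKER = "tridactyl: keep fixamo";

// Matches `user_pref("name", value);` where value is JSON-compatible
// (true/false, a number or a double-quoted string).
const PREF_LINE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$/;

function parsePrefLine(line) {
  const m = PREF_LINE.exec(line);
  if (!m) return null;
  try {
    return { name: m[1], value: JSON.parse(m[2]) };
  } catch (_) {
    return null; // not a value we understand; the line is left alone
  }
}

// Lines that set a fixamo pref to exactly the value :fixamo wrote. A user who
// set restrictedDomains to their own non-empty list is deliberately not matched.
function findFixamoLines(userJs) {
  const hits = [];
  userJs.split(/\r?\n/).forEach((line, i) => {
    const p = parsePrefLine(line);
    if (p && p.name in FIXAMO_PREFS && p.value === FIXAMO_PREFS[p.name]) {
      hits.push({ lineNo: i + 1, name: p.name });
    }
  });
  return hits;
}

// Returns { changed, text, hits }. `defaults` maps each pref to the value to
// restore. The caller should keep the original file as a backup before
// writing `text` over it.
function revertFixamo(userJs, defaults) {
  const hits = findFixamoLines(userJs);
  if (hits.length === 0 || userJs.includes(KEEP_MARKER)) {
    return { changed: false, text: userJs, hits };
  }
  const hitLines = new Set(hits.map((h) => h.lineNo));
  const out = userJs.split(/\r?\n/).map((line, i) =>
    hitLines.has(i + 1) ? `// disabled by tridactyl: ${line}` : line
  );
  // user.js only ever *sets* prefs: commenting a line out does not clear the
  // value already copied into prefs.js, so the default is written explicitly
  // and takes effect on the next restart.
  for (const name of new Set(hits.map((h) => h.name))) {
    const value = JSON.stringify(defaults[name]);
    out.push(`user_pref(${JSON.stringify(name)}, ${value}); // tridactyl: restored default`);
  }
  return { changed: true, text: out.join("\n"), hits };
}

// Assumed defaults: the real restrictedDomains default is the list the
// installed Firefox ships, so read it from about:config rather than using this.
const ASSUMED_DEFAULTS = {
  "privacy.resistFingerprinting.block_mozAddonManager": false,
  "extensions.webextensions.restrictedDomains": "addons.mozilla.org,accounts.firefox.com",
};

// Constructed sample: a hand-written user.js that also ran :fixamo.
const SAMPLE_USER_JS = [
  "// hand-written user.js",
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);',
  'user_pref("extensions.webextensions.restrictedDomains", "");',
].join("\n");

function demo() {
  return revertFixamo(SAMPLE_USER_JS, ASSUMED_DEFAULTS);
}
```

Matching on the exact values :fixamo wrote is what keeps the change proportionate: a user whose user.js sets restrictedDomains to a list of their own, or who left the opt-out marker, is not touched, and the unrelated homepage line survives untouched. Writing the default back (rather than just deleting the line) matters because user.js is applied on top of prefs.js at startup; the old value would otherwise remain in prefs.js.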

We've just had a reply from the reviewer to cmcaine's "forced choice" suggestion mentioned above. I'll quote the reply in full:

This approach is not acceptable for us. The revert needs to happen automatically.

What if someone did not use fixamo to introduce the changes? Should Tridactyl refuse to work within a browser configured so? Because I don't see you working as a remote armed police enforcing specific settings. If Mozilla doesn't like these settings – why do they even exist in the first place?

Anyway – for another solution, convoluted, I know. But maybe Tridactyl could check if the offending settings are present (and there's no Tridactyl OK setting set too – see below), and refuse to work unless:

  1. the user manually edits the user.js file to remove the offending settings;
  2. Tridactyl on the next start sees that the profile is good to go and sets its own setting marking the profile as OK to run on (this setting should of course be set on profiles not having the offending settings, and just continue working there normally);
  3. the user can then manually add these settings on their own, if they choose to do so.

That puts a lot of work in users' hands, but we are power-users and I think we can manage doing it, for the sake of having Tridactyl still running on our browsers. I believe that the userbase having the settings present is not 100% and doing nothing will punish the whole userbase, not only these ones who have this offensive stuff set on.

Based on their latest response, it seems that the only real option that keeps tridactyl in the AMO is to automatically remove the lines from the user.js file, as the Firefox security team is requesting.

As a user of tridactyl, I'd much rather keep tridactyl in the AMO and hand-roll my user.js file over having it taken out of the AMO and then doing...who knows what. I am really happy that tridactyl exists and that I get to use firefox with it, so doing a little manual editing of a file to get advanced functionality is far preferable to not having tridactyl at all.

I defer to the devs, though, for what they are comfortable doing, and have time for.

What does "blocking affected versions of your add-on" mean? The current version does not add anything to user.js, so it seems there would be no grounds for blocking it, only old versions that had the fixamo command. There is no argument that installing the current version of Tridactyl poses any security risk.

What about removing/resetting the setting from the file unless there is a comment in the file matching a specific magic string, like /* tridactyl: I understand and do not want the change Mozilla is coercing you to make to this file */?

If they disable Tridactyl, there's a good possibility I'll be reverting to pre-Quantum and using Vimperator. I feel like Mozilla forcing me to do that is causing a much bigger security vulnerability than fixamo ever could have.

Unsigned extensions can be installed in a variety of ways which we'll be sure to enumerate if it comes to it.

I’m sorry that you are having so much trouble with the mozilla guys.
This is so much bullshit and making me quite angry / disappointed. If they think that “Users should not ever do this”, then why do these settings even exist? This is clearly their responsibility and not tridactyl’s, especially as it was opt-in only.

Tridactyl is honestly the best part about firefox and I wouldn’t be using firefox without it.

If there is anything we can do to help, please let us know.

I found this issue because Firefox wanted to update and my first reaction was, "I wonder how they're breaking Tridactyl this time."

Edit: ...was Tridactyl disabled or broken? So far I'm putting off updating.

Tridactyl may be delisted at the end of Friday this week. Probably central european time.

If Tridactyl is delisted you will notice because it will be disabled (but not uninstalled) in about:addons.

As an existing user you will probably just need to re-enable it.

They might completely blacklist my AMO key from Firefox, in which case you will need to tell Firefox to accept unsigned addons to keep using Tridactyl (there's a shell script that does this by extracting omni.ja and modifying a line or you can use dev or nightly) or wait for a Mozilla-acceptable fork or revision to emerge on AMO.

Updating Tridactyl should be safe whenever. Mozilla will block it by pushing a new blocklist to your browser, which is a different thing to addon updates.

Ah, thanks.

(It was Firefox that I was afraid of updating, not Tridactyl.)

you will need to tell Firefox to accept unsigned addons to keep using Tridactyl (there's a shell script that does this by extracting omni.ja and modifying a line or you can use dev or nightly)

Accepting unsigned addons through use of somebody's sketchy shell script -- what a wonderful security practice Mozilla is driving me towards! (◔_◔)

Thanks again for the update, as well as for the addon, even if it is so very dangerous for all the tech-illiterate elderly folk who habitually install vim emulators for their browsers.

I'm new to Tridactyl, so forgive my ignorance.

I don't really get the rc file part. Is/was that file automatically executed? Did it automatically call fixamo? What was the fixamo even used for? To enable hjkl keys and the rest of the extension on addons.mozilla.org? And in the meantime it enabled any extension to do what it wants. The severity of the security implication is debatable, but I guess it is >0 (i.e. it does introduce some insecurity), and if that is the case, I really don't see why you have/had the fixamo function - or am I the only person who uses addons.mozilla.org once every 100 years?

As I said, forgive my ignorance, but as a new user I don't feel I understand the situation 100%.

Also, isn't accepting the address bar popup of installing an addon beyond the control of any addon?

Is/was that [rc] file automatically executed?

Only if you installed Tridactyl's native messenger (an external executable you can install with :installnative) and copied said rc file to either $HOME/.tridactylrc or $XDG_CONFIG_HOME/tridactyl/tridactylrc.

Did it automatically call fixamo?

No, you had to manually add a call to the :fixamo command to your rc file for it to run :fixamo.

What was the fixamo even used for? To enable hjkl keys and the rest of the extension on addons.mozilla.org?

To enable running Tridactyl and any other extension you might have installed on Mozilla's websites. Some of these websites are listed here: https://bugzilla.mozilla.org/show_bug.cgi?id=1445663

I really don't see why you have/had the fixamo function - or am I the only person who uses addons.mozilla.org once every 100 years?

Different people, different needs, different security requirements.

Also, isn't accepting the address bar popup of installing an addon beyond the control of any addon?

I think so yeah.

I'll just repeat what cmcaine said above as it is fairly well hidden - the security risk is thus, as far as we know:


This is the only plausible route to exploitation of this situation that I know of, assuming a user acting before we removed the fixamo command:

  1. You manually install Tridactyl
  2. You manually install our native messenger
  3. You manually run a command called fixamo or you manually find and install our exemplar RC file that explicitly says at the top that you should read and customise it because it does things you might not like; and then you don't read or edit it
  4. You also manually install a malicious addon
  5. That malicious addon doesn't have permissions for <all_urls> (otherwise it can steal your banking credentials without tridactyl's help) but does have permission for accounts.firefox.org
  6. That addon can then steal your firefox account credentials and use them to e.g. mess with your synced settings and e.g. download your passwords database (if you don't have a master password set).

I don't believe there is any specific risk with the AMO itself as the other setting we toggle disables the magic parts of the AMO (which is on window.navigator.addon... when you visit addons.mozilla.org).

Mozilla has a point in that we didn't explain the (in my opinion comically tiny) risk to your Firefox account, but they could have just asked us to explain that. There is a possibility that there is some horrendous embargoed bug they're not telling us about, but if that was really the case they should just patch Firefox and not try to use Tridactyl as a weird, slow, backdoor.

I spend a moderate amount of time on the AMO whenever I make a Tridactyl release. fixamo definitely improved my life in a small way.

I hate to say this as I completely agree with your argument and approach, but if Mozilla won't compromise it's best to just do as they say, with the minimum of fuss and effort, a user.js backup, and very clear indication to the user of what's being done. The potential strife for the user, the devs, and Mozilla is all much less severe this way than if Tridactyl goes off AMO.

Unfortunately capitulation seems to be the best path forward. You've done nothing wrong and the reviewer's tone was very unprofessional, but Mozilla isn't wholly to blame for the situation either; mistakes happen far more frequently than ideal solutions, and since the issue is security the rigid response isn't entirely unreasonable. AMO's hands are likely tied by legal, protocol, manpower, or as you suggest a potential vulnerability and it would be terrible to see harm come to the community over this. Ultimately their demands are what is best for the users now, though it could really REALLY have been handled better... Just remember, at the end of the day Mozilla are good people and we owe 'em a lot, and making the sacrifice here to clean up their mess falls under "act of good will" despite this reviewer's zealous prosecution.

We have sent an appeal to the AMO admins and are awaiting their response.

The text of the appeal message is:

To the AMO admins,

I'm writing to you on behalf of the Tridactyl dev team to request a review of our reviewer's decisions regarding our addon. Our reviewer is one of you, reviewer, which we know is a bit awkward.

I explain the context below, but our requests are these:

  1. Please accept our compromise position of prominently notifying all impacted users of the potential risks of the fixamo command and requiring them to opt-in again to the setting if they want to keep it
  2. Please clarify that you will not delist or disable versions of Tridactyl that do not contain the fixamo command as a response to this review

We also object that despite us raising several concerns, suggesting alternatives and asking questions of reviewer, they provided no additional comment or justification for their judgements.

Brief context

Tridactyl is an addon that provides a keyboard-driven, more vim or emacs-like, interface to most functionality in Firefox. Because it is frustrating to have your preferred interface not work on some domains, we introduced a command called fixamo that uses our native messenger to set the restrictedDomains config variable to the empty string by editing the user.js file. To mitigate risks to our users, we also set block_mozAddonManager to prevent exploitation of privileged functions on AMO.

If one of our users wanted to run this command, they had to find it in our help pages or discover it with tab complete; install our native messenger; and then run the command. Our documentation for this command explicitly says that it will edit the user.js file and what two config variables it will edit (see appendix A for our documentation).

At the informal request of a member of the firefox security team, we removed fixamo.

reviewer then left a review asking us to automatically restore the restrictedDomains variable for all users who had already run the command.

I summarise that below. The full transcript is available in the review comments for 1.16.2 and 1.16.3 here: https://addons.mozilla.org/en-US/developers/addon/tridactyl-vim/versions

Our understanding of reviewer's position

Changing the restrictedDomains setting can allow malicious addons to get firefox account credentials which can be used to steal passwords, browser history, upload malicious addons to AMO, etc, etc. reviewer believes this is such a big vulnerability that "users should never do" it and that Tridactyl's documentation didn't document the risks well enough so users have not made an informed choice. reviewer believes that we should restore the default values automatically without asking the user and that if we cannot detect whether those changes were made by us, we need to revert them for all users.

Our position

We do not think that delisting Tridactyl or blacklisting versions that do not contain fixamo fixes the reviewer's complaint about the risks of restrictedDomains, so we don't think that those actions are justified as responses to this review.

We are willing to show a prominent and annoying notification to our users until they decide if they want to undo fixamo or not. We are happy for you to give us some text for us to quote here.

We do not agree that "users should never do this". We think that using our interface on addons.mozilla.org especially is quite useful to us (the developers) and to some of our users and that the marginal risk that a malicious addon can steal a user's firefox account instead of just their amazon, paypal, banking, etc. accounts is a reasonable risk to take.

We do not want to edit the user.js file without the explicit consent of the user unless the security issue is very serious and urgent. Users of our native messenger put a lot of faith in us to not misuse that power and we think that automatically reverting changes that a user has made to a file that we otherwise only edit in response to explicit user action is an unexpected behaviour.

In addition, we are concerned that altering what is clearly external user configuration without explicit consent may be a breach of the UK Computer Misuse Act 1990 (Section 3, link below). Our interpretation is that by changing prefs.js and user.js, we will be "impairing the operation" of Tridactyl, Firefox and potentially other add-ons; and by modifying the files unexpectedly we "impair the reliability of data".

Computer Misuse Act 1990 Section 3: http://www.legislation.gov.uk/ukpga/1990/18/section/3

Appendix A: our documentation of fixamo

In the "Webextension caveats" section:

To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains.

In the docstring for fixamo, partially displayed if you type fixamo in the commandline and also included in the help pages we encourage users to use with e.g. :h fixamo:

Simply sets "privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""
in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites.

You can find these messages in src/excmds.ts at commit 92e1b00

We also included a variant of the fixamo command in the exemplar .tridactylrc file (not used unless you have also installed the native messenger and also explicitly found, downloaded and installed the exemplar). This file includes this text at the top:

Provided only as an example.
Do not install/run without reading through as you may be surprised by some of the settings.

And this text right above the fixamo line:

Make Tridactyl work on more sites at the expense of some security

I'd like to suggest making the warning visually different in the new-tab text. I must admit that I rarely read what's there, because it's never why I opened the tab in the first place. I only noticed it today.

Thanks for trying to come to an amicable outcome with Mozilla's reviewers. Being the Grumpy Reviewer myself in other contexts, I can appreciate that they're also trying to keep their users on the safe side as well.

Thanks

I am curious if there is any way to overstep AMO's authority? If not, an angry mob should be deployed to settle the discrepancy. Did I mention, I am really good at making protest signs? If you need me, my markers and crayons await.

I need tridactyl in my life...

Did it already get de-listed?

Because I just installed Firefox on a new computer and Tridactyl doesn't seem to be showing up in the addon/extension search for me (I don't sync settings between devices, I install extensions manually anew on each computer, in case that matters).

Please someone tell me that I'm just being dumb and missing something.

@mentalisttraceur Yup, looks like it has been delisted. I think you can still install the betas though: https://tridactyl.cmcaine.co.uk/betas/?sort=time&order=desc

@glacambre Yep, that works, thank you!

And with that: I've kept my comments to strictly the issue at hand so far, but at this point I have to rant a bit:

I'm now a Firefox user only by coercion - while no one is intentionally coercing me, not having any better option is circumstantial coercion.

Mozilla has shown a persistent pattern over several years now of breaking use-cases of users like us.

Across a variety of actions, bug report discussions, and design decisions, their thinking is not meaningfully distinguishable from willful non-compassion and flawed reasoning about users like us.

Whether or not that is actually the case, or just the side-effect of them making hard but perfectly rational and ethical choices given what they have to work with, for me as a user, the effect is the same:

A proven risk that at any moment they will break my ability to have a web browser that meets my needs, again, and then again, over and over with no end in sight.

The moment that Qutebrowser or another contender is reliably usable on each system I use, I'm switching to that, unless there is a committed change in direction from Mozilla.

A Vimperator/Tridactyl style extension is so essential to efficient powerful browser usage, so all of us are painfully affected.

What do we do now?

Is Tridactyl still fighting to exist?
So do we wait?
or petition a letter of complaint to Mozilla?

Or is the termination of Tridactyl final?
-In which case, where is the recommended place to migrate to?
-Vimium on Chromium?
-Or does Pentadactyl still exist and produce "nightly builds"? (though I don't know how to install these)
Or is there another similar app?

For now, I've downloaded a beta "xpi" file, and installed tridactyl manually (surprisingly easier than expected).

> -Vimium on Chromium?

FYI, Vimium also exists for Firefox, and seems to work fine.

> Or is there another similar app?

https://github.com/qutebrowser/qutebrowser#similar-projects has a list (and qutebrowser itself of course).

As far as I understand, Tridactyl has just been hidden on the AMO and people with it currently installed are fine. I imagine I'd have more upset people on here if it had been removed from all installations.

The beta XPI is subject to exactly the same policy as the one (no longer) listed on the AMO, so could well be blocked whenever Mozilla feels like. It's really quite stable and we have many thousands of users who use it happily.

Even if Tridactyl was totally blocked by Mozilla, it wouldn't be the end of it. There are many ways to install extensions which have not been signed. It might be slightly trickier to use Tridactyl in a corporate environment with a particularly draconian security policy.

Honestly, the thing I'm most upset about here is the hundreds of positive reviews that have been wiped off the face of the earth (edit: unless we can persuade Mozilla to relist Tridactyl). That just seems cruel.

I would be interested in the followup communication after the appeal. It seems to me that Tridactyl devs acted pretty responsibly and the demand from Mozilla to overwrite user.js contents without warning was not responsible.

There was a reddit thread that was deleted right after an AMO reviewer went on a tirade. I'm really disappointed. What the hell is going on? Is this something personal between devs and reviewers? https://www.reddit.com/r/firefox/comments/cwikeh/tridactyl_has_been_removed_by_mozilla_from_amo/

No. Our interactions with all reviewers assigned to our case have been polite and professional. I don't know what was up with /u/rctgamer3. I think they're probably just a rude fool and I encourage you to join me in paying them no mind whatsoever.

Sorry for the lack of updates.

The short of it is that our appeal was unsuccessful and the second reviewer also wants us to remove set csp clobber and any other features that "weaken the security of Firefox".

With some reluctance, the balance of core tridactyl developers agreed that we would amend the addon so that it can be listed on the AMO again.

Probably I will release a PR for this sometime next week, but I am extremely busy and this is not a priority to me.

To my knowledge, no existing tridactyl users should have had their addon disabled or removed and the betas still work fine, so that should tide people over until we get around to resubmitting and the AMO reviewers reapprove us (assuming that they do not decide that some other thing requires adjustment).

For a little more detail, here is an excerpt from a post I made on HN:

After appealing the first reviewer's decision, we appealed to the amo-admins who basically said "we agree with reviewer 1 and will reject affected versions of the addon".

Apparently they have decided that all of our addon versions ever are affected (which is not really true) and have delisted the entire addon.

Further, they have asked us to also remove another opt-in feature that disables some CSP protections so that Tridactyl can insert its own UI into e.g. raw.githubusercontent.com. This is required because webextension content can still be blocked by a site's CSP setting, supposedly this is fixed in Firefox 69, but our testing is inconclusive and the new Firefox ESR is 68 anyway.

Our intention is to make tridactyl compatible with the AMO reviewers' requests for the sake of our users, but we're all very busy and none of us really wants to make these (in our opinion) overly invasive and unnecessary changes.

Our understanding is that users who have already installed Tridactyl will continue to have it installed and that new users will not be able to install it or find it on the AMO (where it has been removed with no explanatory text), but they can follow instructions on our github repo to install it fairly easily.

We believe that the AMO reviewers' choices do not serve the community and that a more suitable response would be to ask us to display prominent warnings over these features for our users and ask for their re-informed consent for their continued use.

We also note that loads of other extensions (including Mozilla-recommended addons) talk about the very same config settings that we have been delisted for on their AMO pages.

Just deleting the features and undoing the changes for all users (as Mozilla has asked us to do) means that Mozilla is forcing our users to adopt a risk model and level of risk aversion that I think is not actually appropriate for the majority of our users. If we want to trade a little security for functionality we should be able to do that.

And, for the record, here are the emails from the second reviewer:

Hi Colin,

thank you for getting in touch. I have reviewed your case and consulted with my team. Unfortunately I come to the same conclusions as reviewer 1.

I feel that the documentation around that command does not sufficiently highlight the risks, and changing these prefs in itself impairs the safe operation of Firefox. Removing the prefs will allow a malicious add-on to sign add-ons on behalf of the user, install any number of further add-ons without user consent, among other consequences.

Users without the technical background knowledge will only understand that the command makes your add-on work for addons.mozilla.org, which seems favorable, without being made aware of the risks.

Our preferred solution would have been for you to revert the prefs only for those users who have run the fixamo command. If you don't have data about this we will need you to do the next best thing, reverting the changes for all users.

If you are concerned about user expectations, you can provide a prominent notice that you are resetting the preference, but it must not provide for a way for the user to cancel reverting the changes. I am happy to review the wording.

I understand your frustration about this issue, it is always dissatisfying when asked to make changes you don't agree with. Please understand we consider changing these prefs a serious security risk, which is why we are asking you to revert these changes.

We will need you to post a new version that resolves these issues on the timeline previously mentioned. On Monday I will proceed to reject the versions affected. Our page at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/What_does_review_rejection_mean_to_users provides more information on what this means for your users.

I'm sorry I couldn't respond with a different resolution and hope for your understanding.

Kind Regards,
reviewer 2

My response:

Hi reviewer 2,

Thanks to you and your team for your quick response.

Would you be willing to sketch out some text for our users on why the resetting has to be automatic rather than something they can choose?

Could you also clarify what versions of Tridactyl you consider to be affected?

Kind regards,
Colin

Their response:

Hi Colin,

if you could make a proposal for us to review I'd appreciate it. I will have to check on Monday which versions are affected.

Their comment on AMO review:

As previously announced, I am rejecting all affected versions. Please upload a new version that doesn't contain any policy issues nor provides means to circumvent Firefox security features. On a related note, I've come across https://github.com/tridactyl/tridactyl/blob/master/src/lib/requests.ts#L21-L31. Changing and removing CSP directives this way is also considered a security issue that needs to be resolved. To be clear, the next version must not contain any measures that will weaken the security of Firefox.

Despite the comment on that function, a close reading will demonstrate that we only change the style-src and sandbox property and that we chose not to adjust the script-src settings. On an unrelated note, this code also uses my csp-serdes library, which I quite like ;)

Changing sandbox is potentially dangerous, but unfortunately required on e.g. raw.githubusercontent; changing style-src isn't too bad. Personally, I do not use csp clobber. If you need it, I'd recommend only using it on select sites (:h seturl) that you know won't be affected too much.
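The "close reading" invited above can be done mechanically. The following TypeScript is an added example, neither Tridactyl's code nor the csp-serdes library: it parses two Content-Security-Policy headers, reports which directives a rewrite changed or removed, and rates a touched script-bearing directive or a dropped sandbox as dangerous (a bare `sandbox` also blocks script execution). The headers are constructed samples, not captured responses.

```typescript
// Added example, not Tridactyl's code and not its csp-serdes library. Audits a
// rewritten Content-Security-Policy header against the original and reports which
// directives changed, so a reviewer can confirm that only style-src and sandbox moved
// while script-bearing directives were left alone.

type CspPolicy = Record<string, string[]>; // directive name -> its source-list tokens

function parseCsp(header: string): CspPolicy {
  const policy: CspPolicy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    if (!(name in policy)) policy[name] = tokens.slice(1); // browsers keep the first occurrence
  }
  return policy;
}

// Directives that govern what script can run or where it may load from: loosening any
// of them hands the page to site-controlled code, which no add-on should do.
const SCRIPT_BEARING = [
  "default-src", "script-src", "script-src-elem", "script-src-attr",
  "object-src", "worker-src", "base-uri",
];

interface CspDiff {
  changed: string[];       // value differs between the two headers, or added by the rewrite
  removed: string[];       // present only in the original
  scriptTouched: boolean;  // a SCRIPT_BEARING directive was changed or removed
  sandboxTouched: boolean; // sandbox was removed or its flags altered
}

function diffCsp(original: string, rewritten: string): CspDiff {
  const before = parseCsp(original);
  const after = parseCsp(rewritten);
  const names = Object.keys(before).concat(Object.keys(after).filter((n) => !(n in before)));
  const changed: string[] = [];
  const removed: string[] = [];
  for (const name of names) {
    if (name in before && !(name in after)) removed.push(name);
    else if (!(name in before) || before[name].join(" ") !== after[name].join(" ")) changed.push(name);
  }
  const touched = changed.concat(removed);
  return {
    changed,
    removed,
    scriptTouched: touched.some((n) => SCRIPT_BEARING.indexOf(n) !== -1),
    sandboxTouched: touched.indexOf("sandbox") !== -1,
  };
}

// Coarse rating for the audit (my categories, not an AMO rule). A bare `sandbox` also
// blocks script execution, so removing it is rated with the script-bearing directives.
function rateCspChange(d: CspDiff): "none" | "non-script" | "dangerous" {
  if (d.scriptTouched || d.sandboxTouched) return "dangerous";
  if (d.changed.length + d.removed.length === 0) return "none";
  return "non-script";
}

// Constructed samples (not captured headers). The original models a raw-file host that
// allows nothing but inline style; the rewrites are the kinds of change under discussion.
const ORIGINAL_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox";
const STYLE_ONLY_CSP = "default-src 'none'; style-src 'unsafe-inline' 'self'; sandbox";
const CLOBBERED_CSP = "default-src 'none'; style-src 'unsafe-inline' 'self'";
const OVERREACH_CSP = "default-src 'none'; style-src 'unsafe-inline'; script-src 'unsafe-inline'";

function auditLine(label: string, rewritten: string): string {
  const d = diffCsp(ORIGINAL_CSP, rewritten);
  return `${label}: changed=[${d.changed.join(",")}] removed=[${d.removed.join(",")}] rating=${rateCspChange(d)}`;
}

console.log(auditLine("style-only", STYLE_ONLY_CSP)); // rating=non-script
console.log(auditLine("clobbered", CLOBBERED_CSP));   // rating=dangerous (sandbox removed)
console.log(auditLine("overreach", OVERREACH_CSP));   // rating=dangerous (script-src added)
```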

I am frankly astonished that a developer is trying to negotiate and push back after a browser vendor said "you've silently compromised our users."

@StoneCypher your language betrays flawed analysis. Firstly the computers belong to the users who chose to install Tridactyl. Presumably the technical users who opted in to running fixamo could probably read. Secondly nobody was compromised. I don't think that word means what you think it means.

@StoneCypher, I am frankly astonished that a user tried to complain and push back after a browser vendor very helpfully informed them about USA Network's hit new drama series Mr. Robot. You know, since we're apparently ignoring the possibility that a browser vendor might ever be wrong.

@StoneCypher I have explained in this thread why we think this is a very minor vulnerability and what our documentation for the feature was.

I also dispute that we did anything silently. The feature was opt-in and our documentation was actually better and the suggestion to use the feature was less prominent than in many other addons who feature the advice on their store pages on AMO. Some of those addons are recommended by Mozilla, so one has to imagine that they have been reviewed.

This feature isn't actually all that dangerous. What is dangerous is installing a malicious addon and once you do that you already lose all your credentials on almost any site you sign into. Setting restricteddomains just upgrades that "almost" to include some firefox sites as well.

Fuck Mozilla, being as bad as Google thinking that the Internet has to be homogenized like this.

I've hidden a comment on this thread. Please don't use this thread for venting about Mozilla.

They're a good company making great open source software. The AMO rules and processes aren't what we want, but I believe the reviewers do just want users to be safer. They just have differing opinions about how unsafe users should be allowed to make themselves and what counts as properly informed consent for security-weakening actions.

I have a question to maintainers regarding this issue. Will you create a lite version for AMO in case no compromise solution with reviewers will be found? I want to use AMO in order to have a sync of my settings.

@Crandel see cmcaine's comment a few posts up:

> With some reluctance, the balance of core tridactyl developers agreed that we would amend the addon so that it can be listed on the AMO again.
>
> Probably I will release a PR for this sometime next week, but I am extremely busy and this is not a priority to me.

I think both the beta and stable versions currently still have access to the sync storage. Do you have evidence to the contrary?

It was brought to my attention earlier today that the delisting from the AMO has probably broken updates on the stable branch. Last time we checked we had a large number of users (approx 1 in 4) on versions of Tridactyl that had a serious security issue, thanks to the confusing way the AMO handles updates for both developers and users.

We have two branches: for Firefox stable, anyone reading this on 1.15.x should update immediately to the latest version (see readme.md for links - you can just open the XPI with Firefox and it will update).

For Firefox ESR (most likely Debian users), anyone on 1.14.0 <= v <= 1.14.6 should use this file which I had to source from a user (thanks ecksun :) ) as we had assumed the AMO would be a safe place to store them. You can be sure it's genuine as it has been signed with our key.

Both AMO and beta can use sync storage, but they keep separate storages, which may have been what Crandel was talking about.

I actually found out about tridactyl from a reddit post about its removal from AMO and I found this project very interesting and powerful. I have a lot of firefox instances and would like to have this extension everywhere. Sorry for this noob question(

> Please don't use this thread for venting about Mozilla.

Aww, but what if I really need to vent?
http://www.weike1000.net/wp-content/uploads/u/u-alluring-air-venturi.jpg

;-)

Do I get it right that in your "fixed" version you will reset the mentioned prefs for all your users, and do it exactly the way Mozilla insist (enforce it on everyone without consent)? If you will, will there be a separate non-beta version without any malware enforced by Mozilla, albeit not in the store?

The preferences will only be reset if they're set via user.js, which is an uncommon way of setting it. Most people would have set it via about:config. We'll probably not revert anything if there's anything other than the lines from fixamo in that file as that's reasonable evidence that Tridactyl didn't put them there. We'd do the same thing with the beta version because that's easier and Mozilla have asked us explicitly. We would do it via a config upgrade so it would only ever run once and if people had not had Tridactyl installed before. We would tell people loudly what we've done if we did revert anything and why we did it. (I still maintain that this appears to contravene the Computer Misuse Act but apparently I'm the only person old-fashioned enough to care about that sort of thing).

We may provide unsigned builds and submit them to various distribution repos some day as the AMO makes it difficult to maintain multiple versions at once.

There are lots of other places to discuss Mozilla. Every reply to this issue is sent to about a hundred people.

I've started writing the fix.

We will try to identify only users who have run the fixamo command and have not otherwise modified their user.js (AMO reviewers may ask us to change this).

We will show these users a page explaining what we've done, the security implications of the setting in case they didn't already know, and ask them to restart to apply the change. We will specify exactly what changes we have made, so if our auto detection failed or you're sure you don't want the changes, you can revert them easily enough.

We will only do this once per firefox profile (we'll save a flag in local storage or something).

The process for csp clobbering will be similar but without a restart and a different security message (it would be nice to try to establish the real risk level, but I'll probably just say that some sites you visit may be vulnerable to XSS if you clobbered csp).

I don't know what remedy will be available for users if they really want tridactyl to work on sites with csp = sandbox. The easiest one is just wait for firefox to fix the bug (but our preliminary testing suggests it is still broken in FF70). Another reasonable option is to loosen the CSP in a way that is very safe, but that requires some thought and experimentation, and who knows whether the AMO reviewers would accept it anyway.

Intrepid users will always be able to roll their own with creative use of jsb if they really want (because jsb can do almost anything a webextension with tridactyl's permissions can), but I don't know if we will provide instructions.
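As an added example that is not Tridactyl's own code, this TypeScript models the procedure described in the comment above: detect a user.js that contains nothing but the lines fixamo wrote, reset those prefs to their defaults, run at most once per profile, and produce the explanation text that spells out the exact change. It assumes fixamo wrote ordinary `user_pref` lines; the restrictedDomains default it writes back is the list bovine3dom quotes in this thread, and it writes defaults rather than deleting lines because Firefox has already copied the user.js values into prefs.js.

```typescript
// Added example, not Tridactyl's own code. Models the once-per-profile "unfixamo" the
// thread describes: act only when user.js holds nothing but the lines fixamo wrote, write
// the default values back, and report the exact change so the user can undo it.
// Assumption: fixamo wrote ordinary Firefox user_pref(...) lines for these two prefs.

// Raw JS literals as they appear in user.js.
const FIXAMO_PREFS: Record<string, string> = {
  "privacy.resistFingerprinting.block_mozAddonManager": "true",
  "extensions.webextensions.restrictedDomains": '""',
};
// Values written back. Deleting the lines would not be enough, because Firefox copies
// user.js values into prefs.js at startup; the restrictedDomains default is the list
// quoted in this thread.
const DEFAULT_PREFS: Record<string, string> = {
  "privacy.resistFingerprinting.block_mozAddonManager": "false",
  "extensions.webextensions.restrictedDomains":
    '"accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,' +
    'addons.mozilla.org,api.accounts.firefox.com,content.cdn.mozilla.net,' +
    'discovery.addons.mozilla.org,install.mozilla.org,oauth.accounts.firefox.com,' +
    'profile.accounts.firefox.com,support.mozilla.org,sync.services.mozilla.com"',
};
const USER_PREF_RE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;

function renderPref(name: string, value: string): string {
  return 'user_pref("' + name + '", ' + value + ");";
}

interface UserPref { name: string; value: string; line: number } // line is 1-based
interface Plan { revert: boolean; reason: string; prefs: UserPref[] }

function planUnfixamo(userJs: string): Plan {
  const prefs: UserPref[] = [];
  const foreign: number[] = []; // non-blank lines that are not user_pref calls, comments included
  userJs.split(/\r?\n/).forEach((raw, i) => {
    if (raw.trim() === "") return;
    const m = USER_PREF_RE.exec(raw);
    if (m) prefs.push({ name: m[1], value: m[2], line: i + 1 });
    else foreign.push(i + 1);
  });
  if (foreign.length > 0) {
    return { revert: false, reason: "hand-written content at line(s) " + foreign.join(", "), prefs: [] };
  }
  const notFixamo = prefs.filter((p) => FIXAMO_PREFS[p.name] !== p.value);
  if (notFixamo.length > 0) {
    const names = notFixamo.map((p) => p.name).join(", ");
    return { revert: false, reason: "prefs fixamo never wrote: " + names, prefs: [] };
  }
  if (prefs.length === 0) return { revert: false, reason: "fixamo lines not present", prefs: [] };
  // Every non-blank line is one fixamo would have written. A user who typed the same lines
  // by hand is indistinguishable, which is why the notice spells out the exact change.
  return { revert: true, reason: "user.js contains only fixamo's lines", prefs };
}

interface Profile { userJs: string; unfixamoDone: boolean } // flag lives in local storage in a real add-on
interface Outcome { reverted: boolean; reason: string; rewritten: string[]; profile: Profile }

function runUnfixamoOnce(profile: Profile): Outcome {
  if (profile.unfixamoDone) {
    return { reverted: false, reason: "already ran for this profile", rewritten: [], profile };
  }
  const plan = planUnfixamo(profile.userJs);
  const next: Profile = { userJs: profile.userJs, unfixamoDone: true }; // flag is set even on skip
  if (!plan.revert) return { reverted: false, reason: plan.reason, rewritten: [], profile: next };
  next.userJs = profile.userJs
    .split(/\r?\n/)
    .map((raw, i) => {
      const hit = plan.prefs.filter((p) => p.line === i + 1)[0];
      return hit ? renderPref(hit.name, DEFAULT_PREFS[hit.name]) : raw;
    })
    .join("\n");
  return { reverted: true, reason: plan.reason, rewritten: plan.prefs.map((p) => p.name), profile: next };
}

// Text for the page shown afterwards: lists the lines now in user.js so the user can put
// the old values back if the detection was wrong, or says why nothing was touched.
function explanationText(o: Outcome): string {
  if (!o.reverted) return "No changes were made to user.js (" + o.reason + ").";
  return ["Tridactyl reset these prefs in user.js; restart Firefox to apply:"]
    .concat(o.rewritten.map((n) => "  " + renderPref(n, DEFAULT_PREFS[n])))
    .join("\n");
}
```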

I believe Mozilla doesn't understand that users who install an addon like tridactyl perfectly understand what fixamo does, even from its name.

When Mozilla decided that some tabs are special, I already considered it a bug that needs to be fixed.

Anyway, a message of Mozilla's choice before fixamo is harmless. It's a pity this is not enough for them.

What I'm more pissed about regarding Mozilla's reaction is that they noticed what they consider to be a serious security threat, and instead of fixing it on their side, i.e. update firefox in such a way fixamo just doesn't work, they ask you to fix their mess, without even really fixing the supposed security threat on firefox side.
I mean... if they don't want to put the hours to fix it on their side, why would they expect their users to do it.

Everything they say is reasonable until "If you cannot detect whether those changes were made by your add-on or not, you need to revert them for all users."

ffs

Would automatically reverting these changes, followed by a passive-aggressive page opening that says "at the demand of a certain Mozilla, we have reverted changes you may have made with our extension via fixamo, as the addon would not be available if we didn't. If you understand the risks these changes entailed, click here to restore them."

It's fucking absurd that you'd be required to do that, but it's the best option if they'd accept it.

I don't think that would be acceptable to them.

As a brief update: I'm currently at a conference so I don't have much time to work on Mozilla's requests. cmcaine said the reversion was proving to be a little more technically difficult than he had expected.

1.17.0 containing code to fiddle with user.js without user interaction as Mozillians wished has been submitted to AMO for review. Thanks to glacambre and cmcaine for arranging it - it couldn't have happened without them.

1.17.0 also removes set csp, another of Mozilla's demands. We'll add our own web request helper so users can recreate that and much more as soon as possible, probably within the month.

Thank you for moving forward.

how long do you expect it to take for the extension to return to AMO? it still doesn't show up in the search...

We didn't pass the first review. I'm waiting for a reply to a query - it appears they want us to remove the resistFingerprinting setting too and I wanted to make sure they were aware of any security implications of that. From past experience that will take a couple of days.

Then it'll be another few working days before we are reviewed again. In total, probably a week or two from now if all goes well.

You are able to install the AMO version of Tridactyl outside of the AMO if you so desire in the meantime - just look back up in this thread.


> it appears they want us to remove the resistFingerprinting setting too

I think you meant restrictedDomains because unfixamo currently reverts resistFingerprinting but not restrictedDomains.

@depressed-pho what makes you say that?

```ts
const restrictedDomains = '"accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,addons.mozilla.org,api.accounts.firefox.com,content.cdn.mozilla.net,discovery.addons.mozilla.org,install.mozilla.org,oauth.accounts.firefox.com,profile.accounts.firefox.com,support.mozilla.org,sync.services.mozilla.com"'
```


@bovine3dom Oh... I think I saw an old diff. Sorry for the confusion.

Hmm still not on amo yet sadly.

Welp... guess I'm going back to Chrome (ick!) which at least has half-baked add-ons that can do some of Vimperator's functionality. Mozilla forced me to leave Firefox when they broke Vimperator and now Tridactyl is gone... so thanks for stepping on users and developers, Mozilla.

Took me a bit but I figured out how to install the tridactyl beta. Firefox and Mozilla drive me insane.

Unfixamo2 blew away some manual changes I'd made to user.js. It's pretty clear your hands are tied on this one, but it would be nice to offer a backup option.

Edit: I'm on the beta, which is why this ran a second time for me; ironic, in that I was running the beta to avoid this issue.

I am really sorry about that. Mozilla repeatedly said that we weren't allowed to provide any options that left the settings intact. I'm not sure commenting them out would have satisfied them.

Could you confirm that it was just block_mozAddonManager and restrictedDomains? Anything else is a serious bug.

Beta was always going to have to have had Unfixamo running: Mozilla would block it from Firefox if we didn't. We could have ignored their demands for the Arch unsigned build but I didn't want yet another permutation of Tridactyl to maintain. I suppose in future we could use AMO signing as a switch to provide Mozilla-compliant code.

@bovine3dom I'm reasonably sure it was just those settings, and if it wasn't, they weren't memorable enough that I'm super concerned. Just wanted to give you a heads-up that the previously-set "I've Already Run Unfixamo" setting was getting overridden, which I presume is already known.

Yep! I submitted a new version late last week. It was accepted this afternoon.

Most of the delay was our fault. The manual reviews from the AMO reviewers only take 2-3 working days.

The update blew away some manually edited things for me too. Mozilla seems to have forgotten what motivated me to use Firefox in the first place: being in control of my own browser.

This information in the README is outdated:

> Tridactyl is currently missing from the Firefox Add-ons website due to a (hopefully soon-to-be-resolved) [dispute](https://github.com/tridactyl/tridactyl/issues/1800). As such the best way to install Tridactyl stable is to extract this [archive](https://archive.archlinux.org/packages/f/firefox-tridactyl/firefox-tridactyl-1.16.3-1-any.pkg.tar.xz) and open the `.xpi` using Firefox.

I'm reading this years after the fact after coming up on it in the documentation, and I already like Tridactyl even more for having read this. Have used Qutebrowser on and off as a secondary browser for a few years now and can't believe I just discovered Tridactyl. Your accountability is very, very refreshing...firefox, not so much. Still never sure how to feel about Mozilla...but it's the lesser of two evils currently...

@hrfried Well put, extremely well put. Firefox is the lesser of two evils. Tridactyl is the only way to experience the web. Been using it for years, and it continually gets better. I cannot imagine life without it. Well... intelligent life anyway.