Apple, Mozilla, Google, Microsoft Form Group To Standardize Browser Plug-Ins

An anonymous reader quotes a report from AppleInsider: The new WebExtensions Community Group will try to forge a common architecture for future web extensions, and is inviting developers to join the effort. The new group, shortened WECG, consists of members from each of the major browser developers. Member chairs are held by Timothy Hatcher of Apple and Simeon Vincent of Google. Current participants include employees from Apple, Mozilla, and Microsoft.

The WebExtensions Community Group has two goals: Make extension creation easier for developers by specifying a consistent model and common core of functionality, APIs, and permissions; and Outline an architecture that enhances performance and is even more secure and resistant to abuse. The group doesn't want to specify every aspect of the web extensions platform or stifle innovation. Each browser vendor will continue to operate independently with their own policies. Developers and browser vendors interested in contributing to the group can join via the W3C website. The WECG has a dedicated GitHub repository with the community charter and work.

Goodbye ad-blockers?

[bluescrn]

If all browsers have the same plug-in system, they can crack down on ad-blocking (without losing users to a browser with better ad-blockers)

Re:Goodbye ad-blockers?

[PsychoSlashDot]

If all browsers have the same plug-in system, they can crack down on ad-blocking (without losing users to a browser with better ad-blockers)

It's wider than that. Any API or ability that any of the partners doesn't want won't make the spec. So what we'd all get is the least feature set accepted by each of them.

Worse, we lose the existing extension ecosystem. Again.

Standards are a great thing most of the time. This time I'm not so interested.

Re:

[markdavis]

>"Standards are a great thing most of the time. This time I'm not so interested."

Agreed. It would be better if the framework is compatible, allowing plug-in writers an easier time porting. But if this proposal is to have some "oversight board" that enforces what plug-ins can and cannot do, I am extremely opposed.

Re:

[Anonymous Coward]

To be fair Microsoft and Apple have been heavily supporting ad-blocking as they see it as a way to weaken their opponents - Google and Facebook.

As such, I'd be amazed if they'd willingly give up what is a clear competitive advantage.

Re: Goodbye ad-blockers?

[fred6666]

They are so supportive of adblocking that internet Explorer never supported it. Mobile Safari doesn't either. Does the desktop version finally support it?

Re:

[EvilSS]

You could get ad blockers for IE, not that it has been in active development for what, 6 years now? Also not sure where you got that mobile safari doesn't support ad blockers. Ad blockers are about the only plugins it does support.

Re:

[fred6666]

I do not have an iPhone, so you must be right. I just remember I read it was not possible at some point. Good thing if they changed that.

Re:

[colonslash]

Relevant xkcd [xkcd.com].

Re:

[thegarbz]

Any API or ability that any of the partners doesn't want won't make the spec.

At present other than Apple the APIs are incredibly bloody similar across the board as it is, as is the capabilities of plugins. If some nefarious crackdown were wanted it would have happened already.

Re:

[mjwx]

If all browsers have the same plug-in system, they can crack down on ad-blocking (without losing users to a browser with better ad-blockers)

I suspect it'll fall apart as each group wants different things, Apple will kick up because it won't get control, Google wants ad revenue, Microsoft wants relevance, each one trying to take what they want from the others.

At best we have yet another standard that no-one will end up using.

Re:

[markdavis]

>"Apple will kick up because it won't get control, Google wants ad revenue, Microsoft wants relevance, each one trying to take what they want from the others."

And Mozilla would want privacy/security/freedom. Google and Apple would be the worst participants. Microsoft, probably more neutral.

Re:

[jenningsthecat]

And Mozilla would want privacy/security/freedom.

Mozilla is circling the drain, thanks to many years of thumbing their nose at the suggestions and desires of formerly-loyal users. Also, it's now impossible to configure it to NOT search from the URL bar. They make it look possible by allowing you to have a separate search box; but the damned thing still searches from the URL box, and about:config doesn't allow you to have a null entry for default search.

So AFAIC they already have one foot over the line into their own vision of privacy invasion. I suspect i

Re:

[fahrbot-bot]

And Mozilla would want privacy/security/freedom.

Mozilla is circling the drain, thanks to many years of thumbing their nose at the suggestions and desires of formerly-loyal users. ...

Are they still on-track for their goal of 0% market share by 2023? :-)

Re:

[lexios]

I'm not a fan of some (actually most) of the recent changes in Firefox either, but it's not quite correct that you cannot disable searches from the address bar. I've got a seperate search bar and I disabled search from the address bar a long time ago, that setting has not been modified/changed with the latest update.

Mozilla support: turn off search in address bar
https://support.mozilla.org/en-US/questions/1219899 [mozilla.org]

The new tab view has a search box in the page, and when you start typing there, it actually

Re:

[jenningsthecat]

Thanks for this. I have a pretty good eye for figuring out the appropriate about:config entry to change just about anything in FF, since for me there's so much that needs changing. So I didn't actually search the Web for a solution, probably because I only use FF when Pale Moon isn't up to the task. Because of a lack of support for plugins I depend on, and the silly UI changes, Firefox simply isn't usable any more as a daily driver for me.

Re:

[bill_mcgonigle]

> If all browsers have the same plug-in system

As long as they offer a core set of API's it's fine. Individual browsers can offer additional API's.

Re:

[AmiMoJo]

If they had any intention of doing that they would have done it years ago.

Besides it's just a standard, nobody has to follow it. Same as, for example, many browsers ignore the standards in cookie handling in order to improve privacy for the user.

Re:

[Dusanyu]

There will always be the forks with built-in ad blocking, those will just become more popular

Re:

[thegarbz]

Oh please. If they actually wanted to crack down on Adblocking they could do so simply at any time. Each vendor has their own product they control and if this kind of cooperation was needed (by companies with wildly different views on ads and tracking and profit motives thereof) then they'd have done so long ago. Also none of this in any way precludes someone just forking one of the open source projects and reincorporating adblocking, so even if your evil advertising illuminati were actually a thing it won'

Welcome to the Chromium web

[xack]

This will just consolidate more of Google’s control. The superficial differences of webkit and Gecko will disappear as they will be required to conform to the same specifications as Chromium from now on.

Expect cross browser malware to be developed. Now Firefox has a fisher price tab system most people will be FLOCing to Chromium based browsers.

Re:Welcome to the Chromium web

[arglebargle_xiv]

Was just going to say the same thing. With Mozilla's endless churn of Firefox as they attempt to drive away any remaining users, about the only reason to stick with it is the extensions. Once yet another breaking API change is implemented it'll be a repeat of the XUL break, half the extensions will never be rewritten for the new API and the other half, since they work just as well with Chrome, will negate even more of Firefox's reason for existing.

Re:

[0xdeaddead]

if I wrote pluggins after the XUL debacle, and the RUSTING thing I'd give up and write for Chrome since it won.

Re:

[markdavis]

>"Was just going to say the same thing. With Mozilla's endless churn of Firefox as they attempt to drive away any remaining users, about the only reason to stick with it is the extensions"

it is important but certainly not the only remaining reason. Firefox still respects privacy/freedom more than Google. There are also more options for customizing it. And, the most important reason is browser diversity- it isn't Chom* (all other major, multiplatofrm browsers that are not Firefox) so it acts as an impo

Re:

[DarkRookie2]

Yes, for now and it there use to be a lot more
I remember a time when you didn't need to edit UserChrome.css and that Classic Theme Restorer actually worked.
How much longer before they stop allowing you to edit UserChrome? I am surprise they didn't remove it in this release.

Re:

[Anonymous Coward]

There's still a few browsers (Palemoon and TOR browser come to mind.) that may not adopt the new API. But, I have to wonder if Chromium's engine getting 99% market share might lead to outsized influence over the W3C and changing html in ways that extinguish remaining dissent.

Re:

[arglebargle_xiv]

Google's already doing that with IETF standards groups (e.g. HTTP/2, 3, TLS 1.3, and QUIC), so it's no surprise they're doing it with browsers as well. Soon it won't be the Internet any more, it'll be the Google Internet.

Re:

[The Wily Coyote]

Fairly sure that most people don't switch browsers because tabs have a slightly different visual appearance.

Re:

[LordHighExecutioner]

> is for somebody to write a full browser as a browser plug-in.

But will the plugin-browser accept plugins ?

Re:

[tepples]

is for somebody to write a full browser as a browser plug-in.

That'd be sort of difficult for resources transcluded from sites that don't provide an Access-Control-Allow-Origin header.

Thats enough evil in one room

[ClueHammer]

to really do some damage and screw us all over.

Re:

[QuietLagoon]

That is why those participating companies like it.

FILESYSTEM ACCESS

[drinkypoo]

The hardest thing to do right...

The thing that both Chrome and Firefox gave up on...

The feature I want.

Extensions used to be able to save web pages in their entirety AS DISPLAYED. This is crucial for researchers (and others) who want to save data from the web without turning it into a PDF, which creates all kinds of other problems.

Then they killed filesystem access for extensions because they were having a hard time getting it right, and anything hard is apparently not worth doing.

Frankly the web is going t

Re:

[lessSockMorePuppet]

It is difficult to get a man to understand something, when his salary depends on his not understanding it.

- Upton Sinclair

Re: FILESYSTEM ACCESS

[bubblyceiling]

Do you really want another backdoor to your files?

Websites are nothing more than unverified code running on your machine.

Re:

[billyswong]

Do you really want another backdoor to your files?

Websites are nothing more than unverified code running on your machine.

In the older days, html+javascript is the easiest platform that children and students can get into. Type / copy&paste plain text into any text editor (e.g. notepad), save it as .htm or .html, double click, and it runs in browser.

But things are harder now. Many scripts won't run correctly if the files aren't served by web server. Modern browsers worry of "unverified code" accessing local personal files without user consents, thus blocking many scripts functionality regarding that.

The wish in grandpa

Re:

[drinkypoo]

Allowing extensions to access filesystem arbitrary is indeed security nightmare. But I believe people are only wishing for a way for an extension to load / save files from a "chrooted" directory.

You got it in one. In olden days FF extensions could still only write to their own subdirs. I also want quota enforcement per-extension.

Re:

[bubblyceiling]

Sounds good in theory, but chroot jails are not impenetrable, as we have seen in the past

Re:

[billyswong]

All web servers are running some form of chroot. Filesystem API for browser add-ons do introduce extra attack surface, but its risk is no more than a ftp server, webdav server, samba server, or nfs server. (pick the safest you want). In theory such server, hosted in a virtual domain, should be invisible and inaccessible to webpages in real domains.

Re:

[bubblyceiling]

Are you trying to tell me Chroot breakouts are not a thing?

Re:

[billyswong]

Are you trying to tell me Chroot breakouts are not a thing?

As said, allowing any form of limited filesystem access "introduce extra attack surface", so I did acknowledge the risk. But breakout of chroot only happens after security hole is found and privilege escalation has occurred. Security hole and privilege escalation can happen to browser with or without filesystem API for add-ons. When those holes and escalation happens and when those holes let malware run arbitrary code, then filesystem API doesn't matter. Even virtual machine is not perfect containerization

Re:

[lexios]

I'm not in anyway associated with this add-on, but I have used it a few times and it seems to do what you want.

Save a complete web page (as currently displayed) as a single HTML file that can be opened in any browser. Save a single page, multiple selected pages or a list of page URLs. Automate saving from command line.

Save Page WE
https://addons.mozilla.org/en-US/firefox/addon/save-page-we/ [mozilla.org]

Re:

[antdude]

Start a new company like when Mozilla after Netscape. Start over! Phoenix v2.

So remember the people from great land of freedom

[junglee_iitk]

This is what cartel looks like. Not the first time, but probably first on the internet.

It is a good thing

[youn]

I am amused about all the posts about nefarious intents and consequences from this move

Here are a few thoughts:
_ For a very long time we had one browser extension API, the netscape plugin API and it was a good thing, it made the development easier
_ Even assuming any browser vendor has malicious agenda, what's to stop them now without a standard
_ This should help smaller developers bring out extensions
_ The fact we have multiple extension standards has not stopped bad actors from creating malicious ones as of today, bringing them together is not gonna magically make things worse

Browser creators have cooperated all the time since the inception of the web. Sure they innovate and go in multiple directions but they have an interest in interoperability and everyone benefits

so yeah, it's a good thing

Re:

[Chozabu]

The concern is that google and others have a good deal of motivation to limit the extension API, breaking adblockers
Whats to stop them now without a standard? nothing https://www.ghacks.net/2019/05... [ghacks.net]
Not sure if the adblock limiter ended up in chrome, and such a limitation on the browser side of the API wouldn't be an issue for FF and others

Overall, I think this kind of standard could be great, but it makes sense that people are concerned about the ways it could go wrong - intentional or not.

Re:

[thegarbz]

The concern is that google and others have a good deal of motivation to limit the extension API, breaking adblockers

A concern which we would take very seriously had they actually done it in their own browser. But they haven't, so we didn't.

Re: It is a good thing

[bubblyceiling]

Absolutely. Extensions have little to no oversight currently.

Re:

[Gravis Zero]

_ Even assuming any browser vendor has malicious agenda, what's to stop them now without a standard

Because competing browsers allow the implementation of ad blockers. If one browser does something evil to block ad blockers then you can move to a new browser. If everyone uses the exact same API then you cannot flee to another browser because you have the exact same problem on every browser.

One more brick in the wall

[FrizzyHairBear]

This isn't about making browser plug-ins better for users.

Attack on ad blockers

[sinij]

This is nothing but a disguised attack on ad and tracker blockers. Which won't be allowed to operate under this new standard.

Re:

[Spamalope]

Also anything that might compete with established players plans/existing arrangements. Imagine a plugin that piggy backs on FB access and allows P2P messaging to anyone else on your FB friends list who also has the plugin, allowing untracked/monitored/thought policed/creepered messaging. (if you can send naughty pics without also giving them to Zuck/Tim Cook/Goog etc that's a selling point for these kids today for starters)

Finally!!!

[bubblyceiling]

Extensions have long been an overlooked part of web security. They have a large amount of control over the browser & the content it displays, and it is overdue to get some standards around them.