Firefox's massive overhaul moves to beta

I agree that baseline performance comparisons should be done with stock and fresh instances. You want to eliminate as many variables as possible, including some that may reside outside of a profile and/or involve other software (AV for example). You also have to adjust for feature differences, rule out different content being served to different user agents, so forth. At the end of the day, "performance" is important. Yet you don't want to put too much emphasis on that. Security, privacy, and sometimes even convenience features are virtually always of same or greater importance (when you stop to think about it).

I think @summerheat your comment is worded in a way which would lead people to believe that pref modification (by legacy addon or user) is the likely culprit in terms of degrading performance. I acknowledge that said might be involved in some scenarios. However, I think the far higher probability, and typical cause in addon scenarios, would be addon processing. As in the use of addons that manipulate requests, responses, content and/or UI. Some of which have specific features and/or numerous rules that literally must impact performance.

Mozilla is going from one extreme (all extensions can access/modify all prefs) to the other extreme (no extensions can access/modify any prefs). Which does not equate to "more secure". What it does, like a number of other WebExtension restrictions will do, is improve security/privacy in some ways & scenarios while degrading security/privacy in some other ways & scenarios. Without allowing the user (who is the only one who would know their priorities) to decide where/when an addon having related privileges would make sense and benefit them. That path is a dangerous one. If Mozilla doesn't meaningfully back-fill the gaps that are being created, we're one step closer to the restrictive smartphone problem. Smartphone are "much more secure" according to some, yet in reality and practice they are literally the worst platforms for others. It doesn't have to be, and shouldn't be, that way.

Sorry for the little rant, I'm just very concerned. I'd point out that FF57 is scheduled for Nov 14, 2017. When many will enter a period of less free time plus increased exposures due to holiday shopping etc. That isn't a good time to have to cope with unexpected loss of functionality, especially the non-obvious kind. I hope users are planning ahead.

 

Yes, you're right, my wording was not precise - it's not always modifications in about:config. For example, the trouble caused by Noscript was not caused by a specific setting in about:config but by a bug in its XSS filter.

I disagree here. An add-on that has full access to all prefs can indeed impair the stability and security of the browser. And I don't think that Mozilla is going to the other extreme: There are APIs that will grant specific needed permissions to add-ons. And Mozilla has said several times in the past months that APIs that go beyond the Google Chrome model will be added if needed. It's certainly possible that not all needed APIs will be available in FF 57 but the world won't stop there - development will continue. If you look at bugzilla you'll see that developers like @gorhill are involved in many bug reports. And my impression is that Mozilla is listening to them. But perhaps @gorhill can better comment on that. Btw, another rationale for webextensions is that they will be running in their own sandboxed process(es) which enhances the browsers's security and stability even more - I don't think that would be possible with legacy add-ons.

I know that many users are concerned. But I honestly think that Mozilla didn't have many alternatives to develop a faster, more secure and stable browser (which will still offer many more configuration options via about:config than any other browser). And regarding the tight schedule till Nov 14: As of today AMO shows about 3,500 add-ons compatible with FF57. And I'm sure that many more are in the pipeline of the approval process.

And regarding "planning ahead" - I wonder in which direction? Certainly not Chromium-based browsers as the offer considerably less configuration options. Palemoon? I don't know how many developers they have. But I seriously doubt that they will be able to maintain such a huge code base on their own for the long haul.

 

Look at the bookmark manager in Vivaldi and Opera 12, they are both better, believe me.

 

That's certainly true for me. I use Firefox because there are unique extensions for it that improve usability, for instance Tab Mix Plus. It loads a tad slower than Chrome, maybe because I have far fewer extensions in Chrome, but those few extra seconds don't matter.

 

and that is currently wrong. there are only around 250/260. those you linked are flagged from author as compatible to 57 - in foresee for the legacy model.
but also the other number is too much - go AMO, download a overviewable number of extensions which are flagged as 57 and checkout if it contains a webextension core. i would bet you wont find much - i did not found so many true webextensions.

but there are too much believers to those fanboys.

not the news, but relevant
https://blog.mozilla.org/addons/2017/02/16/the-road-to-firefox-57-compatibility-milestones/

 

Such an extension has the potential to:

1. Make modifications that are harmful
2. Make modifications that are beneficial
3. Not make any modifications to prefs associated with the browser or other addons and just put some of its own settings there. Which bothers some purists yet is welcomed by others (it enables user.js and/or autoconfig to address both browser and extension settings, and also makes it easier to find items of interest through an about:config search).
   
4. Not make any modifications to prefs, but just READ prefs to provide benefit. Such as monitoring for unsafe changes (which may come from Mozilla), auditing, exporting, comparisons
   
5. Other, such as simply providing an improved UI to about:config and applying the user's changes.

I'm kicking myself because about two weeks ago I deleted something I started to create and could post right here. A list of extensions which are doing 2 through 5 things. IIRC, I found two dozen during a quick pass (mostly recognizable names that have been mentioned by people here). I'm sure there were more to be found, plus the unknowable number of private addons and those that are not publicly listed at AMO.

Its dandy to red flag #1 and focus some attention on: what can we do about this? But you have to acknowledge and blue flag the others too: those are legitimate use cases that provide security/privacy/maintenance/other benefits. It is worth noting that addons are an easy to work with format that is cross-platform and can provide GUI and switchable behavior. Which has advantages over static, typo-vulnerable, user.js and autoconfig formats which most users would find daunting.

Only the "specific needed permissions" that Mozilla wants to be supported. They have said that "access to about:config or the preferences" is "very unlikely" and every statement and conversation I've seen has reinforced that. I think it fair to call that swinging to the other extreme, but since we're talking some more and it does relate: There is [planned] some very limited ability to indirectly affect prefs. Examples being Privacy API and Browser Settings API. IIRC, the documentation on those indicated no ability to detect when they change (which is pretty important). I don't think those who are familiar with the richness of the pref system would be impressed by what is implemented or planned at this point. It is a shame they don't leverage a/the permission framework to allow users to decide if it is appropriate for a WebExtension to have full access to prefs.

Well, some controversial decisions have already been made and Mozilla is saying STOP ASKING FOR THIS, NOT GONNA HAPPEN. That includes some functionality that is important to security/privacy addons. A related mindset of some people in decision making positions: addons shouldn't be able to interfere with browser functionality. IOW: addons won't be able to monitor/police the browser. Which would be a major loss, because you want layers and checks/balances. A last example: the logistical/resource nightmare of reviewing all addons & updates plus assuming everyone is a child whose hand needs holding. If an API, feature, permission, whatever is simplistic enough and globally applicable to users and can be automatically reviewed, it may stand a chance. If it isn't, I think there is cause for concern. Some potential consequences for security/privacy addons again.

 

mozilla is gaining control again over its browser - to bad it collides with servo - two deep cuts. under the hood firefox acts like firefox. i don have nbumbers how many percent users are using x extensions. some of them already have a replacement, but 99% have not. the time to develop was to short. something to rant that they are able to run webextension with copy&paste from chrome store - without the chrome store and its authors new firefox 57 would be a total desaster, mozilla never would have cosidered this major change. there is no comparison for that api engine but code can do same and is still not ready to offer (limited) access to the UI. thats why TMP is not fully working or session manager or ... or... 3 month to go. it would need another 3 month to have serious extension base to rely on and firefox will lose user base, for sure.

 

Without responding to all your arguments, let me say just this: I think Firefox is probably the software project that underwent the biggest changes in a relatively short timeframe. Firefox had become a dinosaur - certainly with its merits but still a dinosaur: slow, unstable and insecure compared to newer browsers. Some years ago they started a massive and, at the same time, difficult overhaul: They launched Electrolysis and abandoned it again as they decided to make Firefox faster as the first step. After that move achieved good success they re-launched Electrolysis (e10s) in order to introduce multi-processing with the goal to make FF more stable and safe and to provide the basis for introducing sandboxing. Concurrently with this they started the Servo project where large parts of the code are being rewritten in Rust in order to make Firefox even faster and even more secure.

I think these changes for such a big software project within only a few years are phenomenal, and I sincerely admire the Mozilla engineers for that - particularly against the backdrop of the ecosystem of countless extensions that were incompatible with those changes. Given these massive changes it's quite normal, IMO, that people critisize various aspects - you can't be everybody's darling.

Regarding your remark above: I think it's understandable that Mozilla tries to come to an (preliminary) end of this phase of transition and, hence, does not accept all requests right now. But as I said earlier: development doesn't stop once FF57 is out. And don't forget: There is the Tor uplift project which aims to add all Tor browser patches to mainline Firefox. This confirms that they still take privacy seriously, and that's why I think we can be optimistic that (perhaps not until November) more APIs will be added which are needed for security/privacy add-ons.

 

I would add that I've had electrolysis enabled for the last few stable releases of Firefox with all of my tabs running in separate processes; it has been very stable and I only lost compatibility with one extension

 

Same here. As a matter of fact I'm running Firefox with dom.ipc.processCount = 16 without any problems.

 

Regarding adding APIs: There is a gHacks article today which says:

That article also contains a link to an interesting statement by @gorhill :

 

uBo WebExt
https://addons.mozilla.org/de/firefox/addon/ublock-origin/versions/beta

filter scripts by content is not no longer possible with a webextension (like chrome)

will mozilla pay for it? NO!
google wants a 5 dollar payment to verify authors - mozilla dont. mozilla will get webextensions for nothing, stealing code i would say if not author will submit it. as i wrote (not sure if here) - but mozilla has fortune that webextensions already have been invented otherwise it would be disaster - whether or not the invent a new API for firefox ui (which chrome has not).

all i can say for now that i have to re-vitalize my upcoming firefox profile with features mozilla dropped with the legacy extension model. my chromium is like my current working profile and it is running fine, i dont really miss something (except the BMM). i could start ranting but i'm fed up.

 

I'm not sure that I understand what you're referring to. Do you mean this?

 

yep - to bad i will truly miss it.

 

We will certainly miss your frequent rants

 

wow - beta1 has/had 5 candidates.

 

Again about missing APIs: This site points to

• right now 72 approved design decisions regarding APIs Mozilla would like to have
• right now 35 design decisions regarding APIs where more discussion is needed.

This confirms that a lot of improvements are on their way. If all of them will be ready for FF57 is another question, though.

 

Here is a very interesting article about Quantum CSS (aka Stylo) which is becoming the new super fast CSS engine in FF as the first big technology which comes from the Servo project.