Not to worry, the Legacy extensions will be a thing of the past once Firefox 57 is released.

Of course you should be careful when installing add-ons and check their described functionality and reviews, just as when you install other kinds of software. This is true of both Legacy extensions and Firefox 57-compatible extensions.

In addition to new extensions with no reviews yet, some extensions have loads of fake-looking reviews. I don't install those.

One would think that Firefox would review add-ons and extensions for security assurance, however, it seems Firefox actually is warning users that with convenience comes loss of privacy. Thanks for the info.

Extensions are reviewed, but the process allows some practices with full disclosure. For example, you can have ads in an extension if it is disclosed in the description. So you do need to read up on each one as you consider them.

Why would an extension/add on MODIFY your browser history?? What kind of MODIFICATION are we talking about here?- adding to, deletions, WHAT?? dark sided.

Barcarolle said

Why would an extension/add on MODIFY your browser history?? What kind of MODIFICATION are we talking about here?- adding to, deletions, WHAT?? dark sided.

According to the documentation, the history permission is needed to allow an add-on to view, add, and remove history entries. What extension wants to do that?

https://developer.mozilla.org/Add-ons/WebExtensions/API/history

That said, it might only be a subset of the permission to read and modify data on all websites. Where is the documentation on all this?

What do you mean "where is the documentation on all of this?"?? Most of the add ons have permissions to : read, remove, (add??), modify browser history; read and modify DATA on websites ....My question is WHY does an app/add on/extension have to MODIFY browser history, and access all data in order to function as an app/extension- when in the previous firefox versions, you could download an extension WITHOUT them having to have any permissions.. All YOU have to do is go to the Add on/ get add ons page and download any app like download videos and read the list of permissions for yourself.

Barcarolle said

My question is WHY does an app/add on/extension have to MODIFY browser history, and access all data in order to function as an app/extension- when in the previous firefox versions, you could download an extension WITHOUT them having to have any permissions..

Legacy extensions had 100% permissions. They could read and write anywhere on your computer! New extensions are more restricted and need to declare themselves. So now you see the ugly truth that was hidden from you before.

Anyway: Downloads are stored in history, so if the extension makes lists of your past downloads, that's probably the reason for the permission.

Legacy extensions had 100% permissions?? From Mozilla/Firefox, but not from the end user! The ugly truth that was hidden ... That an app/extension could read/write ANYWHERE on a PC without the end user's knowledge...that's evil. Now that I know the ugly truth, it makes me see Mozilla/Firefox in a whole new light. Is Firefox just another Inet Explorer? (that was rhetorical)

Barcarolle said

Legacy extensions had 100% permissions?? From Mozilla/Firefox, but not from the end user! The ugly truth that was hidden ... That an app/extension could read/write ANYWHERE on a PC without the end user's knowledge...that's evil. Now that I know the ugly truth, it makes me see Mozilla/Firefox in a whole new light. Is Firefox just another Inet Explorer? (that was rhetorical)

Well, it was never as dangerous as ActiveX...

You always have to be careful when you install any kind of software or script. Firefox's add-on system was slammed by security experts over the years for being too permissive. Mozilla always reviewed extensions to try to keep the bad ones out. A while back, extensions were barred from including compiled components that the Add-ons team couldn't inspect (that's why the Norton password vault was gone for a year). Now there are more drastic restrictions, and more notifications.

But security experts also debate whether it's worth showing users permission dialogs because we can't always understand what they mean and seeing them over and over numbs us. How many times do you even finish reading this phrase before clicking: "Click here to acknowledge you read and understood this phone book length agreement"?

The more you think about it, the worse it is. So let's talk about something else now.

I know you'll think I'm flogging a dead horse, but my question wasn't really answered: WHY would an extension have to MODIFY Browser history in order for it to function. It can read data, but WHY must it also WRITE? And if it can read anything/data on your PC, what's to keep it HONEST? Instead of reviewing all extensions before offering them, you could write parameters of allowable 'behavior' of the apps, and filter all apps/extensions within these parameters. Any app/extension that would require EXTRA permissions would have to give detailed app function, and meet some (ethical?) standard. Of course, Mozilla/Firefox seems to have the end users (internet) interests at heart..I've been using Firefox since 2005, and prefer it to IE and Chrome.

Barcarolle said

I know you'll think I'm flogging a dead horse, but my question wasn't really answered: WHY would an extension have to MODIFY Browser history in order for it to function. It can read data, but WHY must it also WRITE?

I don't know, it's part of a cross-browser standardization push. Maybe that kind of distinction could be added.

The bottom line is, if you download a Firefox add-on and it warns you that if you agree to download the app you give them permission to access all data for all websites, and access browser activity during navigation, you can bet your privacy is gone and off to third party advertisers and /or Mozilla user reports in exchange for online convenience.

I think a lot of extension developers have no interest in exfiltrating your data. You need to review them on a case-by-case basis.