FastForward taken down from Firefox Add-ons?

[Guanran928]

Body

I just switched to Firefox (for privacy ofc) and wanted to install FastForward, I tried to open the add-on page but Mozilla threw me an error instead of the download page. https://addons.mozilla.org/en-US/firefox/addon/fastforwardteam/

Version

-

What browsers are you seeing the problem on?

Firefox

What OS are you seeing the problem on?

Windows

Anything else?

[zubairmh]

can also observe this issue

[ooTruffle]

The devs explained on This Thread that it was taken down due to the mv2 version puling from a external source and them not seeing the email till it was taken down

[undeadjess]

From mozilla:

Add-ons must be self-contained and not load remote code for execution. Also, using a custom CSP to allow remote code execution is not allowed. Please remove all remote hosts from the CSP ‘script-src’ declaration, if any.

src\js\content_script.js - line 146

Variable res.injectionScript is in fact remote information and is added to the script, which means the script is no longer local. It's remote.

FastForward pulls the latest bypasses from the file injection_script.js in this github repo, to ensure you always have the latest bypasses. mozilla doesnt like this because it mean that the extension can be changed over time without them approving it, which, while true, is kinda how the current structure of the extension operates. The way we plan to resolve this is with our MV3 versions of FastForward, where the bypasses are included in the extension itself and are not automatically updated. this is not ideal, as we will have to regularly update the extension on the stores which is time consuming. it does, however, mean that we will be allowed back onto the firefox store, and potentially even the chrome web store if we remove the linkvertise bypass from that build. we are working hard to make this happen, and we should be ready to submit a version to the mozilla addons store soon.

[S8D]

From mozilla:

Add-ons must be self-contained and not load remote code for execution. Also, using a custom CSP to allow remote code execution is not allowed. Please remove all remote hosts from the CSP ‘script-src’ declaration, if any. src\js\content_script.js - line 146 Variable res.injectionScript is in fact remote information and is added to the script, which means the script is no longer local. It's remote.

FastForward pulls the latest bypasses from the file injection_script.js in this github repo, to ensure you always have the latest bypasses. mozilla doesnt like this because it mean that the extension can be changed over time without them approving it, which, while true, is kinda how the current structure of the extension operates. The way we plan to resolve this is with our MV3 versions of FastForward, where the bypasses are included in the extension itself and are not automatically updated. this is not ideal, as we will have to regularly update the extension on the stores which is time consuming. it does, however, mean that we will be allowed back onto the firefox store, and potentially even the chrome web store if we remove the linkvertise bypass from that build. we are working hard to make this happen, and we should be ready to submit a version to the mozilla addons store soon.

It is true that in terms of convenience and speed, directly embedding the link bypassing the domain name into the host to download it is convenient for users, but it is difficult to censor for Mozilla as well as Google, so it should be blocked. If so, have to use the auto-update version scripts, or add the auto-update option from the URL (and there will be a hint of the URL).

[Katzenwerfer]

Just my opinion, but I think an ideal way to tackle this would be through a series of lists with bypass "filters" that the user can choose from. In a similar manner to uBlock Origin (or userscript extensions).

[Katzenwerfer]

That way, while stuff of the extension can still be updated remotely, is user choice for that to be allowed. Would probably be a good idea to consult that with Gorhill to see how his extension can get away with that without issues on Mozilla's side.

[aicynide]

How to install .xpi in firefox android?

[ooTruffle]

You cant

On 13 May 2023 9:36:04 am NZST, aicynide @.***> wrote:

How to install .xpi in firefox android?

-- Reply to this email directly or view it on GitHub: https://github.com/FastForwardTeam/FastForward/issues/920#issuecomment-1546331308 You are receiving this because you commented.

Message ID: @.***>

[Dragodraki]

I look really forward to use this addon again too...

[Void2258]

I hope this gets updated soon. Addon isn't really bypassing anything currently.

[Asrum]

can also observe this issue

https://github.com/FastForwardTeam/FastForward/issues/920#issuecomment-1484281031

[Asrum]

Play-store.chrome.google.com

[Asrum]

Body

I just switched to Firefox (for privacy ofc) and wanted to install FastForward, I tried to open the add-on page but Mozilla threw me an error instead of the download page. https://addons.mozilla.org/en-US/firefox/addon/fastforwardteam/

Version

What browsers are you seeing the problem on?

Firefox

What OS are you seeing the problem on?

Windows

Anything else?

Play.Google-Store.com

[runxel]

Any news on that situation?

[AliahX]

We've sent the mv3 version to the firefox webstore so hopefully soon we will get added back! we were just added back to the chrome webstore too.

[Mishasama]

the mv3 version

I see that Chrome came back, and the Edge was updated too. Any drawback between mv2 for now?

[Void2258]

At the current time fast forward isn't really fast forwarding anything.

[Asrum]

At the current time fast forward isn't really fast forwarding anything.

[Asrum]

Thais for us do!

[AliahX]

At the current time fast forward isn't really fast forwarding anything.

currently the latest available firefox version is still in mv2, and that still has lots of bypasses. I'm not sure what you're talking about

[Void2258]

At the current time fast forward isn't really fast forwarding anything.

currently the latest available firefox version is still in mv2, and that still has lots of bypasses. I'm not sure what you're talking about

I haven't skipped a single page in a while. Or if I have, it's been invisible, and there are about a dozen unskipped pages with countdown timers behind a lot of links, in which case I don;t want to think about how many "15 seconds" I would be going through if nothing was skipped.

[Mishasama]

At the current time fast forward isn't really fast forwarding anything.

currently the latest available firefox version is still in mv2, and that still has lots of bypasses. I'm not sure what you're talking about

The mv3 still lack on bypass? It looks can't self update the rule anymore.

[Sohail-XD]

It has not been published to firefox yet :(

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity. To undo this, make some activity on this issue or create a new one.

[ilike2burnthing]

Looks like the stalebot has been having fun with the repo.

[lostdusty]

Update on this one: Mozilla on it's on words said:

You need to create a consent dialogue, that's shown at install time and the user has to be given the right to opt-in. The consent dialogue is basically an extension page. The choice to collect the tab url cannot be enabled by default. In the consent dialogue, you also need to add a summary explaining the data collection and why you're collecting the tab url. If the user declines the data collection, then you can redirect him to the uninstall flow, which is to remove the extension. For more information, please check out https://extensionworkshop.com/documentation/develop/best-practices-for-collecting-user-data-consents/ and https://extensionworkshop.com/documentation/publish/add-on-policies/#data-disclosure-collection-and-management

We collect the tab url so the user can add the current website they're visiting into the whitelist, we have explained this and they still refused our extension.

Will we comply with Mozilla request? Likely no.

You can ask for more details on this one by tagging @BS-zombie and @AliahX.

You can still manually install the extension by building it or downloading from releases.

[voruti]

Will we comply with Mozilla request? Likely no.

What is the argument (other than the effort of implementing) against the introduction of the proposed system?

[aicynide]

Update on this one: Mozilla on it's on words said:

You need to create a consent dialogue, that's shown at install time and the user has to be given the right to opt-in. The consent dialogue is basically an extension page. The choice to collect the tab url cannot be enabled by default. In the consent dialogue, you also need to add a summary explaining the data collection and why you're collecting the tab url. If the user declines the data collection, then you can redirect him to the uninstall flow, which is to remove the extension. For more information, please check out https://extensionworkshop.com/documentation/develop/best-practices-for-collecting-user-data-consents/ and https://extensionworkshop.com/documentation/publish/add-on-policies/#data-disclosure-collection-and-management

We collect the tab url so the user can add the current website they're visiting into the whitelist, we have explained this and they still refused our extension.

Will we comply with Mozilla request? Likely no.

You can ask for more details on this one by tagging @BS-zombie and @AliahX.

You can still manually install the extension by building it or downloading from releases.

But I use firefox in andr-

[AliahX]

I was thinking of making a really sarcastic dialogue when you first install the extension that give the extension "permission". something like "warning!! are you sure you want this button to do what it says it does? the side effects may include: the current url going into the text box here -->. here at fastforward we care about your privacy and want to make sure you don't accidentally put the current url in this text box because that could be disastrous. are you sure you want this button that you don't have to press to function when you press it? this message was brought to you because of mozilla :)"

[lostdusty]

What is the argument (other than the effort of implementing) against the introduction of the proposed system?

Is it really necessary to implement another check for adding the current tab on the whitelist? By click on the button to add to whitelist you're already giving consent to the extension... makes no sense to have a confirmation.

[voruti]

Is it really necessary to implement another check for adding the current tab on the whitelist? By click on the button to add to whitelist you're already giving consent to the extension... makes no sense to have a confirmation.

I thought of a one time confirmation, right after installation of the add-on.

[driedpampas]

What is the argument (other than the effort of implementing) against the introduction of the proposed system?

Is it really necessary to implement another check for adding the current tab on the whitelist? By click on the button to add to whitelist you're already giving consent to the extension... makes no sense to have a confirmation.

Even Mozilla knows that would be bs, I also think they were referring to a page like this that open after installing with the consent dialog. Here's a mockup:

[lostdusty]

We gonna merge the PR when its ready.

Also, guess what: Mozilla wants to remove the MV2 extension from their store again.

[driedpampas]

We gonna merge the PR when its ready.

Also, guess what: Mozilla wants to remove the MV2 extension from their store again.

wait it was on the store :sob:

[MasterKia]

Mozilla wants to remove the MV2 extension from their store again.

Could you share details?

[0xc60f]

Mozilla wants to remove the MV2 extension from their store again.

Could you share details?

These are all the reasons that Mozilla listed in their removal.

[driedpampas]

Functionally, the consent page PR is ready #1108

[lostdusty]

The PR has been merged! Now we just wait for @BS-zombie to push it to FF store.

[lostdusty]

Also say thanks to @driedpampas! :clap:

[driedpampas]

You mentioning me is the first notification the GitHub app has sent me ever 🥹

[lostdusty]

:eyes: (from bs_zombie @ ffhq)

[aicynide]

I want to install in Mull. Add in AMO asap

[driedpampas]

What's the AMO publishing status like?

[lostdusty]

We are back to the store again!