allo- / ffprofile

A tool to create Firefox profiles with personalized defaults.
GNU Affero General Public License v3.0

Added optional Bitwarden addon #240

Closed: Morpheus0x closed this 2 years ago

Morpheus0x commented 2 years ago

According to this forum post, I extracted the extension id from the manifest.json file. The contribution wiki doesn't say how to further integrate this json to show up in the Addons page of the profile maker. Please let me know how to do this, because I am planning on adding a couple of additional useful addons. Please let me know if that is unwanted, but in my case it would be awesome to have all needed extensions installed from the start. The two extensions that come to mind are cliget and Offline QR Code Generator.

allo- commented 2 years ago

Hello!

Addons need to be placed in an "extensions" folder in the folder from which you run the program for the zip downloads and have the name from the manifest + .xpi. You're missing the file extension there. The enterprise policy method looks good.

But I am sorry, I do not have interest in this pull request and don't want to add the other two addons either. I've got a lot of cool addons installed myself and would not add them here. Some points (in no specific order) are:

I encourage you to use the software on your own computer to generate profiles and add all the addons you'd like to have. If you're mostly interested in the addons, you can also hand-write (or copy & paste) lines in the enterprise policy, which is probably the most elegant way to install addons.

In addition, one infrastructure goal is to allow the user to upload their own settings files and profiles that can be used with the website. Then everyone could write his own presets and distribute them like users now distribute their user.js files. Sadly, this is not implemented yet.

Morpheus0x commented 2 years ago

Hi!

Yes, that sounds reasonable. I was also thinking about security, because I remember that there was an extension similar to cliget which had malware included. Bitwarden can be used commercially, but the beautiful thing is that it's open source and you can host the server yourself. In that sense, I wouldn't describe Bitwarden as a commercial service, but rather as a self-hosted alternative to LastPass etc.

How would you feel about an input field where the user can paste a link to an extension and add it that way to the profile? This would solve the "everybody wants their favorite addon included" issue. Adding a warning below the input field that other addons may track your usage or be insecure and that you should only add trusted, open source addons.

And as a side note, yes, the QR-Code addon doesn't fit into the security and privacy aspect at first glance, but I would argue that using this addon, instead of a website, to generate a QR code greatly improves your privacy. For me personally, this addon is the golden solution to quickly "send" something from my PC to my smartphone. That may also include sensitive information.

allo- commented 2 years ago

In general, I'd like to generate the shortest possible configuration which provides the useful privacy features. The rationale is that many people share user.js files, which contain many options that may be surprising for other users or even detrimental, e.g., when I dump my config you would suddenly start using my favorite fonts.

The same is true for addons, but here even more things can be surprising when someone does not know the addon before. And updates can change things at any time. In addition, only the enterprise policy installation way is clean, but requires the permission to access the Firefox installation directory and then installs the addons into all new profiles. The other way is kind of hacky because Mozilla tries (for security reasons) to prevent external programs from installing addons. I wonder if they will eventually try to block it completely.

Furthermore, the addons in the generated zip file are always outdated and may be insecure until the first update. Together with the option to disallow automatic addon updates, a generated profile can be insecure because of the outdated addons, which is another reason to try to keep it minimal here.

> How would you feel about an input field where the user can paste a link to an extension and add it that way to the profile?

This would be a nice idea, but one probably would like to parse the website URL on addons.mozilla.org and then extract the xpi link. For enterprise policies it would be easy, but for the zip creation the website would probably need to act as a reverse proxy.

I can recommend the Enterprise Policy Generator addon by Sören Henschel here. I use it, for example, to make sure that temporary profiles have an adblocker installed. It is also great to see how new enterprise policies work to integrate them into this project.
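
The enterprise-policy route discussed in this thread, as an added example that is not code from ffprofile or from either commenter: it turns pasted addons.mozilla.org listing URLs into a `policies.json` body and rejects links that do not point at AMO. Assumptions: the `Extensions`/`Install` policy and the `latest.xpi` download URL pattern come from Mozilla's policy documentation rather than from this thread, the function names are hypothetical, and the slug `example-addon` is a constructed sample.

```python
import json
import re
from urllib.parse import urlsplit

AMO_HOST = "addons.mozilla.org"
# Listing path: optional locale segment, then /firefox/addon/<slug>/
LISTING_RE = re.compile(
    r"^/(?:[A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?/)?firefox/addon/([A-Za-z0-9_-]+)/?$"
)


def amo_xpi_url(listing_url):
    """Map an AMO listing URL to its 'latest' xpi download URL (hypothetical helper)."""
    parts = urlsplit(listing_url.strip())
    if parts.scheme != "https":
        raise ValueError("listing URL must use https")
    # Exact host match; userinfo and explicit ports are refused so that
    # look-alike links such as https://addons.mozilla.org@other.example/ fail.
    if parts.hostname != AMO_HOST or parts.username or parts.port:
        raise ValueError("listing URL must point at " + AMO_HOST)
    match = LISTING_RE.match(parts.path)
    if not match:
        raise ValueError("not an add-on listing path: " + parts.path)
    slug = match.group(1)
    return f"https://{AMO_HOST}/firefox/downloads/latest/{slug}/latest.xpi"


def build_policy(listing_urls):
    """Build a policies.json structure that installs each listed add-on from AMO."""
    install = []
    for url in listing_urls:
        xpi = amo_xpi_url(url)
        if xpi not in install:  # drop duplicates, keep the order given
            install.append(xpi)
    return {"policies": {"Extensions": {"Install": install}}}


if __name__ == "__main__":
    # Constructed sample input
    sample = ["https://addons.mozilla.org/en-US/firefox/addon/example-addon/"]
    print(json.dumps(build_policy(sample), indent=2))
```

Because the policy points at the current AMO download rather than a bundled xpi, the add-on is not pinned to whatever version was current when the profile was generated.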