
Disclaimer: I am one of the authors of Tridactyl.

We did actually set another Firefox setting that means that webextensions cannot access the privileged JS environment on AMO (to my knowledge).

We have invited Mozilla several times to provide some text for us to share with our users explaining what the issue is and they have demurred.

I think for 99% of users, if a webextension can run on all pages (which many do) it can hurt them a lot more by stealing credentials (which is quite easy) than by installing other addons (which is hard).

Sure, we could have included some more warnings but 1. we did document clearly what we were doing if anyone wanted to check up (we were just automating the advice given in several blogs); 2. I think I talked to some Mozillians about it at the time, and they were unconcerned, but maybe not, could have been a similar other issue; 3. last time I looked there was no good explanation of why this is actually dangerous anywhere.

For reference, the exact messages provided to users were:

"To make Tridactyl work on addons.mozilla.org and some other Mozilla domains, you need to open about:config, run fixamo or add a new boolean privacy.resistFingerprinting.block_mozAddonManager with the value true, and remove the above domains from extensions.webextensions.restrictedDomains."

And

"Simply sets

"privacy.resistFingerprinting.block_mozAddonManager":true "extensions.webextensions.restrictedDomains":""

in about:config via user.js so that Tridactyl (and other extensions!) can be used on addons.mozilla.org and other sites."

---

You can find these messages in src/excmds.ts at commit 92e1b005c47995e3d24f61a7d4c3935df8437f1a
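
Added example, not part of the comment above and not Tridactyl code: a small audit that reads the text of a Firefox profile's `user.js` or `prefs.js` and reports whether the two prefs quoted above have been overridden. The function names, the `must_stay` default and the sample inputs are assumptions made for this example.

```python
import re

# Pref names exactly as quoted in the comment above.
RESTRICTED = "extensions.webextensions.restrictedDomains"
BLOCK_AM = "privacy.resistFingerprinting.block_mozAddonManager"

# One override per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for user_pref lines; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]  # simple strings only; escapes are not decoded
        else:
            prefs[name] = raw
    return prefs

def audit(text, must_stay=("addons.mozilla.org",)):
    """Return (pref, reason) findings. must_stay is an assumption of this example."""
    prefs = parse_prefs(text)
    findings = []
    if RESTRICTED in prefs:  # absent means the profile still uses the built-in default
        listed = {d.strip() for d in str(prefs[RESTRICTED]).split(",") if d.strip()}
        missing = [d for d in must_stay if d not in listed]
        if missing:
            findings.append((RESTRICTED, "no longer restricts: " + ", ".join(missing)))
    if prefs.get(BLOCK_AM) is True:
        findings.append((BLOCK_AM, "set to true"))
    return findings

# Constructed sample inputs, not taken from a real profile.
SAMPLE_CHANGED = '''// constructed sample user.js
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("extensions.webextensions.restrictedDomains", "");
'''
SAMPLE_UNCHANGED = 'user_pref("browser.startup.page", 3);\n'

if __name__ == "__main__":
    for pref, reason in audit(SAMPLE_CHANGED):
        print(f"{pref}: {reason}")
```

A profile that has never overridden either pref produces no findings, because `user.js` and `prefs.js` only record values that differ from the defaults.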


