[ale] noscript and adblock & FF

Paul Cartwright ale at pcartwright.com
Sat May 9 17:25:29 EDT 2009


well, this just about shows why I had issues with noscript & adblock..

http://arstechnica.com/open-source/news/2009/05/mozilla-ponders-policy-change-after-firefox-extension-battle.ars
<SNIP>
Mozilla goes to great lengths to mitigate the symptoms of this problem by 
establishing all kinds of protective barriers that help users avoid unwanted 
and unsafe extensions, but little can be done to address the problem itself. 
Extensions still regularly break each other by accident and mess up the 
browser in all kinds of unintended ways. This is a well-known problem that 
has been explored elsewhere in detail. A more pernicious problem emerges when 
extensions break each other intentionally as a result of conflicting 
interests and ideologies.

NoScript is a widely-used extension that is designed to block browser 
scripting and plugins. NoScript's behavior is regarded by some experts as a 
major security improvement because it reduces the browser's exposure to 
untrusted JavaScript. NoScript developer Giorgio Maone recently had a 
controversial altercation with Wladimir Palant, the developer behind AdBlock 
Plus, an extension that uses a blacklist to selectively prevent websites from 
displaying advertisements.

Maone funds the development of NoScript by placing advertisements on the 
extension's official website and by receiving donations from end-users. In 
order to prevent AdBlock Plus from undermining the financial sustainability 
of his project, Maone modified the NoScript website and circumvented the 
block. Palant responded by instructing the AdBlock Plus filter list 
maintainer—an individual known as Ares2—to add a filter that would 
specifically block ads on Maone's domain. Maone found new ways to work around 
the filters, but Ares2 consistently retaliated by adding increasingly 
draconian rules to the filter list.

Eventually, Ares2 added rules that fundamentally broke the NoScript website. 
Maone lost patience and decided to use his own extension to fight back. He 
added a feature to NoScript that surreptitiously disrupted AdBlock Plus. He 
used encoded strings so that the hack would not be immediately discernible to 
other developers who inspect NoScript's internals. Users were furious that 
this change was made without any warning or notification. They brought the 
matter to the attention of Palant who responded by writing a scathing blog 
entry that excoriates NoScript. The blog entry attracted an enormous amount 
of attention and significantly increased the visibility of the conflict.

Mozilla personnel tasked with maintaining order in the add-ons ecosystem were 
not happy with the situation. They responded by proposing a new policy that 
describes some basic principles which define boundaries for appropriate 
extension behavior. According to the proposed policy, extensions should not 
arbitrarily modify user settings without proper disclosure. It says that 
major changes should be opt-in only and that the original settings should be 
fully restored when an extension is uninstalled.

Maone decided to agree to these principles and has issued an updated version 
of NoScript to completely revert the controversial changes. In an apologetic 
blog entry published on Monday, he expressed deep regret for his conduct and 
acknowledged that his attempt to surreptitiously disrupt AdBlock Plus with 
his own extension was inappropriate.

"I had this crazy idea of retaliating against EasyList 'from the inside', and 
in my blindness I did not grasp that I was really retaliating against my own 
users and the Mozilla community at large," he wrote. "I beg you to accept my 
most sincere apologies and believe in my shame and contrition."

Although Maone has received most of the criticism and scrutiny in this 
conflict, the actions taken by Ares2 are also troubling. The overzealous 
filter updates that were pushed to AdBlock Plus users made it impossible for 
them to download the NoScript extension from the NoScript website. That looks 
like a breach of user trust that is at least as egregious as what Maone did.

The conflict is over, but it raises a lot of really tough questions about the 
implications of the extension system and whether developers can be trusted 
with the level of access to the program's internals that it affords them. As 
always, users need to exercise caution and be mindful of how deep extensions 
can reach into their browsing experience.
-- 
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459


