1. 95
  2. 35

    A few months ago I upgraded my Linux system and Firefox stopped using my dark GTK theme and fell back to the default “adwaita” theme. Firefox tries to avoid dark themes, with special settings in about:config and even env vars to control whether it should allow them. I tried enabling all of these to no avail (I later figured out the problem was due to the GTK/XDG directory paths being wrong).

    When I asked in #firefox in IRC I was advised to install the Stylish extension and pick a dark theme for it. I pointed out that it seemed like overkill, since it would be adding theme engines on top of theme engines, but tried it anyway. When the extension asked for permission to access all of the information from every page I visit, I promptly deleted it, went back to IRC and pointed out that I’d rather have ugly widgets than leak so much info to a purely cosmetic extension. I was told that it’s fine, I should just click “accept” since loads of people use it, etc.

    I feel vindicated now :)

    1. 5

      Was this the one on freenode? If so I’m pretty sure that’s unaffiliated with Mozilla and you’ll get better advice asking on a topical channel from irc.mozilla.org.

      1. 2

        Can’t remember, but yeah I was aware it was enthusiastic volunteer users (I’ve often played that role) rather than anything official.

    2. 21

      Stylus is using the same theme database without collecting your history:

      1. 7

        +1

        But the problem is: how to ensure that Stylus (or any alternative) won’t become the next “Stylish”?

        1. 7

          I’ve written a couple of my own extensions, partly for this reason. For certain complicated or common needs (like ad-blocking) I have no choice but to find an extension I trust and use it. But in other cases I just end up writing my own because I can’t find something that doesn’t feel sketchy.

          Ironically, one of my extensions was recently removed from the Firefox store because there was some incidental code in a dependency (that isn’t used at runtime) that makes a network request.

          1. 1

            > I’ve written a couple of my own extensions, partly for this reason.

            This is the “hacker’s approach” that I prefer.
            Everyone should be able to hack software for his own need.

            > For certain complicated or common needs (like ad-blocking) I have no choice but to find an extension I trust and use it.

            Well, actually you can also review them, if the sources are available.

            1. 6

              > Well, actually you can also review them, if the sources are available.

              Certainly an important part of the process, but both major browsers push updates to extensions silently, and there’s no guarantee that the code my browser runs is the same code that was in the OSS repository. It’s a crap situation all-around, really.

              1. 4

                > This is the “hacker’s approach” that I prefer.

                I prefer it too, but as far as I can tell webextensions goes out of its way to make this tedious and annoying.

                I’ve tried building webextensions from source, and as far as I can tell there is no way to permanently install them. You can only install them for a single session at a time. (Hopefully there’s a workaround someone can suggest, but I didn’t find one at the time.) It was pretty appalling from a hackability/software-freedom perspective, so I was pretty surprised to see it coming from Mozilla.

                1. 2

                  Idk about Mozilla, but I made my own permanently installed extension for an appliance with Chromium. Precisely to avoid the risk of updates or unavailability due to internet outages.

            2. 4

              Consumers should demand that extensions don’t improperly use personal info, and that the browser vendors only allow extensions that adhere to these rules.

              1. 17

                > Consumers should demand that extensions don’t improperly use personal info

                Do you know any consumer that wants extensions to sell their personal info?
                I mean, it’s like relying on consumers’ demand for pencils that do not explode.

                Yes, they might ask for it… if only they knew they should!
                (I’m not just sarcastic: perfect symmetric information is the theoretical assumption of free market efficiency)

                1. 2

                  I was being half sarcastic. Marketing is basically information arbitrage, after all.

                  But as a practical matter I believe voluntary regulation is the way forward for this. Laws are struggling to catch up, although it would be interesting to see how GDPR applies here.

                  1. 5

                    > I believe voluntary regulation is the way forward for this.

                    Gentlemen’s agreements work in a world of gentlemen.
                    In a worldwide market cheating is too easy. It’s too easy to hide.

                    GDPR reception shows how much we can trust companies’ “voluntary regulations”.

                    > Laws are struggling to catch up

                    True. This is basically because many politicians rely on corporate “experts” to supply for their ignorance.

                2. 3

                  In theory the permissions system should govern this. For example, I can imagine a theming extension needing permission to access page content; but it should be easy to make it work without any external communication, e.g. no network access, read-only access to its own data directory (themes could be separate extensions, and rely on the extension manager to copy them into place), etc.

                  1. 2

                    It can leak data to its server by modifying just CSS, not even touching the DOM, by adding background images for example. I don’t know if it’s even possible to design a browser extension system so that extension effects are decently isolated.

                    However, these exfiltration hacks might attract attention easier than plain XHR.

                    1. 1

                      Hmm, yes. I was mistakenly thinking of a theme as akin to rendering given HTML to a bitmap; when in fact it’s more like a preprocessor whose result is sent to the browser engine. With no way of distinguishing between original page content and extension-provided markup, you’re right that it’s easy to exfiltrate data.

                      I can think of ways around this (e.g. setting a dirty bit on anything coming from the theme, or extending cross domain policies somehow, etc.) but it does seem like I was being a bit naive about how hard it would be.
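
The permission concern discussed in this sub-thread can be checked before installing by reading the extension's `manifest.json`. The following is an added example and not part of any comment in the thread; `auditManifest`, the two pattern sets and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a WebExtension manifest for page-wide access.
// The two manifests at the bottom are constructed samples, not real extensions.

// Match patterns that cover every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions that expose browsing activity even without page access.
const SENSITIVE_APIS = new Set(["tabs", "history", "webNavigation", "webRequest", "cookies"]);

function auditManifest(manifest) {
  const findings = [];
  const grants = [
    ["required", manifest.permissions || []],
    ["required", manifest.host_permissions || []],      // Manifest V3 host list
    ["optional", manifest.optional_permissions || []],  // requested at runtime
  ];
  for (const [when, list] of grants) {
    for (const p of list) {
      if (BROAD_HOSTS.has(p)) findings.push({ kind: "all-sites", value: p, when });
      else if (SENSITIVE_APIS.has(p)) findings.push({ kind: "api", value: p, when });
    }
  }
  // A content script injected everywhere can read the page if it ships JS.
  // A CSS-only one cannot read the DOM, but its stylesheet can still trigger
  // requests (e.g. url() in background-image), so it is reported as well.
  for (const cs of manifest.content_scripts || []) {
    const cssOnly = !(cs.js && cs.js.length);
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) {
        findings.push({ kind: "inject-everywhere", value: m, cssOnly });
      }
    }
  }
  return findings;
}

const themer = {            // constructed: a styling add-on asking for everything
  manifest_version: 2,
  permissions: ["storage", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], css: ["theme.css"] }],
};
const scoped = {            // constructed: same feature limited to one site
  manifest_version: 2,
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://example.org/*"], css: ["theme.css"] }],
};

console.log(auditManifest(themer));
console.log(auditManifest(scoped));
```

An empty result only means the manifest does not request site-wide access; it says nothing about what the shipped code does with the access it has.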

                3. 2

                  Theoretically, you could audit the GitHub repo (https://github.com/openstyles/stylus) and build it yourself. Unfortunately that doesn’t seem too feasible.

                  1. 1

                    For this reason I install the absolute minimum extensions. I usually only have privacy badger installed as I’m fairly sure the EFF won’t sell out.

                4. 16

                  Thanks for reporting this. There is a bug tracking this https://bugzilla.mozilla.org/show_bug.cgi?id=1472948

                  Update: The offending extension has now been removed! Thanks to Mozilla for the speedy response.

                  1. 2

                    Hopefully they’re also hardening their review policies.

                    1. 2

                      I found some posts from around the time the “analytics” code was originally introduced, mentioning that it only applied to the Chrome version and not the Firefox one. I’d be surprised if this did actually make it through addons.mozilla.org’s review process.

                  2. 6

                    I’ve reported the Chromium version https://chrome.google.com/webstore/detail/stylish-custom-themes-for/fjnbnpbmkenffdnngjfgmeleoegfcffe?hl=en

                    Let’s see if it gets removed as fast as the Firefox one.

                      1. 1

                        I literally installed this application two days ago. How lucky of me!