When Add-Ons Wage War

Conflicts in the Open Source world — as in the proprietary world — are hardly a surprising phenomenon. Indeed, our community can't even agree over what to call one of its most popular projects — a fight we have no interest in entering, particularly not here. What is perhaps more surprising is when these disputes escalate like a deleted scene from Fatal Attraction — escalate so far that the powers-that-be must intervene.

One of the most popular Firefox add-ons — at least from the impression we gather from what we see and hear — is AdBlock Plus, developed by Wladimir Palant, which prevents advertisements placed on websites from showing in the browser. Another popular add-on, and one widely advocated by security experts, is NoScript, which prevents JavaScript and other unwanted scripting from operating in the user's browser — this is considered a particularly useful security enhancement as script-based attacks become more and more popular. The two extensions could be described as having a similar purpose — to remove or disable objectionable content — though the types of content are quite different.

While NoScript surely has NoFriends among the attackers it helps to thwart, AdBlock Plus has a much less sinister group of opponents. Because it blocks advertisements, which site owners use to generate the funds that allow the site to continue operating, many site owners object to the extension's use, and some even make attempts to circumvent the extension. Giorgio Maone, the developer of NoScript, is one such site owner — his project is funded by donations, and by revenue from ads placed on the NoScript website. Frustrated with his ads being blocked by AdBlock Plus, and reportedly feeling that his project was at financial risk, Maone implemented measures to keep AdBlock Plus from blocking the ads on his site.

Palant, meanwhile, took exception to his extension being bypassed and instructed the individual who maintains AdBlock Plus' list of filters — the means by which the blocking is achieved — to add a new filter specifically designed to block ads on NoScript's domain. AdBlock filters are generally rather generic, blocking any images from URLs used by ad providers — users have the ability, though, to craft their own rules, and even to use the extension to block normal HTML elements on a page. Once Maone discovered that Palant was circumventing his circumvention, he introduced new methods to block the ads. The AdBlock Plus filter maintainer — known only as Ares2 — retaliated with more and more severe filters until eventually the NoScript website was inaccessible to users of AdBlock Plus.

Until this point, the dispute was fairly transparent — users are able to view, alter, and disable the filters enabled in their browser, and Maone's actions to circumvent the extension on his site would have been apparent to any AdBlock Plus user who visited the site. However, once Ares2 introduced filters that broke his site, Maone left transparency behind. He introduced new code into NoScript which disrupted the operation of AdBlock Plus — something made possible by the broad ability Firefox extensions have to alter not just the content of websites, but the browser itself, and any other add-ons that might be installed.

Generally, as is the case with most Open Source projects, extensions are scrutinized by hundreds, thousands, possibly more developers who ensure the extensions are safe for users to install — indeed, Mozilla maintains a formal process for approving extensions. To prevent the code from being discovered, Maone encoded it in a way that obscured it from others' inspection. No notice was given to NoScript's users, nor was there any option to prevent NoScript from affecting AdBlock Plus. What could not be obscured, however, was the user's experience, wherein it was obvious that something was disrupting AdBlock Plus' operations.

When users discovered the cause of AdBlock Plus' sudden malfunction, the reaction was swift and severe. They were outraged that one extension would deliberately be used to disable other add-ons with which the developer disagreed, were even more irate that it had been done with no notice or opt-out, and supremely enfrothed that the offending code was intentionally obscured — a cardinal offense if there is one in the Open Source world. Once brought to Palant's attention, he assailed the practice in an entry on the AdBlock Plus blog, an entry described as a "scathing" one "that excoriates NoScript." As one might expect, once the dispute was revealed to the greater public, an overwhelming amount of attention quickly followed.

As a result of the incident, the powers-that-be at Mozilla — or at least those responsible for keeping the peace among extensions — have proposed a new policy for add-ons to be accepted into the official addons.mozilla.org repository. Under the proposal, add-ons may only be approved if all changes to the user's home page and search preferences, as well as any changes to other extensions, can be justified as required by the core function of the extension. Once that test is met, the add-on must further disclose, in the add-on description, what changes will be made, and any changes must be opt-in rather than opt-out, requiring specific action by the user to enable them.

Finally, once the add-on is uninstalled, any settings that were altered must be returned to their original state — the proposal is not clear on whether this means the settings must be returned to a default state, that is, as the browser was shipped, or whether the extension will be required to keep a record of what settings it changed and their values, and restore them to their state before the extension was installed. The proposal is also quick to point out that the points set out are a minimum standard, and do not ensure that every extension that meets them will be approved. Community comment is requested, with indication that the Mozilla Development newsgroup is the preferred location.

As for the AdBlock Plus-NoScript feud, Maone issued an apology, acknowledging that using his extension to disrupt another was inappropriate, and asking that users "accept my most sincere apologies and believe in my shame and contrition." The offending code has been removed, with Maone writing that "I had this crazy idea of retaliating against EasyList 'from the inside', and in my blindness I did not grasp that I was really retaliating against my own users and the Mozilla community at large."

A cursory review of Palant's original entry shows three updates, the first noting the removal of the NoScript code and thanking users for helping to bring about the policy proposal at Mozilla. The second regards the closing of comments, and the third acknowledges and links to Maone's statement. Two additional entries to the blog, which appear to have drawn a great deal of comment, appear to propose a whitelisting system for AdBlock Plus, to give users more options of which ads to block. The relevant posts, which with their comments are quite lengthy, can be found on the AdBlock Plus blog.

For our part, we are deeply saddened by any schism, however quickly redressed, that affects our community. We would invite readers to share in the comments their thoughts, not only about the specific incident reported here, but also on the greater issue of how to maintain, if not community unity, then at a minimum a fair and civil environment for all Open Source projects.
