Whenever there is a dispute between two parties, discovering all of the important facts can be difficult. There are two sides to every such story. Those on one side may accuse those on the other of not being perfectly honest about the facts of the dispute. And individuals on both sides tend to tell the truth when they accuse those on the other side of not being completely honest. When such a dispute occurred between two of the best-known Firefox extensions, NoScript and Adblock Plus, the difficulty in determining what actually happened must have been evident even to those who had not followed it very closely. In this entry, I give the relevant facts about this dispute, and I try to be as impartial as possible in doing so.
As those familiar with Adblock Plus (often abbreviated as ABP) know, it blocks web page content by using sets of filters. JavaScript content, Flash animations, and groups of image files are examples of what can be blocked by these filters. Any content that matches certain patterns in the source code of web pages can be blocked with ABP’s filters. As end users prefer to have web content filtered for them automatically, users can subscribe to filter lists. These lists are maintained and updated by individuals who look for content that users may want to have blocked. These lists tend to be modified over time, and users who subscribe to these lists have their lists updated periodically. Users who subscribe to these lists trust those who maintain these lists to block content that these users would want to have blocked.
NoScript is a Firefox extension that blocks much content of web pages by default. NoScript relies on the donations of users in order to fund the project, and this is done through advertising on websites run by NoScript creator Giorgio Maone. Those who have subscribed to a filter list for ABP known as EasyList may have found that some of the page content on sites run by Maone had been blocked. Maone responded to this by updating the pages on these websites so that those ads could again be viewed by those who used EasyList. Then these filters continued to be updated so that those ads would be blocked again. To Maone, it seemed as though the site content that helps create funding for the development of NoScript was being deliberately targeted by the EasyList filter for ABP. In fact, according to Maone, filter rules were implemented that would even prevent the download of NoScript from those websites. This is what led to a response from Maone that was highly controversial, and was one that he would understandably regret very much.
Firefox extensions are not “sandboxed” in the browser, meaning that there is nothing preventing them from interfering with each other. Maone took advantage of this fact. NoScript was changed to modify ABP’s filter list so that the four targeted websites would be whitelisted. This interference with another extension was done rather surreptitiously. Information on this was added to the release notes of the NoScript version that performed this action. However, not many users may have read this, and Maone later admitted that he should have done more to inform users about this. One extension interfering with the operation of another, without explicitly asking for user consent, was considered a very questionable action on the part of Maone.
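As an added example (not code from NoScript, Adblock Plus, or the original post), the following shows how one could audit an effective filter list for exception rules that the subscribed upstream list does not contain, which is the kind of change described above. It assumes Adblock Plus filter syntax (`@@` for exception rules, `#@#` for element-hiding exceptions); the function names, domains, and list contents are constructed for illustration.

```javascript
// Added example: flag exception ("whitelist") rules present in the effective
// filter set but absent from the subscribed upstream list.
// All domains and list contents below are constructed sample data.

// Classify one filter line using Adblock Plus filter syntax.
function classify(line) {
  const t = line.trim();
  if (t === "" || t.startsWith("!") || t.startsWith("[")) return "comment";
  if (t.startsWith("@@")) return "exception";
  if (t.includes("#@#")) return "hiding-exception";
  if (t.includes("##")) return "hiding";
  return "blocking";
}

// Extract the host an exception rule applies to, or null if not host-anchored.
function exceptionHost(rule) {
  const m = rule.match(/^@@(?:\|\||\|?[a-z][a-z0-9+.-]*:\/\/)([^\/^$:*]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Report every exception rule in effectiveText that upstreamText lacks.
function auditExceptions(upstreamText, effectiveText) {
  const norm = (text) => text.split(/\r?\n/).map((l) => l.trim());
  const upstream = new Set(norm(upstreamText));
  const findings = [];
  norm(effectiveText).forEach((rule, i) => {
    const kind = classify(rule);
    if (kind !== "exception" && kind !== "hiding-exception") return;
    if (upstream.has(rule)) return; // shipped by the list maintainer
    findings.push({
      line: i + 1,
      rule,
      host: kind === "exception" ? exceptionHost(rule) : null,
      // "$document" disables blocking for the whole page, not one resource
      wholePage: /\$(.*,)?document(,|$)/.test(rule),
    });
  });
  return findings;
}

// Constructed sample: an upstream subscription and a locally altered copy.
const UPSTREAM = ["[Adblock Plus 1.0]", "! Title: sample list (constructed)",
  "||ads.tracker.example^", "@@||cdn.shop.example^$script",
  "shop.example##.banner"].join("\n");
const EFFECTIVE = UPSTREAM + "\n" + ["@@||funded-site.example^$document",
  "@@|http://downloads.funded-site.example/",
  "funded-site.example#@#.sponsor"].join("\n");

const FINDINGS = auditExceptions(UPSTREAM, EFFECTIVE);
console.log(FINDINGS);
```

Exception rules that the list maintainer ships (here the `cdn.shop.example` rule) are not reported; only rules that appeared locally are, so the output is a short list a user can review and accept or remove.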
Some may want to read the official statements on this conflict that were written by the authors of these extensions. ABP creator Wladimir Palant’s comments about this issue can be found in this blog post. Maone’s response can be read here.
It was only in the last entry that I wrote here two weeks ago that I mentioned how NoScript could be used to defend against XSS attacks. There were many who considered NoScript a trusted extension, and it may have been considered one of the most trusted Firefox extensions in existence. In fact, all Firefox extensions can be considered trusted after they are reviewed and approved by staff members at addons.mozilla.org, a website that is often referred to simply as AMO. All extensions uploaded there are considered “experimental” before their code gets reviewed. Theoretically, the trust that users would have in non-experimental extensions could be betrayed by individuals who write extensions that get approved, only to be later modified to surreptitiously perform actions undesired by their users. One would certainly not expect an extension written by someone who seemed motivated to prevent websites from doing anything without user consent to be such an extension. However, this is what happened, and it is the reason for the recent backlash against NoScript and for its creator’s apologies. If anything good can come from this dispute, it is that this could lead to sandboxing of extensions within the Firefox web browser.
There are those, however, who would say that Palant should also admit to wrongdoing. When users install Adblock Plus, it is with the expectation that advertising that is considered intrusive will be removed by it. When viewing the four sites run by Maone, one can see that the advertising there is unlikely to be considered a reason for the existence of ad blocking software. Targeting of Maone’s sites, which Palant admitted to doing, seemed questionable. However, it seemed as though there should have been more communication between individuals on the two sides of this dispute. There had to have been a way to avoid the cycle of filter updating followed by evasion of those filters.
Both Maone and Palant have faced backlash from many users. Maone, however, has admitted to wrongdoing, and has removed the code that was the reason for his apologies. And after checking the EasyList filter list, the filters Maone mentioned no longer seem to be there. I believe that the individuals on both sides of this dispute could have done better in trying to prevent it. Those who write Firefox extensions seem to be motivated by simply making Firefox a better browser, and thus one would not expect them to have such disputes as they try to reach their common goal. It seemed as if Maone and Palant might have lost their focus, and are now not as trusted as they had previously been. However, over time, I believe that we might be able to trust these individuals and their extensions again. In any case, I hope to not have to write about a conflict between Firefox extension developers again.