Disabled by Mozilla #26
Comments
|
I have written amo-admins@mozilla.com per the terse instruction of Andreas Wagner..
|
|
|
|
I am angry, Jeremiah: your add-on is marvellous - and obviously secure. Thanks for your work, anyway. |
|
I'm an American living in Stockholm. It pains me to have to use Chrome regularly now when interacting with Swedish government websites. I wish I had a better option for myself and to share with you. |
|
Bad News :-( Yandex isn't the best translator (I prefeer DeepL, Micosoft Translator or Apertium.org) but for the moment is the unique option without page-translator extension |
|
Thanks to some kind folks on Reddit I was able to get the add-on back up and running, but the steps are complex enough to deter most users (extracting, editing, and re-compressing the XPI, plus having to be on a developer version, plus having to edit about:config). Hope Mozilla changes their minds on this soon (and hopefully Google isn't pressuring them to remove this in any way). |
|
I was looking for an extension just like this one, and came across with the bad news. Hope Mozilla fixes this issue, and saves me from using Chrome whenever I need page translation. |
|
You might try this extension: https://github.com/andreicristianpetcu/google_translate_this It does the same thing in the same way as Page Translator and likely will be blocked by Mozilla, but this is a cat and mouse game worth playing if you rely on full-page in-line language translation. |
|
Hi Jeremiah! The other pressing issue is that users have lost the right to run private extensions in the release version of Firefox, without needing to hand over their source code to Mozilla. While there are security benefits to disallowing unsigned extensions by default, it is not clear why there is no option to turn off this behavior, perhaps by making it configurable only with administrator rights. There is a workaround though that does not require you to compile Firefox or use a different edition. This is how you allow unsigned extensions in Firefox on Arch Linux, the same files can be edited on Windows and macOS, restart the browser after changes: sudo tee /usr/lib/firefox/defaults/pref/config-prefs.js &>/dev/null <<EOF
pref("general.config.obscure_value", 0);
pref("general.config.filename", "config.js");
pref("general.config.sandbox_enabled", false);
EOF
sudo tee /usr/lib/firefox/config.js &>/dev/null <<EOF
// keep this comment
try {
Components.utils
.import('resource://gre/modules/addons/XPIDatabase.jsm', {})
.XPIDatabase['SIGNED_TYPES'].clear();
} catch (ex) {
Components.utils.reportError(ex.message);
}
EOFIf any Firefox engineers are reading this, please don't try to subvert the above workaround, it requires multiple steps and administrator rights to set up, and we must all agree that it is of little sense for Firefox to try defending against unwanted programs or malware that has root access on the device. It would be best to offer an official way to allow installing local, unsigned extensions, and make the option configurable only by root, while also showing appropiate warnings about the potential risks of installing unsigned extensions. We must consider introducing sensible default options in Firefox, while also educating users and allowing them to override certain features, instead of placing marginal security benefits above user liberties and free choice. |
|
Response from Mozilla:
|
|
I wrote about the situation: https://www.jeremiahlee.com/posts/page-translator-is-dead/ Vote up on HN: https://news.ycombinator.com/item?id=21328470 |
|
A Firefox engineer has disabled the above configuration option, less than two hours after I posted the workaround in this thread. I appreciate the vigilance, but it would be even better to actually publish a technical reasoning for why do you folks believe Firefox is above the device owner, and the root user, and why there should be no possibility through any means and configuration protections to enable users to run their own code in the release version of Firefox. https://phabricator.services.mozilla.com/D50136 I will need to find a workaround for one of my private extensions that controls devices in my home network, and its source code cannot be uploaded to Mozilla because of my and my family's privacy. |
|
I believe that beginning to distribute tools that patch Firefox and give back power to users and allow them to install unsigned extensions is necessary when an organization is taking away our rights without giving us a compelling reason for doing so. |
|
The issue for disabling the config option that gives us a workaround for running unsigned extensions is tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=1514451 |
|
It should be possible to implement the functionality of page-translator via a more popular extension that is designed to inject arbitrary data into websites, including remote code, e.g. https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ . |
|
The addon works for me on Firefox 69 stable with |
|
@dessant somewhat off-topic: there are a number of Mozilla-approved ways to install unsigned extensions, especially on Linux. See tridactyl/tridactyl#1927 |
|
Thanks @bovine3dom, I'll consider releasing a cross-platform patching tool for Firefox to make the workarounds accessible for everyone if Mozilla goes forward with forcing the AutoConfig sandbox in release builds. All of the workarounds require administrative access, though AutoConfig is the most convenient. I do not understand what is the threat model of not allowing the root user to configure Firefox, since malware could just replace the entire Firefox binary. Blocking users from installing unsigned extensions without offering a cross-platform way to disable the feature brings minimal security benefits while concentrating power in the hands of the browser vendor. Not even Google is this heavy-handed, they allow installing local extensions in Chrome after users enable an option, although a warning is shown on browser restarts about the presence of external extensions, which can be dismissed. Forcing signed extensions in the release version of Firefox is also uncompetitive, because it prevents third-party browser extension stores from gaining foothold. |
|
For #27; for
With respect, -1 – because it's too risky a workaround; I should not recommend it to anyone. |
While I agree that it is a terrible workaround, for now it's the only one that works on stable and beta channels. |
|
I responded to Mozilla:
Response from Mozilla:
This is it. I'm done with Page Translator, but you don't have to be. Fork the repo. Distribute the code yourself. This is now a cat-and-mouse game with Mozilla. Users will have to jump from one extension to another until language translation is a standard feature or the extension policy changes. |
|
Thank you for the work you put into this. You extension was always my favourite for web translations. And you are right... chrome it is... for now at least. |
https://blog.mozilla.org/addons/2019/10/31/firefox-to-discontinue-sideloaded-extensions/ |
|
Sadly, the extension I had been recommending since Page Translator got killed was just killed for the same reason. andreicristianpetcu/google_translate_this#19 As I've said, I'm done with Mozilla's user-hostile game. Switch to Edge on Windows or Chrome elsewhere when you need translation. |
|
Well since I only use a select few curated extensions in Firefox anyway, I guess it's fine to disable |
|
No problem here. Screen recording – Chrome Store Foxified, Firefox Developer Edition and a non-signed extension: |
I am using the stable release though, with |
|
Thanks,
Can you install Firefox Developer Edition alongside Firefox? From https://discourse.mozilla.org/t/s3-translator/48247/2?u=grahamperrin:
– the same is true for Firefox. |
I tried your method. The extension asked permission for Collection of statistics immediately after installation. So whatever problems Mozilla had with S3.Translator still stands.
I absolutely do! That is the whole point of this discussion. Mozilla doesn't trust S3.Translator or jeremiahlee but I do. They blocked page-translator for pedantic reasons. Which is why I want the option to override their decision to specifically install few extensions that I'm okay with. Also, your question is phrased incorrectly. I never said I don't trust Mozilla, that was Shadowex3. I mentioned in my previous message that Mozilla is leagues ahead of the rest when it comes to respecting users. What I don't like is how they've killed so many useful extensions without any sane method of overriding their decisions. Well, we've gone over this a couple times now. Mozilla isn't going to change their stance and will probably take a while to come out with their own translation service. Until they do, we've got to make due with the alternatives mentioned above. |
Any number of extensions might request this.
Not necessarily. https://discourse.mozilla.org/t/s3-translator/48247/7?u=grahamperrin some history and comparisons. https://discourse.mozilla.org/t/s3-translator/48247/8?u=grahamperrin invitation to inspect code. From recent private discussion I know that Mozilla is aware of the topic. Whether they have reviewed the code, I can't guess. |
|
Avira Browser Safety has 400k Firefox users, the extension uploads the user's browsing history and executes arbitrary remote code from the publisher, not a third-party trusted source. The extension appears to have been unlisted from Firefox Add-ons, without receiving a hard block. https://palant.de/2019/12/11/problematic-monetization-in-security-products-avira-edition/ |
|
@grahamperrin I appreciate your efforts to make many things work again here and there (including your sharings about Waterfox on Reddit). |
|
Equal thanks to everyone else who offered workarounds … |
|
From #26 (comment):
True; it's important to observe posts from Mozilla. The 10th June changes were publicised on 2nd May:
In addition to Mozilla's posts, which may have been overlooked, there was publicity elsewhere, for example:
The ZDNet article began with this headline:
– and was very well publicised. Anyone who was aware of the security concern (two years before the block) might have asked Mozilla whether the changes to policy, which became effective on 10th June, might have an impact on Page Translator …
I guess that the significance of Mozilla's posts (and related publicity) was simply lost in the coincidental frenzy around armagadd-on 2.0. I reckon that it was:
– no disrespect intended. Given the unfortunate coincidence, it's almost entirely understandable that everyone concerned lost sight of Mozilla's forewarning. HTH |
|
Have you considered turning it into a Waterfox extension instead? By that I mean changing the name or whatever is necessary so that it no longer trips the blocklist and then simply not submitting it to Mozilla to be signed at all? Surely Mozilla wouldn't go to the trouble of updating their blacklist to block extensions that don't even run on (vanilla) Firefox at all due to never having been signed in the first place. |
|
The block list does include non-signed extensions. |
Does it include extensions that were both written after signing became mandatory but were never submitted to Mozilla for signing? Because that just doesn't make sense unless they are trying to "protect" Waterfox and Pale Moon users as well. |
Would that work? If so I really hope someone can do it. |
|
Just can sign the extension for private use... (having a acc in mozilla) and will be work |
|
how to sign, I wanna use it personal too
…On Fri, 31 Jan 2020, 07:35 Mitezuss, ***@***.***> wrote:
Just can sign the extension for private use... (having a acc in mozilla)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#26?email_source=notifications&email_token=AM7RIM7Z3ZKHVY2RHNUDMCDRANP3ZA5CNFSM4JC5QN22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKM6TFY#issuecomment-580512151>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AM7RIM2TSQYATB6PECC3EFLRANP3ZANCNFSM4JC5QN2Q>
.
|
|
Check https://extensionworkshop.com/documentation/publish/signing-and-distribution-overview/
https://extensionworkshop.com/documentation/publish/submitting-an-add-on/
Before sign, need edit the manifest.json and edit applications": { Changing the ID (at least a digit) for exclude from the blacklist regards Edit: the default ID is "id": "{79f4bfc6-b1da-4dc4-85cc-ecbcc5dd152e}", So, you just change a letter (HEX code), for sample: (7 -> 4) "id": "{49f4bfc6-b1da-4dc4-85cc-ecbcc5dd152e}", Note: there should be not installed another addon with same ID, because, if there are, will be problem. Too can rewrite all the ID, for sample: "id": "pagetranslator@itisback.org", remember this addon need be signed FOR OWN USE Ps: sorry i have bad english =) (not my lang) |
|
Appreciate it. Much love. Will check it out.
TBH, I haven't got an alternative as good as this OG. This method might
work.
…On Fri, 31 Jan 2020, 12:30 Mitezuss, ***@***.***> wrote:
@devjao <https://github.com/devjao>
Check
https://extensionworkshop.com/documentation/publish/signing-and-distribution-overview/
Distributing your add-on
https://extensionworkshop.com/documentation/publish/submitting-an-add-on/
Need set ON YOUR OWN
Before sign, need edit the manifest.json and edit
applications": {
"gecko": {
"id:":
Changin the ID (atleat a digit) for exclude the blacklist
regards
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#26?email_source=notifications&email_token=AM7RIMZTVUVEOUYTA2BHJMLRAOSOBA5CNFSM4JC5QN22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKNOITQ#issuecomment-580576334>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AM7RIMY4BQRFB6NHBY3IZJTRAOSOBANCNFSM4JC5QN2Q>
.
|
|
I'm interested to know if this works as well. Would be the best way forward for me since I still haven't gotten used to the workarounds. |
|
I am interested to... |
|
Another alternative is add a bookmark with the URL: javascript:{d=document;b=d.body;o=d.createElement('scri'+'pt');o.setAttribute('src','https://translate.google.cn/translate_a/element.js?cb=googleTranslateElementInit');o.setAttribute('type','text/javascript');b.appendChild(o);v=b.insertBefore(d.createElement('div'),b.firstChild);v.id='google_translate_element';v.style.display='none';p=d.createElement('scri'+'pt');p.text='function%20googleTranslateElementInit(){new%20google.translate.TranslateElement({pageLanguage:%22%22},%22google_translate_element%22);}';p.setAttribute('type','text/javascript');b.appendChild(p);}void%200 Just press the bookmark and the "google translator" will appear. |
|
Is there a way to just publish the add-on without the signature that's on the blacklist so we can all just use that version? |
Yes but it just just gets blocked again |
|
How would it get blocked by Mozilla if Mozilla doesn't know about it? |
|
I assume people report this as well as every other clone addon of this that gets published. There have been others that are pretty much clones of this and they all get blocked eventually, it's a cat and mouse chase |
|
If this is the case, I will save the OG xpi for our next planet.
…On Mon, 3 Feb 2020, 14:58 ꜱᴩʀɪᴛᴇ①, ***@***.***> wrote:
I assume people report this as well as every other clone addon of this
that gets published
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#26?email_source=notifications&email_token=AM7RIM6A3YQT6ZWSUNC6OZDRA66ABA5CNFSM4JC5QN22YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKSW2LA#issuecomment-581266732>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AM7RIM6VCSOKCGGWVMT27VTRA66ABANCNFSM4JC5QN2Q>
.
|
How do you write it in the file? If one just write «javascript: (etc.: the end of your code)» in a file text, even with an .js extension, it does'nt work ! |
|
@Armand68 what file? You just right click on the bookmarks bar and create a new bookmark then paste the code here: As for me, I prefer it sitting on the address bar as a tiny icon which is why I opt to use the addon instead |
|
Oh yes, it's works perfectly. Many many thanks... |
|
@jeremiahlee, I sympathize with you, the lack of openness to discussion from Firefox (Andreas Wagner) is unfortunate. For now, I'm using the Simple Translate extension which seems to be just enough for my basic translation needs. Hopefully they won't block it as well, provided it uses just REST API calls (I didn't check that myself). |
|
Just found Translate Web Pages, which seems to do translations using Google's API instead of executing remote code. It works perfectly for me so far and probably won't be blocked by AMO. Give it a go! |
and others
tl;dr Use Microsoft Edge browser when you need in-page translation.
tl;dr Switch to Google Translate This extensionMozilla blocked that tooOct 24, 2019:
I wrote about the situation on my blog.
Vote up on
Original post:
Page Translator, the self-distributed variant hosted here, has been remotely disabled by Mozilla. The reason is listed as "executing remote code".
https://bugzilla.mozilla.org/show_bug.cgi?id=1589974
I have reached out to Mozilla in the above Bugzilla ticket and on Twitter.
Page Translator—as described—loads external JavaScript from Google or Microsoft to translate a page in-line. As noted in #12, Mozilla AMO prohibited extensions distributed through AMO from loading external JavaScript. However, self-distributed extensions were permitted to load external JavaScript.
If this policy has changed, I was not aware of it. It is possible the policy for AMO-distributed and self-distributed add-ons has merged.
I want my Page Translator extension to be made irrelevant by Firefox having built-in language translation, like Google Chrome and Microsoft Edge. It is a critical feature used by millions of people daily. It bridged a feature gap. Mozilla killing this add-on without replacing it hurts users.
The text was updated successfully, but these errors were encountered: