Whitelist Attack!

[SurelyHatIngTheTACO]

Firefox's TACO add-on update to v3.01 altered my NoScript Whitelist without my permission. Even after I uninstalled TACO, the “abine:” protocol is among the mandatory items, (e.g., “about:”), on my NoScript Whitelist. How do I fix this?

Especially if you uninstalled TACO v3.0, check your NoScript Whitelist!

[SurelyHatIngTheTACO]

seems like this "attack" violates Mozilla Policies on "Changing of Defaults and Unexpected Features"

TACO changed settings or features in other add-ons (NoScript) and wrongly does so as an update (v2.0 -> v3.0) of an already public add-on (TACO)

AND

Did not clearly state what changes TACO makes to NoScript
Change is NOT 'opt-in'
No 'opt-in' dialog
Uninstalling TACO did not restore NoScript settings

see policy at https://preview.addons.mozilla.org/en-U ... es/reviews

"If you have a question about an Editor's review of an add-on, want to report a policy violation, or want to suggest that your add-on be recommended, please email amo-editors@mozilla.org ." https://preview.addons.mozilla.org/en-U ... es/contact

if other people have similar issues, someone should complain to Mozilla. . .

[Alan Baxter]

Firefox's TACO add-on update to v3.01 altered my NoScript Whitelist without my permission. Even after I uninstalled TACO, the “abine:” protocol is among the mandatory items, (e.g., “about:”), on my NoScript Whitelist.

Confirmed with TACO 3.02. Seems to happen only if NoScript is already installed when TACO is installed or updated.

How do I fix this?

I don't know.

Especially if you uninstalled TACO v3.0, check your NoScript Whitelist!

Yup. It's still there, even after TACO is uninstalled.

@Giorgio:
What's the significance of this change? I'd like to be able to say if I complain to AMO about TACO's apparent effect on NoScript.

[Giorgio Maone]

@Giorgio:
What's the significance of this change? I'd like to be able to say if I complain to AMO about TACO's apparent effect on NoScript.

IIRC the Abine guys asked me how to add the abine: protocol (which they use for UI stuff) to the whitelist, and I explained the API but also told them about the need of warn the user before making any change (otherwise this is a clear violation of the No Surprises Policy).

[Andrew@getabine.com]

What's happened? In trying to respond quickly to user requests around NoScript and TACO interactions we added a change to the NoScript whitelist to account for the operation of the privacy controls of Abine.

The version with this change should have had more user notification. Furthermore, we fail to remove this setting upon uninstalling - we definitely should clean up everything on un-install. We are working on fixing this right now. We'll make this update available in one hour at the link below, as well as part of the next update. Until then just directly remove "abine:" form "noscript.mandatory" in about:config.

http://www.getabine.com/updates/

Our apologies -- making this change was an attempt to quickly address user concerns, but really should have been done in a different way.

-Andrew
andrew@getabine.com

[Guest]

. . .we added a change to the NoScript whitelist to account for the operation of the privacy controls of Abine.
. . .
-Andrew
andrew@getabine.com

It seems to me that such a change to NoScript by Abine's TACO "cannot be introduced into an update of an already-public add-on; you must have the opt-in change process as part of the initial public nomination." https://addons.mozilla.org/en-US/develo ... n-defaults

If what Abine did violates Firefox add-on policy, I do not care what excuse Abine offers, as that is irrelevant. The only question that remains for me is whether Abine's TACO is treated now by Mozilla consistent with Mozilla add-on policy. Otherwise, my trust in all add-ons, in Firefox and in Mozilla will be further eroded, as it already has been somewhat by the entire Abine TACO fiasco to date.

[Guest]

Mozilla’s continued inaction in the Abine TACO debacle may be a harbinger of doom for Firefox; although I hope not.

Did anyone complain to amo-editors@mozilla.org about Abine TACO policy violation?