policy-templates VS browser

There is no such thing as a "known trusted extension" ever since they killed sideloading extensions and forced auto-updates. 10 years ago not force updating extensions was also a thing they moved behind a flag, and then just dropped.

Also - if you want to blacklist certain extensions from certain sites, you abso-freaking-lutely can already... see: https://github.com/mozilla/policy-templates/blob/master/READ...

you want the `restricted_domains` field.

It gets worse - Mozilla is the fucking worst at checking submitted extensions. They tried to the play into the whole "app store" thing that Google/Apple were doing, but those are justifiable cost centers at those two companies in a way that just doesn't work for a player like Mozilla.

Mozilla's store checks for extensions are fairly pathetic. You can submit a near empty shell with excessive permissions, get approved the first time, then auto-update to a new release (which will deploy to users immediately thanks to auto-updates). That new version has to pass a battery of useless automatic SAST checks, which will happily highlight all sorts of things it doesn't like (it flags words like "hello" because it contains a curse word) but which won't do shit to check if you're hoovering up credentials, browsing data, tracking users, etc.

If you're unlucky, at some point in the next 24 months you'll trigger a real review from Mozilla and get caught.

To be blunt - I have 15 years experience writing extensions. I don't like Google. If you think Mozilla is better you're wrong.

You can do that with policy templates. Use the Discussion tab at the top of the GitHub page if you need help setting them up.

Policy Templates for Firefox

They very well could do this for a a company that requires really strict privacy and security, but unfortunately in its current state Firefox doesn't have nearly the corporate sysadmin-friendly tooling that Chrome and especially Edge do.

When I was tasked with implementing CIS browser hardening policies at a previous job a few years ago, this was just a matter of enabling some Group Policy template settings for Chrome and Edge, but for Firefox this involved distributing a prefs.js file to all the workstations. In any corporate environment it's very likely going to be point and click Windows admins that are implementing browser standards, who tend to be allergic to anything resembling code and are already used to using GPOs for just about everything.

Yes, Firefox does have GPO templates but it's not nearly as rich as Chrome and Edge. Edge has even more GPO templates than does Chrome iirc, Chrome already had a lot to begin with and then Microsoft added even more of their own on top of that.

https://github.com/mozilla/policy-templates/blob/v4.11/READM...

https://learn.microsoft.com/en-us/deployedge/configure-micro...

That alone already puts Firefox at a huge disadvantage for corporate deployment, the other thing that makes it even less attractive, even to companies where privacy/security is a huge requirement (like my previous job) is that Edge is already bundled with the OS, and is one less thing that needs to be manually patched. In high security corporate environments, just keeping things patched is always a huge task so it's very hard to convince someone that they need to put in more work to keep an extra piece of software patched (which is already very difficult considering how frequently browsers are updated). To make things even worse, just about all vendors will only support Chromium-based browsers for whatever SaaS they sell you, so Firefox is a nonstarter for getting support, even if it will work just fine 99.9% of the time.

For all these reasons, I lost the battle to keep Firefox around, which is a huge shame because of how much I love it and wanted to fight the Chromium monoculture. So I guess for a corporation to support Firefox despite how corporate-friendliness the alternatives are, they'd have to reaaaally want to.

You can see the relevant JSON code in the changelog. As I said, you can post a comment on this page to remind Mike to update the documentation for policy templates.

This GitHub repository has a Discussions tab where you can ask questions about deploying Firefox: Policy Templates for Firefox.

Check out the official documentation here: Policy Templates for Firefox. You can use the Discussions tab if you have any questions.

Here

emerge --infoPortage 3.0.45.3 (python 3.11.3-final-0, default/linux/amd64/17.1/no-multilib/hardened, gcc-12, glibc-2.36-r8, 6.1.22-gentoo-dist x86_64)=================================================================System uname: Linux-6.1.22-gentoo-dist-x86_64-AMD_Ryzen_7_7700X_8-Core_Processor-with-glibc2.36KiB Mem: 64950064 total, 50016344 freeKiB Swap: 0 total, 0 freeTimestamp of repository gentoo: Thu, 08 Jun 2023 16:00:01 +0000Head commit of repository gentoo: 542a08aa11a48d3724f90c64729ad80cd0e2bfa4Head commit of repository librewolf: d5cc5c9ec8f029c7f095a93a78baaba925e6838bTimestamp of repository zugaina: Tue, 19 Jul 2022 00:31:49 +0000Head commit of repository zugaina: d71b224f2cf0478022f7e13d54f1751cc7148c74sh bash 5.1_p16-r4ld GNU ld (Gentoo 2.39 p6) 2.39.0app-misc/pax-utils: 1.3.5::gentooapp-shells/bash: 5.1_p16-r4::gentoodev-lang/perl: 5.36.0-r2::gentoodev-lang/python: 3.11.3::gentoodev-lang/rust: 1.69.0-r1::gentoodev-util/cmake: 3.26.3::gentoodev-util/meson: 1.1.1::gentoosys-apps/baselayout: 2.13-r1::gentoosys-apps/openrc: 0.46::gentoosys-apps/sandbox: 2.29::gentoosys-devel/autoconf: 2.13-r7::gentoo, 2.71-r5::gentoosys-devel/automake: 1.16.5::gentoosys-devel/binutils: 2.39-r5::gentoosys-devel/binutils-config: 5.5::gentoosys-devel/clang: 15.0.7-r1::gentoosys-devel/gcc: 12.2.1_p20230428-r1::gentoosys-devel/gcc-config: 2.10::gentoosys-devel/libtool: 2.4.7-r1::gentoosys-devel/lld: 15.0.7::gentoosys-devel/llvm: 15.0.7::gentoosys-devel/make: 4.4.1-r1::gentoosys-kernel/linux-headers: 6.1::gentoo (virtual/os-headers)sys-libs/glibc: 2.36-r8::gentooRepositories:gentoo location: /var/db/repos/gentoo sync-type: rsync sync-uri: rsync://rsync.gentoo.org/gentoo-portage priority: -1000 volatile: False sync-rsync-verify-metamanifest: yes sync-rsync-verify-jobs: 1 sync-rsync-verify-max-age: 24 sync-rsync-extra-opts: librewolf location: /var/db/repos/librewolf sync-type: git sync-uri: https://gitlab.com/librewolf-community/browser/gentoo.git masters: gentoo volatile: Falsezugaina location: /var/db/repos/zugaina sync-type: git sync-uri: https://github.com/gentoo-mirror/zugaina.git masters: gentoo volatile: FalseACCEPT_KEYWORDS="amd64"ACCEPT_LICENSE="@FREE @BINARY-REDISTRIBUTABLE"CBUILD="x86_64-pc-linux-gnu"CFLAGS="-march=znver4 -O2 -pipe"CHOST="x86_64-pc-linux-gnu"CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"CXXFLAGS="-march=znver4 -O2 -pipe"DISTDIR="/var/cache/distfiles"EMERGE_DEFAULT_OPTS="-A --jobs=16 --load-average=16"ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"FCFLAGS="-march=znver4 -O2 -pipe"FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live candy config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"FFLAGS="-march=znver4 -O2 -pipe"GENTOO_MIRRORS="ftp://ftp.ntua.gr/pub/linux/gentoo/ http://ftp.ntua.gr/pub/linux/gentoo/"LANG="el\_GR.UTF-8"LDFLAGS="-Wl,-O1 -Wl,--as-needed"LEX="flex"MAKEOPTS="-j16"PKGDIR="/var/cache/binpkgs"PORTAGE_CONFIGROOT="/"PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"PORTAGE_TMPDIR="/var/tmp"SHELL="/bin/bash"USE="X acl amd64 btrfs bzip2 cet cli crypt dbus dri elogind fortran gdbm gnome gtk hardened hwaccel iconv ipv6 libtirpc ncurses nls nptl openmp pam pcre pie readline seccomp split-usr ssl ssp test-rust unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2021" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 aes avx avx2 avx512bw avx512cd avx512dq avx512f avx512vbmi avx512vl f16c fma3 pclmul popcnt rdrand sha sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" RUBY_TARGETS="ruby30 ruby31" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

LibreWolf Portable and the LibreWolf WinUpdater by @ltguillaume are now included optionally in the windows installer. If you have any problems or feedback please leave it here.

I'm not sure what's going on with that, as I've never used it. I filed a ticket #352.

For the build changes and changes to the source code we have a very infrequent and non-exhaustive change log here https://gitlab.com/librewolf-community/browser/bsys6/-/releases, changes to the browser settings are documented in a better way in https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md