One of the greatest strengths of the Firefox Web browser is its powerful extension system, which gives third-party developers the ability to expand the browser's capabilities. Although this extensibility delivers a lot of value to Firefox users, it also creates some thorny problems. The darker side of Firefox add-ons was exposed last week when a conflict between the developers of two popular extensions got out of hand. The situation has compelled Mozilla to propose a policy change aimed at curbing bad behavior in add-ons.

Firefox's extension system is really just an officially supported mechanism for monkey-patching the browser. Extensions are not isolated or sandboxed. They are broadly permitted to manipulate the browser's behavior and user interface at will and can easily tamper with the functionality of other extensions. This approach to extensibility is a double-edged sword. Although it allows developers to create extremely useful extensions that can deeply integrate with virtually any aspect of Firefox, it simultaneously opens the door for troubling security problems and compatibility issues.

Mozilla goes to great lengths to mitigate the symptoms of this problem by establishing all kinds of protective barriers that help users avoid unwanted and unsafe extensions, but little can be done to address the problem itself. Extensions still regularly break each other by accident and mess up the browser in all kinds of unintended ways. This is a well-known problem that has been explored elsewhere in detail. A more pernicious problem emerges when extensions break each other intentionally as a result of conflicting interests and ideologies.

NoScript is a widely used extension that is designed to block browser scripting and plugins. NoScript's behavior is regarded by some experts as a major security improvement because it reduces the browser's exposure to untrusted JavaScript. NoScript developer Giorgio Maone recently had a controversial altercation with Wladimir Palant, the developer behind AdBlock Plus, an extension that uses a blacklist to selectively prevent websites from displaying advertisements.

Maone funds the development of NoScript by placing advertisements on the extension's official website and by receiving donations from end-users. In order to prevent AdBlock Plus from undermining the financial sustainability of his project, Maone modified the NoScript website and circumvented the block. Palant responded by instructing the AdBlock Plus filter list maintainer—an individual known as Ares2—to add a filter that would specifically block ads on Maone's domain. Maone found new ways to work around the filters, but Ares2 consistently retaliated by adding increasingly draconian rules to the filter list.

Eventually, Ares2 added rules that fundamentally broke the NoScript website. Maone lost patience and decided to use his own extension to fight back. He added a feature to NoScript that surreptitiously disrupted AdBlock Plus. He used encoded strings so that the hack would not be immediately discernible to other developers who inspected NoScript's internals. Users were furious that this change was made without any warning or notification. They brought the matter to the attention of Palant, who responded by writing a scathing blog entry that excoriates NoScript. The blog entry attracted an enormous amount of attention and significantly increased the visibility of the conflict.

Mozilla personnel tasked with maintaining order in the add-ons ecosystem were not happy with the situation. They responded by proposing a new policy that describes some basic principles which define boundaries for appropriate extension behavior. According to the proposed policy, extensions should not arbitrarily modify user settings without proper disclosure. It says that major changes should be opt-in only and that the original settings should be fully restored when an extension is uninstalled.

Maone decided to agree to these principles and has issued an updated version of NoScript to completely revert the controversial changes. In an apologetic blog entry published on Monday, he expressed deep regret for his conduct and acknowledged that his attempt to surreptitiously disrupt AdBlock Plus with his own extension was inappropriate.

"I had this crazy idea of retaliating against EasyList 'from the inside', and in my blindness I did not grasp that I was really retaliating against my own users and the Mozilla community at large," he wrote. "I beg you to accept my most sincere apologies and believe in my shame and contrition."

Although Maone has received most of the criticism and scrutiny in this conflict, the actions taken by Ares2 are also troubling. The overzealous filter updates that were pushed to AdBlock Plus users made it impossible for them to download the NoScript extension from the NoScript website. That looks like a breach of user trust that is at least as egregious as what Maone did.

The conflict is over, but it raises a lot of really tough questions about the implications of the extension system and whether developers can be trusted with the level of access to the program's internals that it affords them. As always, users need to exercise caution and be mindful of how deep extensions can reach into their browsing experience.