Intent to unship: window.external.AddSearchProvider


Mark Banner

Apr 23, 2020, 6:43:54 AM
to dev-pl...@lists.mozilla.org
As of Firefox 78, I intend to change `window.external.AddSearchProvider`
in Firefox to be a dummy function. This will be a preference switch
initially, with the original implementation code being removed fully in
Firefox 79.

/Status/:

* The HTML Standard specifies this method
  <https://html.spec.whatwg.org/multipage/obsolete.html#external> as
  "must do nothing".
* Internet Explorer: This feature was supported in IE7-9 but
  deprecated in IE10+ and not present in Edge.
* Chrome: Changed to no-op in 54.
* Safari: No support.

Product: Mike Connor.

Bug to unship: Preference disable
<https://bugzilla.mozilla.org/show_bug.cgi?id=1632447>, Remove code and
preference <https://bugzilla.mozilla.org/show_bug.cgi?id=1632448>.

Reasons: `AddSearchProvider` allows adding OpenSearch providers from a
website page. This has been deprecated by the WHATWG, and IE and Chrome
no longer support it. As far as I know it has never been supported on
Mobile.

This API allows a website to put up unsolicited repeated prompts to
users. It is vulnerable to potential DoS
<https://bugzilla.mozilla.org/show_bug.cgi?id=615761> attacks
<https://bugzilla.mozilla.org/show_bug.cgi?id=1276704>.

For websites wanting to provide their own engines, the alternative is to
include the <link rel="search"> tag, or to provide their own add-ons
which add search engine providers.

Add-ons that use the API would no longer work. Of the two add-ons we
have found that use the API, they are both ways of adding custom search
engines. They both have small numbers of users. Whilst we acknowledge
this will remove some functionality for users, we would encourage users
to request that websites provide their own search integrations which
would have the advantage of being maintained by the website, and being
available to everyone.
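
An added example (not part of the original message and not Mozilla's code) of checking a site for the migration described above: it finds `AddSearchProvider` calls in page source and reports whether a matching `<link rel="search">` is already declared. The sample page, the `example.com` URL and the function names are constructed for illustration.

```javascript
// Added example: audit page source for the retired API and its declarative replacement.
// SAMPLE_PAGE is constructed for illustration; example.com is a placeholder.
const SAMPLE_PAGE = `<!doctype html>
<html><head><title>Example search site</title>
<link rel="stylesheet" href="/site.css"></head><body>
<button onclick="window.external.AddSearchProvider('https://example.com/opensearch.xml')">
Add our search engine</button></body></html>`;

const OPENSEARCH_TYPE = "application/opensearchdescription+xml";

// Parse the attributes of one tag into a map with lower-cased names.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Report AddSearchProvider calls, existing discovery links, and missing link tags.
function auditPage(html) {
  // Each call site; the value is the description URL when it is a string literal, else null.
  const calls = [];
  const callRe = /\bAddSearchProvider\s*\(\s*(?:(["'])(.*?)\1)?/g;
  let m;
  while ((m = callRe.exec(html)) !== null) {
    calls.push(m[2] ?? null);
  }
  // <link rel="search"> tags with the OpenSearch type; these need no script and no prompt.
  const links = (html.match(/<link\b[^>]*>/gi) || [])
    .map(parseAttrs)
    .filter(a => (a.rel || "").toLowerCase().split(/\s+/).includes("search")
      && (a.type || "").toLowerCase() === OPENSEARCH_TYPE);
  const declared = new Set(links.map(a => a.href)); // exact string match on href
  // Suggest a tag for every literal URL that has no declared link yet (TITLE is a placeholder).
  const suggestions = [...new Set(calls)]
    .filter(u => u !== null && !declared.has(u))
    .map(u => `<link rel="search" type="${OPENSEARCH_TYPE}" title="TITLE" href="${u.replace(/"/g, "&quot;")}">`);
  return { calls, links, suggestions };
}

console.log(auditPage(SAMPLE_PAGE).suggestions.join("\n"));
```

Calls whose argument is not a string literal are reported with a `null` URL and need manual review.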

Tom Schuster

Apr 28, 2020, 11:22:55 AM
to Mark Banner, dev-pl...@lists.mozilla.org
As the author of one of these extensions for adding a custom search
engine (https://addons.mozilla.org/en-US/firefox/addon/add-custom-search-engine/)
I am of course disappointed, but not actually surprised. This is
basically round two from about a year ago. I would like to point out
that it would be very simple to only expose this API to extensions. I
am going to fall back to <link rel="search"> for now, which is sadly a
lot less obvious to users.

One reason the previous try of deprecating this API was reverted was
the usage of AddSearchProvider by mycroftproject.com/. I see you
didn't address this issue in your intent to unship.

I agree that we should probably remove this API for normal web-pages
considering the potential for abuse and just the general annoyance of
prompts. But again my plea: please consider adding proper custom
search engine support to Firefox itself. Even Fenix has support for
adding custom search engines! Not even talking about probably every
other Chrome based browser on Desktop. This is seriously a missing
piece of customization in Firefox.

Best,
Tom

Mark Banner

May 21, 2020, 11:37:27 AM
to dev-pl...@lists.mozilla.org
On 28/04/2020 16:22, Tom Schuster wrote:
> As the author of one of these extensions for adding a custom search
> engine (https://addons.mozilla.org/en-US/firefox/addon/add-custom-search-engine/)
> I am of course disappointed, but not actually surprised. This is
> basically round two from about a year ago. I would like to point out
> that it would be very simple to only expose this API to extensions. I
> am going to fall back to <link rel="search"> for now, which is sadly a
> lot less obvious to users.
One of the problems with addSearchProvider is that it is basically a
loophole for extensions to do things we wanted to be able to stop as
part of the move to WebExtensions - namely being able to install search
engines that survived removal or block listing of the add-on. We've seen
many malicious add-ons, and cutting down the potential routes is a
benefit to users.
> One reason the previous try of deprecating this API was reverted was
> the usage of AddSearchProvider by mycroftproject.com/. I see you
> didn't address this issue in your intent to unship.
We did not feel it necessary to call out the Mycroft Project
specifically, as Telemetry suggests usage is limited (especially if you
exclude clones of Google). We did specifically give options for
websites, which would also be available to the Mycroft project, even if
they are more complex to make work.
> I agree that we should probably remove this API for normal web-pages
> considering the potential for abuse and just the general annoyance of
> prompts. But again my plea: please consider adding proper custom
> search engine support to Firefox itself. Even Fenix has support for
> adding custom search engines! Not even talking about probably every
> other Chrome based browser on Desktop. This is seriously a missing
> piece of customization in Firefox.

Customisation of search keywords/aliases/engines is something we are
planning on looking at later in the year. We have no specific details at
this stage.

Mark.
