Mozilla has added an extra wall in Firefox 3.6 to block
third-party add-ons from loading in the browser's application components
directory.
The change prevents third-party applications from
adding code to Firefox's components directory—which houses
much of Firefox's own code—and will thereby keep
developers and software vendors from silently installing
Firefox add-ons without the user's permission. It will also reduce the
number of crashes, according to Mozilla.
Components installed by adding third-party code to the components
directory cannot be managed by users through the add-ons manager or
disabled if they are causing problems, Mozilla Human Shield Johnathan
Nightingale wrote on the Mozilla Security Blog Nov. 16.
"What's worse, components dropped blindly into Firefox
in this way don't carry version information with them, which means that when
users upgrade Firefox and these components become incompatible, there's no way
to tell Firefox to disable them," Nightingale continued. "This can
lead to all kinds of unfortunate behavior: lost functionality, performance woes
and outright crashing—often immediately on startup."
Though the components directory will be only for Firefox, "Third-party
applications can still extend Firefox via add-ons and plug-ins," he wrote.
Developers accustomed to "dropping components directly ... [will] need to
change to an XPI-based approach," he added. To help with that, Mozilla has
released a migration document that outlines the necessary changes.
"The good news is that once you've done this, your add-on will actually be
visible to users and will support proper version information so that our
shared users are guaranteed a more positive experience," Nightingale wrote.
Mozilla Firefox 3.6 Beta 3 is available for download.