Mozilla Pulls Trigger, Blows Foot Off By Killing XUL-based addons

Everybody’s favorite browser has already blown its foot off and is reloading to try again. Come November, the “temporary” support for “Legacy” extensions will be removed from current Firefox releases, leaving Firefox a shell of the grand browser it once was.

We all saw trouble coming when the Chrome-like transformation started with Firefox Australis (Firefox 26). The backlash against Australis was immense - resulting in the creation of Pale Moon (a fork).


With the removal of XUL-based extensions, Firefox’s transformation into a Gecko-based Chrome clone is complete. Fan favorites like DownThemAll!, NoScript, uBlock Origin, and FlashStopper will be removed by Mozilla in November.

What Now?

Enter Pale Moon, a fork of Firefox based on pre-Australis Firefox with backported engine updates.

It’s compatible with most of the Firefox addons (sometimes requiring an additional tool to install). I was able to get uBlock Origin, NoScript, and Hide Caption Titlebar Plus running just fine.

Pale Moon has builds available for Windows and Linux. Mac users are out of luck.

left: Firefox, right: Pale Moon

5 Likes

Is there some disadvantage to the WebExtensions API which prevents people from porting the most useful addons? I mean, Mozilla announced the XUL deprecation two years ago.

Otherwise, since the browser is open source, I expect people to go fork crazy for versions which still use XUL.

2 Likes

WebExtensions basically limits you to fiddling with how the current tab is rendered, rather than allowing you access to the Firefox backend. “More secure” they say, but you’re also limited to simply hiding elements instead of blocking ads, etc etc.

4 Likes

had to look it up:
https://www.file-extensions.org/xul-file-extension

As a Mac user, I guess I’m fucked, but my old computer will not support modern OSes, therefore my FF version is really old, too. But I run Ublock and NoScript just fine. I won’t get the latest versions of those, and therefore open to attacks, but presumably the attacks will target the latest OS and browser versions, too? How screwed am I, here?

2 Likes

The good news is that at least some of the primary ones are being ported. The bad news is that they’re not all done yet with two and a half months left. And many others may not be ported (or at least not for awhile) if there’s no incentive for their maintainers to do so. At least the ones critical to me are close.

Ublock Origin’s status:

Noscript’s status:

And a general list:
https://arewewebextensionsyet.com/

1 Like

Did Bill ever make it here after his epic departure from the other place? I’d be curious to hear his thoughts on this transition.

I’ve been running an older version of FF for months because two plugins that I use, that are pretty critical to the way I use the web, haven’t been ported to the new framework and are unlikely to be, as the developers both fell off the face of the Earth as best I can tell. I understand that the Extended Support builds supposedly contain a way to turn off the signature check for plugins so I might need to investigate that more thoroughly before November rolls around.

1 Like

i don’t want to pry, only: which two?

super curious. i rotate through browsers depending on what kind of work or reading im doing, but i don’t use many extensions.

2 Likes

He was pretty much anti-any firefox fork.

I considered Pale Moon at the time and decided against it, but in November a lot of extensions are going to break for me with no sign of fixes (and a few developers have explicitly said they won’t update) so I am in the process of making the move.

3 Likes

I don’t know about being anti any fork, but I know that he had some specific trouble with Pale Moon where there was some controversy and it might have gotten a bit personal.

https://forum.palemoon.org/viewtopic.php?f=17&t=11810

There probably is an element of “yours is a derivative project, if you don’t like what we do, then write your own source code” behind it. I can see both sides - I am critical of current Firefox directions, but I know that they aren’t obliged to change it for me.

and able to be supported into the future. The legacy extension system is a nightmare of legacy code and security problems. It structurally kept Mozilla from moving Firefox over to multiprocess, for example (and this support is necessary for better sandboxing, all things Chrome has had that make its security and performance much more future proof), and other changes that are necessary to continue to move Firefox forward. There was a huge legacy code debt around XUL.

People seem to forget that elements of the Firefox architecture and core code go back to the 1990s. Even Microsoft had to eventually switch to Edge because of legacy issues with old code and architecture just holding things back in the post-2015 era. What is your suggested solution to that if it is “Don’t ever change anything I like in Firefox forever?” I mean, if people felt that strongly, they could make Ice Weasel into a fork that doesn’t follow this change and put real resources onto developing it (they won’t though. People never put in real resources, they only complain about a free product they’ve been using for about 13 years without understanding why the changes are happening).

Firefox 57 also brings in things like Stylo, which required changes like the extension ones:

https://hacks.mozilla.org/2017/08/inside-a-super-fast-css-engine-quantum-css-aka-stylo/ (this link has lots of under the hood Firefox 57 “quantum” discussion)

BTW, I wouldn’t trust my security to Pale Moon. It is running an ancient fork of Firefox ESR with hand ported patches by one guy… As has been pointed out, I have had some run-ins with their dev before (because of active shit talking by folks on his forum about Mozilla and Firefox) and think he’s kind of a jerk but my main issue is that basing your entire browser on hand back porting a bunch of changes every six to eight weeks because you don’t like a UI we switched to a few years ago is dumb and unsafe. I don’t know what he’s going to do after the next ESR jump (currently ESR is based off of Firefox 52), which will be forked from Firefox 58 since it will be post-all of the quantum changes. I suspect Pale Moon will be stuck back on old ESRs forever, which will make it more and more unsafe over time as they are unable to port core changes and security updates from Mozilla. Since Pale Moon’s dev team is one guy, they just don’t have the resources to really write a secure browser on their own.

5 Likes

Ublock Origin is out now as a webextension.

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

1Password’s web extension (for a password manager) is out in beta (and I don’t know what took them so long).

4 Likes

Bill being me, I assume? :)
For the record, my name isn’t Bill.
Enso works here.

I do find it amusing that I realized I hadn’t been here in a month, drop in, and immediately find a thread of obvious interest to me where I’m indirectly name checked. I should come more often.

7 Likes

It’s also that some types of extensions are totally impossible on Firefox (57+). I don’t give a damn about the UI. I do give a damn for DownThemAll - which is a multi-threaded download manager, available only for pre-57 *Fox.

Without that, I may as well use Vivaldi or any number of the Chrome forks.

Pale Moon evangelicals (“Lunatics”) are almost as infuriating as the guy who pushes Slackware as the cure for computing’s ails.

NPAPI based plugins were the security risk. XUL didn’t rely on NPAPI. It was ripped out because they didn’t want to rewrite the support for XUL in Rust. (That, and the whole UI being single-threaded).

EDIT: don’t even bring up Konqueror.

2 Likes

I was recently wondering about what was going on with Konqueror, when I was installing a KDE distro.

3 Likes

I was a user of it too and it is well established that some types of extensions are impossible in 57. Web Extensions don’t offer the deep capability (with the associated performance impact and security risks) of old style extensions. The problem is that you can have a good sandbox for security, performance, multi-process Firefox or you can have legacy extensions. Which is it? This is literally an issue with architecture and technical debt. Contrary to some BS claims out on the Internet, this isn’t about aping Chrome but about making Firefox work moving forward. Web Extensions happen to be a standard and have a developer base so that was chosen as the solution.

It’s a bit more complicated than that. I’m a ten year Mozilla employee. I’ve been there since Firefox 2.0 days. This isn’t a “oh, Mozilla could do it…they just didn’t want to do it” thing.

Every time, just about, someone on the net rails on and on about how unperformant Firefox is for them, it turns out that they are running a shitty extension (usually five to ten of them) and THAT is what’s causing the performance and stability issues they see.

It’s not 2007 anymore. It’s 2017. This train is moving forward or Firefox won’t even exist in another 10 years. It is open source. A dedicated group could fork the codebase from any arbitrary point in the last ten years if they wanted to do so. You’ll notice there is not a SINGLE group of people lining up to do that so, basically, everyone is happy to complain but no one is so willing to say Mozilla is making the wrong choice that they’re willing to fork the project and prove Mozilla wrong unless you want to say that Pale Moon is the one doing that and, really, it is one guy. I’m sure not trusting my browsing security to a single developer working on a code base that he’s never contributed a patch back to.

4 Likes

So what is the open source replacement to Firefox that everyone is switching to?

(That sounds more confrontational than I actually intend. It is a real question though.)

2 Likes

Well, current ESR builds are forked off of Firefox 52. Once Firefox 58 is out, an ESR58 will be released at the same time. After two release cycles of that (when Firefox 60 is out along with ESR58.2) the current ESR52 support will end. At that point, AFAIK, there will be no version of Firefox supporting legacy extensions.

BTW, I’m not anti-any Firefox fork. I’ve just never seen one really. Ice Weasel is pretty much just a branding thing for Debian. There aren’t any real Firefox forks out there unless you consider Pale Moon to be one and I’m pretty sure Pale Moon doesn’t have a public code repository and doesn’t have more than a single developer, who makes his living (I think?) off of it.

1 Like

The alternatives, to me are:

Forking is hard.

I’m currently knee deep in spaghetti code from the FOnline Project, attempting to rewrite the (server-side) code-base to have features a fork of it had years ago (before said fork stalled). It’s even worse when said code is written in Cyrillic. Not even kidding. You can see my progress on it at https://github.com/tinoesroho/Project-XT.

For most people, the amount of effort it takes to learn a codebase, they feel is better spent developing their own damn codebase instead.

I recognize that browser development is hard. The fine folks at Mozilla are brilliant engineers and I doff my cap to them. Every release of Firefox has been faster and better than the previous one. Mozilla’s many projects have driven the field of internet computing forward, from the ill-fated Firefox OS to Rust (take that, Golang!).

The reason I stuck it out with Firefox on my devices comes down to extensibility. Not speed. Don’t get me wrong - I love the speed of modern firefox - but speed was never my primary consideration. Firefox has a massive ecosystem of addons that (may they rest in peace) allowed you to completely alter the user interface, add a native reading mode, add a night mode, and completely muck with rendering if you wanted. It’s been a wild decade-and-a-half of Firefox for me.

It’s just, for me… without the extensions I relied on, Firefox has nothing outstanding left to make me use it as my primary. I’ll probably be stuck using a (sandboxed and isolated) virtual machine with Pale Moon to do my primary browsing because screw JDownloader and its many relatives. Try downloading Libreoffice in Firefox - and then try it in Firefox with DownThemAll!.. No comparison. Hands down, DownThemAll is the single most important thing to me.

Let me put it this way: I’d pay good money to have Firefox 58 with the improvements from DownThemAll.

No DownThemAll, no life.

EDIT:

1 Like

Replying to note that Pale Moon dev team (~3 regular contributors) have blacklisted AdNauseam as malware - their reasoning being that AdNauseam is essentially clickfraud.

/shrug

My bad. I used to think of your old handle as All Bill (All the Time).

I think the path forward is to forget about the concept of a primary browser. I already do this on my tablet where I have five different browsers installed, each one used for and adapted to a different purpose. On my laptop I’ll be able to further customize them, leading to a collection of tools that have a similar use, and maybe a shared history, but are distinct from one another.

2 Likes