Facebook Container for Firefox

Firefox has a nifty extension—made by Mozilla—called Facebook Container. It does two things.

First of all, it sandboxes any of your activity while you’re on the facebook.com domain. The tab you’re in is isolated from all others.

Secondly, when you visit a site that loads a tracker from Facebook, the extension alerts you to its presence. For example, if a page has a share widget that would post to Facebook, a little fence icon appears over the widget warning you that Facebook will be able to track that activity.

It’s a nifty extension that I’ve been using for quite a while. Except now it’s gone completely haywire. That little fence icon is appearing all over the web wherever there’s a form with an email input. See, for example, the newsletter sign-up form in the footer of the Clearleft site. It’s happening on forms over on The Session too despite the rigorous-bordering-on-paranoid security restrictions in place there.

Hovering over the fence icon displays this text:

If you use your real email address here, Facebook may be able to track you.

That is, of course, false. It’s also really damaging. One of the worst things that you can do in the security space is to cry wolf. If a concerned user is told that they can ignore that warning, you’re lessening the impact of all warnings, even serious legitimate ones.

Sometimes false positives are an acceptable price to pay for overall increased security, but in this case, the rate of false positives can only decrease trust.

I tried to find out how to submit a bug report about this but I couldn’t work it out (and I certainly don’t want to file a bug report in a review) so I’m writing this in the hopes that somebody at Mozilla sees it.

What’s really worrying is that this might not be considered a bug. The release notes for the version of the extension that came out last week say:

Email fields will now show a prompt, alerting users about how Facebook can track users by their email address.

Like …all email fields? That’s ridiculous!

I thought the issue might’ve been fixed in the latest release that came out yesterday. The release notes say:

This release addresses fixes a issue from our last release – the email field prompt now only displays on sites where Facebook resources have been blocked.

But the behaviour is unfortunately still there, even on sites like The Session or Clearleft that wouldn’t touch Facebook resources with a barge pole. The fence icon continues to pop up all over the web.

I hope this gets sorted soon. I like the Facebook Container extension and I’d like to be able to recommend it to other people. Right now I’d recommend the opposite—don’t install this extension while it’s behaving so overzealously. If the current behaviour continues, I’ll be uninstalling this extension myself.

Update: It looks like a fix is being rolled out. Fingers crossed!

Responses

Šime Vidas

Re adactio.com/journal/18328 “I tried to find out how to submit a bug report about this but I couldn’t work it out … so I’m writing this in the hopes that somebody at Mozilla sees it.” The extension’s website is shown on the about:addons page.

# Posted by Šime Vidas on Tuesday, August 3rd, 2021 at 10:29pm
