I'm not trying to argue that Firefox shouldn't have deprecated XUL or NPAPI. I'm one of the people who didn't depend on any add-ons which aren't available anymore; I just had to update the add-on I wrote to work with the new API, which was easy because it's one of those add-ons which essentially just needs some javascript to be injected into all web pages.
I'm just saying that when Mozilla decided to break the browser for many people, it wasn't "good for" the people who ended up with a browser which doesn't let them do what they want. It's not even "good for" the people who "only" had to invest hours into learning a new workflow with a new set of add-ons. Pretending that it is, is harmful; there are very real drawbacks which have to be weighed up against the advantages of a cleaner API which it's easier to maintain and which might be more secure. I think Mozilla absolutely made the right choice; I just don't think we can focus exclusively on the benefits and pretend that the costs don't exist.
I'm also kind of curious about how the security angle works. Currently, any WebExtension which asks for the proper permission can just read the content of your banking websites if it wants, and send what it finds (your social security number, your password, your bank account numbers, etc) to an attacker. With the new API, you still have to make sure not to install malicious add-ons. How is that different between XUL and WebExtensions?
I'm just saying that when Mozilla decided to break the browser for many people, it wasn't "good for" the people who ended up with a browser which doesn't let them do what they want. It's not even "good for" the people who "only" had to invest hours into learning a new workflow with a new set of add-ons. Pretending that it is, is harmful; there are very real drawbacks which have to be weighed up against the advantages of a cleaner API which it's easier to maintain and which might be more secure. I think Mozilla absolutely made the right choice; I just don't think we can focus exclusively on the benefits and pretend that the costs don't exist.
I'm also kind of curious about how the security angle works. Currently, any WebExtension which asks for the proper permission can just read the content of your banking websites if it wants, and send what it finds (your social security number, your password, your bank account numbers, etc) to an attacker. With the new API, you still have to make sure not to install malicious add-ons. How is that different between XUL and WebExtensions?