The Firefox browser ships with the Pocket extension built in, and the Settings option does not disable the service completely. The option merely hides the "Recommended by Pocket" section from the new tab page. Many people dislike the Pocket extension for the following reasons:
- The Pocket icon is still visible in the omnibox in the Firefox chrome and in other parts of the Firefox UI.
- The Pocket service might still occasionally connect to Pocket servers, violating the user's expectation of privacy.
- Pocket services still consume some computing resources to update the extension information.
1. Add a simple and intuitive option in Firefox Settings to disable the Pocket extension entirely:
1.1. Visual changes:
- remove the Pocket icon from the omnibox in the browser's chrome.
- remove "Save page to pocket" from the omnibox "Page actions" menu.
1.2. Internal changes:
- ensure that Pocket components are not loaded when Pocket is disabled.
- ensure that Pocket sites and API endpoints are not queried without the user's explicit intent. API endpoints include, but are not limited to:
* getpocket.com and api.getpocket.com
2. Make people aware of the new option (e.g., add links to it in appropriate places in the UI).
3. Enable Pocket only after the user's explicit intent to use Pocket, e.g., after asking the user during the initial setup.
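One way to check the requirement in item 1.2 from outside the browser, as an added example that is not part of the original proposal: scan resolver logs for lookups of the Pocket hosts listed above while Pocket is supposed to be disabled. It assumes dnsmasq query logging as the log source; the function names and the sample log lines are constructed for illustration.

```python
import re

# Hosts named in the proposal; the proposal says the list is not exhaustive.
POCKET_DOMAINS = ("getpocket.com", "api.getpocket.com")

# Line shape written by dnsmasq when query logging is on (assumed log source).
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<host>\S+)\s+from\s+(?P<client>\S+)$"
)

def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return host.rstrip(".").lower()

def is_pocket_host(host, domains=POCKET_DOMAINS):
    """Match a listed domain or any subdomain of it, on label boundaries.

    A substring test would wrongly flag notgetpocket.com or
    getpocket.com.example.net, so compare whole labels instead.
    """
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in domains)

def pocket_queries(lines, domains=POCKET_DOMAINS):
    """Return (timestamp, client, host) for every Pocket lookup in the log."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m and is_pocket_host(m["host"], domains):
            hits.append((m["ts"], m["client"], normalize(m["host"])))
    return hits

# Constructed sample log: two real hits, two look-alike names, one reply line.
SAMPLE_LOG = """\
Jan  5 10:00:01 dnsmasq[412]: query[A] example.org from 192.168.1.20
Jan  5 10:00:07 dnsmasq[412]: query[A] api.getpocket.com from 192.168.1.20
Jan  5 10:00:09 dnsmasq[412]: query[AAAA] GetPocket.com. from 192.168.1.20
Jan  5 10:00:12 dnsmasq[412]: query[A] notgetpocket.com from 192.168.1.21
Jan  5 10:00:15 dnsmasq[412]: query[A] getpocket.com.example.net from 192.168.1.21
Jan  5 10:00:16 dnsmasq[412]: reply example.org is 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for ts, client, host in pocket_queries(SAMPLE_LOG):
        print(f"{ts}  {client}  {host}")
```

A lookup only shows that a name was resolved, so run the check on a profile where Pocket is disabled and no Pocket page is opened by hand; any hit then points at a background query.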
The researcher also created a tool that lets users test whether their extensions also contain vulnerable APIs that can be exploited by malicious websites. More details about Somé's work are available in a research paper entitled "EmPoWeb: Empowering Web Applications with Browser Extensions," available for download in PDF format from here or here.