Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Comments · 17,579
-
Re: Web Workers
Chrome might have "process per tab," but Firefox creates container processes for plugins. All isolated from the page they are rendering to so if they go down they don't take out Firefox. Might not be as robust, but it works. Also, time to update your knowledge, kittlings. Electrolysis has been in development for almost a year and is available in Firefox nightly builds right now. Still buggy but FF is well on its way.
-
Amazing JavaScript stuff by same sql.js author
Lua: http://kripken.github.io/lua.v...
"Lua is implemented in portable C. It is possible to run C compiled to JavaScript at speeds approaching that of a native build (using the asm.js subset of JavaScript), which means that you can in principle run C code that happens to implement a VM at high speed as well. Of course this is theoretical until it is actually attempted - that is the point of this project."
A Sql.js demo: http://kripken.github.io/sql.j...
3D, just amazing Doom-clone: https://developer.mozilla.org/...
"BananaBread is a 3D first person shooter that runs on the web. It takes the Cube 2: Sauerbraten engine, which is written in C++ and OpenGL, and compiles it using Emscripten into JavaScript and WebGL so that it can run in modern browsers using standards-based web APIs and without the need for plugins. The project has several goals. First, to serve as a testcase for running a demanding 3D game in browsers: Having a working testcase lets us try out new browser features and to profile performance in order to make browsers faster. Another goal is to prove that games of this nature can run in JavaScript and WebGL, which many people are skeptical about. Finally, all the code in this project is open (and practically all the art assets), so others can learn from this effort and use this code to create their own browser games. The latest update of this demo uses asm.js for additional speed, and WebRTC for multiplayer."
The author's GitHub site, where there is a tool to compile LLVM output like from C to JavaScript: https://github.com/kripken
https://github.com/kripken/ems...
By others (MineCraft-like): http://voxeljs.com/
It's been said JavaScript is much better than we deserved... It's great to see all these advances. And I think you are right, the next two years will see the further spread of all this.
My own JavaScript experiments towards a social semantic desktop, with the idea that you could have a simple backend and do most of the heavy lifting of processing and displaying information locally in the browser.
https://github.com/pdfernhout/...
-
use strict
Errorhandling and exceptions are great, because they don't ignore errors, but force you to deal with them. Javascript just runs and you never know the correctness of the state.
Have you tried to use strict? That should turn more silent failures into the "error handling and exceptions" that you prefer.
-
Re:common platform
"Things that you can NOT do in HTML5"
Except for local storage, maybe tilt & shake, simply not true.
Not only can device location be done, it is commonly done. Some implementations are better than others though.
Audio and video recording are both pretty simple, as long as you don't mind using Flash to do it.
Text to speech is also quite doable, as long as you don't expect it in realtime... and maybe even then. You just do the conversion on the server, and play the file via HTML5.
There are really very few things you can't do via HTML5, with the exception of recording audio and video directly. They're working on that, and in the meantime you can get around that with Flash. The problem is not that these things can't be done; the problem is that it's a pain in the ass, and not very practical at this time.
-
Re:For Those Who Forgot about Opera
Automatic restoring of tabs from last time is implemented in all browsers. If you mean something more sophisticated, there's Session Manager extension for Firefox.
-
I don't really see it as being that bad
I've had to use a lot of different code/languages for my little Firefox Plugin and it's not that hard to keep up with. For the most part I can find libraries (I use Poco and QT) that do all the heavy lifting when I'm in C/C++. For my site a little jquery goes a long way.
For the most part there are only minor syntax differences in modern languages anyway. It's all arrays, hashes/dictionaries, iterators and if statements with a bit of gui programming.
Heck, even the gui programming follows the same basic paradigm. Again, wrote a few toy Android apps and found I was using Java to do the same stuff I do with HTML/JavaScript. e.g. Get a reference to a gui element then call methods to get/set its state and attach a callback to it.
What I'm finding is that until you're writing math heavy programs everything is more or less the same :P
-
Re:spam
is it possible to block bitcoin spam from slashdot?
maybe try something like https://addons.mozilla.org/en-...
not sure if you could filter out entire articles (i haven't bothered looking at slashdot html) but you could at very least replace the word "bitcoin" with something less annoying, like maybe "frosty piss"
either that or write your own little slashdot browser using a socket... that way you could filter however you like, and maybe block out all the ads, js, images, css bullshit as well. probably would be a real hit if you released it.
-
Re:The web needs a good layout engine
I agree that the rush for width in browser windows drives me nuts, especially when the web designer forces it on you.
But I'm not sure I understand why this requires Regions? Multi-column has been done for quite a while.
Mozilla has some examples here: https://developer.mozilla.org/...
and CSS3 have examples here http://www.w3schools.com/css/c...
Are these the same thing as regions? Or are they using other concepts altogether?
-
Firefox OS
-
Re:HTTP/HTTPS Issues?
Not sure if joking...
http://noscript.net/features#o...
https://www.eff.org/https-ever...
A lot of the sslstrip stuff is based off of people not noticing the page has changed to insecure, modern browsers try to address that by making it more visible than it was in the pre-FF3 era, e.g.:
https://support.mozilla.org/en...
-
Re:Privacy
Perhaps once on the mozilla map page (linked in TFS) you might have selected Project overview to see what they had in mind if it wasn't yet clear.
The telecomms industry isn't well known for being at all helpful even when being paid.
You obviously also didn't look at my UID :-)
-
Re:Is Firefox safer? No. Mozilla sold out.
It's "opt in or else". If you don't opt in, it messes up your browser and is hard to uninstall.
-
Re:Is Firefox safer? No. Mozilla sold out.
No, Firefox isn't safer. Mozilla sold out last year. This came up when Wips bought up a number of plug-ins, including BlockSite, and installed spyware with a ransomware "opt-in" feature. (Opt in, or we block Flickr, etc.)
Mozilla policy: "These features (spyware, etc.) cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."
Jorge Villalobos, Mozilla management-level employee: That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.
63 add-ons from Wips were found by a search last year.
-
Re:Is Firefox safer?
You may want to read https://addons.mozilla.org/en-US/developers/docs/policies/reviews for Mozilla's policy for hosted addons. It says "will", but that page is also two years old. Those policies are in place now. The short of it is:
- All addons hosted by Mozilla get reviewed.
- Open source is not required, but source disclosure to Mozilla is.
- Any update to the addon triggers a new review cycle.
-
I had a couple offers
to my Firefox extension and they were all kinda shady. Extension development is kinda niche to begin with, so I figured they were planning something like this. I'm just surprised it took so long for people to notice.
I don't see it as a huge problem though. Most extension developers are like me, hobbyists and enthusiasts. There's really only a few big ones (like Adblock Plus and Firebug) and those are big enough they're not a target for these sorts of things.
-
10+ Years Ago - Mozilla
A good 10 years ago now (or was it 11?) the Mozilla folks were touting the "browser is the platform" and suggesting that people write their applications to target the browser to get cross-platform portability.
They had a good point, since Firefox was and is cross-platform.
-
Re:Over a decade
Not volunteers but paid developers. This is a common misconception. Check this post for a quick summary of the contributors to the Linux kernel. Linux and many big open source projects started as volunteers' efforts and eventually turned into joint ventures between companies ruled by FOSS licenses instead of by thousands of pages of contracts. Shared development is a major money saver for all parties involved and is a very efficient way to invest resources.
The same applies to distributions, which are often owned or substantially backed by for profit companies (Canonical, Red Hat, etc).
/rant-mode Nevertheless even paid developers have schedules. I just wonder why nobody's schedule includes this 2007 Thunderbird bug. Well, maybe I'll have to wait for the 12th year or learn the relevant technologies and fix it myself (won't happen, I got other stuff to do.)
/end-of-rant
What I appreciate with Linux and open source in general is that they have public bug trackers. I can open bugs, vote them up, contribute information, see how fixes progress. Bugs in closed source programs and OS are usually managed in a very opaque way. The money you pay doesn't buy you any insight unless you pay really big money and get into some special support program.
-
Re:It doesn't matter and won't affect me
It may not be obvious to the /. crowd, but nobody uses ad blockers. Of the people I know, I am the only one who does.
So wait, you are telling us that the collective wisdom here is wrong because of your personal anecdotes?
Adblock is the #1 downloaded extension to firefox. 18 million users which is 3x times the #2 most popular extension.
https://addons.mozilla.org/en-US/firefox/extensions/?sort=users
-
Re:NoScript
Aaaaand, done.
Just add "http://www.tigerdirect.com/sectors/nojs/index.asp" to the NoRedirect list.
-
Re:NoScript
The mere fact that many sites host executable content does not mean you need to execute that content. Calling people 'luddites' and 'clueless' when they recognize this is... rather clueless.
Most sites hosting executable content work partly without that content. Some things might not look like they would had that executable content been given free rein, but so what? Some sites overlay the static page with warnings about the lack of functionality when you block their executable content. Right-mouse-button-click on 'Remove this object' and voila... the site works fine. For those sites which really, really insist on having their scripts run there is always CTRL-w.
-
Mozilla Servo
While the old GTK vs QT and C vs C++ debate continues, the interesting stuff is really happening in the Web space with projects like Mozilla Servo where the UI is parallelised as much as possible. Servo might be rendering HTML at first but it could just as easily render another XML dialect designed for apps like XUL. Actually, it would be nice if they could move away from XML and move to JSON but I digress.
-
Re:Become?
A tag to disable active content was proposed more than ten years ago. http://lists.w3.org/Archives/Public/www-html/2002May/0021.html
Mozilla proposed CSP some years later: https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465
If this sort of thing was widely implemented this malware thing might have been easily blocked - apparently the malware ads didn't require the victim to click! And many of those XSS worms in the past might not have spread.
But nobody really cares about security.
-
Re:Maximum precision?
Hey, just noticed this after xmas.
I'd seen discussion of this in the announce, and seems pretty clear the intent in the spec, but anyway, here's the landing patch.
https://hg.mozilla.org/mozilla-central/rev/b3d85b68449d#l29.613
Note that section.
-
Re:Excellent...
I recall reading that spam makes up some 70% of internet traffic. Get your keywords into spam, and your noise propagation will massively skyrocket. Can you take over a botnet and repurpose it? That should be your goal, if so. If not, you might get involved with encryption of some kind. There's plenty of room for extra noise in encryption streams; throw in a few keywords into headers or tack it onto hash algorithms and you might have something as well.
I don't think you're going to get much traction with getting people to add something new to their work routine; at the scale we need, you're not even going to be above the noise floor. We already have noise generators which are of dubious effectiveness (mind you I run that one anyway).
Alternatively, do something to improve Linux usage in general. Once it becomes more widely used by Grandmas of the world, it's easier to close holes that allow the NSA to do what it does, or for knowledgeable people to write high-level versions of the kind of programs you're talking about. Think of having Tor relays on by default in more or less every neighborhood in the US. It's already a thorn in the side of snoopers; if it becomes a default option in for example Ubuntu, then the wider Linux is deployed, the greater effectiveness that change will have.
Sadly, I have little hope for change on the grassroots front. Specific projects like the Truecrypt code review and similar things no doubt happening en masse in Linux are going to be the major drivers for change as far as I can tell.
-
Re:So who needs native code now?
I think ASM.JS is dead out of the water as Google refuses to support it.
No, that's not true. You maybe have things backwards. Mozilla refuses to support NaCl, which is Google's similar-goal-different-approach technology.
-
Re:Suspect even at -O0 -g
Why do you think that single process has anything to do with this? The Mozilla developers clearly want to do this, it just is a massive effort to change their code to suit the model.
Really? You're saying the Mozilla developers "clearly" want to switch to Pepper/PPAPI? Because I don't think that's very clear at all.
As for NaCl, Mozilla has been pretty adamant that it's not interested.
-
Re:Update the ecma standard
Actually, that is what is going on.
asm.js is that potential bytecode and TypedArrays are the first step.
There are things being added to ECMA standard which allow for things other languages can already do (I forgot which ones right now. I don't want to spend the time to look them up right now).
Lots of other things are also available or being worked on:
- WebGL == OpenGL ES
- http://www.w3.org/TR/WebCryptoAPI/ exposes some of the browser's cryptographic functions as an API.
- WebRTC is encrypted video and voice (kind of like VoIP) and Peer2Peer networking.
- WebAPI is about giving you access to hardware and networking: https://wiki.mozilla.org/WebAPI
- https://payswarm.com/ and https://wiki.mozilla.org/WebAPI/WebPayment are about adding "inApp-/webstore payment" system to the web.
That is just from the top of my head. And I didn't even mention all things that went into HTML5 or related standards.
-
Electrolysis
If you want threading in Firefox, then go vote up the bugs related to Electrolysis.
-
I am
I've maintained a goofy little firefox plugin for a few years now and put together a few simple Android apps. It helps me keep my programming skills up while I'm working in IT, and the plugin's big enough I do a little project management on it :). Besides, I get bored playing video games all day long :).
-
First things first, limiting CA's scope, please.
One of the major problems is that there are currently no limits to what a CA can sign, and even though there is an urgent need to do a major revamp of the protocol, I would like to see first that TLS 1.next would at least fill that gap.
Can someone, please, if they can, justify why for example Türktrust can sign a certificate for a *.gov and .*mil domain? Or why a Spanish CA issued a wildcard *.google.com to someone, please?
Limiting that from happening should be a minimum short-distance goal; implementation shouldn't be delayed many years, but possibly start from the beginning of 2015.
There are many ways to implement these. Adding OIDs to the root certificate stating the policy TLDs for which the CA is authorized, and then also verified from the TLD controlling party by a DNS query asking RRs for that CA whether the policy is current and not revoked. The protocol could be lightweight DNSCurve for example. But like I said, there are many ways of doing it. The hardest ones to solve would be those where no connection to the network exists before the offered certificate, such as 802.1x/EAP, without chicken-and-egg problems.
IMHO, the now-founded new work group should concentrate on longer-period development, but first things first. The big gaping hole in the current implementation should be fixed ASAP.
Two years ago a post (Honest Achmed's Used Cars and Certificates) applying for a root CA from Mozilla was funny, but not any more. There are so many incidents with falsely issued certificates, even root certificates, that they could have admitted root to Achmed and his brother who knows a few things about computers and the situation wouldn't have been much worse by now.
-
Re: Not to rain anybody's party, but....
I agree with some of your points, especially regarding SPDY. But I have to put this out there: Pepper is not a real API. PPAPI is essentially just a crapton of exposed inner Chromium guts. There's a reason that other browser vendors don't support PPAPI: it's because the only realistic way to implement that support is to pull in half of the Chromium sources, then keep up with changes. That's insane. You can't expect people to do that. Not only that, but the PPAPI doesn't exactly have great documentation, either. Unfortunately, I can't name a specific reference for this, but reportedly, over 50% of PPAPI calls in Adobe's Pepper version of Flash are undocumented. I'll fully admit that NPAPI has problems, but that doesn't mean that PPAPI doesn't also have very serious issues. See also the Mozilla bug on implementing Pepper support: https://bugzilla.mozilla.org/show_bug.cgi?id=729481
-
Re:VoIP + ZRTP
Or use WebRTC, it's encrypted by default with the other encrypted RTP protocol: SRTP.
There is even a system where you can be sure who you are talking to and be sure there is no man-in-the-middle, with an RFC draft to tie it into oAuth or BrowserID protocols:
http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-07
https://air.mozilla.org/intern-presentation-seys/
With BrowserID/Persona your privacy will also be preserved.
Persona is the first implementation by Mozilla of the Mozilla developed protocol.
-
Re:What else can you do?
You can also play games with your browser sessions. Both firefox and chrome support multiple browser sessions running simultaneously. I have one just for google searches, another just for youtube, another just for banking, etc. That keeps your cookies and other fingerprinting information like extensions, browser history, etc unique to each task.
If you run firefox with these arguments it starts up with a picker that lets you choose which profile to run:
firefox --ProfileManager --no-remote
I give each profile a different theme and change the titlebar to start with a prefix (like "GOOGLE: xxx" or "BANK: xxx") with the customize_titlebar add-on to make it easy to visually distinguish between different sessions.
I also use the user-agent switcher extension to give each browser session a different user-agent. I usually set them to say the OS is Windows (I'm on linux) to blend in better with all the other Windows users and then each one is set to report a slightly different version of firefox (like 25.0 or 25..0.1 or 24.0 etc).
It is not just about hiding yourself it is about polluting their databases. Switching the user-agent isn't 100% -- some javascript can figure out the browser version via other means. But it is low-hanging fruit because the user-agent gets transmitted with every single http request your browser makes, so anyone passively sniffing the wire will get whatever you set it to.
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
There is a similar add-on for chrome by a different author, haven't used it myself:
https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg?hl=en-US
For firefox you have to make an additional change in about:config in order to have your user agent stick permanently because java gets confused on startup if it is spoofed. Create a new preference 'useragentswitcher.reset.onclose' and set it to false.
-
Re:Elephant in the room
http://en.wikipedia.org/wiki/Dynamic_Adaptive_Streaming_over_HTTP
It is worth mentioning that the Youtube Center browser extension can disable DASH and make many other improvements to Youtube's interface. Firefox Chrome
-
I'm glad they didn't emulate the Commodore 64
That allows ASM.JS to do C64 emulation in a much more cross-browser compatible way.
Meanwhile Here's the Unreal 3 engine running using ASM.JS
-
Because it's only 20 years old, not 95
-
Re:What about memory use?
You could try to Reset Firefox https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems/ and start afresh with the personal data automatically carried over.
-
Re:obligatory privacy tools and recommendations
I think all of that is solid advice. I would add
5. Use RequestPolicy [1]
6. Do NOT use ghostery or any other proprietary software...
[1] https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/?src=search
-
Re:Now 2 good reasons not to allow cookie tracking
Try Self-Destructing Cookies. It doesn't give you those problems, and there's basically nothing to using it. You can even install it on the browsers of non-technical family and friends.
-
Self destruct cookie
This firefox plugin deletes the PREF cookie and all the others as soon as you close a tab. This means that it's created again every time with a different value.
I went to youtube and got this (I must split the values with spaces because /. complains about long strings of letters)
google.com PREF ID=b59d89f696da3efa:FF=0: TM=1386759139:LM=1386759139:S=mRC2qiDMZ3ir_5JK
google.com NID 67=c1dV2B25sq3P2XdfPrBzGx9yb89H089A9yORn8UeoYGlGbjOUIbHPs03t_7JesDo_7NcnT UlDm90BZEpoSPX9A7FmbYORqBl5WwLmUiCzjreycq2wGE1rAMOSuXlFaZg
I closed the tab, waited for the cookie destruction message, went to google.com:
google.com PREF ID=024924c1c44d8beb:U=9b9ed7f900bfc1f0:FF=0: TM=1386758246:LM=1386759139:S=GCtQO6AoyqL-fqze
google.com NID 67=lPuV792TXm6MLVCnzVYUN-U2Q7B-XRd1d5xCYp7DXjvXvKzEjxtn99DTIbvaFFIg9a8uk2 AmkokD1TaYRnXL3iNA9SrPc1hj3611xY66gObS6pCY4jTTMeQpF6YHLJnn
Different. Well, mostly different. That LM=1386759139 in both PREF worries me. I should understand what it is for.
-
Re:Java should just die
In short, it's already experimentally in Webkit browsers, and Mozilla is finding some time to get it into Firefox. If more people asked for it, it would have been possible much sooner. For instance, see here: https://bugzilla.mozilla.org/show_bug.cgi?id=846931
-
Re:Only $0.0005? Great!
Firefox and Chrome extension to see how much you are worth are available @ https://team.inria.fr/privatics/yourvalue/
FF plugin directly from Mozilla: https://addons.mozilla.org/en-US/firefox/addon/rtbwatcher/statistics so far from http://yourvalue.inrialpes.fr/
Average price of users $0.001200
Price of the cheapest user $0.000076
Price of the most expensive user $0.008000
-
Electrolysis
WTF is it with the Gecko engine and "senior moments"?
That's caused by the lack of a multi-process model in Firefox. Mozilla is working on it under the codename Electrolysis (e10s). It's still incomplete, but you can try it out by opening about:config, turning on browser.tabs.remote, and restarting Firefox. One drawback is that click-to-play is broken, as are "many plugins".
-
Re:my dream browser
Depending on the site (eg. if it overlays the content with something else), you might be able to get the content back if you use the Nuke Anything Enhanced extension - https://addons.mozilla.org/en-US/firefox/addon/nuke-anything-enhanced/ and 'nuke' whatever is blocking the content.
-
Re:YouTube
You can work around that with YouTube Center. I've linked to the Firefox version of YouTube Center but it's available for various browsers.
-
Re:A good start..
We studied doing this for Flash as well. Check out the user research study. We determined that the vast majority of users would merely be annoyed by making Flash click-to-play, and we wouldn't actually be improving security or performance for most users.
As noted in other comments here, you can mark Flash as click-to-activate yourself in the Firefox addons manager, or get more fine-grained control over which Flash actually runs by installing an addon like Adblock.
Our long-term strategy is to make it so that nobody needs to use plugins by adding new web APIs; to reimplement content like PDF and Flash in JS so that we can have control over the performance; and to use the mobile web as leverage to get new sites to use native HTML APIs like <video> to wean the world off of plugins.