Slashdot Mirror

This is a great idea, and I'm ready to contribute.

If you do a lot of reading, paragrasp is excellent for highlighting the current paragragh, list entry, etc. This is a must have! The thought of following my RSS feed without is ... oh wait. Right. It doesn't work any more with firefox. *sigh*.

No matter, I got really good at organizing tabs with the tab group feature that Mozilla build into the browser. Then Mozilla removed it, but the functionally was maintained and improved as an addon. It's not for everyone, but once you start creating groups for topics (the car, open pandora software and reading, software for controlling my guitar multi-effects processor) there's no replacement. Oh wait. That's stopped working too. And there really was no replacement.

But still there are good addons to take advanage of. I've been using tabmix plus for about as long as there has been addon support in firefox. That's been one of the most popular addons I can think of. And ... oh, that's still being "ported".

Well, there are still little things you can do with addons. For instance firefox has the nasty mis-feature of putting really useful key binding for things like switching tab or close the current tab right next to the "kill all my web browsers with fire and don't ask twice!" button. There used to be options to disable this or at least force a confirmation, but no more. Then comes an addon to the rescue! to disable Ctrl-Q so you never close the browser by accident. Genius! ... Well if you aren't on Linux. ... These kind of addons haven't worked on Linux since the addon API was "improved". But no worry! There is a bug report for it. It's been there for 2 years and the most recent comment from 9 months ago when further comments got locked because there was too much advocacy chatter in the bug report for them to be able to fix it. And they aren't sure if they want to fix it. Well, I didn't expect that. Depressing. https://bugzilla.mozilla.org/s...

Then there are the really nifty plugins that made firefox more powerful in all sorts of wonderful ways like Chatzilla, Poster, FireFTP ... oh. Those kind of things are all gone too I guess.

Well. Perhaps I'm not the one to help with the curated collection of current addons. Still, firerfox is still good. They care about privacy. Well more than any of the other browser makers. And they support an open web. Well more than the others, only giving in and supporting DRM like EME when they "have no choice".

Three cheers for the power, flexibility and principles of the community browser!

https://support.mozilla.org/en...

To make the HTTP resource secure on a HTTPS page we can link to the resource and provide a hash of the asset or file in the HTML. HTML already supports this.

Mozilla calls it "Subresource Integrity"

NGIX has supported their own version of secure_link since back when we thought MD5 was secure:
http://nginx.org/en/docs/http/ngx_http_secure_link_module.html

This is how you make mixed content HTTPS cache friendly without giving all your security to Cloudflare or similar.

Fuck off Goolag.

Next problem please.

https://www.freepress.net/news...

https://blog.mozilla.org/blog/...

https://gizmodo.com/nearly-eve...

Hope that helps. There are places that do polls so you don't have to, and what they show is a persistent, long term, high majority desire for net neutrality.

Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?

Problem is that any kind of AJAX request made before or during a page navigation is liable to be terminated by the browser as the page gets unloaded.

But besides the old ping there are also beacons. Both offer an important point: the request won't be terminated.

The problem here is fully custom pointers. It's highly unlikely any non-game "web-based software" would be significantly affected by being restricted to only the non-url forms of this.

Your software can have access to system standard cursors without a security issue.

No Classic Theme Restorer.

Rearrange the UI elements. You'll get used to it.

Or Download Statusbar.

CTRL-SHIFT-Y to pop the downloads window.

Also there's a UI element to show total download progress baked-in to the firefox interface. It's kinda small but if you really need to see details, that's what the downloads window is for.

And if you really need it:
https://addons.mozilla.org/en-...

Or a status bar that will let me run things from it.

Unsure what that is. If you miss the ability to run javascript: from the location bar, just press CTRL-SHIFT-K for the javascript console.

Apple has supported a native fullscreen mode in Mac OS since 10.7, better known as Lion. It's a fundamental feature, and helps keep windows well-sorted on laptops in particular. It works pretty well in every major Mac application -- except Adobe's.

Mozilla chooses to ignore it, too. Here's the relevant Bugzilla entry, in case anyone wanted to vote, not that it's going to do any good. Their game plan seems to be "wait until everyone who cares about this bug changes OSes or browsers so they don't care anymore".

Actually that exists in native CSS: https://developer.mozilla.org/...

Alas, as long as you need support for dreaded IE11, you're out of luck: https://caniuse.com/#feat=css-...

No, it is NOT needed. You should be doing this in JavaScript -- not in a (static) layout language.

Where will this bloat end? Adding a scripting language??? Because there will always be some "wouldn't it be nice to be able to do ...". We _already_ have requestAnimationFrame for smooth, jank free 120 Hz animation. To see if your browser supports 120 fps check use testufo.

>"In WebRTC case, it is Firefox that is broken: https://bugzilla.mozilla.org/s..."

Mozilla has been waiting for the correct 1.1 standards before fixing/coding something to something that was already dead and not working well. Besides, this is not the reason for the vast majority of "Chrome Only" sites starting to appear.

Firefox does throttle CPU in background tabs. For a very long time APIs like setTimeout have been throttled aggressively.

There has been quite recent work on using OS APIs to reduce the priority of processes running background tabs: https://bugzilla.mozilla.org/s...

There is no reason keys can't be stored in security modules or "smart cards" or even USB sticks for those dumb enough to require the security nightmare that is USB for user authentication.

If you're doing the signing on the computer, an attacker can copy the private key on its way from the module to the computer or copy it out of the browser process once it is in the computer. If you're doing the signing on the module, that is exactly what FIDO aims to do. What am I missing?

This is impossible to fix right? A completely new protocol is required to address this because browsers don't offer obvious sign out buttons for certificate and http auth.

I notice the sarcasm. It's required in a browser only because as of first quarter 2019, more customer-facing websites support FIDO than TLS client certificates.

All systems require a key to work. Whether on a USB stick or a smart card or embedded in a computers security module it's the same issue. Nothing prevents portability and regardless of which one you select the same keying material is being guarded.

The structure of FIDO ensures that the private key never leaves the device, unlike with a TLS client certificate whose key pair must be copied into the TLS stack's address space to be used. As I understand it, this safeguarding of the private key is necessary for the device to be considered a second factor, as "something you have" rather than "something you know", in case someone compromises your password manager.

They are not domain based they are signer based.

Who is the signer in common uses of TLS client certificates? In hypothetical use thereof on customer-facing websites, who would be the signer? How does the deprecation of the <keygen> element change this answer?

This is commonly used by "enterprise" systems rather than customer facing web sites.

In order to improve the usability of TLS client certificates to the point where customer-facing websites can use them, an overhaul of the user interface is needed. Feel free to contribute a pair of pull requests, one to Firefox and one to Chromium, that does this.

On this topic, I was thinking about the Thunderbird email client. It's been pretty stable, with no major changes in years as far as I can tell.
Does that mean it's "done", or is it too complex for people to work on?
The latter case seems to be hinted at in this blog post.

Thunderbird is a big, complex project that isn’t easy to jump into. So, as we closed out the year I opened a bug where we can detail what documentation needs to be created or updated for new members of the community – to ensure they can dive into the project.

Has anyone here contributed to it and if so, any comments? I love Thunderbird but when I looked at the code several years ago it was fairly daunting.

There's a couple of problems with working on Thunderbird. It's built on Mozilla (Firefox) code base, which is huge and fast changing at times, especially lately as they replace big chunks, so right there is a huge learning curve including learning how a bunch of stuff works under the hood,
Ant then there is the Comm-central (Thunderbird and SeaMonkey) code, which much is old and complex as well as intertwined with Mozilla code.

They are being forced to rewrite much due to Firefox having large chunks ripped out and rewritten. Luckily they seem to have some money to hire a few full time developers, as it is a full time job just keeping up with the changes in Mozilla, including porting stuff that Mozilla has ripped out to Comm-central, keeping add-ons working while moving to the new crap etc.

For a while it did seem pretty mature wit chunks that needed a rewrite but no one to do it. Now they're forced to keep up.
SeaMonkey is fairing a lot worse in the keeping up stuff.

On this topic, I was thinking about the Thunderbird email client. It's been pretty stable, with no major changes in years as far as I can tell.
Does that mean it's "done", or is it too complex for people to work on?
The latter case seems to be hinted at in this blog post.

Thunderbird is a big, complex project that isn’t easy to jump into. So, as we closed out the year I opened a bug where we can detail what documentation needs to be created or updated for new members of the community – to ensure they can dive into the project.

Has anyone here contributed to it and if so, any comments? I love Thunderbird but when I looked at the code several years ago it was fairly daunting.

You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.

Kashmir Hill at Gizmodo did a series where she spent a week each blocking Amazon, Facebook, Google, Microsoft, and Apple from her life (devices and internet sites), then a week blocking them all. (link to series) She had a friend setup a VPN for her devices configured to block access to the provider(s) and she noted in the articles how many IPs each controlled: Amazon: 23 million, Apple: 6 million, Facebook: 122,880, Google: 8 million, Microsoft: 21 million -- there's a link in each article to the data. She noted that blocking / not using Amazon was virtually impossible.

Browsers are moving towards dns over http, which bypasses your hosts file.

Don't know about Chrome (or other browsers), but this can be controlled and/or disabled in Firefox by setting "network.trr.mode" to 0. From my Firefox / Thunderbird "user.js" file:

// https://blog.nightly.mozilla.o...
// https://wiki.mozilla.org/Trust...
// 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
// 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.

user_pref("network.trr.mode", 0);

You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.

Kashmir Hill at Gizmodo did a series where she spent a week each blocking Amazon, Facebook, Google, Microsoft, and Apple from her life (devices and internet sites), then a week blocking them all. (link to series) She had a friend setup a VPN for her devices configured to block access to the provider(s) and she noted in the articles how many IPs each controlled: Amazon: 23 million, Apple: 6 million, Facebook: 122,880, Google: 8 million, Microsoft: 21 million -- there's a link in each article to the data. She noted that blocking / not using Amazon was virtually impossible.

Browsers are moving towards dns over http, which bypasses your hosts file.

Don't know about Chrome (or other browsers), but this can be controlled and/or disabled in Firefox by setting "network.trr.mode" to 0. From my Firefox / Thunderbird "user.js" file:

// https://blog.nightly.mozilla.o...
// https://wiki.mozilla.org/Trust...
// 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
// 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.

user_pref("network.trr.mode", 0);

Which is why JavaScript ALSO supports WebWorkers -- run scripts in background threads

The point is the OP is clueless about modern JavaScript.

to help journalists learn to code.
Do the art work for computer courses that teach code to journalists?
Create an Ada OS?
Help with CUDA like support on Linux?
Mixed Reality & VR https://research.mozilla.org/m...

Translation: "After a year of open discussion we didn't notice until now,"

Here for example is an overview of memory usage reductions related to Fission, from July 2018: https://mail.mozilla.org/piper...

What you suggest is in fact being done. Servo is the project to rewrite Firefox's engine in Rust, a modern language focusing on provable thread safety through abstractions with zero runtime cost. Quantum is the project to replace parts of Firefox's engine written in C++ with the parts of Servo that are completed.

Except those settings haven't worked since 63v because they decided to complicate autoplay configuration even further: https://support.mozilla.org/en... [mozilla.org],

What can I say.. no autoplay on any site I visit.

Except those settings haven't worked since 63v because they decided to complicate autoplay configuration even further: https://support.mozilla.org/en...

There's actually a setting to block that in the current release of Firefox

https://support.mozilla.org/en...

It just stopped working properly a few releases ago.

Has it occurred to you that maybe they are [listening to their users]? Believe it or not, people have different opinions about what they want out of Firefox.

Mozilla's bugzilla installation has a feature where people can vote on bugs (i.e. express their interest in getting a bug fixed or feature implemented), and this feature of the bug tracker has been there for 15+ years.

I can't remember the last time a bug with lots of votes was resolved.

In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.

Here is a list of currently open bugs with at least 100 votes.

(My memory might be playing tricks on me, but I remember there being much more votes on bugs. Thousands, at least. The current number one has 571 votes. Perhaps they did a user purge which wiped out votes? It would certainly explain why the list is dominated by WebExtensions bugs -- a recent feature.)

There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs.

A lot of things that people think are bugs are really just design decisions they don't prefer. While Firefox is certainly not perfect I don't see any of the other browsers being meaningfully better about dealing with their faults.

Exactly. For example, Firefox 65 dropped support for the preference "browser.urlbar.suggest.history.onlyTyped" -- only suggest URLs that were actually typed -- saying the behavior was "not-so-useful" (and, apparently, because their "typed implementation is a mess"), while *I* found it extremely useful.

That does not appear to be how it works. From reading the patch: if it fails to connect to the Firefox update service then it records the issuer of the cert that the update service presented. Then, if a future TLS connection fails with an unrecognized issuer and the unrecognized issuer matches the issuer that was recorded from the update service, then it displays the MITM error instead of the unrecognized issuer error.

(The code is here and here.)

The check piggy-backs on one of Firefox's existing phone home mechanisms, and it doesn't involve reporting every cert you see to some third party.

From the actual bug report and commit in HG: it appears that this is only a new error page that appears instead of SEC_ERROR_UNKNOWN_ISSUER when Mozilla's update service detects a non-built-in cert.

So: this error will only appear if the current version displays unknown issuer error, and mozilla's update service detects that it has a MitM proxy.

From the actual bug report and commit in HG: it appears that this is only a new error page that appears instead of SEC_ERROR_UNKNOWN_ISSUER when Mozilla's update service detects a non-built-in cert.

So: this error will only appear if the current version displays unknown issuer error, and mozilla's update service detects that it has a MitM proxy.

From the actual bug report and commit in HG: it appears that this is only a new error page that appears instead of SEC_ERROR_UNKNOWN_ISSUER when Mozilla's update service detects a non-built-in cert.

So: this error will only appear if the current version displays unknown issuer error, and mozilla's update service detects that it has a MitM proxy.

https://support.mozilla.org/en-US/kb/error-codes-secure-websites?redirectlocale=en-US&redirectslug=troubleshoot-SEC_ERROR_UNKNOWN_ISSUER#w_kaspersky

The most common causes are security software scanning encrypted connections or malware listening in, replacing legitimate website certificates with their own. In particular, this is indicated by the error code "MOZILLA_PKIX_ERROR_MITM_DETECTED" if Firefox is able to detect that the connection is intercepted.

Third-party antivirus software can interfere with Firefox's secure connections. We recommend uninstalling your third-party software and using the security software offered for Windows by Microsoft:

I guess it didn't occur to the Firefox developers that one reason that users install 3rd party antivirus software is to check for, you know, MITM attacks on their https connections. So basically, now you have the browser's MITM attack detection of the anti-virus's MITM attack detection, which causes the annoying error message about a MITM attack to pop up. And Mozilla's solution to this annoyance? Get rid of your favorite antivirus product and just go with Microsoft's offerings. Yeah, no.

No, there is no mention of Edge. The "beast" is Firefox. The first sentence is talking about Firefox 57's new UI and the Quantum project generally. The second sentence is talking about the use of Rust in Firefox.

This entry from the Book of the Mozilla is "11:14" because Firefox 57 was released on the 14th of November, 2017. All the entries correspond to a release date.

No, there is no mention of Edge. The "beast" is Firefox. The first sentence is talking about Firefox 57's new UI and the Quantum project generally. The second sentence is talking about the use of Rust in Firefox.

This entry from the Book of the Mozilla is "11:14" because Firefox 57 was released on the 14th of November, 2017. All the entries correspond to a release date.

What extensions do you want to use that still aren't updated and have no alternatives?

Keybinder does not work with Firefox 57 or later, and the feature that it relied on (XUL keymaps) has no counterpart in WebExtensions because of bug 1325692.

That's the feature I was talking about. In Firefox you by default have to type ' (single quote character) first, as per their manual. But link-only searching can be made into the default by going to about:config and toggling the preference "accessibility.typeaheadfind.linksonly" to "true".

The only extensions that didn't make the jump were either abandoned, or those whose authors preferred to loudly complain and join sone "anti-WebExtensions resistance" instead of trying to work out a solution.

This is a blatant lie.

There are plenty of extensions that are still waiting on updates to the WebExtensions framework so that they can be ported over. There are dozens or hundreds of bugs in bugzilla with requests for this. Just a couple that come to mind are around session management (there are no decent session managers for Nu-Firefox, and Michael Kraft's excellent Session Manager which was maintained and worked perfectly for years was left in the ditch) and tab management (Tab Mix Plus is only "dead" because Mozilla killed it).

This is only two among many others. Instead of waiting a year or so for WebExtensions to catch up, Mozilla in their rush to make Firefox become Chrome as fast as possible, threw the baby out with the bathwater without regret. It's what happens when people who don't actually care about a project or users take control.

Stop shilling for them.

The only extensions that didn't make the jump were either abandoned, or those whose authors preferred to loudly complain and join sone "anti-WebExtensions resistance" instead of trying to work out a solution.

This is a blatant lie.

There are plenty of extensions that are still waiting on updates to the WebExtensions framework so that they can be ported over. There are dozens or hundreds of bugs in bugzilla with requests for this. Just a couple that come to mind are around session management (there are no decent session managers for Nu-Firefox, and Michael Kraft's excellent Session Manager which was maintained and worked perfectly for years was left in the ditch) and tab management (Tab Mix Plus is only "dead" because Mozilla killed it).

This is only two among many others. Instead of waiting a year or so for WebExtensions to catch up, Mozilla in their rush to make Firefox become Chrome as fast as possible, threw the baby out with the bathwater without regret. It's what happens when people who don't actually care about a project or users take control.

Stop shilling for them.

https://www.mozilla.org/en-US/firefox/new/

These two are ad characteristics that cannot be directly controlled by the publisher via the placement of code:

- autoplaying audio (other than preroll before relevant video)

<video autoplay muted>

- animated ads that include flashing elements

If the publisher can approve or veto creative before it appears on the site, the publisher can veto creative incorporating flashing. If the publisher cannot approve or veto creative before it appears on the site, the publisher can switch to a different ad network or exchange, switch to publisher-hosted ad delivery without any network or exchange, or not use video as a format.

As a publisher myself, I don't want to show such ads, but first, there is no option in a network that says "don't show animated ads with flashing elements"

You could drop animated ads altogether. If your network doesn't allow that, you could drop your network and sell your ad space through a form on your site. A sponsor interested in your site could upload creative for approval and purchase page views. Then you could approve or reject the creative. See for example how ads work on Daring Fireball.

Plus "Main content portion" is subjective, and some algorithm could whack you on that.

Acceptable Ads criteria define "primary content" in terms of how HTML5 expects the <main> element to be used. In this respect, Better Ads Standards are more lenient than Acceptable Ads criteria, which require inline ads to take up zero percent of primary content.

it seems easy to break that rule inadvertently, for example, with a page that has less content than normal.

Then the ad serving script needs to measure the body of each article before ads are inserted into that article.

What is scary here is that there is no appeal process

Any webmaster who successfully claims control of a site in Google Search Console can clean up ads on that site and submit a request to have that site reevaluated.

combine it with Firefox, with tracking limiting controls enabled

Sure, but what does tracking limiting do? According to their blog it simply limits cookies identified by Mozilla as tracking cookies. Are Google ones included, considering that Google is still a major funder of Mozilla? Somehow I doubt it. Is the HTTP referrer scrubbed? Doesn't appear to be when I tested it.

So Google still gets all the same information, maybe with a limitation on some cookies, which I never factored into my original analysis anyway. They get the following information from the 75% of sites that use Google analytics and/or advertising:
1) They know they served up web site X as part of search results they sent to startpage.com, and they know the search terms
2) Depending on how they are hooked into the end web site, they may (probably) get the referrer information from where you came from, and Firefox's tracking protection does not appear to block the referrer
3) They definitely get your IP address on the end page visit
4) They know other responding variables like the ranking of the sites they serve up in the search results, they know when you click on "next page" on startpage.com for more results, and most importantly, they know the know the length of time between 1 and 3

No amount of tracking blocking can eliminate 1, 3, or 4 above. They have to get the search terms from startpage.com, they know what results they serve up, and they have to get the IP addresses of people who visit the end site on any site they have hooks into. No amount of cookie filtering can stop that information flow. And that is enough to link the search terms to visitors, especially if you click more than one link to more than one destination Google has hooks into. Which means, the more you use Startpage.com, the easier it is for Google to link your search terms with your IP. You do a search and suddenly one IP shows up at three sites they have hooks into that all just appeared on search results they already served up? Then they serve up new search results and that same IP shows up at one of those sites. Sorry, but regular use of startpage.com is no better than using Google itself.

Hey whitroth! Why are you posting this here? Mozilla has a bug reportor. Try that, and maybe those bugs will be addressed. Otherwise, great post! Keep up the good work, we're all counting on you! Don't let us down!

about:config

network.dnsCacheEntries 0
network.trr.mode to 5 (SHUTS IT OFF)
network.trr.uri (set to 208.67.222.222)
extensions.pocket.enabled = FALSE

APK

P.S.=> FF will 'respect' hosts again too & HTTPS bullshit also causes HASSLES in logging into sites(or modems) minus https://blog.mozilla.org/tanvi... (search this there security.insecure_password.exception_ranges= to see how to handle THAT & override it too (all that 'secure socket' SHIT just gets broken in the end anyhow (SSL to TLS anyone?) & certs get FORGED or STOLEN also (code signing does too))... apk

If what other people say and do really bothers you, do something which solves the problem. Simply install an extension which auto-converts Imperial units to metric. You will never have to see Imperial units in your browser again.

Do you remember when "web browser chrome" used to refer to different visual themes for user interface the that you could write yourself and choose between in the Mozilla web browser?
There were quite a few of them to choose between on a section on Mozillazine called The ChromeZone. The barrier to entry was quite low, all themes as images and as text files written in the XML-based language XUL. I had contributed a web browser UI theme to The Chrome Zone myself.

But the full-fledged Mozilla browser was known to be stupidly slow and got abandoned for the slimmed-down Firefox.
Firefox used native widgets, that were consistent with other programs on the platform that it ran on. On Linux (or other OS with X) the native widgets were GTK+ widgets, which had its own theming system -- also user-made in text format, with low barrier to entry and with many to choose from.

... and later Google snatched both the names "Chrome" and Chrome Zone for themselves.

Facebook Containter

It would be nice if it were true, but no. When you open a bug on Firefox, either you're ignored, or you're lectured by a pompous developer on how his spyware knows more than your bug report.

>"Firefox, or any other browser for that matter, could easily recapture the web browser market by blocking auto-play videos."

Firefox already does (Chrome does NOT, because it can only block NON-MUTED VIDEO). In Firefox, you just have to turn it on. Has been in several versions for months. Perhaps they just need to market that feature?

media.autoplay.default;1
media.autoplay.allow-muted;false

Block autoplay by default: Double-click the media.autoplay.default preference and set it to 1
Some people suggest you also: Double-click the media.autoplay.allow-muted preference to switch the value from true to false

Allow autoplay by default: Double-click the media.autoplay.default preference and set it to 0 (or right-click > Reset)

Ask on a site-by-site basis: Double-click the media.autoplay.default preference and set it to 2 and Double-click the media.autoplay.ask-permission preference to switch the value from false to true and Double-click the media.autoplay.enabled.user-gestures-needed preference to switch the value from false to true

The UI way is new, too (I haven't seen/used it yet, I just set about:config to what I want): https://support.mozilla.org/en...

They specifically address that. Firefox does not send your data to Mozilla. Your own copy of Firefox makes the recommendations based on your usage.
https://blog.mozilla.org/blog/...

What add-ons are you missing, by the way?

Keybinder. It was canceled due to deficiencies in WebExtensions that remain unfixed a year later, particularly Bug 1325692.

DuckDuckGo has a few thousand shortcuts for site:example.com domains.

Not quite correct. They have shortcuts to the built-in search of various web sites. If you use these shortcuts, it'll redirect you to the site (which will perform the search itself.)

So if I enter !discogs foo, DDG will redirect me to https://www.discogs.com/search...

They're exactly like Mozilla keywords: https://www-archive.mozilla.or...