Slashdot Mirror

Crashing an application from a remote system means that application is not filtering [its] input correctly

Wrong. This crash has more to do with layout data structures than "filtering input".

and is subject to a remote compromise.

Only some types of crash bugs are exploitable. If this happened on Mac, we'd probably already know whether this crash was exploitable.

Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*.

Your link is broken (I get a cert error), so I can't tell you what's misleading about this particular vulnerability-counting scheme.

Mozilla has considered dangling pointer use to be "probably exploitable to run arbitrary code" for a long time. I even blogged about that fact, describing what types of dangling point use are most likely to be exploitable. If other software companies refuse to prioritize those bugs until the reporter supplies a demonstration exploit that launches calc.exe or Calculator.app, they've been asking for trouble for years.

You should be able to super-geek-power-activate this into a greasemonkey script in no time flat, giving MySpace all the blandness that you seek:

https://www.squarefree.com/bookmarklets/zap.html#z ap_style_sheets

(I'm not terribly fond of the styles of most MySpace pages, but your commentary is just a hair overwrought.)

Filing a report requires a special version of Firefox with an included memory leak detector that can write reports at any time. If I was able to compile Firefox, I wouldn't be complaining about the program as a whole and would instead complain about a specific aspect of it.

Speaking as someone who has filed memory leak bug reports, I can assure you that you do not need any special version of Firefox to file a memory leak bug report. If you merely come up with a sequence of steps that can cause Firefox to use much more memory than other browsers, or a sequence of steps that can cause Firefox to continue consuming more memory without limit, you can file a bug report on the problem.

At most, people generally use the Firefox memory leak detection tool. All you need to do is set one or two environmental variables and run a standard version of Firefox. Then after quitting Firefox, you run the leak detection tool. After finding a leak, you then come up with a sequence of steps that can cause Firefox leak memory.

I use opera to browse pr0n.

It's got a nice zooOOM feature.

And it didn't release the memory until you actually closed the program and opened it again. So you could open 12 pages, close all but 1 and it'd still be using the memory equivalent to those eleven closed pages.

Although Firefox does have memory leaks, what you're describing is far worse than any confirmed memory leak. Perhaps what you're seeing is that memory use reported by the operating system is not going down when you close tabs, but Firefox is at least releasing and reusing memory internally. If what you describe was really what most Firefox users experienced, most users would not be able to use Firefox for more than a few hours before they would have to restart it. There's no way Firefox could get the 14% usage share it has today with such a serious memory problem.

In summary, Firefox does have some memory leaks, but it doesn't leak anywhere nearly as badly as you're describing for the vast majority of users. For most users, it takes many days of use before memory leaks become readily apparent by looking at memory usage numbers alone. The real memory leaks are far more subtle than what you describe, and usually require some sort of memory leak detection tool to track down.

You betcha.

The only content filtering/editing that I have running(on top of popup blocking) is Flashblock.

https://addons.mozilla.org/firefox/433/

I also have nuke anything enhanced:

https://addons.mozilla.org/firefox/951/

and plain text links:

http://ted.mielczarek.org/code/mozilla/textlink/

installed, in addition to a bunch of bookmarklets:

http://www.squarefree.com/bookmarklets/
http://1024k.de/bookmarklets/video-bookmarklets.ht ml

Flash is annoying, and I like to be able to edit what I am looking at in lots of ways, but I don't like the feeling I get of not seeing what is being presented when automatic filtering goes on. I experimented with privoxy at one point, had the same feeling, and also got sick of it breaking things. So yes, I mostly avoid ads by avoiding sites that run ads, and as a result, I see lots of ads.

One bug I'd like to see fixed is to get the damn middle button working on OS X. I mean, Opera and Safari let me open a link in a new tab by middle clicking it. And middle-clicking opens a link in new tabs on Linux and Windows.

What version are you using? This was fixed in Firefox 1.5 (Nov 2005!), at least for middle-clicking on a link. Among the bugs fixed in that release:

151249 - [Mac] Middle click on link does nothing on Mac OS X (should open link in new tab).

I haven't heard anything about it regressing in later 1.5 releases or in 2.0. The only Mac I use regularly is a laptop, and I usually just use the trackpad, so I haven't tried it recently. I guess tonight I'll plug in the mouse and test this again.

PageRank is not obsolete or broken. It's actually one of the few trust metrics for which you can make a useful statement about attack-resistance. See my blog entry and class paper on the topic.

"There is nothing inherently evil about JavaScript, get a hold of yourself."

You never visit dodgy sites? No, wait a minute, you just stay on your company Intranet? 'Normal' users that get around a bit and prefer to be responsible won't subscribe to that. Try reading Security tips for Firefox users ... Clue: Those tips don't just apply to Firefox users. You'd have to be daft to to allow javascript on any random site. If a site needs javascript and you deem it important enough then it's simple enough to allow them through the Noscript extension (temporarily or permanently) - in it's default mode Noscript will reload the page right there and you've got you cascading menus and links and whatnot working in two seconds.

If you don't feel like installing the extension, you can get by with a bookmark:

http://www.squarefree.com/bookmarklets/webdevel.ht ml#shell

These also come in handy:

http://www.squarefree.com/bookmarklets/zap.html

Zap Style Sheets can make myspace quite a lot easier to read.

If you don't feel like installing the extension, you can get by with a bookmark:

http://www.squarefree.com/bookmarklets/webdevel.ht ml#shell

These also come in handy:

http://www.squarefree.com/bookmarklets/zap.html

Zap Style Sheets can make myspace quite a lot easier to read.

It may be convenient, but it's also a severe security hole. If you paste anything from an untrusted site into a terminal window or into mIRC, you're owned. (I make this point on Security tips for Firefox users.) If web sites were able to put data on your clipboard without your knowledge (e.g. without you pressing Ctrl+C), it would be even worse.

Do you know what other "security holes by design" Flash has? Or other widely used plugins, for that matter?

I first became aware of this particular one when mkaply filed bug 360950, and I've been trying to figure out how to incorporate it into Security tips for Firefox users.

From: http://www.squarefree.com/burningedge/

2006-12-13 Trunk builds:
        * Fixed: 300030 - Refactor intrinsic width computation out of nsIFrame::Reflow (land dbaron's reflow branch).

This is a huge change that David Baron has been working on for about two years. It involved changing 201 files, simplifying many of them: a diff showed 8726 insertions but 18253 deletions, for a net removal of 9000 lines of code. It improved speed on page load tests by 3-5% and fixed over hundred bugs, including:

        * Fixed: 69745 - Auto-width left float containing only nested right float is too wide.
        * Fixed: 129346 - Fieldset renders incorrectly with style="float: left;" or any other shrink-wrap situation.
        * Fixed: 269643 - When clicking link, page redraws with different layout, click is ignored.
        * Fixed: 291126 - Intrinsically sized (shrink-wrap, auto-width) absolutely positioned element containing right float is too wide.

The reflow branch landing fixed the last remaining issues with the Acid 2 test, so Firefox trunk now passes the test.

Gecko developer Boris Zbarsky answered this question last December. Firefox 3 will support Acid 2, while Firefox 2 could not have supported it without being delayed until around the time Firefox 3 will ship.

This argument is unclear. One of the antiphishing modes uses a blacklist and the other submits URLs to Google. So it at worst is not both weak and privacy-violating at the same time.

It's still a blacklist if it's on the server. Blacklists are limited in effectiveness against targeted attacks or phishing pages distributed across a botnet.

I'm not sure why the author of the article is unhappy with this. The arguments I've heard are (1) advertising that Firefox includes anti-phishing may make users complacent in checking the URL before entering a password, and (2) it would be nice if Firefox could also (or instead) use some heuristics to detect things that look like phishing sites.

I don't think (1) makes having blacklist-based anti-phishing worse than not having it at all. (2) is wishful thinking given CSS and JavaScript.

But IMO, browser makers can't rely on blacklist-based protection. We need to improve the UI for authenticating sites (e.g. highlight part of the hostname in the address bar) and should do things to educate users (make sure they know what a hostname is, how a phishing attack works, and why relying on The Law to protect them will not work).

(Of course, given that Google doesn't actually do anything with this data other than feed it into their anti-phishing database, I don't consider it a violation of privacy regardless, but we have options precisely because not all users will feel this way.)

That's good to know. Google loves to sell other aggregate data, so it's nice to know that they've promised to keep this data extra-private.

It does seem suspicious that in the "server-side blacklist" mode, we're sending Google much more data than they need in order to implement blacklist-based anti-phishing. See comments on http://weblogs.mozillazine.org/asa/archives/2006/1 0/sometimes_its_j.html and http://www.squarefree.com/2006/10/28/san-diego-fir efox-party/ for how it could be improved. But I'm willing to attribute that to being rushed rather than being sneaky.

Two small advantages to using XHTML:

Firefox includes a fairly easy way for JavaScript to tell you whether some XML is well-formed or not. So if you use a WordPress blog (which defaults to XHTML) and this user script, you can get a helpful but unobtrusive warning when a blog post you're about to submit isn't well-formed. (This trick works even if you plan to serve the XHTML as text/html.)

With XHTML, you can embed SVG, MathML, and XUL elements if the browser supports them. With HTML, you can't (except using JavaScript and document.createElementNS).

And in the future, I imagine that browsers will be able to parse XHTML a bit faster than HTML. But for now, Firefox is slower for XHTML (see bug 18333).

You can even do this with a bookmarklet.

[...] Does anybody know if development efforts for Firefox 2 have included memory management? I can't seem to find any record of that online.

Maybe this MozillaZine Knowledge Base article about memory problems in Firefox holds the answer:

Memory leaks can cause Firefox not to release memory that it is no longer using, especially with older versions. There has been a lot of effort to reduce the leaks in recent versions, and Mozilla developers have have created tools to detect them. [4] [5] To minimize leaks, you should upgrade to the most recent version. The most common memory leaks appear to be fixed in Firefox 2. [6]

In case you haven't come across it:

http://www.squarefree.com/pornzilla/

Not what you are asking for, but maybe a place to start.

I know you were joking.

... no correct ACID2

I don't know about Yahoo, but for other websites that prevent password saving, use the bookmarklet at http://www.squarefree.com/bookmarklets/forms.html to change the form parameters before you submit it.

Here's a nice web page with a simple "IDE" for playing with JavaScript. Without too much effort, it could be extended to provide a nice enviroment for learning the language.

http://www.squarefree.com/jsenv/

You're a known troll, and I'm pretty sure I've replied to a very similar troll of yours before, but I'll bite for the benefit of anyone else reading this thread.

1. Maybe this bug is fixed in the nightly build.
That's because dozens of bugs are fixed every day and there are usually a lot of days of development between the released version and the latest nightly builds at the time someone reports a bug. If it's not trivial to reproduce, it's not a good use of the developer's time, since hundreds of bug reports are filed daily. If each reporter takes 5 mintes to try a nightly build, the average per-user time is going to be 5 extra minutes. If developers have to try convoluted steps to reproduce per bug, it's going to be hours of wasted time per developer.... even if the steps to reprdoce are simple, if the developer doesn't experience the bug in a nightly build, it's a valid question. The bug is either fixed in that nightly build, or other factors make it a works-for-me for the developer (for example, a changed preference setting). The only way to tell the two apart is to ask the user to test in a newer build.

2. Yes, this bug exists, but other things are more important.
What, you think that just because an icon that's off by one pixel somewhere bothers you a lot, they should fix that before they fix actual functionality issues, or accessibility issues, or crashes, or add new features that will benefit hundreds of thousands of users? What kind of stupid complaint is this? Everybody intelligent prioritizes tasks.

3. No one has posted a TalkBack report. [If they had read the bug report, they would know that there is never a TalkBack report, because the bug crashes TalkBack, too, or a TalkBack report is not generated.]
I've DEFINITELY responded to this before.

4. If you would just give us more information, we would fix this bug.
I've responded to this too. I guess you just drop this list on any bug that mentions Mozilla. Anyhow, as I would have said before, do you think developers are clairvoyant? If you file a bug that says, "The URL bar is broken", what do you expect? If the developers don't have enough information to reproduce your bug, or can't reproduce it themselves, well, they need more information.

5. This bug report is a composite of other bugs, so this bug report is invalid. [The other bugs aren't specified.]
I'm not going to point out further comments I've addressed before. This is a legitimate reason a bug is invalid. However, it is fair to complain that whoever closed the bug did not specify the bug #s. Do it in the bugs, not on slashdot, because it will be seen if it's in the bug report. Complain on IRC if it's specific people doing it.

6. You are using Firefox in a way that would crash any software. [But the same use does not crash any version of Opera.]
I don't recall seeing anyone say that. Where you deleting random files in the Firefox directory or something?

7. I don't like the way you worded your bug report. [So, I didn't read it or think about it.]
I don't recall seeing anyone say that. However, if your bug report is unreadable, it makes sense for the developer to move on to something he/she can actually understand...while at the same time letting the reporter know that he/she needs to write clearly for the problem to be understood so it can get addressed.

8. You should run a debugger and find what causes this problem yourself. [Then when you have done most of the work, tell us what causes the problem, and we may fix it.]
Well, if no developers can reproduce it and the symptoms/steps to reproduce don't make it apparent where the problem lies, they can't do anything unless someone who can reproduce it does use debugging

You can download nightly builds of Firefox from the trunk (branded as Minefield to indicate use at your own risk) so you can see exactly how Firefox 3.0 is progressing. As for IE8 we can't see the current status of that so who knows how much work is left to be done on IE8?

For updates on thr trunk (which will become Fx3.0) see The Burning Edge

clicky

You can choose which folder is used as the bookmarks menu. Many plugins and service menus exist at kde-apps.org. There is also the Universal Sidebar thinger that works in both Konqueror or as an actual panel, and there are plugins for that as well (e.g. a del.icio.us plugin, Amarok control, generic media player controls, history, bookmarks, file browsing, remove servers/services, etc.). I used to use Firefox exclusively, but since I got tired of Firefox's GNOME-ness (especially that motherfucking piece of shit open file dialogue), I tried out KDE and was amazed at how well it integrates with other KDE apps. It even has AdBlock built in! I'll admit that the implementation is still pretty basic (you need to access the AdBlock settings to modify filters), but it is powerful. Besides, you can just save the Filterset.G updates, import them, and you've got a good filter list already (it supports regexp filters).

For porn, however, I still recommend using Firefox. Ever heard of Pornzilla?

• Advanced javascript debugger that includes XMLHttpRequest debugging (on par with Venkman + Firebug)
• Network request trace (LiveHTTPRequest) with optional ability to tamper with requests (Tamper Data)
• DOM Inspector (DomI / Firebug / MouseOver DOM Inspector / WebKit's DOM Inspector)
• A Javascript console at least on par with Firefox' Console/Firebug, and that includes Firebug's console interface, invaluable for trace-debugging
• A Web Developer Toolbar (just hire Chris Pederick or something)
• A Javascript CLI/shell (like Squarefree's JS Shell)

(between parens are existing equivalents to the request, mostly firefox extensions with the exception of the Mouseover DOM Inspector and the JS Shell -- bookmarklets -- and Webkit's DOM.I)

These are all tools that'd make the Opera Experience much more interresting from a dev standpoint. Just provide an alternate "dev" version of Opera with all these goodies included so that they don't bloat the "customer" version, but provide these, they make creating complex sites so much easier.

Yahoo! used to run a service called PayDirect (along with HSBC Bank). In 2000 or 2001, it had no fees and was better than PayPal in several ways. They shut it down in November 2004.

You need Zap Bookmarklets (I just use the "Zap" one)

Pornzilla
Easier porn surfing

Caution: Do NOT use these extensions while eating cheetos.

Pornzilla
Easier porn surfing

Caution: Do NOT use these extensions while eating cheetos.

And I'm already tired of Mozilla team not addressing the most critical issue - memory hogging.

Actually, they've been whacking memory leaks in each of the ".forget-it releases," except for 1.5.0.3 which was just one security fix.

Firefox 1.5.0.1 Changelog
Firefox 1.5.0.2 Changelog
Bugzilla query: fixed in Gecko 1.8.0.4/Firefox 1.5.0.4 (remember, Bugzilla doesn't allow direct links from ./, so you'll have to copy that URL and paste it into your browser).

I believe more major work on memory fixes is going into 2.0, which can accept larger changes.

And I'm already tired of Mozilla team not addressing the most critical issue - memory hogging.

Actually, they've been whacking memory leaks in each of the ".forget-it releases," except for 1.5.0.3 which was just one security fix.

Firefox 1.5.0.1 Changelog
Firefox 1.5.0.2 Changelog
Bugzilla query: fixed in Gecko 1.8.0.4/Firefox 1.5.0.4 (remember, Bugzilla doesn't allow direct links from ./, so you'll have to copy that URL and paste it into your browser).

I believe more major work on memory fixes is going into 2.0, which can accept larger changes.

Unless i'm mistaken, that probably won't happen. The 1.5.x tree has essentially been dropped from active development and now consists entirely of bugfixes. Firefox 2.x and Firefox 3.x are were active development is atm. You can see progress being made in trunk at The Burning Edge blog

There is also the bookmarklet. Of course, it doesn't work on this story.

http://www.squarefree.com/bookmarklets/zap.html#pr inter_friendly

i've had a number of candidates who can't talk about refactoring (in spite of its IDE support), can't talk about design patterns beyond "Singleton" (I make that an exception to the "Describe a design pattern" question), can't even write simple pseudo-code on a markerboard to draw a "tree" or write (or even just *use*) an iterator from a collection. to the work they've done they are very "productive" with an IDE, and are probably ok programmers.

but they've gotten so slaved by the IDE they've really lost the ability to think about programming to the level I need to see. these are "senior" developer candidates who don't know what i would consider to be the basic minimums of software development and the level of programming skills it requires.

they can use the IDE but they have no clue why it works.

No, I don't care. The validator is a mechanical tool. It's inherently flawed, understanding nothing of semantics, easily tricked into validating things which never should validate, and in a number of cases throwing incorrect warnings and errors. Having your website validate is a first step. A guideline to doing things the right way. It's not completely necessary. The <canvas> element (as specified by the WHATWG, and implemented by Opera, Mozilla/Firefox/SeaMonkey and Safari (I'm reasonably certain)) will cause errors to be thrown, yet one can imagine cases where its use is already perfectly acceptable. (Just as long as you don't use it on a client website, or at least not without full understanding of the implications by the people there of using something which can change out from under them at any moment, and their responsibility to track those changes.)

Yes, I care. I'm a professional web developer. Of course my website validates, besides also being completely accessible and being as semantically meaningful as it can possibly be. It's just a little showcase of my technical expertise. And yes, I care, as in: if you as a fledging web developer come to me on IRC or on some mailinglist for help with your website, you'd better be damned certain that your website validates before bothering with me, as I'm not going to spend any time on what would otherwise almost certainly turn out to be a problem caused by your invalid code.

Those two points made: wow, what's with the harping on ACID 2? Yes, it's a nice test to spur browser makers on to come closer to being perfectly interoperable, but it tests a pretty arbitrary range of rendering bugs, and all browsers save for IE are pretty much interoperale on it at this point. (Firefox only on the reflow branch, to be sure, but that's set to land Real Soon Now, and as has been explained often, ACID 2 came at the worst possible time in the Mozilla development cycle.

Go to this http://www.squarefree.com/bookmarklets/ page,
download the bookmarklets in the ZAP section.

If you are bothered by "postcard" website like TFA,
just use "zap->style-sheets", voila!
Picture moved to the top, text was black on a white background.
No more stylish layouts.

These bookmarklets are really handy for reading obnoxious sites.

They have actually removed existing features also to make it not-bloated. And about polishing, what do you think places is? It is an attempt to improve existing feature to make it better. They are also planning to improve the search-engine for user to be able to edit the search engine list with more easily way, isn't that polishing? They also fix bugs all the time, including memory leaks: http://www.squarefree.com/2006/02/04/memory-leak-p rogress/

In Firefox 3.0 they are also planning to switch to Cairo, which is an attempt to increase speed. They are also fixing bugs that can potentially cause crashes or other problems, as you can see from this list: http://scan.coverity.com/

You could've used one of the zap bookmarklets ("zap" or "zap colors" would work) to make the page readable. I've found it very useful for reading poorly designed webpages (*cough*MySpace*cough*)

http://www.squarefree.com/bookmarklets/zap.html

'zap cheap effects' *bliss*

I also like zap colors, zap plugins, restore context menu, and restore selecting. Lots of nice bookmarklets there. I put a small folder menu of those on my toolbar for easy access for dumb sites.

Any time I visit a Myspace page I use my "Zap" http://www.squarefree.com/bookmarklets/zap.html bookmarklet to quiet the damn thing down

The developers say that the memory cache explains the leaks.

THEY ARE LIEING.

We've also said bugs in popular extensions cause some of the leaks. http://kb.mozillazine.org/Problematic_extensions

But anyone who watches the project will see that we know leaks are bugs and are actively fixing them. Look in bugzilla, or look at the change logs of recent releases, for example: http://www.squarefree.com/burningedge/releases/1.5 .0.2.html

From Burning Edge:
http://www.squarefree.com/burningedge/releases/1.5 .0.2.html

I'm neither a mozilla adept nor evangelical, and I cannot address your concerns about lusers the whole world over, but there are ways to keep your own box reasonably secure.

An xpi file is only a zipped archive. Rename one to zip and try it, if your zip program doesn't recognize the extension.

What is inside the compressed xpi archive will differ from extension to extension, but many of the files are 'human readable'. (rdf, js, manifest, xul, etc...)

Where you may need another program to read the xpi archive's files are the *.jar files, which are sometimes a part of an extension's archive, but they are also archives, which most compression program can handle, and they too are usually archives of 'human readable' files.

It takes a bit of work, but hey, it is after all, your box, not mine.

Also, for the security conscious:

• only download XPIs from the secure firefox estension site
• be wary of extensions which are in conjuction with a specific internet site, unless you trust the site before loading up the extension
• use a program which monitors and lists your net connections now and then

In a bit of opposition to the second recommendation above, I use and have been happy with a few of MR Tech's Mozilla Extensions, especially the local install extension.

The Mr Tech website also has a public board for mozilla-based extensions.

Also, check out available bookmarklets for functionality you are looking for, and avoid extensions if a bookmarklet does the trick. A few possible places for applicable bookmarklets are, one, two, three and four.

You may be interested in Nuke anything enhanced. It adds an right-click option to remove chosen content, but for loaded flash content, because of the way it steals the right-click content menu on focus, you need to learn the right-click sweet spot trick which is best for you. I've found two methods that work best for me, depending on the layout. One is to right-click just outside of where the right-click content menu gets jacked, the other is to highlight an area with the start/end embed code tags included, but that is sometimes tricky.

I also used this extension on my previous, RAM challenged box, and it gave me no grief.

Alternately, peruse the Squarefree bookmarklet section, ZAP. Some nice features to eliminate annoyances, which do not require piling on extensions within the program itself.

There are actually very few memory leaks in Firefox (I know because I've been trying to hunt them down). Mostly memory leaks are because of extensions. Sometimes people also incorrectly assume some settings to be memory leaks, as they reserve quite a bit of memory. You propably want to read about this article:

http://www.squarefree.com/2006/02/04/memory-leak-p rogress/