Slashdot Mirror

I use bookmarklets to handle rot-13 encoding when I find it. Highlight, click bookmark, read as plain text. Simple.

Enjoy!

How is that "better" than a browser open you can Alt-Tab to and refresh in two keystrokes?

It's not. It's just a pretty animation designed to make people think it's better because it looks fancy. This should appeal to people who buy "hologram wristbands" to promote health and wellness. Or people who consider Dreamweaver experience a "skill."

Cognitively it looks like a mess, and I don't see the benefits, even after RTFA and WTFV.

It reminds me of the shell game. You make a change and then see if your eyes can follow the element while it slides around. Most real world HTML files are going to be long enough that you won't fit all the code on one page, so the element you're trying to find will keep sliding off the screen. You'd be far better off just using CTRL-F or CMD-F to find the element in the code.

Or use a "real-time" HTML editor that updates your view of the page in a separate frame as you type. The only downside to this is that you can't use the tab key to indent lines, because it'll switch you to the other frame.

As a side note, it would be nice if the Gliimpse software could also do spell checking. You press the hot key, and your misspelled words morphs into a hand that facepalms the screen with an option on each finger you can choose to replace them with real words that are similar. For instance, if you're naming your app, and you type "Gliimpse," a hand appears, facepalms the screen and appears to have words tattooed on each finger: Glimpse, Gimps, Gimp, Goatse, and "Click here for $1 off a sandwich at Blimpie's."

I triaged bugs back in 2000, too. What was your username or email address in Bugzilla? :)

Nowadays my focuses are security and finding bugs.

In 2009 I wrote about how to make triage more efficient and more effective. (Tyler linked to my post). And I actually triaged a subset of bugs that way when I was tasked with bringing down the number of crash bug reports.

Actually, what I want from the Mozilla devs at the moment is not new features, but a solution to Firefox's memory problems.

Then you'll be happy to know that the "latest and greatest" includes some pretty big memory improvements. Do a find-in-page on The Burning Edge for "memory" or read Nick Nethercote's blog.

It seems that it's easier to motivate Mozilla developers to work on memory issues when the fixes will reach users in months rather than years.

I'm using Nightly (7) and I'm having trouble getting Firefox to use more than 400MB (explicit) even after a day of heavy use, with Gmail and Reader and Twitter as app tabs. You should try it out and report any bugs you encounter. Yes, we finally have tools that allow users like you to report useful memory leak bugs.

This page:

https://www.squarefree.com/bookmarklets/pagelinks.html

has some neat bookmarklets, one of which removes redirects.
I don't use it all the time, because some sites depend on the ad revenue.
But if the site abuses redirects, I have it as an option.

Several other nice bookmarklets there.

Pick a large, active open-source project and try to help with the problems its developers have. You will be loved.

Here are some of the problems I'm aware of within the Mozilla project.

Speed of development

'make' doesn't scale. An incremental build, even with no changes, takes at least a minute. (In contrast, just checking whether any files have changed takes 'hg' less than 10 seconds.) Maybe help us move to 'scons', or help improve 'pymake', or just help us get our dependency generation right.

'ld' is slow. Once a developer makes a change to any c++ file, the incremental build is going to take several minutes while the linker uses up all her RAM. Maybe help us move to another linker such as 'gold', and contribute any necessary changes back to the 'gold' project.

'hg' merges are confusing. hg's developer-facing user interface could be improved, both while doing a merge and after doing a merge.

Automated testing

We've built an interesting interface around hg-pushlog (which is itself a Mozilla extension to hg) and buildbot that lets us see which tests failed after each change. I'd love to see these tools generalized to the point where other open-source projects can use it and contribute back to it.

As we require unit and integration tests for more and more components of Firefox, we're finding that a small number of tests failing intermittently can make it difficult to move quickly. We could use better tools for tracking test failures, and for record-and-replay debugging to help us figure out the intermittent failures, and probably for other things we haven't thought of.

Programming languages

We need a decent low-level programming language. Something that lets programmers implement sneaky fast algorithms, but lets programmers do it without constantly shooting themselves in the foot with security holes. Something you'd want to write (difficult parts of) a web browser or OS in.

I don't know if the answer is adding more and more to the type system (like in Cyclone), or integration of assertions with static analysis (like in D), or simply making it easy to integrate low-level code with high-level code (like in C#, or with ctypes or jsctypes).

Mozilla is doing interesting things with custom static analysis of C++ code.

Making collaboration tools support workflow and GTD

We have a crash analysis system and a bug-tracking system with lots of information, but the workflow is poor, so much of the information is not acted upon.

It's hard to come up with a good workflow (and make the tools support that workflow) in a large project where many of the contributors are volunteers who decide themselves what to work on, but I think we can do better.

It's great that JavaScript can be used from within a web browser. However, doing anything meaningful using JavaScript with a web browser requires at least a working knowledge of HTML and the DOM. I'd rather focus on the basics of programming separate from that first.

Not necessarily. You can get a instant simple read-eval-print loop by pointing your browser here: http://www.squarefree.com/shell/

Or, if you've got a JRE (and there's not many machines that can't have one), you can download Rhino (http://www.mozilla.org/rhino/ ) and have an interpreter (with access to all the Java libraries) that you can run interactively or on files.

(You can also build Mozilla's SpiderMonkey or Google's V8 standalone to similar effect, but it's a bit more involved.)

Everyone knows that you better use a different user profile with pornzilla installed into it for that.

There is a simple, baroque way to do it:

Get a javascript shell:

https://www.squarefree.com/bookmarklets/webdevel.html#shell

Launch it (make sure to get the bookmarklet and open the shell while viewing the page you want to interact with) and run the following command:

$('#audio').remove()

That will only work for this particular demo though (well, any demo that uses 'audio' as an id for the audio element), and it isn't exactly convenient.

Of course there is no reason this is still not fixed (by being able to disable a:visited style)

If the issue were so simple, why has no major browser implemented a proper fix for this yet, despite the fact that we've known about the issue for nine years ?

A:visited is very useful to the user in some circumstances, so it's unacceptable to turn it off for every user in every circumstance. Firefox 3.5 added a hidden preference in case some users want to turn it on sometimes, but that solution doesn't work for 80% of the people out there. Personally, I think applying the "same origin" policy to a:visited is a better solution, but that hasn't been integrated into any mainline either.

Get a style zapper:

https://www.squarefree.com/bookmarklets/zap.html#zap_style_sheets

It doesn't reach the point of fixing the problem, but it pretty much makes it really tiny.

I got the common representation of 32 bit signed ints wrong though. Fortunately, statuses 2147483647 (the largest 32 bit signed int) and 2147483648 (which should trigger the overflow) do not exist, so I linked the correct tweet, if only by accident.

If you look at all of nk's tweets ( http://twitter.com/nk ), it becomes apparent that he works at Twitter, and if you work down from ...649, it becomes apparent that they fudged it in. That they did it on purpose takes away some of the magic. He also got the representation wrong: http://twitter.com/nk/status/2137112302 so I guess I shouldn't feel bad about it (I mean, I'm the one who doesn't even work as a programmer, let alone on a massively visible public service).

(The easy way to work down is to use a bookmarklet: https://www.squarefree.com/bookmarklets/misc.html#decrement )

You can add those buttons to most modern browsers:

https://www.squarefree.com/bookmarklets/zap.html

Bookmarklets are a lighter weight alternative, with the (potential) advantage that they default to not running, you just activate them when a web page is broken (so for webpages that are always broken, greasemonkey wins, but there are advantages to knowing that the current page has not been monkeyed with).

I got a lot of the bookmarklets I use from here:

https://www.squarefree.com/bookmarklets/

When will they implement http://www.squarefree.com/pornzilla/

Microsoft is currently blaming plugins (Flash, Java, QuickTime, etc) for security problems. These typically come with your computer, and if you uninstall them, some sites stop working. On Windows, each one uses a different automatic update mechanism, each of which is confusing and/or evil in its own way, resulting in the majority of users having outdated plugins.

Firefox fans on Slashdot have blamed extensions (Adblock, Forecastfox, etc.) for memory leaks. Plenty of people use Firefox without extensions. Most extensions do not interact with data from web pages, so while they can cause memory leaks, they rarely cause security holes. When an extension does have a security hole, Blake Kaplan improves APIs to make similar holes less likely in the future.

I work for Mozilla, and I agree with Microsoft that plugin security holes are a major problem.

I like to read text, on a monitor, green on black (or white on black). I would like to format a web page the way I want to see it.

This is what user style sheets are for. By using !important (in particular), the user can override the styling (see also the spec). Something like this might do the trick:

* {
background: white none !important;
color: black !important;
}
As far as making a user stylesheet is concerned, this might help you with that.

Chrome is currently faster than Firefox at most things even when Tracemonkey is enabled. I mostly work with browser based math/finance apps, and one of the most intensive things that can be done is a numerical integral. No other browser even comes close to Chrome in terms of speed. The only drawback is that it isn't cross platform yet. From what I hear, Tracemonkey is working really well on different processors so it will be an interesting match up. Try pasting this code into JavaScript Shell from Chrome and Firefox for a comparison.

Math.precision=function (x, eps) { var dec = Math.pow(10, Math.floor(Math.log(1 / eps) * Math.LOG10E)); return Math.round(dec * x) / dec; };function asr(f, a, b, eps) { var c = (a + b) / 2; var h = (b - a) / 6; var fa = f(a); var fb = f(b); var fc = f(c); return Math.precision(recursive_asr(f, a, b, c, eps, h * (fa + fb + 4 * fc), fa, fb, fc), eps); };function recursive_asr(f, a, b, c, eps, sum, fa, fb, fc) { var cl = (a + c) / 2; var cr = (c + b) / 2; var h = (c - a) / 6; var fcr = f(cr); var fcl = f(cl); var left = (fa + 4 * fcl + fc) * h; var right = (fc + 4 * fcr + fb) * h; if (Math.abs(left + right - sum) <= 15 * eps) { return left + right + (left + right - sum) / 15; } return recursive_asr(f, a, c, cl, eps / 2, left, fa, fc, fcl) + recursive_asr(f, c, b, cr, eps / 2, right, fc, fb, fcr); };asr(Math.sin,0,100,1e-15);

For those who don't want to install the plugin, you can use a bookmarklet to rot13 selected text. https://www.squarefree.com/bookmarklets/pagedata.html

Have some more.... https://www.squarefree.com/bookmarklets/pagelinks.html

This presentation was how to get around features that try to prevent exploitation of memory safety bugs in applications. The intent of these features is that even if you find a buffer overflow in Notepad, you won't be able to do anything other than make Notepad crash.

These compiler and OS features try to disrupt the exploitation of memory safety bugs in various ways. Some work by detecting memory corruption (e.g. checking "stack cookies" before returning from a function that uses a string buffer). Others work by making it hard for an attacker to place shell code at a predictable memory address (e.g. DEP or ASLR).

The presenters demonstrated clever ways to get around many of these protections, but by showing how tricky it was to do so, they actually showed how effective the protections are against applications other than web browsers. To create memory that was both under their control and marked as executable, they had to take advantage of weird behavior of .NET controls (IE-only), Flash, and Java applets. The .NET control behavior looked like a bug Microsoft could fix without breaking any controls, since it involved lying about the .NET version a control was created for. The Flash behavior (a missing compiler flag) is already being fixed. The Java issue is that all Java memory is marked as executable; I don't know how hard that would be to fix, but I imagine most Slashdot users don't have to worry about this because they have already disabled Java applets.

I don't think this is devastating even to web browsers. I work on Firefox, and I know these protections haven't made us complacent about looking for and fixing memory safety bugs. Meanwhile, not all web browser security holes are memory safety bugs, so most browsers all have automatic update systems in place to ensure users receive new versions quickly.

(I attended the Black Hat presentation but did not read the full paper.)

That's probably a duplicate of other bugs that have already been resolved. The answer seems to be "yes" for providing a way to disable this behavior.

No, it's not a duplicate--at least not of any of the bugs you link to.
The bug I linked was to have the FF2-like "match-only-the-first-characters-of-the-URL" functionality. The bugs you referenced have "search only in URLs," which is a step in the right direction, but still doesn't address the fundamental issue that if you perform a search--any search--you're breaking the expected, predictable functionality of the location bar.

That's probably a duplicate of other bugs that have already been resolved. The answer seems to be "yes" for providing a way to disable this behavior.

a large part of which does not like this behavior

Reference, please.

FWIW, they are planning to allow the option to bring back the old behavior. It's already in the trunk, so it will probably make it to 3.1.

Already available as a bookmarklet: http://pastebin.com/m21e4f5c3

Written by Jesse Ruderman, https://www.squarefree.com/bookmarklets/

You can always check out http://www.squarefree.com/burningedge/ It's not quite up to date right now but it's great for keeping track of development. He maintains this list which may be helpful: http://www.squarefree.com/burningedge/releases/trunk-for-firefox-3.html

You can always check out http://www.squarefree.com/burningedge/ It's not quite up to date right now but it's great for keeping track of development. He maintains this list which may be helpful: http://www.squarefree.com/burningedge/releases/trunk-for-firefox-3.html

What do you think about the Mozilla dialogs when installing an extension or downloading a file? The affirmative button is disabled for a random amount of time (3-5 seconds), so the user actually has to read the message before they can do anything. (source)

Of course, they don't /have/ to read it, but that's their own damn fault.

I agree that it's not a perfect solution, but it's better than nothing.

You can actually take something like JavaScript Shell and add JSON based query features to it. This would allow things like command line based search, news... etc and has the advantage of using JavaScript as command syntax. You can write JavaScript functions to access and manipulate JSON variables. (easier said than done, from someone whose done it )

I am familiar with the site. These are my favorites:
https://www.squarefree.com/bookmarklets/zap.html

What if they have a secret decoder ring? There is decent one here:

https://www.squarefree.com/bookmarklets/pagedata.html#rot13_selection

I'd also like to comment that I'm very concerned with the keep-piling-on-features mentality in Firefox. I want a web browser - not an OS/desktop-in-a-window. The whole reason that firefox was born was that everybody was tired of Mozilla having 47 huge features that nobody needed. Let's stick to the basics and do them right. If they want to come out with a few other apps that can tightly integrate with firefox, that's great - but let's let the stand-alone browser be a stand-alone browser...

I'm surprised to hear this. I had the impression that Firefox 3 was much heavier on improvements (speed, memory, security, stability, OS integration) and lighter on new features than any other recent version, despite the long development cycle.

Even the 40 or so "new features" I listed in my unofficial changelog are mostly replacements for, or subtle enhancements to, existing features. That's a drop in the bucket compared to the hundreds of speed and memory improvements and over 16000 total bug fixes.

Are there any new features that you think are especially "bloaty" or damaging to the user experience, or any aspects of quality that you feel have been neglected?

From http://www.squarefree.com/burningedge/:

"Fixed: 430530 - [Linux] Excess disk IO when updating the url-classifier."

Give it another shot.

http://www.squarefree.com/burningedge/ lists some of the changes. The beta 5 code freeze was apparently March 19th.

http://www.squarefree.com/burningedge

No, the relevant security decision was making double-click mean both "display" and "launch". Showing extensions only helps people who have memorized the meaning of dozens of extensions and check the extension every time.

In case you're like me and don't know how to edit your user stylesheet:
http://www.squarefree.com/userstyles/user-style-sheets.html

Thanks for the tip, Bogtha!

Have you seen these image browsing bookmarklets?

Many of them are even useful for other things than what they suggest. :)

What should the browser do if a user requests the generated source while it is changing it? A built in feature needs to answer that question in an unambiguous way and the answer will inevitably make somebody unhappy. Fortunately, a user added feature doesn't face those problems:

https://www.squarefree.com/bookmarklets/webdevel.html#generated_source

The 'glitch' in Experts Exchange is that the answer is available in the page source and their obfuscation is happening client side. This is related to Google in that the answers provide good search words and Googlebot gets upset if you do User-Agent gaming to feed it special pages.

At the moment, I can't find a solution that isn't simply displayed at the bottom of the page(so either the obfuscation is turned off or it isn't working in Firefox 3 Beta 3), but I have zapped their style sheets in the past:

https://www.squarefree.com/bookmarklets/zap.html#zap_style_sheets

(Which is sometimes easier than messing around with the page source)

Actually that functionality exists in the Mozilla Suite as well as the built in Google translate. I dislike that fact that they have removed some of these features. For the record; there isn't an extension that was as functional as the "Translate" function that was built in the old Mozilla Suite (and SeaMonkey).

Here are your links for your request in Firefox w/out the use of an extension:

http://kb.mozillazine.org/Location_Bar_search
http://www.squarefree.com/2004/09/09/googles-browse-by-name-in-firefox/

Regards,
Anonymous Coward.

• Memory leaks
  • 333078 - XPCOM Cycle Collector. (Cycle collection has similar goals to tracing garbage collection but integrates better with reference counting. Turning on cycle collection fixed entire classes of leaks, both in Firefox and in extensions.)
  • 330128 - Calling cancel() on a timer doesn't drop reference to callback.
  • Many more: 331 bugs fixed on trunk with the "mlk" keyword.
• Code size and memory use
  • 296818 - Don't hold onto decoded image data for so long.
  • 143046 - Reduce memory use for animated GIFs by storing frames other than the first at the original 8 bits.
  • Take a string constructor out of line. (From 345517.) (1% code size win.)
  • 332174 - Drop SOAP support. (2% code size win.)
  • 313309 - Provide table-driven QI mechanism.
  • 407459 - [Windows] Switch from default MSVC malloc to jemalloc for better memory allocation speed and lower fragmentation.
  • Many more: 100 bugs fixed on trunk with the "footprint" keyword.

I don't think you'll find a full feature list anywhere. My changelog and the release notes mention a lot of the new features, but if you want to know whether a specific bug got fixed or feature got added, you'll need to check Bugzilla.

In this case, it's bug 334987, and it looks like it won't be done for Firefox 3.

By the way, it would be both hard to fix (because sound comes from plugins) and controversial (because some users like to leave pandora.com playing in the background while they do other things).

You might wanna check this site out, it's awesome if you like to keep track of development.

Maybe this site has it indexed too.

Actually, many Firefox devs now use Macs as their primary desktops.

That's the problem. FF2 is based on Gecko 1.8.1, which is now over 2 years old. FF3 (the first beta should be out in a few weeks) will be based on Gecko 1.9, which will have a mind-bogglingly large number of refactorings and core fixes (literally, several thousand bug fixes/enhancements and several millions of lines of code changed). The Mac graphics code now uses Cocoa widgets on top of Quartz (through Cairo) as opposed to Carbon widgets on top of Quickdraw; there's a new Mac theme, and HTML forms are now rendered as native widgets. The result is that FF3 now looks and feels like a native Mac app. Oh, and Linux support will see many improvements in FF3; see this blog post for details, and this one for information on what needs to happen next.

As for memory use, Gecko 1.9 has seen a lot of memory-related work, including a cycle collector for XPCOM (their COM system). Memory leaks seem to be way down. One dev thinks some memory problems might not be due to leaks but rather memory fragmentation. Planned for the big Mozilla 2 rewrite (to be in FF4 or later) is the whole new Tamarin VM (based on that big contribution from Adobe), which will perform garbage collection on the entire codebase.

For now, though: Often memory leaks are caused not by FF itself but by extensions; try running through a typical browsing session in Safe Mode and see how the memory usage compares.

Did baby boomers use scrolls, too?

Even more tools for easier porn browsing with Firefox can be found here: http://www.squarefree.com/pornzilla/

Crashing an application from a remote system means that application is not filtering [its] input correctly

Wrong. This crash has more to do with layout data structures than "filtering input".

and is subject to a remote compromise.

Only some types of crash bugs are exploitable. If this happened on Mac, we'd probably already know whether this crash was exploitable.

Firefox is only about 2/3 better (3 pages vs. 8 pages) judging by number of CVEs*.

Your link is broken (I get a cert error), so I can't tell you what's misleading about this particular vulnerability-counting scheme.