Firefox - The Platform

Strudelkugel writes "Business 2.0 reports Firefox is becoming a problem for Microsoft. But FF is not just a problem as a browser; its potential as a platform is significant. From the article: 'It all adds up to a business opportunity for startups, established software companies, and Web giants alike. Though Ross and the nonprofit Mozilla Foundation don't stand to make money, Firefox's open platform gives it enormous potential to hatch a new class of applications that live on the desktop but do business on the Web.'"

Re:let it be just a browser

[FuzzzyLogik]

It is a browser. But the components that were used to BUILD the browser are very cross platform (hence you have firefox on 3 major different platforms, windows, linux, and mac). in doing so the backend of all of this is cross platform and can be used to create other applications besides just a web browser. you only really need to know javascript, xul, and a few other things and you can use the stuff that was used to build firefox and make your own application. it's a novel idea and hopefully it'll be put to good use.

Re:Worries me..

[damiam]

FireFox is already extremely bloated (on Windows) compared to other Windows applications

Firefox is a 4.5MB download. That may be bloated compared to sol.exe, but it's tiny compared to IE, and not much bigger than Opera (3.5MB).

Re:Worries me..

[spuzzzzzzz]

FireFox is already extremely bloated (on Windows) compared to other Windows applications and the source code is hundreds of meg in size, the reason - it has an entire platform.

I'm not quite sure where you get that "hundreds of megs" thing. As a gentoo user, I have source tarballs available and they're all about 30 meg:

$ ls /usr/portage/distfiles/firefox-* -l
-rw-r--r-- 1 root portage 33945173 Aug 6 00:06 /usr/portage/distfiles/firefox-0.9.3-source.tar.bz 2
-rw-r--r-- 1 root portage 32396291 Sep 14 17:27 /usr/portage/distfiles/firefox-1.0PR-source.tar.bz 2
-rw-r--r-- 1 root portage 32380173 Oct 2 16:07 /usr/portage/distfiles/firefox-1.0PR.1-source.tar. bz2

In addition, the source tarballs contain lots of non-code stuff. The actual executable on my system is less than 80 kB. There are quite a few supporting libraries, of course. Oh, and the binary download is 8.1 megs (for linux/x86).

Firefox is just a browser. That's all it does. The point of this article is that we can use a browser as a platform for other stuff. This doesn't involve bloating the browser; it involves writing applications that run on top of it.

Re:What about security?

[jsebrech]

However, I'm becoming increasingly dismayed by the sheer amount of security holes being found. I mean - shockingly - if you look at sites like Secunia, there have been _MORE_ vulnerabilities in Firefox than IE in the last six months!

The reason there have been more security vulnerabilities is because of the security bug bounty, which rewards people monetarily for finding security bugs. They're simply trying to shake out the security bugs in advance, before it goes big.

Plus, there's been more interest in firefox recently from security firms who see it as a rising star, and think they can get some fame and draw to their consulting business by finding and
publicly revealing security bugs.

I doubt mozilla/firefox is as insecure as IE. It doesn't have the same structural design problems, like activex, and "zones".

Mozilla Amazon Browser

[CanadaDave]

"Amazon (AMZN) could build a search application into the browser that lets users buy books without visiting its website."

That already exists! Ok, it doesn't let people buy book yet, but you can search. I wonder if the author of the article knew that. Check it out here and here. I've actually tried it out and it works really well.

Get the firefox extension here.

Re:Worries me..

[shadowmatter]

FireFox is already extremely bloated (on Windows) compared to other Windows applications and the source code is hundreds of meg in size, the reason - it has an entire platform.

Maybe the Mozilla suite, but not Firefox. In my downloads folder at work:

FirefoxSetup-0.8.exe: 6348KB
FirefoxSetup-0.9.exe: 4845KB
Firefox Setup 1.0PR.exe: 4630KB

These are the setup executables for Windows. And if memory serves me correctly, the Thunderbird client has been getting smaller with each new version even more dramatically...

- sm

Re:A few really good Apps could make the differenc

[CosmicDreams]

Does anyone know if someone is writing a webmail client in XUL?

Yes, http://xulwebmail.mozdev.org/

Re:Huh? Who isn't online yet?

[cduffy]

Your bank? Check. Your brokerage? Check? Your government? Check. Your doctor? No, but thats because your doctor is still using Win95 and Office 97. Once someone consolidates the IT operations of law offices and medical practices, this will happen too...the cost of handling paper records is killing these industries.

It's not all that bad. Practice management systems (for patient scheduling and billing) have almost 100% market share already. It's only electronic medical record systems that are next to unheard of -- and there are plenty of folks (such as the startup I work for) working hard to fill that gap.

Re:What can the platform do?

[Coryoth]

Does it give me the ability to have processing in a webpage on the desktop? The ability to open windows with controls that look like "normal" (read: non-HTML) Windows-windows? The ability to create my own controls and use those on any desktop?

Um, pretty much, yeah. Open this in Firefox or Mozilla, or better yet, go here and click on the "launch in its own window" link.

Jedidiah.

Re:no, the cat HASN'T got my tongue.

[Fnkmaster]

No, they are fundamentally different in intention and use. XPI entensions are installed into your browser to give you extra functionality. In that sense they are much more like browser plugins than ActiveX objects - plugins that have access to browser structures, DOM tree, menus, etc. Since many of these things are by definition browser specific structures, it doesn't really make sense to talk about cross-browser browser extensions.

You will never go to a random company's web page and see an XPI object on the page. And FF won't even let you install or use an XPI object from a random page as a security measure - by default you can only download them from the officially maintained archive. You have to override this if you want to download XPI files from some other source.

You may some day go to a random company's page and see a XUL application as part of their interface in the same way that ActiveX is used sometimes today. But A) XUL is a standard (I don't know if it's de facto or de jure at this point) that others can implement if they choose and B) doesn't suffer from the kinds of broken-by-design security model that ActiveX has, C) will in practice probably never be used as the only way to do something, just a way to enrich existing web UIs, whereas ActiveX is used as a crutch for things like delivering 'secure' video and audio content.

XUL as an Application Platform

[SendBot]

This is shamelessly ripped from http://xulplanet.com/tutorials/whyxul.html
I think it presents a concise overview of firefox as a development platform.

XUL and Gecko make an excellent choice for building sophisticated Web applications. It provides a rich user interface toolkit, an HTML and CSS renderer with excellent standards-compliance and support for web services, all completely cross platform.

Work is ongoing with the Gecko Runtime Environment (GRE), which aims to make Gecko a snap to drop into a standalone application, complete with your own executable, if you desire. The idea is to allow the right version of the GRE to be installed automatically with the application if necessary. If the GRE is already installed, there is no need to install it again, or even download it. For those that are interested, the GRE is about 5 to 10 MB, depending on your platform, which is quite small compared to other application platforms. It's also possible to have Gecko run directly from a network drive or CD.

Since XUL may be used on Web sites, it can be used with server-side architectures such as PHP and JSP to build dynamic content. This allows Gecko to be both a two-tier or a three-tier application model depending on your needs. There are projects in development now which aim to integrate Java, Python and other languages into Gecko directly.

Re:no, the cat HASN'T got my tongue.

[Apro+im]

Netscape uses the same engine as Firefox - any "platform" changes on Firefox quickly find their way into Netscape.

Opera, maybe?

Re:no, the cat HASN'T got my tongue.

[swillden]

so is it the concept or the implementation [of ActiveX] thats flawed?

Yes.

The concept is fundamentally bad (for everyone other than Microsoft): using operating system and hardware-specific code to build web sites is a bad idea, unless your goal is to promote eternal lock-in to that platform. From a security standpoint, the notion of running automatically-delivered-over-the-net native machine code that runs outside of any kind of protective sandbox is sheer insanity, and code signing doesn't really help much, because since *all* ActiveX controls have to be signed to have any chance of being safe, the user has to either get used to zombie-clicking the approvals or else just configure the damned thing to assume that every signed control is safe.

Not to mention (getting back to lock-in and monopoly preservation here) that whoever controls the signing process and keys has a semi-veto power over what can or cannot be done with the platform.

The implementation sucks primarily because it's integrated into such an insecure environment to begin with.

But even if the implementation were perfect, and even if we didn't care about the platform lock-in aspectes, the basic idea is just bad. With Java and Javascript, the downloaded code runs in a protected environment. Malicious code has to first break out of that jail before it can even begin trying to compromise the system. Javascript further provides "data tainting" to reduce privacy risks. Most importantly, because 95% of the useful stuff you'd like to do in a web-based application doesn't require breaking out of the sandbox, signed Java applets that do are rare, so users can be appropriately cautious about them (actually Java applets are rare, and for good reasons, but that's another rant). Javascript + XUL actually has no way to break out of the sandbox, AFAIK (someone please correct me if that's wrong).

Work on security issues

[jeti]

It has the potential to be great, but we need to get past all this "add more features" and fix security programs.

Maybe Firefox is not yet as secure as it should be. But people are intensely at work tightening things up.
According to The Burning Edge no less then 10 security related bugs have been fixed in the last week.
The developers are obviously using the random HTML script, and the security bug hunting program seems to pay off.

I'm under the impression that Firefox developers are working very hard to provide a secure version 1.0 of Firefox.

Re:no, the cat HASN'T got my tongue.

[CaptainZapp]

and code signing doesn't really help much, because since *all* ActiveX controls have to be signed to have any chance of being safe

Even if signing the code would be secure it doesn't help a hell of a lot if the good burgers at Verisign hand out the keys to every pimply faced teenager walking in.

This advisory describes this spectacular goof in detail. I quote:

In mid-March 2001, VeriSign, Inc., advised Microsoft that on January 29 and 30, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation". The ability to sign executable content using keys that purport to belong to Microsoft would clearly be advantageous to an attacker who wished to convince users to allow the content to run.