Slashdot Mirror


Developing Firefox Extensions with GNU/Linux

QT writes "Ars Technica has a lengthy but useful introduction to developing Firefox extensions with GNU/Linux. This guide comes hot on the heels of the RC for Beta 1 of Firefox. The article is a little more thorough than necessary, but I can't complain about anything that spurs Firefox development." From the article: "What can you do with a Firefox Extension? Firefox extensions can modify the Firefox user interface. This includes adding buttons to tool bars and menus; changing fonts, colors, and icons; capturing events in the client interface like page loads and clicks; and modifying web pages after the browser loads them and before the user sees them. All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox. Extensions can add protocol handlers, hooking actions to URLs like icq://, aim://, or stantz://. Extensions have UniversalXPConnect privileges, allowing them to harness any XPCOM component. Firefox comes with a rich library of XPCOM components that permit your extension to drive very low-level functionality like sockets from Javascript. You can also augment the XPCOM library with Firefox extensions by adding Javascript, linkable libraries, or XPIDL."

16 of 146 comments

  1. this reminds me... by QunaLop · · Score: 2, Insightful

    Since these things have full access to the local machine, remind me why we love extensions and hate ActiveX?

    1. Re:this reminds me... by jd142 · · Score: 4, Insightful

      They don't have full access to the local machine, they only have the user's access to the local machine. There's an important difference.

    2. Re:this reminds me... by moonbender · · Score: 4, Insightful

      Simple: ActiveX was and is often used by websites to extend website functionality. For instance, Microsoft uses it to implement the functionality of its Windows Update website. Trend Micro uses it to implement the functionality of its house call anti virus service. And so on. Of course there isn't anything inherently bad about it, both examples are very useful. It would be very insecure, though, to allow untrusted sites to extend their functionality this way, and it would have been very bad if ActiveX had been a standard repertoire of web design in the way that Flash is, for example.

      Firefox extensions are quite different. They typically extend the functionality of the browser, independent of the web sites you might use. I say typically because there are counterexamples, for instance extensions designed to make working with Wikipedia easier. But this is the exception, not the norm. Firefox extensions aren't "meant" to be used by a lot of different web sites, and people would find it quite strange if they were required to install an extension for viewing just one web site.

      So maybe the technology is similar (I wouldn't know), the way they are typically used, and were designed and meant to be used are quite different.

      --
      Switch back to Slashdot's D1 system.
    3. Re:this reminds me... by NutscrapeSucks · · Score: 2, Insightful

      Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

      In theory, Firefox is a browser for the masses and is designed to supplant Internet Explorer. If Firefox has a userbase that's more technically sophisticated than other browsers, that only means that there's more work to do.

      So please quit blowing yourself by thinking Firefox is l33t d00d software -- it isn't. The whole goal is stripped down and simple for the ordinary IE user.

      Now it is true that Extensions are "elite", and they are generally only found on one or two sites. The question is if the security model will hold up when Firefox gets more popular and users get used to installing extensions from a variety of sources. I'm sure at some point a signing mechanism like Authenticode will be deemed necessary.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    4. Re:this reminds me... by baadger · · Score: 2, Insightful

      "I'm sure at some point a signing mechanism like Authenticode will be deemed necessary."

      Just like signed ActiveX?

      Anyone can sign something. For signing to work you need a trusted registry/organisation to cryptographically sign things and use a whitelist system to reject untrusted signatures, just like SSL certificates. But we aren't talking about certificates, we're talking about code. Anytime someone sticks an official stamp on something people start expecting the official stamper/supposed quality assurer to take responsibility when shit hits the fan.

      No, the best bet is to show a blatant warning when the user installs an extension and produce a centralised link to somewhere (like addons.mozilla.org) where users can discuss an extension and decide if they trust it for themselves. This would be the open source community bit. A blacklist of bad extensions/spyware might be a good idea too.

      There's not much you can do to improve the way ActiveX components are installable except to educate users and provide easily accessible resources (as above). The security model underneath ActiveX apparently sucks (no personal experience)...but then Firefox extensions can be a pain too.

      You shouldn't worry too much about anything beyond personal assessment and a warning IMHO. It's a definite slippery slope to spyware removal tools for Firefox. It's gonna happen unless someone makes a revelation.

    5. Re:this reminds me... by FST777 · · Score: 2, Insightful

      Exactly what I was thinking. Assume Firefox has 90% market share. One gets a (spam-)mail in, asking it to visit stated link. The link gives the user a request to install a certain Firefox extension. The user thinks it is safe, because that is the sole reason he/she installed Firefox in the first place (with the upcoming IE 7 there really aren't any more standing reasons yet). And there you go, a fully open browser, with access to the filesystem, throwing all the information needed for anything nasty, right through our beloved extension system.

      This wouldn't be an exploit if the parent's parent of this post is right: "Firefox users should be the most intelligent people on the earth". But that is not the goal of Firefox at all (at least, AFAIK). If it is, it would be the very same attitude which kills Open Source in many situations (yes, *** is complicated, but hey, if you don't understand it, it's just not made for you!)

      And to think that I talked so many people into Firefox, just to prove that Open Source could be for them too... (and apart from this attitude, the update-system proved me wrong... good to hear that they are tackling that one!)

      --
      Free beer is never free as in speech. Free speech is always free as in beer.
    6. Re:this reminds me... by NutscrapeSucks · · Score: 2, Insightful

      No, I don't think signing is a cure-all, but it does minimize one social exploit. Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash.

      If Firefox becomes popular, it's possible there would be a ton of fake "Ad Block" and "Tab Browser" extensions, and signing is pretty much the only way to stop it.

      If you want to see an example of this in action, search Google for "eMule", the opensource filesharing client. About 90% of the links go to fake sites which are probably spyware-laden clients. Too bad the official eMule installer doesn't use Authenticode -- I would definitely check it.

      Now it would be nice if code-signing was extended so that things could be "Certified by So-N-So to be Spyware-Free!". But even then, if it's an open system, fake certifiers will come about.

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    7. Re:this reminds me... by NutscrapeSucks · · Score: 2, Insightful

      The trust ratings and user comments need to be safe from poisoning and therefore moderated

      Keep in mind that Kazaa was the run-away most popular filesharing client for years, despite all of the well-known spyware it came with.

      If you want to moderate all of the "wrong" opinions or just plain spam on this proposed BBS, you might as well just skip a step and put the Cabal directly in charge. (Whether that would be mozilla.org is unlikely, I think.)

      And since your proposal relies on hashes, browser support, and some sort of authority, you might as well accept that you've just proposed code signing and you agree with me :)

      --
      Whenever I hear the word 'Innovation', I reach for my pistol.
    8. Re:this reminds me... by Anonymous Coward · · Score: 1, Insightful

      I like to try out extensions from time to time, and yet, somehow I'm still safer than I ever could be using IE.

      That safety is an illusion. I saw one extension (or it might have been a Greasemonkey script; the difference isn't important as it could have been either for this vulnerability to work) that was intended to serve as a browser-based single sign-on. It passed all the passwords to Javascript dynamically loaded from an external site. Purportedly, this was because it started out life as a bookmarklet, which has space limitations. Tell me how Firefox's superior security prevented that from happening? Oh wait, it didn't. Tell me how the social factor prevented that from being used? Oh wait, smart people were recommending it.

  2. Where's my bittorrent:// ? by Anonymous Coward · · Score: 3, Insightful

    Where's my bittorrent:// protocol??!?!

    I would love to simply do a bittorrent from firefox. I think that'd spur a lot more users and make it easier to... um... *LEGAL* download torrents... (like knoppix, fedora, etc.)

    Bring on the torrents!!!

  3. "hot the heals"? by Anonymous Coward · · Score: 1, Insightful

    A grammar mistake and a spelling mistake in the same phrase. Learn English, guys.

    And that statement "RC for Beta 1 of Firefox" without the "v 1.5" modifier implies that Firefox is something new that is about to be released. Does no one even try to edit these things?

    You do realize that these mistakes distract readers' attention from the actual article content, right?

  4. In other words... by nmb3000 · · Score: 4, Insightful

    Firefox extensions are useful and powerful tools when used correctly, yet have the ability to easily become malicious and destructive if the user doesn't pay attention.

    Hmmm, sounds a lot like ActiveX. While the main intent for the two is a little different (browser tweaking vs. client-side scripting & server interaction), both require users to make informed decisions. People going on about how Firefox is so much safer because it doesn't support ActiveX might need to consider dropping that argument. As Firefox's market share grows, so will the number of websites that advertise Firefox plugins, and unaware users will be just as susceptible to malware and viruses as they were with IE.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  5. Danger Will Robinson! by Elrac · · Score: 5, Insightful
    All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox.
    But... but... isn't it just this extreme flexibility that represents the biggest Achilles heal (sic) of Outlook and IE? Isn't this what Mozilla proudly avoids?

    I realize that there are some differences, such as the fact that the red carpet is only rolled out for extensions the user trusts, but... when you advertise Firefox to dummies, your trusting users will BE dummies!
    --
    When one person suffers from a delusion, it is called insanity. When many people suffer from a delusion it is called Rel
  6. Re:HORRIBLE idea..(and my inability to close tags) by Noksagt · · Score: 2, Insightful

    The problem is he probably ISN'T a spambot. The FROM header is very easily spoofed. His machine need not be the sender for the message to claim it came from him.

  7. Re:HORRIBLE idea..(and my inability to close tags) by radish · · Score: 2, Insightful

    I'm not a spambot you moron. Go read up on SMTP and come back when you know what you're talking about. The FROM and REPLY-TO headers are spoofed (trivially easy) and the spamees aren't checking my domain's SPF records. Nothing to do with me whatsoever, other than getting me flooded with bounce messages.

    --

    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  8. My thinking on the subject by TheSpoom · · Score: 4, Insightful

    When should you use a Firefox extension?

    Only when you're EXTENDING FIREFOX.

    If your website requires an extension (or, for that matter, ActiveX) to work, you're simply coding it incorrectly.

    Possible exceptions include Windows Update, but even then, Microsoft coded that as part of the OS in XP, so the web portal really isn't necessary.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs