Slashdot Mirror

← Back to Stories (view on slashdot.org)

Developing Firefox Extensions with GNU/Linux

Posted by Zonk on from the extend-the-browser-extend-the-fun dept.

QT writes "Ars Technica has a lengthy but useful introduction to developing Firefox extensions with GNU/Linux. This guide comes hot on the heels of the RC for Beta 1 of Firefox. The article is a little more thorough than necessary, but I can't complain about anything that spurs Firefox development." From the article: "What can you do with a Firefox Extension? Firefox extensions can modify the Firefox user interface. This includes adding buttons to tool bars and menus; changing fonts, colors, and icons; capturing events in the client interface like page loads and clicks; and modifying web pages after the browser loads them and before the user sees them. All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox. Extensions can add protocol handlers, hooking actions to URLs like icq://, aim://, or stantz://. Extensions have UniversalXPConnect privileges, allowing them to harness any XPCOM component. Firefox comes with a rich library of XPCOM components that permit your extension to drive very low-level functionality like sockets from Javascript. You can also augment the XPCOM library with Firefox extensions by adding Javascript, linkable libraries, or XPIDL."

4 of 146 comments (clear)

  1. Re:this reminds me... by XO · · Score: 1, Interesting

    Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

    On the other hand, I allow all of my software to update themselves automatically, I allow every thing that has extensions to install them automatically when I request an extension, and I trust that virtually any program I run across will be ok.

    And I've only seen two viruses in the last 2 decades (except on my brother's Amiga), both of which were on computers or hard drives that I inherited from someone else.

    --
    "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
  2. Re:In other words... by Leffe · · Score: 2, Interesting

    How is "download virus.xpi here idiot" any different from "download virus.exe here idiot"?

    Stupid people are stupid, they make the Internet and the world a worse place for all of us. It's too bad I don't have the time to spend to revoke all of their life certificates.

  3. Re:this reminds me... by baadger · · Score: 2, Interesting
    "Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash."

    Very very true. The problems with ActiveX all stem from uninformed users clicking yes to that XXX Toolbar popup.

    I definately think it'd be a good idea for Mozilla to implement a community page for every extension any firefox browser anywhere tries to install from a remote location. Something much like the current extension directory, but inclusive of extensions not even hosted there (even any commercial extensions that may arise in the future). It could work something like this:

    1. The browser hashes the extension code minus any fuzziness, whitespace etc (or better yet hash the bytecode) to try and ensure malicious authors don't try to scatter negative feedback.
    2. Offer the user a friendly details link to http://extensions.mozilla.org/?lookup=hash on the warning screen when they try to install the extension
    3. The user can read other peoples warnings, doubts, or happy reviews see the extension rating, how many people have installed it, etc and can then decide for themselves whether it's trustable enough to install.
    4. The hash links could be redirected to proper extension pages with names, descriptions and version #'s etc once the extension is well established and rated to be 'safe' by the community.
    5. For users too lazy to 'waste' time checking the feedback pages thoroughly, the warning dialog could show any immediate threat or trust rating and whether the code for this extension has been peer reviewed.


    Problems:
    • Successfully identification of extensions could be tricky if a malicious author tries to dodge the system.
    • The trust ratings and user comments need to be safe from poisoning and therefore moderated
  4. Re:anti-ActiveX by Noksagt · · Score: 3, Interesting
    They are better sandboxed than IE ActiveX controls used to be.
    Here, I made a (rightly well-criticized) mistatement. I'm wrong. Both XPCOM and ActiveX can execute with full user-priviledges.

    As I said, though: webpages could tell IE (at least used to) where to download an ActiveX control. If the control was not already installed, IE would automatically download and install the control from the specified source. In firefox, the page must me whitelisted before extensions could be downloaded. Can someone tell me if IE has changed to the whitelist model yet? Last I heard, they were even maintaining a list of malicious ActiveX controls. This seemed inance to me, as there is most likely more malicious junk out there than truly useful controls.