Developing Firefox Extensions with GNU/Linux

← Back to Stories (view on slashdot.org)

Developing Firefox Extensions with GNU/Linux

Posted by Zonk on Saturday September 10, 2005 @08:33AM from the extend-the-browser-extend-the-fun dept.

QT writes "Ars Technica has a lengthy but useful introduction to developing Firefox extensions with GNU/Linux. This guide comes hot on the heels of the RC for Beta 1 of Firefox. The article is a little more thorough than necessary, but I can't complain about anything that spurs Firefox development." From the article: "What can you do with a Firefox Extension? Firefox extensions can modify the Firefox user interface. This includes adding buttons to tool bars and menus; changing fonts, colors, and icons; capturing events in the client interface like page loads and clicks; and modifying web pages after the browser loads them and before the user sees them. All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox. Extensions can add protocol handlers, hooking actions to URLs like icq://, aim://, or stantz://. Extensions have UniversalXPConnect privileges, allowing them to harness any XPCOM component. Firefox comes with a rich library of XPCOM components that permit your extension to drive very low-level functionality like sockets from Javascript. You can also augment the XPCOM library with Firefox extensions by adding Javascript, linkable libraries, or XPIDL."

100 of 146 comments (clear)

this reminds me... by QunaLop · 2005-09-10 08:36 · Score: 2, Insightful

since these things have full access to the local machine, remind me why we love extensions and hate activex?
1. Re:this reminds me... by XO · 2005-09-10 08:40 · Score: 1, Interesting
  
  Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.
  
  On the other hand, I allow all of my software to update themselves automatically, I allow every thing that has extensions to install them automatically when I request an extension, and I trust that virtually any program I run across will be ok.
  
  And I've only seen two viruses in the last 2 decades (except on my brother's Amiga), both of which were on computers or hard drives that I inherited from someone else.
  
  --
  "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
2. Re:this reminds me... by generic-man · 2005-09-10 08:45 · Score: 1
  
  Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent. Because Firefox is open source, any security vulnerability will be patched immediately and delivered seamlessly to every Firefox user.
  
  Because Firefox has such a low market share, it is simply not profitable to deploy spyware extensions for it.
  
  --
  For more information, click here.
3. Re:this reminds me... by jd142 · 2005-09-10 09:17 · Score: 4, Insightful
  
  They don't have full access to the local machine, they only have the user's access to the local machine. There's an important difference.
4. Re:this reminds me... by Noksagt · 2005-09-10 09:23 · Score: 1
  
  Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent.
  Are there open IE bugs that allow this? Both products are susceptible to any worm/trojan dropping a malicious extension into the user's profile and/or whitelisting other sites.
  Because Firefox has such a low market share, it is simply not profitable to deploy spyware extensions for it.
  Security through low marketshare?! There have been malicious ads/extensions that have targeted firefox.
5. Re:this reminds me... by Liam+Slider · 2005-09-10 09:30 · Score: 1
  
  Well, on a Linux or Unix system, it gets nicely sandboxed by the permissions system. Running a program as user simply doesn't give the program root authority.
  
  ActiveX on the other hands, runs on Windows, and has basically full root access to the machine.
  See the difference?
6. Re:this reminds me... by e_xworm · 2005-09-10 09:31 · Score: 1
  
  oh goodie... so a mallware extension would only erase all my files, my projects, my photos and leave the rest of the machine intact.. phew.. now i feel much better
  
  --
  X~
7. Re:this reminds me... by moonbender · 2005-09-10 09:35 · Score: 4, Insightful
  
  Simple: ActiveX was and is often used by websites to extend website functionality. For instance, Microsoft uses it to implement the functionality of its Windows Update website. Trend Micro uses it to implement the functionality of its house call anti virus service. And so on. Of course there isn't anything inherently bad about it, both examples are very useful. It would be very insecure, though, to allow untrusted sites to extend their functionality this way, and it would have been very bad if ActiveX had been a standard repertoire of web design in the way that Flash is, for example.
  
  Firefox extensions are quite different. They typically extend the functionality of the browser, independent of the web sites you might use. I say typically because there are counterexamples, for instance extensions designed to make working with Wikipedia easier. But this is the exception, not the norm. Firefox extensions aren't "meant" to be used by a lot of different web site, and people would find it quite strange if they were required to install an extension for viewing just one web site.
  
  So maybe the technology is similar (I wouldn't know), the way they are typically used, and were designed and meant to be used are quite different.
  
  --
  Switch back to Slashdot's D1 system.
8. Re:this reminds me... by NutscrapeSucks · 2005-09-10 09:39 · Score: 2, Insightful
  
  Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.
  
  In theory, Firefox is a browser for the masses and is designed to supplant Internet Explorer. If Firefox has a userbase that's more technically sophisticated than other browsers, that only means that there's more work to do.
  
  So please quit blowing yourself by thinking Firefox is l33t d00d software -- it isn't. The whole goal is stripped down and simple for the ordinary IE user.
  
  Now it is true that Extentions are "elite", and they are generally only found on one or two sites. The questions is if the security model will hold up when Firefox gets more popular and users get used to instaling extentions from a varity of sources. I'm sure at some pont a signing mechanism like Authenicode will be deemed necessary.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
9. Re:this reminds me... by rm69990 · 2005-09-10 09:51 · Score: 1
  
  Yes, because Firefox is a Linux/Unix only program. Gotcha. I totally understand now :)
10. Re:this reminds me... by LnxAddct · 2005-09-10 09:52 · Score: 1
  
  You have to install an extension.
  Regards,
  Steve
11. Re:this reminds me... by NutscrapeSucks · 2005-09-10 09:58 · Score: 3, Informative
  
  Or not so important, because Windows users generally run with administration privledges, and that's where the virus problem lies.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
12. Re:this reminds me... by Bogtha · 2005-09-10 10:02 · Score: 1
  
  Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.
  
  Sounds like double-standards to me. "ActiveX and Firefox extensions are fundamentally the same thing, but one is good and one is bad because Firefox users are smarter". Surely the same "educated user" would also have no problems with ActiveX, in which case, where's the real difference?
  
  --
  Bogtha Bogtha Bogtha
13. Re:this reminds me... by karstux · 2005-09-10 10:09 · Score: 1
  
  As someone else already pointed out, there's no way to install them without user interaction and consent.
  
  Also, Mozilla extensions are inherently open-source. You can simply unzip the .xpi, then unzip the .jar and look at the code. And that's all that they are - ECMAscript and XUL. That makes them cross-platform, too.
  
  They're a lot easier to trust and a lot more likeable than ActiveX controls, don't you think?
  
  --
  Don't whistle while you're pissing.
14. Re:this reminds me... by NutscrapeSucks · 2005-09-10 10:13 · Score: 1
  
  Good point -- it always helps to clear up the termonology before diving too deep into a flamewar. Mozilla has developed a bunch of technologies that have rough equivilance to IE tech:
  
  Netscape Plugins =~ ActiveX control
  XPInstall =~ "ActiveX Web Distribution" (may not be the official name)
  Firefox Extentions =~ Browser Helper Objects (BHOs)
  
  The confusion I think is that most BHOs use ActiveX Distribution as the installation mechanism.
  
  (And the other confusin is that MS has defined the term "ActiveX" in 9 different ways. Tons of stuff in Windows use COM/ActiveX, but the think people bitch about is the installation mechanism.)
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
15. Re:this reminds me... by NutscrapeSucks · 2005-09-10 10:16 · Score: 1
  
  Correction -- ActiveX Distribution is officially called "Internet Component Download". Again, this is the thing people dislike the most about IE, not necessarily "ActiveX".
  
  http://msdn.microsoft.com/workshop/delivery/downlo ad/overview/overview.asp
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
16. Re:this reminds me... by maxume · 2005-09-10 10:17 · Score: 1
  
  A big part of it is that extensions are mostly managed and installed and what-not by users, not by webmasters, or whatever it is you call the guy that is building the website. That way, people without the extension aren't left out in the cold, they can still access the content, just without whatever spiffiness the extension provides.
  
  --
  Nerd rage is the funniest rage.
17. Re:this reminds me... by baadger · 2005-09-10 10:20 · Score: 2, Insightful
  
  "I'm sure at some pont a signing mechanism like Authenicode will be deemed necessary."
  
  Just like signed ActiveX?
  
  Anyone can sign something. For signing to work you need a trusted registry/organisation to cryptographically sign things and use a whitelist system to reject untrusted signitures, just like SSL certificates. But we aren't talking about certificates we're talking about code. Anytime someone sticks an official stamp on something people start expecting the official stamper/supposed quality assurer to take responsibility when shit hits the fan.
  
  No, the best bet is to show a blatant warning when the user installs an extension and produce a centralised link to somewhere (like addons.mozilla.org) where users can discuss an extension and decide if they trust it for themselves. This would be the open source community bit. A blacklist of bad extensions/spyware might be a good idea too.
  
  Theres not much you can do to improve the way ActiveX components are installable except to educate users and provide easily accessable resources (as above). The security model underneath ActiveX apparently sucks (no personal experience)...but then firefox extensions can be a pain too.
  
  You shouldn't worry too much about anything beyond personal assessment and a warning IMHO. It's a definate slippery slope to spyware removal tools for Firefox. It's gonna happen unless someone makes a revelation.
18. Re:this reminds me... by FST777 · 2005-09-10 10:29 · Score: 2, Insightful
  
  Exactly what I was thinking. Asume Firefox has 90% market share. One gets an (spam-)mail in, asking it to visit stated link. The link gives the user a request to install a certain Firefox extension. The user thinks it is save, because that is the sole reason he/she installed Firefox in the first place (with the upcoming IE 7 there really aren't any more standing reasons yet). And there you go, a fully open browser, with access to the filesystem, throwing all the information needed for anything nasty, right trough our beloved extension system.
  
  This wouldn't be an exploit if the parent's parent of this post is right: "Firefox users should be the most intelligent people on the earth". But that is not the goal of Firefox at all (at least, AFAIK). If it is, it would be the very same additude which kills Open Source in many situations (yes, *** is complicated, but hey, if you don't understand it, it's just not made for you!)
  
  And to think that I talked so many people into Firefox, just to prove that Open Source could be for them too... (and apart from this additude, the update-system proved me wrong... good to hear that they are tackling that one!)
  
  --
  Free beer is never free as in speech. Free speech is always free as in beer.
19. Re:this reminds me... by Pierce · 2005-09-10 10:30 · Score: 1
  
  His argument did sound like that...for me it has to do with implementation. With ActiveX the code is loaded when I visit the page, for the average user there is no choice if the code will run; since the default settings typically aren't changed.
  
  With Firefox extensions I have to install the code, the page I am visiting does not make that choice for me. It is possible to install from different sites, but that requires changing the default settings...which most users won't do.
  
  There is also the issue that an insecure ActiveX control that is signed can be used in almost every instance of IE, where an insecure extension for Firefox may only be installed in a small fraction of the userbase.
20. Re:this reminds me... by NutscrapeSucks · 2005-09-10 10:36 · Score: 2, Insightful
  
  No, I don't think signing is a cure-all, but it does minimize one social exploit. Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash.
  
  If firefox become popular, it's possible there would be a ton of fake "Ad Block" and "Tab Browser" extentions, and signing is pretty much the only way to stop it.
  
  If you want to see an example of this in action, search Google for "eMule", the opensource filesharing client. About 90% of the links go to fake sites which are probably spyware-laden clients. Too bad the official Emule installer doesn't use Authenicode -- I would defiantly check it.
  
  Now it would be nice if code-signing was extended so that things could be "Certified by So-N-So to be Spyware-Free!". But even then, if it's an open system, fake certifiers will come about.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
21. Re:this reminds me... by NoMoreNicksLeft · 2005-09-10 10:37 · Score: 1
  
  Sounds like reality. I've yet to see an evil extension, and you're welcome to create a proof of concept for us. Strangely, even if you succeed, it will be news and a frontpage story here on slashdot... and within a few days, we'll have protections against it.
  
  Never mind that you can't install any extensions by default anyway, unless they're from a trusted domain... and you can't even click through.
  
  When the game of evil is over, and the score tallied, its activeX 1,635,498 vs firefox extensions 2. That should tell you something.
  
  I expect this to hold true, even if Firefox becomes mainstream.
22. Re:this reminds me... by demo · 2005-09-10 10:38 · Score: 1
  
  It's often a good idea to have a archive-user to own a lot of those types of files - and the repository files for projects. Just to prevent accidental removal.
  
  --
  ---
23. Re:this reminds me... by Bogtha · 2005-09-10 10:54 · Score: 2, Informative
  
  With ActiveX the code is loaded when I visit the page, for the average user there is no choice if the code will run; since the default settings typically aren't changed.
  
  What you say simply isn't true. I just booted up XP to check. The default settings are to prompt the user for signed controls and to ignore unsigned controls altogether.
  
  --
  Bogtha Bogtha Bogtha
24. Re:this reminds me... by Bogtha · 2005-09-10 11:10 · Score: 1
  
  I've yet to see an evil extension
  
  So? You aren't seriously suggesting that it's difficult or impossible, are you? The Greasemonkey extension introduced a vulnerability by accident. You don't think the same thing can be done on purpose? Or is your opinion that it's just unlikely for anybody to do it? That's security by obscurity.
  
  When the game of evil is over, and the score tallied, its activeX 1,635,498 vs firefox extensions 2. That should tell you something.
  
  ActiveX has been in use for almost a decade, and Firefox reached 1.0 last year. It should also tell me that you like to make numbers up - or do you have a source for the 1.5 million vulnerabilities statistic?
  
  Seriously, there are enough reasons to avoid Internet Explorer without inventing bogus ones.
  
  --
  Bogtha Bogtha Bogtha
25. Re:this reminds me... by baadger · 2005-09-10 11:22 · Score: 2, Interesting
  "Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash."
  
  Very very true. The problems with ActiveX all stem from uninformed users clicking yes to that XXX Toolbar popup.
  
  I definately think it'd be a good idea for Mozilla to implement a community page for every extension any firefox browser anywhere tries to install from a remote location. Something much like the current extension directory, but inclusive of extensions not even hosted there (even any commercial extensions that may arise in the future). It could work something like this:
  
  The browser hashes the extension code minus any fuzziness, whitespace etc (or better yet hash the bytecode) to try and ensure malicious authors don't try to scatter negative feedback.
  Offer the user a friendly details link to http://extensions.mozilla.org/?lookup=hash on the warning screen when they try to install the extension
  The user can read other peoples warnings, doubts, or happy reviews see the extension rating, how many people have installed it, etc and can then decide for themselves whether it's trustable enough to install.
  The hash links could be redirected to proper extension pages with names, descriptions and version #'s etc once the extension is well established and rated to be 'safe' by the community.
  For users too lazy to 'waste' time checking the feedback pages thoroughly, the warning dialog could show any immediate threat or trust rating and whether the code for this extension has been peer reviewed.
  
  Problems:
  
  Successfully identification of extensions could be tricky if a malicious author tries to dodge the system.
  The trust ratings and user comments need to be safe from poisoning and therefore moderated
26. Re:this reminds me... by ultranova · 2005-09-10 11:34 · Score: 1
  
  Sounds like reality. I've yet to see an evil extension, and you're welcome to create a proof of concept for us. Strangely, even if you succeed, it will be news and a frontpage story here on slashdot... and within a few days, we'll have protections against it.
  
  Against what ? If extensions can write to disk (which they can, downTHEMall! being a good example), they can write nasty things there. You disable that functionality, and DownTHEMall! stops working.
  
  These are not Java applets we are talking about here. These are extensions, which extend the basic browser by adding functionality - like plugins in other programs. There is no way to allow them to extend functionality and keep them from extending functionality in malicious ways, because there is no way for computer to tell what is malicious and what is not.
  
  Do you understand ? You can't run an extension in a sandbox, since that would keep it from doing anything usefull. All you can is stop pages from being able to pop up prompts asking you to install an extension X to view the page.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
27. Re:this reminds me... by WWWWolf · 2005-09-10 11:36 · Score: 1
  
  Right on. Firefox extensions are NOT equivalent of ActiveX per se. They're equivalent of BHOs (Browser Helper Objects).
  
  Of course, there's a distinct difference there as well. MSIE users first learn of these "BHO" things when run their favorite anti-spyware program and discover they have quite a few more BHOs than they thought.
  
  MSIE makes it easy to install BHOs. Perhaps too easy, leading to drive-by downloads.
  
  Firefox .xpi install mechanism has been used to spread spyware too (a long long time ago), but they kind of crampedh the spyware folks' style when they added install host permission list and made it always abundantly clear to the user that stuff was being installed and they should pause and confront themselves. No drive-bys, the user really needs to want to get that thing in, and often it's very easy to get rid of the extension too (I've heard Windows nowadays has a clear way of getting the BHOs nuked, but previously, I had to sit hours in front of MSIE to get rid of some particularly troublesome spyware bits).
28. Re:this reminds me... by Forbman · 2005-09-10 11:45 · Score: 1
  
  Hmm... no, the Windows Update ActiveX control is used to ensure that only IE is used to access Windows Update. The ActiveX control is able to exceed user's security privileges to provide back certain system information that might not otherwise be possible to do otherwise for a given user.
  
  it would have been very bad if ActiveX had been a standard repertoire
  
  Well, MS *did* want it to be the way to do what Flash does now, because it wasn't as limited compared to downloaded Java controls. But I'm going to guess that it's far easier to do 80% of what Flash does in Flash, and the other 20% is equally as complex as ActiveX, with the benefit that the Flash stuff will work on Macs, Windows, etc. (as does the development environment...).
29. Re:this reminds me... by NutscrapeSucks · 2005-09-10 11:45 · Score: 2, Insightful
  
  The trust ratings and user comments need to be safe from poisoning and therefore moderated
  
  Keep in mind that Kazaa was the run-away most popular filesharing client for years, despite all of the well-known spyware it came with.
  
  If you want to moderate all of the "wrong" opinons or just plain spam on this proposed BBS, you might as well just skip a step and put the Cabal directly in charge. (Whether that would be mozilla.org is unlikely, I think.)
  
  And since your proposal relies on hashes, browser support, and some sort of authority, you might as well accept that you've just proposed code signing and you agree with me :)
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
30. Re:this reminds me... by NoMoreNicksLeft · 2005-09-10 11:47 · Score: 1
  
  Yeh, I understand, you don't. Again, you keep talking about _when_ firefox extensions do something bad, I'm still in _if_. That's its theoretically possible, no one denies... all software is theoretically exploitable.
  
  You people like to talk about marketshare being the significant factor (it just hasn't happened yet, because no one uses it). Me, it's starting to seem like maybe there is another factor, a social one that's a (the?) significant factor. Maybe good intentions do count for something.
  
  I like to try out extensions from time to time, and yet, somehow I'm still safer than I ever could be using IE. I wonder why.
31. Re:this reminds me... by Pierce · 2005-09-10 11:47 · Score: 1
  
  Then that's a recent change, are you running SP2? I have a machine running Windows but the settings were changed from the defaults too long ago to know what SP2 might have altered in that respect.
  
  In thinking about this a little more there is also the issue of users checking the box to trust code signed by the same source. For example, all code signed by Microsoft; which could then open them to insecure code that had been previously signed....unless their browser is also set to check revocation lists (and the lists are used).
32. Re:this reminds me... by roman_mir · 2005-09-10 11:51 · Score: 1
  
  So please quit blowing yourself by thinking Firefox is l33t d00d software -- it isn't. The whole goal is stripped down and simple for the ordinary IE user. - 0h, p|3453, 5ur3 17 15 |337 d00d 50f7w4r3!
  
  --
  You can't handle the truth.
33. Re:this reminds me... by NutscrapeSucks · 2005-09-10 11:56 · Score: 1
  
  The [Windows Update] ActiveX control is able to exceed user's security privileges to provide back certain system information that might not otherwise be possible to do otherwise for a given user.
  
  Umm, no. Windows Update can only be run by Administrator users, and administrators can (directly or indirectly) do anything to a system.
  
  ActiveX has enough real problems that there's absolutely no need to manufacture ridiclous falsehoods in order to talk it down.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
34. Re:this reminds me... by Bogtha · 2005-09-10 12:18 · Score: 1
  
  Find me someone that was nailed by the accidental vulnerability.
  
  So it is security by obscurity that you are preaching?
  
  Maybe you're just one of the naysayers
  
  Actually, I'm a Firefox user, I just don't feel the need to assert its superiority at every available opportunity, regardless of its merits.
  
  it always strikes me how firefox issues always end up being theoretical.
  
  Malware writers tend to target the most popular software. Firefox has been targeted too, though. Here's the first reference to it that Google turned up. Here's another.
  
  Yeh, I like to make numbers up, but I forgot to label it sarcastic. Fuck you, loser.
  
  I'm a loser because I dare to point it out when you make stuff up to prop up stupid arguments? Have some dignity and just back off when you are wrong instead of resorting to name-calling. Don't be so childish.
  
  --
  Bogtha Bogtha Bogtha
35. Re:this reminds me... by ikkonoishi · 2005-09-10 12:29 · Score: 1
  
  I think the svg/canvas support could quickly become a reason.
  
  Check this out for a simplistic demo of canvas support. (Must have Deer Park Beta 1 or greater)
  
  Check the source code. Everything is written in javascript. Security doesn't sell browsers to non tech people. Cool widgets sells browsers to people.
  
  The insecurity of the extensions can be fixed. Even right now firefox has a "OMG WTF THIS COULD BE BAD!!!" screen when you are installing an extension from a new site. You have to go through 3 pages to add that site to your allowed list.
36. Re:this reminds me... by Zebra_X · 2005-09-10 12:51 · Score: 1
  
  Recent as in last year... Yes - keep in mind that by the time firefox had been published with such functionality - the lesson had already been learned by MSFT users around the globe. Thus its incredibly easy to say "oh firefox already HAD that".
  
  The *idea* of self installing extensions is a good one really. Its unfortunate that our trust as end users continues to be exploited.
37. Re:this reminds me... by NoMoreNicksLeft · 2005-09-10 12:54 · Score: 1
  
  >>Find me someone that was nailed by the accidental vulnerability.
  
  >So it is security by obscurity that you are preaching?
  
  Security by obscurity has a simple definition. It's "microsoft keeps bugs secret, so hackers can't use them!". Firefox, and its extensions, are open source. There is no such thing, dufus. What I meant is "show me the victims". It would be astronomically unlikely for there to be no victims for no other reason than "good luck". So if there are none (and you haven't produced any), then there must be something other than guardian angels swooping out of the heavens to protect users of extensions.
  
  >>it always strikes me how firefox issues always end up being theoretical.
  
  >Malware writers tend to target the most popular software.
  
  Yeh, so you and every other troll claims. Truth is, you *could* be right, not enough examples yet to know, now is there...
  
  But.
  
  The one example we do have is IIS vs. Apache. Maybe the first nascent example is just a fluke, who knows?
  
  Loser.
38. Re:this reminds me... by extrasolar · 2005-09-10 13:00 · Score: 1
  
  As we all know, the elite don't run browsers. We use telnet.
39. Re:this reminds me... by Anonymous Coward · 2005-09-10 13:50 · Score: 1, Insightful
  
  I like to try out extensions from time to time, and yet, somehow I'm still safer than I ever could be using IE.
  
  That safety is an illusion. I saw one extension (or it might have been a Greasemonkey script; the difference isn't important as it could have been either for this vulnerability to work) that was intended to serve as a browser-based single sign-on. It passed all the passwords to Javascript dynamically loaded from an external site. Purportedly, this was because it started out life as a bookmarklet, which has space limitations. Tell me how Firefox's superior security prevented that from happening? Oh wait, it didn't. Tell me how the social factor prevented that from being used? Oh wait, smart people were recommending it.
40. Re:this reminds me... by hellanacho · 2005-09-10 15:22 · Score: 1
  
  "Security through low marketshare?!"
  
  works for Apple.
41. Re:this reminds me... by Bluey · 2005-09-11 02:12 · Score: 1
  
  people would find it quite strange if they were required to install an extension for viewing just one web site.
  
  I think the proliferation of ActiveX-based spyware installations on IE-enabled PCs debunks this theory. Uninformed Joe tends to see a dialog to install something in order to view the website, and since they want to view the website, they install it. I don't think this is a function of what web browser they run in the slightest. Until they're educated on what spyware is and why they shouldn't install everything they find on the internet, users just don't know to do otherwise.
  
  Extensions, plugins, activex, they're all the same thing: downloading code to be executed on your PC. I think the key difference with ActiveX was the ease with which developers could add rich functionality to websites viewed in the most commonly used browser in the world. This led to ActiveX controls becoming more common (before everyone started shying away from them), installing them more routine for users, and users less like to think anything out of the ordinary was going on when asked to install one.
  
  Firefox extensions look to be aimed more at enhancing the browser UI than adding rich content to a website. It remains to be seen if it will stay that way though, especially if Firefox's market share increase significantly.
42. Re:this reminds me... by XO · 2005-09-11 08:59 · Score: 1
  
  How about just have the browser automatically check the URL of the extension the user has asked to install (wether knowing so or not) with some database on mozilla.org, at which point, it will automatically bring you anything known about that extension, and it would be required that you at least acknowledge it?
  
  --
  "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
43. Re:this reminds me... by XO · 2005-09-11 09:02 · Score: 1
  
  I didn't say that Firefox users should be the most intelligent. I said that it's automatically assumed that Firefox users will be more intelligent. Why is this? Because it's developed by open source developers. I have never found a single open source project that had "ease of use for non-developers" as any point that it was ever striving for.
  
  --
  "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
44. Re:this reminds me... by XO · 2005-09-11 09:07 · Score: 1
  
  default on XP pre-SP2 (I just checked, as I don't have SP2 on this box) is to ask for any code.
  I think it was 5.5 IE that had the defaults to run anything signed automatically, and prompt for unsigned.
  
  --
  "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
45. Re:this reminds me... by baadger · 2005-09-11 22:22 · Score: 1
  
  That'd work but I suspect the first wave of dodgy scam URL's that are smart enough to exploit firefox users would also be smart enough to thawte this just by introducing a random string into the URL on each hit.
  
  Theres also no gaurentee the domain/IP will remain the same..and then there's the privacy issue of sending mozilla url's of extensions you're trying to install.
  
  Thats why i suggested some kind of heuristic/hash mechanism on the code.
Where's my bittorrent:// ? by Anonymous Coward · 2005-09-10 08:38 · Score: 3, Insightful

Where's my bittorrent:// protocol??!?!

I would love to simply do a bittorrent from firefox. I think that'd spur alot more users and make it easier to... um... *LEGAL* download torrents... (like knoppix, fedora, etc.)

Bring on the torrents!!!
1. Re:Where's my bittorrent:// ? by dzarn · 2005-09-10 08:59 · Score: 1
  
  Where's my bittorrent:// protocol??!?!
  
  Waiting for you to write it?
2. Re:Where's my bittorrent:// ? by brsmith4 · 2005-09-10 09:01 · Score: 5, Informative
  
  http://firepuddle.mozdev.org/ might help sometime soon...
3. Re:Where's my bittorrent:// ? by MSch · 2005-09-10 09:03 · Score: 2, Informative
  
  Opera 8.10 has integrated bittorrent support.
4. Re:Where's my bittorrent:// ? by drsquare · 2005-09-10 09:38 · Score: 2, Funny
  
  Well, Opera usually seems to be a few years ahead of Firefox when it comes to functionality, speed and ease of use, so we should see integrated bittorrent support for Firefox somewhere around 2009.
5. Re:Where's my bittorrent:// ? by TeknoHog · 2005-09-10 10:20 · Score: 1
  
  I would love to simply do a bittorrent from firefox.
  You can do this now, as long as you have bittorrent installed. You can instruct Firefox to open torrent files in the application, just like we do with many other file types such as postscript.
  I don't really see a need for the bittorrent:// protocol specifier; with the current system, torrents are files that are usually downloaded with http. Of course BT is another protocol in itself, but this would mean rather messy URLs because the contents of the torrent file would be needed after bittorrent://. It's like sending mail by writing smtp:// in a browser. We don't do that kind of thing in a _web_ browser, even though it's technically possible.
  It's a lot simpler to download the torrent via http, and then launch an application to handle it. The application itself could be a Firefox extension, if you like. I think this is how it works wit Opera.
  Personally, I like to keep torrents separate from a browser, and rather run them on my server in screen. But I would also like to see much more user of bittorrent, and to enable that we should have BT functionality in browsers.
  
  --
  Escher was the first MC and Giger invented the HR department.
6. Re:Where's my bittorrent:// ? by NutscrapeSucks · 2005-09-10 10:24 · Score: 1
  
  Yup, Firefox isn't using enough memory right now -- let's run Bittorrent in the same process space too! Memory protection is overrated anyway.
  
  How would a bittorrent:// protocol and accompanying extention provide a better experience the current system of http, a torrent file, and a stand-alone client? It's only two fricking clicks to download something -- not like that's preventing people from installing Linux.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
7. Re:Where's my bittorrent:// ? by MobyTurbo · 2005-09-10 13:05 · Score: 1
  
  Where's my bittorrent:// protocol??!?!
  Ubuntu Linux has pre-configured bittorent (or rather, a GNOME GUI front-end) to automatically activate if you click on a bittorrent file.
"hot the heals"? by Anonymous Coward · 2005-09-10 08:39 · Score: 1, Insightful

A grammar mistake and a spelling mistake in the same phrase. Learn English, guys.

And that statment "RC for Beta 1 of Firefox" without the "v 1.5" modifier implies that Firefox is something new that is about to be released. Does no one even try to edit these things?

You do realize that these mistakes distract readers' attention from the actual article content, right?
Re:XPIDL? by Sduic · 2005-09-10 08:47 · Score: 1

...XPCOM library...

"XPCOM: OS Defence" being the most popular.

--
*this space intentionally left blank
"One of the four pointers saying 'come and see', and I saw, and beheld a white
In other words... by nmb3000 · 2005-09-10 08:48 · Score: 4, Insightful

Firefox extensions are are useful and powerful tools when used correctly, yet have the ability to easily become malicious and destructive if the user doesn't pay attention.

Hmmm, sounds a lot like ActiveX. While the main intent for the two is a little different (browser tweaking vs. client-side scripting & server interaction), both require users to make informed decisions. People going on about how Firefox is so much safer because it doesn't support ActiveX might need to consider dropping that argument. As Firefox's market share grows, so will the number of websites that advertise Firefox plugins, and unaware users will be just as susceptible to malware and viruses as they were with IE.

--
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
1. Re:In other words... by Unordained · 2005-09-10 09:19 · Score: 3, Informative
  
  It seems like it'd be nice if apps like Firefox were routinely (!) run as a user with fewer privs than the actual user sitting at the terminal. I know it needs -some- disk access for cache, etc. and some access to the user's files (when uploading or downloading specific files) but on the whole it'd be nice to have some sort of mechanism in place to keep apps from accessing things when they shouldn't. The view that an app should only have access to the current user's files is okay, but not ideal -- users still don't want their own setup trashed by some tricky extension, even if the rest of the host computer is fine. In a multi-user environment, that's not so easy ... creating a new user, for every app/user combination, that provides exactly the access required by the app and no more. Lots of maintenance.
  
  I'm not sure that users would be very accepting of an environment in which they were asked each time an app requested a new file handle -- "would you like to allow Firefox to access /home/unordained/file1.txt in read-only mode?" ... "would you like to allow p2p-app-1 to open a socket to ip xxx.xxx.xxx.xxx?" ... "would you like to allow some-app-2 to change the following registry keys?" ... but that is, (without the annoyance) what I'd like. Our computing environments are just far too unsafe for the average user.
  
  Suggestions? Existing (partial) solutions? (This is your opportunity to go on at length about your preferred, overly-safe-for-you operating system, and for others to trash it on grounds of any remaining work-arounds.)
2. Re:In other words... by Leffe · 2005-09-10 09:40 · Score: 2, Interesting
  
  How is "download virus.xpi here idiot" any different from "download virus.exe here idiot"?
  
  Stupid people are stupid, they make the Internet and the world a worse place for all of us. It's too bad I don't have the time to spend to revoke all of their life certificates.
3. Re:In other words... by Anonymous Coward · 2005-09-10 09:54 · Score: 1, Informative
  
  Extensions can never be installed without you knowing it. For a website to install an extension, you have to manually add that website to a whitelist, and then you have to stare at the installation dialog for three seconds and then click install.
  The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.
  
  If someone is dumb enough to get a malicious extension installed with these security measures, he deserves to have his machine compromised.
4. Re:In other words... by Bogtha · 2005-09-10 10:07 · Score: 1
  
  It seems like it'd be nice if apps like Firefox were routinely (!) run as a user with fewer privs than the actual user sitting at the terminal.
  
  Suggestions? Existing (partial) solutions?
  
  Internet Explorer 7 will have something called "low-rights IE". Another follow-up is on the IE weblog.
  
  --
  Bogtha Bogtha Bogtha
5. Re:In other words... by SeeTheLight · 2005-09-10 10:15 · Score: 1
  
  What would be nice is if there was some sort of support for "sub-users", or some sort of sub-level type of users that are limited within one's user account with less privileges than the main user. So user "bob" and "joe" can each have a sub-user named "firefox" (that the app sets up for every account on the system when installed by the admin) that is limited to a small set of dirs inside the user's home directory. If the app tries accessing any dirs outside the default set of allowed dirs, the O/S should display a dialog saying that the app is trying to access areas outside where it is allowed and give the user a choice to "allow" or "deny" that (just once for the duration of the app being open). That dialog should also outline how unsafe it is to grant an app full access to one's files and offer an option to "always allow the app full access to my files". Once an app is granted access to all the user's files, its titlebar or the window border should change to a different color so the user knows the app has more privileges than another app.
6. Re:In other words... by NutscrapeSucks · 2005-09-10 10:51 · Score: 1
  
  The upshot is to really do it right, you need operating system support for an application-based security model. No current desktop OS currently supports this kind of security -- they are all firmly rooted in the user-based security model inherited from time-sharing systems.
  
  That means either waiting for Vista or waiting for someone to add this security model to Linux/X11. Hopefully Firefox (and other internet software packages) will mimic IE and also have "low-rights" support on Vista.
  
  --
  Whenever I hear the word 'Innovation', I reach for my pistol.
7. Re:In other words... by cortana · 2005-09-10 11:31 · Score: 2, Informative
  
  You are describing SELinux. :)
8. Re:In other words... by jesser · 2005-09-10 11:42 · Score: 1
  
  would you like to allow Firefox to access /home/unordained/file1.txt in read-only mode?
  
  Make the file picker return a capability to access the file, not just the filename. Then if I want to upload a file using the web browser, picking it automatically gives Firefox permission to read it.
  
  would you like to allow some-app-2 to change the following registry keys?
  
  Firefox uses the Windows registry to set itself as the default handler for several protocols (e.g. http:) and default handler for several file types (e.g. .html). Turn these into operating system dialogs, and then a less-privileged process can ask to set itself as the default browser with about the same amount of user interaction as the confirmation dialog that's already part of Firefox.
  
  --
  The shareholder is always right.
9. Re:In other words... by Ed+Avis · 2005-09-10 20:50 · Score: 1
  
  Yes - and while you're at it why not do this for all applications not just Firefox?
  
  It's another reason why the file picker should be part of the desktop environment (like the window manager or panel) and not implemented separately by every application.
  
  If your apps are GNOME apps or KDE apps then of course they use a library to display the file picker dialogue, but it's still running as part of the application. This means that the app needs to run with permission to view the whole directory tree and open any file the user can open. Whereas if the file picker were a separate process and passed an open filehandle to the app once a file was selected, the application could run with very minimal permissions.
  
  Personally, I like the idea of dragging a file from the file browser onto the application icon to load it, and dragging from the application into a directory window to save. See ROX. (The same principle could be applied to other actions - eg no need for every application to run with permission to make connections to lpd to print, instead drag an icon from the app to a printer icon to print the document. This probably sounds like overkill though.)
  
  --
  -- Ed Avis ed@membled.com
10. Re:In other words... by Mark+Hood · 2005-09-10 23:46 · Score: 1
  
  The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.
  
  Really? Who checks them, and vouches for their safety? Where on that site does it say that everything is 'thoroughly checked'? And if they do stand behind everything on that site, why don't they sign them? There's clearly no coherent policy yet.
  
  OK, so they don't write them, they won't sign them - fair enough. But then even the 'official workaround' XPI you could download to fix the IDN problem isn't signed. (Check for yourself: Click Here). So I hear about a security problem, but the only patch available relies on me to check the URL to make sure it's OK - and the fault is one that allows me to pretend to be another URL! Granted, the page it's linked from is HTTPS, but that's no guarantee...
  
  Or alternatively, someone can alter the XPI (or write a new one), pretend to mirror it and offer it for download - since the real one's not signed by Mozilla, I can't prove I'm not getting the right one!
  
  Unless extensions get signed, we'll never know where they come from - and I could find myself downloading a malicious extension from whatever.mozilla.org, and assuming I'd be OK.
  
  I know signing isn't the be-all and end-all (there's nothing to stop someone signing a malicious app) but at least I could see it wasn't signed by a Mozilla developer!
  
  Say what you like about Microsoft, but at least they tend to sign their Active X stuff, patch downloads, etc.
  
  And yes, I've spoken about this before...
  
  Mark
  
  --
  Liked this comment? Why not buy me something nice
11. Re:In other words... by ocelotbob · 2005-09-11 02:13 · Score: 1
  
  The future is now systrace does everything you say and more, and been around for a while now. It's NetBSD only, but will most likely spread in its availability.
  
  --
  Marxism is the opiate of dumbasses
Re:Request for Firebird developers by qbwiz · 2005-09-10 08:48 · Score: 1, Informative

It's called Thunderbird, not Firebird.

--
Ewige Blumenkraft.
Danger Will Robinson! by Elrac · 2005-09-10 08:53 · Score: 5, Insightful

All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox.
But... but... isn't it just this extreme flexibility that represents the biggest Achilles heal (sic) of Outlook and IE? Isn't this what Mozilla proudly avoids?

I realize that there are some differences, such as the fact that the red carpet is only rolled out for extensions the user trusts, but... when you advertise Firefox to dummies, your trusting users will BE dummies!

--
When one person suffers from a delusion, it is called insanity. When many people suffer from a delusion it is called Rel
HORRIBLE idea by Noksagt · 2005-09-10 08:57 · Score: 1

I would really like is the ability to click on one or a group of e-mail and send back to the sender (or whatever e-mail address the lying spammer has used for the reply address)This is a bad idea because, as you noted, most spam spoofs FROM: and/or REPLY TO:

Instead of bounding spam, you just harrass & send spam to some poor guy who had his email address borrowed by some spam bot. Congratulations! You just became as bad as the spammers.
Re:HORRIBLE idea..(and my inability to close tags) by Noksagt · 2005-09-10 08:59 · Score: 1, Redundant

Yeah--my overzealousness to point out how bad an idea this was made me miss a BLOCKQUOTE tag.
I would really like is the ability to click on one or a group of e-mail and send back to the sender (or whatever e-mail address the lying spammer has used for the reply address)
This is a bad idea because, as you noted, most spam spoofs FROM: and/or REPLY TO:

Instead of bouncing spam, you just harrass & send spam to some poor guy who had his email address borrowed by some spam bot. Congratulations! You just became as bad as the spammers.
anti-ActiveX by Noksagt · 2005-09-10 09:11 · Score: 1, Informative

Hmmm, sounds a lot like ActiveX.
ActiveX can't be exploited by other browsers & also limits the architecture and OS choice. The history of security problems with ActiveX has a much richer history. I don't know how much their model has really improved. Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited. They are better sandboxed than IE ActiveX controls used to be. Firefox extension websites must be whitelisted before an install. I think IE has also moved to this model, but there were big problems when thing would be installed by default.
1. Re:anti-ActiveX by bfields · 2005-09-10 12:48 · Score: 1
  
  Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited. They are better sandboxed than IE ActiveX controls used to be.
  
  From the submission: "Extensions also have as much access to the file system as the user running Firefox." What sandboxing?
2. Re:anti-ActiveX by Noksagt · 2005-09-10 12:58 · Score: 3, Interesting
  
  They are better sandboxed than IE ActiveX controls used to be.
  Here, I made a (rightly well-criticized) mistatement. I'm wrong. Both XPCOM and ActiveX can execute with full user-priviledges.
  
  As I said, though: webpages could tell IE (at least used to) where to download an ActiveX control. If the control was not already installed, IE would automatically download and install the control from the specified source. In firefox, the page must me whitelisted before extensions could be downloaded. Can someone tell me if IE has changed to the whitelist model yet? Last I heard, they were even maintaining a list of malicious ActiveX controls. This seemed inance to me, as there is most likely more malicious junk out there than truly useful controls.
Re:HORRIBLE idea..(and my inability to close tags) by radish · 2005-09-10 09:14 · Score: 2, Informative

Speaking as someone currently undergoing such a "borrowing" - it sucks.

Please for the love of god people, don't bounce messages back saying "My spam filter has blocked your message". I didn't send it, I don't care. Leave me alone!!!!!

--
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
Re:HORRIBLE idea..(and my inability to close tags) by Noksagt · 2005-09-10 09:36 · Score: 2, Insightful

The problem is he probably ISN'T a spambot. The FROM header is very easily spoofed. His machine need not be the sender for the message to claim it came from him.
Re: Firefox 1.5 by moonbender · 2005-09-10 09:45 · Score: 1

Please tell me you didn't write that flame-ish post because of the new options panel. Can't figure out any other "significant" change in the UI, though.

--
Switch back to Slashdot's D1 system.
Re: Firefox 1.5 by easterlingman · 2005-09-10 09:45 · Score: 1

How about the way Microsoft copied Firefox almost exactly with their popup blocker toolbar?
Re:Hot on the Heals by rm69990 · 2005-09-10 09:48 · Score: 1

-1 Flamebait.

Discussing the security vulnerabilities is entirely appropriate, but bringing them up on every Firefox article when it is completely off-topic is flamebait.
Re:HORRIBLE idea..(and my inability to close tags) by radish · 2005-09-10 09:49 · Score: 2, Insightful

I'm not a spambot you moron. Go read up on SMTP and some back when you know what you're talking about. The FROM and REPLY-TO headers are spoofed (trivially easy) and the spamees aren't checking my domain's SPF records. Nothing to do with me whatsoever, other than getting me flooded with bounce messages.

--
---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
Review of Pro Firefox? Other book suggestions by Noksagt · 2005-09-10 09:50 · Score: 1

Has anyone seen galley copies of Pro Firefox: Extension and Application Development? Or does anyone have any other suggestions for dead-tree guides for developing firefox extensions? I know of books on XUL , but none targetted for basic extension programming.
More Resources by stoolpigeon · 2005-09-10 09:57 · Score: 4, Informative

These are a few sites that I found helpful. Some are a little old but I got something out of all of them.

http://www.xulplanet.com/
http://kb.mozillazine.org/Dev_:_Extensions
http://roachfiend.com/archives/2004/12/08/how-to-c reate-firefox-extensions/
http://businesslogs.com/technology/firefox_extensi on_tutorial.php
http://www.bengoodger.com/software/mb/extensions/p ackaging/extensions.html
http://mozilla-firefox-extension-dev.blogspot.com/
http://books.mozdev.org/index.html
http://www.mozilla.org/xpfe/gettingstarted.html

Of course another good way to learn about extensions is to download a few and look at the code. That has probably been the biggest help to me once the tutorials, etc. gave me the basic idea of what is going on.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
1. Re:More Resources by Giulio+Cesare · 2005-09-10 17:12 · Score: 1
  
  An extensive list of resources (Websites, Books, Forums on creating web browser extensions) can be found at Web Browser Extensions -- Programming Resources
What you have to realize: by bhsx · 2005-09-10 10:03 · Score: 1

Everyone needs to realize that this is indeed needed functionality. What kind of browser would it be if you couldn't save a .zip file or anything else to your hard drive? Any program you've ever used has the ability to be harmful. Let me repeat that: Any program you've ever used has the ability to be harmful.
It's all the ability to trust what you're putting on your hard drive to begin with. I run Windows on one box and Linux on the other. I tend to run OSS software on my Windows box too. Why? Because I tend to trust it more! I can rest (mostly) assured of the peer review process in an OSS app, and that if some nasty mal/spyware is included, or if it crashes systems left and right, that the community will let me know that before it ever gets to my hard drive to begin with.
I would be even more assured, could I read/write C/C++; but for my needs this process works fine.
If you don't know the reputation of the source of a binary, you probably shouldn't be downloading it.
I obviously digress; but extensions for Firefox is not a problem. Malicious programs abound, be careful where you get your apps.

--
put the what in the where?
Talk about appropriate... by null+etc. · 2005-09-10 10:05 · Score: 3, Funny

The article is a little more thorough than necessary
...followed by a 146-word "excerpt" from the article.
Re:But what if... by protocol420 · 2005-09-10 10:06 · Score: 2, Funny

good luck finding a compiler built into the kernel

--
www.gaian-mind.org - eco-punk/crust coop and collective | www.anarchistfederation.org - so cal anarchist federation
yes by Xtifr · 2005-09-10 10:06 · Score: 1

> Does no one even try to edit these things?

There's a common saying around here...what is it? Oh yes: "You must be new here!" Or was that a rhetorical question? :)

> You do realize that these mistakes distract readers' attention

And if you've ever had your site slashdotted, you're probably grateful for anything that distracts some percentage of the readers. :)
Re:Hot on the Heals by ergo98 · 2005-09-10 10:30 · Score: 1

Actually it should be -1 Offtopic for being a spelling/wrong-wording post. The submitter presumably intended to say "hot on the heels", as "hot on the heals" is nonsense.
Re: Firefox 1.5 by NutscrapeSucks · 2005-09-10 10:42 · Score: 1

You are misinformed. That info bar was in SP2 betas for months before Firefox shamelessly ripped it off.

--
Whenever I hear the word 'Innovation', I reach for my pistol.
My thinking on the subject by TheSpoom · 2005-09-10 10:58 · Score: 4, Insightful

When should you use a Firefox extension?

Only when you're EXTENDING FIREFOX.

If your website requires an extension (or, for that matter, ActiveX) to work, you're simply coding it incorrectly.

Possible exceptions includes Windows Update, but even then, Microsoft coded that as part of the OS in XP, so the web portal really isn't necessary.

--
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
More misconceptions about XPCOM by SimHacker · 2005-09-10 11:07 · Score: 1

No, Mozilla extensions are NOT inherently open source, nor are they more secure than ActiveX. We're discussing XPCOM extensions, which are compiled binaries, not JavaScript.
Yes, there is a double standard about downloading ActiveX controls and XPCOM controls. XPCOM controls are at least as unsafe as ActiveX controls. At least ActiveX supports code signing, which XPCOM doesn't.
Open source has to do with the rights you have to use the code, not just that you can read the source code. It's certainly possible to write a browser extension or anything else in JavaScript that's not open source -- you just say in the comments "Copyright (C) 2005 by . All rights reserved." You don't even need to say that -- it's it copyright by default, but not open source by default.
Even if your point about being able to read XPCOM extension source code was factually correct, only an infintesimally small percentage of people actually even bother to read the code they download before they run it. And even if you can read it, it might be quite obfuscated and contain thousands of lines of code -- in fact the authors themselves might not even know that the code has security holes.
Take a look at the JavaScript source code to google maps, for example. Oh you haven't already read over every line of that code looking for security holes? That's exactly what I mean.
Please don't make the Raymondesque argument that open source code doesn't have security holes because everyone can read it, unless you personally read all the code you download before you run it yourself. Including the configure scripts!
-Don

--
Take a look and feel free: http://www.PieMenu.com
Re:MathML by Forbman · 2005-09-10 11:39 · Score: 1

You don't even need to say that -- it's it copyright by default, but not open source by default.

Whether the license on the copyrighted JavaScript says it's "open source" or not, if you can access and read the JavaScript code, it's out there in the open for all eyeballs to look at and discuss. Whether I can find a security hole or not or whether the code is obfuscated to hell or not is not really germane, nor is whether the authors know or not if the code has security holes in it, because there is probably someone crazy enough to "deobfuscate it" (i.e., like crackers, etc., who are patient enough using tools like disassemblers, hex editors and SoftICE to break SecureROM for NOCD cracks) and make sense of it, especially if the code promises some interesting techniques to be had (like Google Maps).

Please don't make the Raymondesque argument that open source code doesn't have security holes because everyone can read it, unless you personally read all the code you download before you run it yourself

Again, I should go green salmon fishing with this can of red herring. It is far easier for SOMEONE (whether it is me, you or the geek who never leaves his grandmother's basement with the OC-3 connection to the house...) to look at the source and simulate whether there is any weaknesses in it. It's obviously easy enough to do already with complex executables and libraries without access to any form of source code.

If it's open sourced, getting any changes back into the stream are far easier than if they're discovered in closed source, especially if the vendor regards 3rd-party security discoveries with great disdain and mockery.

I think also that code signing has proven to not be as trustworthy as Microsoft has pimped it up in the past. I certainly do not regard it as "trustworthy". Accountability? Oh, please. What if the certificate was issued to some company in .IQ or some other country you've never heard about? It really is a false sense of security.
Common misconceptions about XPCOM and ActiveX by SimHacker · 2005-09-10 11:59 · Score: 4, Informative

Noksagt, you are wrong, and spreading some common misconceptions, which you should stop repeating.
XPCOM extensions for Firefox are compiled binary machine language files, which have just as much access to your system as ActiveX controls do. Firefox XPCOM extensions are no more secure than ActiveX controls. Binary ActiveX and XPCOM controls are useful for situations where you need to do things that JavaScript doesn't support, like shaping the window of a pie menu (an open source ActiveX component, that you can download the source code if you like).
Internet Explorer has something similar to the way you can write Firefox extensions in JavaScript and UIL. But that's a totally different thing than binary ActiveX controls and behaviors, and it severly restricts what you can do.
You can script trustable ActiveX controls for Internet Explorer called "Dynamic HTML Behavior Components", using JavaScript (or any other ActiveX compatible scripting languages), XML and DHTML.
For example, user interface components like JavaScript Pie Menus for Internet Explorer or the Run On Sentence dynamic text animation style run with the same restrictions as JavaScript in the browser, so they can't access files or shape popup windows. (Also open source).
-Don

--
Take a look and feel free: http://www.PieMenu.com
long-needed protocol handler by heretic108 · 2005-09-10 14:04 · Score: 1

is one for freenet:<uri> URLs.

A Firefox plugin for supponting such URLs would be a huge boost for freenet.

www.freenetproject.org

--
-- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
1. Re:long-needed protocol handler by Dantu · 2005-09-11 02:28 · Score: 1
  
  The problem with handling freenet protocols is that you'd need some sort of freenet gateway.. and last time I ran one of those at home it used up around 120Mb of RAM and a significant portion of my broadband connection 24x7.
  
  I suppose the plugin could redirect you to some other gateway, but that's just URL rewritng, seems like a better candidate for a greasemonkey script than a full plugin.
Thank You by stoolpigeon · 2005-09-10 17:46 · Score: 1

That's awesome.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
another tutorial by wikinerd · 2005-09-10 18:09 · Score: 1

here you can find another tutorial, although it's a bit old now.
Speaking as one who has coded... by Hosiah · 2005-09-10 20:22 · Score: 1

I prefer my tutorials briefer and pithier. I don't want to be in mid-nested-block and have to flip through 10 pages of the print-out looking for that one line I need amidst the author going on at length convincing me how folksy and friendly he can sound.
But I like how Python comes up yet again. It's nice, for once in my life, to learn a language and *then* see it catch on in a big way, instead of finishing learning a language on the very last day before it dies. I'm predicting that Python is going to soon be as ubiquitous as BASIC was back in the Stone Age.
Re:But what if... by ScriptedReplay · 2005-09-10 21:29 · Score: 1

good luck finding a compiler built into the kernel

what, you mean GNU/Emacs does not come with a built-in compiler??? Someone'd better warn RMS soon.

oh, you meant Linux ... nevermind then