Slashdot Mirror
A Mozilla Plugin to Help Overcome IE Rendering Flaw
least_weasel writes "An article on Ars Technica reveals Mozilla's intention to create and release a plugin for Internet Explorer that would allow the often-criticized IE to utilize some of the cooler rendering code developed for Firefox. The current WIP focuses on rendering using HTML5 standards, but the plans seem to be more ambitious than just fixing this one small piece of IE. The article covers some of the plans, hurdles, and potential benefits. It also spills the beans on the code name for the project: Screaming Monkey."
What's the advantage over just installing Firefox? Do people who don't have permission to install software have permission to install plugins like this?
Great idea... but if someone would have the wits and knowledge to look for this plugin, wouldn't they be using FF already? If websites prevented stuff from working without this plugin, wouldn't that just turn off viewers? Not sure how this is going to help, people have been harping at Microsoft about standards for years and all they've done is move towards them at the pace of a snail.
Comment removed based on user account deletion
Is it a sad or happy day for Microsoft, when their competitors get bored with beating them, and instead try to improve the Microsoft products to make them competitive - for free?
I run Firefox for NoScript and AdBlock...I could care less about rendering a page .002 picoseconds faster.
So I take it Balmer is involved in some way?
I've been reading about this for months. Its not exactly top secret.
https://wiki.mozilla.org/Tamarin:ScreamingMonkey
FYI, Screaming Monkey was already discussed in an earlier story.
The only problem is getting people to install the plugin. My own solution was to use the market penetration of Java Applets to develop a shunt that would render Canvas using Java APIs. (Note that the events system has not been completed in that demo. Make sure you click outside the block falling area so that the browser receives the keyboard commands.)
The same sort of shunt could be done with Flash 9 or Silverlight. Which would do a nice end-run around the problem of getting plugins installed.
Javascript + Nintendo DSi = DSiCade
Now with all of the features of Firefox, without the bother of all the security.
HTML 5: have DOM storage (session and local) and database storage. These should all be SameOrigin. Meant to block userâ(TM)s deleting of tracking cookies. Use of database storage, there can be SQL injection against the local database. Some browsers support GlobalStorage that donâ(TM)t have SameOrigin control. Lots of new attack surface in FF3. Websites can be protocol handlers (support spyware!!). Installation of protocol handler is one click. WebKit is a big supporter of HTML5 and supports these issues.
HTML5 has limited storage (~ 15 Mbytes total) allowing easy exhaustion attacks and there is no UI to manage this. DOS is easy. Can easily plant arbitrary evidence on a system. HTML 5: Security âoeneed to write this sectionâ.
We now have web developers making desktop apps without any security or privacy expertise. The Web is becoming more heterogeneous and far far more dangerous.
Hey, that's great. Do they also have plans to fix the flaws in Firefox?
Off the top of my head, could we finally have support for SVG as a native image format? Or even just SVG rendering that isn't slower than a stone cow?
Don't want to sound like the grumpy old man, I just want most of my web shit to work in *one* browser before I worry about how it works in every browser.
Never approach a vast undertaking with a half-vast plan.
Well i'll be darned, I guess someone should call the XHTML2 camp and tell them they lost the war!
Nah, don't bother them. They're busy working on the HD-DVD website.
Those who believe the Internet is private,
find their privates are on the Internet.
M$ didn't leave it broken so users had to deal with it, they left it broken so developers continued to support IE. If we have to code differently for IE, because it doesn't follow standards and many users use IE, it makes us constantly concerned with what M$ does.
It's like the ex who keeps you as a friend on facebook and makes sure you see all those new pictures with her new bf. Except with IE you just can't defriend it.
We now have web developers making desktop apps without any security or privacy expertise. The Web is becoming more heterogeneous and far far more dangerous.
What bothers me is how security is somehow pushed to the forefront as the most important issue, even more important than functionality.
The most secure system is one that is turned off. This new stuff they're adding increases the attack surface, sure, but it's also necessary to build stuff that actually works (like a web app that doesn't die when your wifi does).
But even aside from the issue of functionality vs. security, there's the issue of security somehow being way more important in the browser, which I think is nonsense. Client-server apps have always had lousy security, and were easily hijacked. Just because they now run in a browser, the threat level hasn't changed. A hacker that is determined can break in sure, but they've always been able to break in. Nothing has truly changed, except for the perception of the threat level.
All in all I think the web stack is pretty secure by default, when comparing it to the alternatives.
HTML5 comes in two flavours. One is straight HTML5 which is based off HTML4 (same parsing rules), the other is XHTML5 which is strict XML and requires the application/xml content type. None of them are really related to XHTML2 which is mostly dead at this point.
can design on a sane model with sane tools, deploy the plugin when the users are IE.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
"A Mozilla Plugin to Help Overcome IE Rendering Flaw"
Should it not read: A Mozilla Plugin to add Enhanced IE Rendering?
Come on. This old fight between browsers is becoming stale. IE included many things now in the HTML specs that were not available in any other browser, such as CSS Style for shadow effects, etc. Why is it that when something new comes out for IE that it is automatically described as a "bug" fix or a workaround to a "flaw"?
Please people, I like FF and IE for different reasons. At least write unbiased stories and stop bashing each other's code efforts.
This is exactly backwards to what most of us need. We need a [multiplatform] plugin for Firefox that will allow broken IE-only sites to work under Firefox so we can continue to use the browser of our choice. Not that I want to promote the use of IE-only coding, but the reality is that if the site doesn't work, the average users always blame Firefox, not the site designer.
This is entirely correct; the market leading browser is non-standard in many ways, and that breaks standards as a concept, or might have. But that is just a tactic towards a strategic goal, and it was the strategic goal to which I alluded in my post. Standards largely won out, so today we say IE is borken rather than saying it is the One True Way. Nice play, MS.
Standards are like the white blood cells of the Internet, and are the chief way that the system is able to work at all given the complexity and chaos of its origins. Without standards, it would eventually fall apart due to internal "diseases" born of the Not Coded Here mentality of corporations. MS probably wasn't so worried about the threat of email, or IRC, or gopher-space. But a graphic application that ran over resources and data spaces not-on-the-desktop must have made Bill Gates soil himself.
Thanks for the critique.
-- act fast decide fast --
=^..^= all your rodent are belong to us
Have Mozilla send come checks to all major software companies (Adobe wink wink) - perhaps Google can through in a few $100 million in the pot too to distribute. Goal: install Firefox (if not installed yet) and make Firefox the default browser. A little taste of Microsoft's own medicine.
*nawcom sips from his glass of kool-aid*
Any person "clever" enough to click Yes on an activeX installation prompt, you mean?
What's the difference between web developers and regular developers? Take a look at any desktop applications and tell me that they're programming with better security practices than web developers. Windows, apache, IIS, OSX, and many more programs include critical security holes that can be exploited externally; how is a buffer overflow any better or worse than improperly escaped SQL?
Developers as a whole have been programming without security and privacy expertise, web developers just happen to have a program that's exposed to (at best) everyone in a particular company, or often everyone in the world. With that kind of exposure, what percentage of non-web-based programs would survive without getting exploited?
Sorry, rant over. Security is a big concern, and for things which need to be very secure these features shouldn't be allowed. However, that shouldn't keep the browsers from increasing functionality and usability. Hopefully developers are learning their lessons and becoming more security conscious.
All in all I think the web stack is pretty secure by default, when comparing it to the alternatives.
Really? My opinion is that the "web stack" (not sure which stack you mean here; MSIE-Windows, FF-Windows, Safari-MacOSX, Konq-Linux, etc) has by far the worst record so far. MSIE-Windows has to be the #1 vector for infection now, and has been for at least the last 6-7 years. Which alternative are you thinking of? Because the "web stack" is, in my opinion, the premier virus runtime environment.
My opinion is that web designers made a HUGE mistake in not treating network input cautiously. The emphasis has been on "rich APIs", "data structure passing", extensibility, desktop integration, and so on. These are undoubtably good things in the absence of malicious input, but the fact is, there is a lot of malicious input out there. Web browsers would benefit greatly from some simple privilege separation; the Mozilla camp could do this with some effort, but MSIE is pretty much dead in the water here due to the level of integration with the base system. I understand the HTML5 camp's worry that Flash/Flex will become a de facto standard, but in my opinion, web security has not been taken seriously enough. These kinds of vulnerabilities have become a major source of income for organized crime in the East, and still people like you are saying that security is not the most important issue? Gimme a break.
I wonder why people think that "high" memory usage is related to leaks. Old firefox leaked memory. It's the same ignorance that sees "5 MB Free" in Vista and thinks it's really using up 2 Gigs (it's not, go read up on "SuperFetch", and caching, among other things). Three questions for you:
1) What version of Firefox are you running?
2) Does your memory usage change if you open a bunch more tabs? My guess would be "not much", which means it's hardly a leak (it's how it works, mhmm).
My copy of Firefox has been open for days, with three tabs open, one with pretty hefty rendering and two of slashdot - 131 MB of ram.
There had better be an easy way for web designers to tell if IE has that plugin installed or I'm going to be really pissed.
It's hard enough dealing with IE's crappy rendering... it will be so much more painful if the rendering engine in IE isn't *consistently* broken and we have no way to tell the difference in our code.
Come play free flash games on Kongregate!
You missed the key word there...professional. It means one who makes money from their profession. Developing to standards is great but it doesn't necessarily put food on the table. Idealism is nice, but it can cause one to starve. My guess is you are still in school and haven't had to pay any bills?
ScreamingMonkey is a project that aimed at providing IE with a JS runtime able to run EcmaScript 4 programs.
Since ES4 is apparently dead, I'm not sure where that leaves ScreamingMonkey.
The canvas stuff is a different project that follows the same general approach, but on a different browser component.
Did anyone think about pages that detect user agent strings? A lot of devs use the UA string to "fix" these rendering problems on a per browser basis.
The solution is for the web devs to stop coding to a browser, and do what they should have been doing all along: code to the standards.
You don't take advantage of browser-specific bugs when designing a site, and you'll have no problems when the bugs get fixed by Microsoft or by a third-party plugin.
I would look first to fix FF's rending flaws. I'm not going to list the dozens of bugs and out-of-compliance standards FF has,
Why don't you list the hundreds of major rendering flaws IE has in implementation of each standard, rather than the dozen or so minor flaws FF has overall, in the implementation of all the standards?
IE is not to ignored, but it's not to be catered to either.
IE6 users are to be warned about the severe bugs their browser has and how much their experience will improve if they switch to a standards-based browser such as Firefox or Opera.