A little more than half a year ago I wrote an article on how security solutions using whitelists are better than those using blacklists. At the same time I noted that even using whitelists is not always enough — for example when your whitelist is predictable and the attacker can make sure the whitelisting rule applies to him. The NoScript extension was the example I used, and its author reacted by adding “XSS protection”, assuming that this would invalidate my claims.
You probably noticed that I have been very quiet lately — I only managed to reply to a few of the incoming mails, almost didn’t comment in bug reports and didn’t visit the Adblock Plus forum at all. The main reason is that I finally moved with my wife to our own apartment in Cologne and we simply didn’t have Internet at home yet. This means that I only had Internet access at work, where I already had enough to do with getting TomTom HOME 2.0 ready for a release (note that “at work” is a little abstract when you are working remotely; so far it was defined for me as “a place where I have Internet”).
The other reason is of course that many (good) things kept me very busy — the new apartment (we like it very much, but getting everything we need takes time), the wedding celebration (surprisingly, almost everything went perfectly), our honeymoon (the weather in Cannes was perfect, and likewise everything else), the new job (building a great application on top of the Mozilla platform). I will spend the next week in Amsterdam, but in September I should finally catch up with everything I neglected for a while — including Adblock Plus.
I have been using WebRunner for a few weeks now, and it is pretty useful. It allows me to use some web applications independently from my browser — which makes sense, since these web applications have a user interface of their own and don’t require the full power of the browser. The web applications then appear in my taskbar with the correct icon instead of cluttering the browser with tabs. In addition, this allows the web applications to run constantly, even if I frequently restart my browser (which happens sometimes). And finally, I no longer need to be logged in at Google in my browser, one site less allowed to set permanent cookies.
Of course I found some things to improve, and now I see that Mark Finkle incorporated my changes in WebRunner 0.5. I will hopefully find time for more changes; there are quite a few other things I would like to have in WebRunner.
Despite a few disadvantages, XULRunner is a great tool for application development. It is all the more disappointing when very basic things fail, like getting your application recognized by its icon and application name. Setting the icon and title for the application’s windows is easy, and usually that is sufficient. However, the Windows taskbar has the option “Group similar taskbar buttons” (enabled by default), and for a XULRunner application this group is displayed with XULRunner’s icon and the name “xulrunner”.
As it turns out, this is not XULRunner’s fault. Windows takes these parameters from the resources of the executable, which happens to be xulrunner.exe in this case. For the name it looks at the FileDescription field of the VERSIONINFO resource. In XULRunner this field is empty, so the file name is used instead. The problem with this approach is that the application has no way to select the icon or the description at runtime: resources are added to the executable at build time. Sun hit the same problem with Java and AFAICT didn’t find any real solution either.
Update, June 27: It seems that some of the weird comments here originated from a misunderstanding. This article isn’t about the web — HTML is the language of the web, no doubt. The Developer Day was about building applications, the ones you download — like Firefox, Songbird or Joost.
Mozilla Developer Day in Paris was great. I still cannot believe that I sat at the same table with Daniel Glazman and Benjamin Smedberg (but in our modern times there is proof). There were lots of people I always wanted to meet in person and many interesting talks. The Joost guys delivered a very impressive demo. But the best of it were the discussion sessions. 70 XUL developers in one room — this doesn’t happen too often.
I have been very silent recently, but I think it is time to give an update on what I am doing. Today is officially the first day at my new job — I am joining the developer team behind TomTom HOME. It is nice that at least one of my hobbies (Mozilla) has made it to a job. TomTom allowed me to stay in Cologne, but I expect to go to Amsterdam rather frequently.
I am finished here in Oslo, so I will move to Cologne next week. In some way I feel sad about it, I really liked Oslo. On the other hand, I will finally be in the same country as everybody I care about, it has been too long. Anyway, goodbye Norway and welcome Germany!
On a related note, it seems that I won’t have internet access the next week. My internet provider wanted to get rid of me so much that it decided to disconnect me one week before the date I asked.
Webmasters probably know one particularly “helpful” feature of Internet Explorer — if you happen to misconfigure your web server and it sends HTML files designated as text files, Internet Explorer will silently correct this mistake and display the files anyway. Of course, if you wanted to display HTML as text (because you want to show the source code, or because it really is a text file with HTML snippets in it) it still will be displayed as HTML. And if you, as a user of a non-IE browser, ever came across a misconfigured server that displays HTML/images/Flash as plain text — now you know why nobody bothered fixing the mistake. This feature is called “MIME sniffing” and many articles have been written about it, so I don’t need to repeat them.
However, there is a less known side of MIME sniffing. Have a look at this image. Doesn’t look dangerous, right? Now try to open it in Internet Explorer. What happened? As it turns out, MIME sniffing in Internet Explorer isn’t limited to text files. If it finds anything resembling HTML code in an image, it will interpret the image as an HTML page. In this case a comment in the image contains a SCRIPT tag, and Internet Explorer promptly executes the script. This opens an XSS vulnerability in any site that allows users to upload images (many forums do).
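One defensive check a site accepting image uploads can run before storing a file, as an added example that is not part of the original post: it verifies that the bytes start with the magic number of the declared image type and scans the whole file (comments included) for HTML-looking tags that a sniffing browser might latch onto. The token list and the GIF sample are constructed for illustration and are not the exact list Internet Explorer uses.

```python
import re
from typing import List

# Magic numbers of the image types this check accepts.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tags that make a sniffing browser treat a file as HTML. Assumed,
# illustrative list; extend it for your own deployment.
HTML_TOKENS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|title|meta|object|embed)\b",
    re.IGNORECASE,
)


def check_upload(data: bytes, declared_type: str) -> List[str]:
    """Return a list of problems found; an empty list means the upload is acceptable."""
    problems = []
    magics = MAGIC.get(declared_type)
    if magics is None:
        return ["unsupported type"]
    if not data.startswith(magics):
        problems.append("magic mismatch")
    # Scan the whole file, not just the header: a GIF/JPEG comment can sit anywhere.
    match = HTML_TOKENS.search(data)
    if match:
        problems.append(
            f"html-like token at offset {match.start()}: {match.group().decode('ascii')}"
        )
    return problems


def gif_with_comment(comment: bytes) -> bytes:
    """Build a minimal, constructed GIF89a whose only content is a comment extension block."""
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"  # 1x1 logical screen
    block = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"  # comment sub-block
    return header + block + b"\x3b"  # trailer


# Constructed samples: a harmless GIF and one carrying a SCRIPT tag in its comment.
CLEAN_GIF = gif_with_comment(b"holiday photo")
GIF_WITH_SCRIPT = gif_with_comment(b"<script></script>")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("script", GIF_WITH_SCRIPT)):
        print(name, check_upload(sample, "image/gif") or "ok")
```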
Update: 15:07 – Added Tab Mix Plus and TBE to the “not install” list.
ComputerWorld managed to generate quite a lot of buzz with its list of must-have extensions and extensions to avoid. But, as many commenters noticed, the extensions listed appear pretty random. The first list contains a number of extensions that are based on good ideas but either didn’t manage to implement these ideas properly or are simply useless to most Firefox users. On the other hand, some extensions that these users would really consider absolute “must-haves”, like Adblock Plus, are simply missing, which undermines the credibility of this article. The second article is no better. It lists several very popular extensions without giving good reasons why these should be avoided. And it is filled up with extensions that fall into the category “useless” — as if there were a point in warning users about the hundreds of useless extensions that exist. No wonder I have yet to see a single piece of positive feedback on this article.
But since extension lists are so popular, I want to present here a list of my own. I do not expect anybody to agree with my choice of extensions, quite the opposite. That’s why I will describe each of them and tell who the extension is meant for, how good it is at doing its job and what its shortcomings are. Being an extension developer myself I choose extensions very carefully and evaluate them not only on the aspect of what they are doing but also on how they are doing it, something that most people don’t notice.