What is going on with Internet Explorer?

So now we know: the next Internet Explorer version will be called Internet Explorer 8. What a surprise. Thanks, Dean, for telling us. What we don’t know is just about everything else about Internet Explorer 8 because the IE team has been maintaining strict radio silence about it. And what we get is a bullshit answer that “the whole world relies on Internet Explorer and we must be very careful about what we say.”

But the IE team had one and a half years to work on Internet Explorer 8, they must have fixed some of the major bugs/design flaws by now! For example, what about this unholy design decision that attributes and properties of DOM nodes are the same thing that is causing bugs and very problematic non-standard/inconsistent behavior on numerous occasions? Has it finally been dropped? How about the hasLayout switch that makes setting a simple CSS property like “zoom : 1” have an effect like switching to a different layout engine? Has the behavior been made consistent? Does Internet Explorer 8 feature a way to read out and set selection in text fields without the abomination that is TextRange? I mean something simple like selectionStart/selectionEnd properties — something that cannot even be emulated using TextRange because the “characters” TextRange works with are not the same as actual string characters. Are HTML elements regular JavaScript objects in Internet Explorer 8 now, with actual JavaScript prototypes that can be extended? Or maybe document.importNode was implemented so that there is now a way to avoid an unintelligible error message when nodes are moved between documents? If nothing else, what about standard-compliant aliases for existing functionality, like addEventListener/attachEvent, dispatchEvent/fireEvent, window.getComputedStyle/runtimeStyle? Immutable event objects, anyone? The fact that the web pages can manipulate authentic events has been known to cause security issues (e.g. clipboard stealing) for years, Opera fixed the same bug five years ago.

Predictable whitelists strike again

A little more than half a year ago I wrote an article on how security solutions using whitelists are better than those using blacklists. At the same time I noted that even using whitelists is not always enough — for example when your whitelist is predictable and the attacker can make sure the whitelisting rule applies to him. NoScript extension was the example I used, and its author reacted by adding “XSS protection” assuming that this would invalidate my claims.

Well, it doesn’t. XSS is a very complex problem, and all the simple solutions to this problem usually turn out wrong. Which is once more confirmed by the attack on the security expert RSnake. The attackers knew that RSnake is using NoScript, so they simply included NoScript in their plan. They guessed that RSnake would whitelist his own site, found an XSS vulnerability there, used an XSS attack NoScript wouldn’t stop — and they would have been able to run JavaScript despite NoScript hadn’t their guess been wrong. That’s exactly the kind of attack I spoke about in my article.

Status update

You probably noticed that I have been very quiet lately — I only managed to reply a few of the incoming mails, almost didn’t comment in bug reports and didn’t visit the Adblock Plus forum at all. Main reason is that I finally moved with my wife to our own apartment in Cologne and we simply didn’t have Internet at home yet. This means that I only had Internet access at work where I had already enough to do with getting TomTom HOME 2.0 ready for a release (note that “at work” is a little abstract when you are working remotely, so far it was defined for me as “a place where I have Internet”).

Other reason is of course that many (good) things kept me very busy — the new apartment (we like it very much but getting everything we need takes time), wedding celebration (surprisingly, almost everything went perfectly), our honeymoon (the weather in Cannes was perfect, and likewise everything else), new job (building a great application on top of Mozilla platform). I will spend the next week in Amsterdam, but in September I should finally catch up with everything I neglected for a while — including Adblock Plus.

Get WebRunner 0.5 while it is hot!

I have been using WebRunner for a few weeks now, and it is pretty useful. It allows me to use some web applications independently from my browser — which makes sense, since these web applications have a user interface of their own and don’t require the full power of the browser. The web applications then appear in my taskbar with the correct icon instead of cluttering the browser with tabs. In addition, this allows the web applications to run constantly, even if I frequently restart my browser (which happens sometimes). And finally, I no longer need to be logged in at Google in my browser, one site less allowed to set permanent cookies.

Of course I found some things to improve, and now I see that Mark Finkle incorporated my changes in WebRunner 0.5. I will hopefully find time for more changes, there is quite a few other things I would like to have in WebRunner.

Getting application name and icon right with XULRunner

Despite a few disadvantages, XULRunner is a great tool for application development. The more disappointing it is when the very basic things fail: getting your application recognizable by its icon and application name. Setting icon and title for application’s windows is easy, and usually it is sufficient. However, Windows taskbar has the option “Group similar taskbar buttons” (enabled by default), and for a XULRunner application this group is displayed with XULRunner’s icon and the name “xulrunner”.

Taskbar shows 'xulrunner' instead of the application name

Not the fault of XULRunner as it comes out. Windows gets these parameters from resources of the executable which happens to be xulrunner.exe in this case. For the name it looks at the FileDescription field of the VERSIONINFO resource. In XULRunner this field is empty, consequently the filename is taken instead. The problem with this solution is that the application has no way to select the icon or the description at runtime, resources are added to the executable during compilation. Sun hit the same problem with Java and AFAICT didn’t find any real solution either.

Mozilla Developer Day: XUL vs. HTML

Update, Juni 27: It seems that some of the weird comments here originated from a misunderstanding. This article isn’t about the web — HTML is the language of the web, no doubts. The Developer Day was about building applications, the ones you download — like Firefox, Songbird or Joost.

Mozilla Developer Day in Paris was great. I still cannot believe that I sat at the same table with Daniel Glazman and Benjamin Smedberg (but in our modern times there is proof). There were lots of people I always wanted to meet in person and many interesting talks. The Joost guys delivered a very impressive demo. But the best of it were the discussion sessions. 70 XUL developers in one room — this doesn’t happen too often.

New job

I have been very silent recently, but I think it is time to give an update on what I am doing. Today is officially the first day on my new job — I am joining the developer team behind TomTom HOME. Nice at least one of my hobbies (Mozilla) has made it to a job. TomTom allowed me to stay in Cologne but I expect going to Amsterdam rather frequently.

Moving again

I am finished here in Oslo, so I will move to Cologne next week. In some way I feel sad about it, I really liked Oslo. On the other hand, I will finally be in the same country as everybody I care about, it has been too long. Anyway, goodbye Norway and welcome Germany!

On a related note, it seems that I won’t have internet access the next week. My internet provider wanted to get rid of me so much that it decided to disconnect me one week before the date I asked.

The hazards of MIME sniffing

Webmasters probably know one particularly “helpful” feature of Internet Explorer — if you happen to misconfigure your web server and it sends HTML files designated as text files, Internet Explorer will silently correct this mistake and display the files anyway. Of course, if you wanted to display HTML as text (because you want to show the source code, or because it really is a text file with HTML snippets in it) it still will be displayed as HTML. And if you, as a user of a non-IE browser, ever came across a misconfigured server that displays HTML/images/Flash as plain text — now you know why nobody bothered fixing the mistake. This feature is called “MIME sniffing” and many articles have been written about it, so I don’t need to repeat them.

However, there is a less known side of MIME sniffing. Have a look at this image. Doesn’t look dangerous, right? Now try to open it in Internet Explorer. What happened? As it comes out, MIME sniffing in Internet Explorer isn’t limited to text files. If it finds anything resembling HTML code in images it will interpret the image as an HTML page. In this case a comment in the image contains a SCRIPT tag, and Internet Explorer promptly executes the script. This opens an XSS vulnerability in any site that allows users to upload images (many forums do).

Yet another round of extension recommendations

Update: 15:07 – Added Tab Mix Plus and TBE to the “not install” list.

ComputerWorld managed to generate quite a lot of buzz with its list of must-have extensions and extensions to avoid. But, as many commenters noticed, the extensions listed appear pretty random. The first list contains a number of extensions that are based on good ideas but either didn’t manage to implement these ideas properly or are simply useless to most Firefox users. On the other hand, some extensions that these users would really consider absolute “must-have” like Adblock Plus are simply missing which undermines the credibility of this article. The second article is no better. It lists several very popular extensions without giving good reasons why these should be avoided. And it is filled up with extensions that fall into the category “useless” — as if there were a point in warning users about hundreds of existing useless extensions. No wonder I have yet to see a single positive feedback on this article.

But since extension lists are so popular, I want to present here a list of my own. I do not expect anybody to agree with my choice of extensions, quite the opposite. That’s why I will describe each of them and tell who the extension is meant for, how good it is at doing its job and what its shortcomings are. Being an extension developer myself I choose extensions very carefully and evaluate them not only on the aspect of what they are doing but also on how they are doing it, something that most people don’t notice.