July 2, 2008
IE8 And XSS Protection
The IEBlog talks about a new IE8 feature that helps prevent some XSS attacks.
While quite interesting, I do wonder if the algorithm should be released as a W3C standard so that browser vendors and others can improve on it in an open fashion. Web apps may break because of this and if each vendor does it differently, this could be yet another pain for developers.
Posted by doron at 8:17 PM | Comments (3) | TrackBack (1)
June 30, 2008
Extensions and Firefox 3 - nsICookieService Behavior Change
Several users of the Gmail Notifier have reported a bizarre bug that only happens in Firefox 3, and after some digging, I found out it seems nsICookieService has changed its behavior.
I was basically creating sandboxed http requests and storing off the cookies. When the user wants to visit Gmail, I load in the stored off cookies into the browser and load Gmail into a tab. I was using nsICookieService::setCookieString, yet somehow the cookies were not being loaded in Firefox 3.
A user figured out it was because he had Firefox set to not accept 3rd party cookies. It seems in Firefox 3, that preference now affects nsICookieService's behavior when adding new cookies.
nsICookieService::setCookieString does take an optional nsIChannel which would bypass this new restriction, but I need the cookie to be set for the browser in general and not just for one channel.
Enter nsICookieManager2, which has a ::add method. The comments even call it a backdoor method, and it seems to not care about the preference.
So basically, if your extension wants to set browser-wide cookies, the 3rd party acceptance flag (found in preferences under Privacy -> Accept 3rd Party Cookies) may break your extension.
Posted by doron at 10:43 PM | Comments (3) | TrackBack (0)
June 24, 2008
document.createExpression change between Firefox 2 and Firefox 3
Ran into this with an IBM product I am working on:
In Firefox 3 (Gecko 1.9), there seems to have been a change that affects XPath and document.createExpression. In particular, you now have to call createExpression on the document you will run the XPath against. Before, you could call createExpression on another document.
In Firefox 2, the following would work:
var expr = document.createExpression(...);
expr.evaluate(anotherDocument, ...)
In Firefox 3, you will get:
"Node cannot be used in a document other than the one in which it was created" code: "4"
Example showing this: http://nexgenmedia.net/mozilla/playgroundxpath.html
Hopefully this will save people time when running into this.
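One way to avoid the error, as an added example that is not part of the original post: always create the expression on the document that owns the context node, and cache the compiled expression per document. The helper names (ownerOf, compileFor, evaluateXPath) are hypothetical; only createExpression, evaluate, nodeType and ownerDocument are DOM APIs.

```javascript
// Added example: compile XPath expressions on the document they will be
// evaluated against, which is what Firefox 3 (Gecko 1.9) requires.
const DOCUMENT_NODE = 9; // value of Node.DOCUMENT_NODE
const ANY_TYPE = 0;      // value of XPathResult.ANY_TYPE

// One cache of compiled expressions per document. A WeakMap lets each
// cache be garbage-collected together with its document.
const cacheByDocument = new WeakMap();

// Hypothetical helper: returns the document that owns contextNode.
function ownerOf(contextNode) {
  return contextNode.nodeType === DOCUMENT_NODE
    ? contextNode
    : contextNode.ownerDocument;
}

// Hypothetical helper: returns an XPathExpression created by the context
// node's own document, reusing an earlier compilation when there is one.
function compileFor(contextNode, xpath, resolver) {
  const doc = ownerOf(contextNode);
  let cache = cacheByDocument.get(doc);
  if (!cache) {
    cache = new Map();
    cacheByDocument.set(doc, cache);
  }
  // Only resolver-free expressions are cached, because two resolvers can
  // map the same prefix to different namespaces.
  if (!resolver && cache.has(xpath)) {
    return cache.get(xpath);
  }
  const expr = doc.createExpression(xpath, resolver || null);
  if (!resolver) {
    cache.set(xpath, expr);
  }
  return expr;
}

// Hypothetical helper: evaluates xpath with contextNode as the context.
function evaluateXPath(contextNode, xpath, resolver, resultType) {
  const expr = compileFor(contextNode, xpath, resolver);
  return expr.evaluate(contextNode, resultType || ANY_TYPE, null);
}
```

Calling evaluateXPath(anotherDocument, ...) replaces the Firefox 2 pattern of compiling once on `document` and evaluating against a different document.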
Posted by doron at 9:34 AM | Comments (2) | TrackBack (0)
June 16, 2008
SproutCore Is Crap
Loads in Firefox 2, but if I use Seamonkey or Minefield, I get nothing.
I thought everyone agreed user-agent sniffing was bad back at the start of the century...
Posted by doron at 6:03 PM | Comments (1) | TrackBack (0)
March 27, 2008
New Add-ons Site Is Awesome
The new add-ons site is awesome, especially for us extension developers.
The Statistics Dashboard especially is a welcome addition. Being able to see the active daily users count is a great way to boost one's ego :)
The basic download/activity data is available as a feed right now, but I wonder if having the more detailed data (operating systems, applications, etc.) available would be of any use? Right now one can download the CSV files. Of course privacy becomes an issue as well.
Posted by doron at 8:56 AM | Comments (4) | TrackBack (1)
March 8, 2008
Trusting 3rd Party Programs
Interesting little story about 3rd party password stealing.
What was interesting to me was that my own Gmail Notifier was accused of stealing passwords early on. It turned out the person actually downloaded the extension from another site and not my own (back when there was no addons.mozilla.org) and had his account "hacked".
Luckily, we have addons.mozilla.org now for a central location to get extensions. Hopefully the extension reviewers are doing a good job filtering out evil extensions :)
Of course, it is easier for us as most extensions are pure xml/js and that makes auditing much easier.
Posted by doron at 6:37 PM | Comments (2) | TrackBack (1)
March 4, 2008
IE8 Sees The Light
Basically, if you have a standards-compliant page (doctype and all), it will use the new IE8 engine with all their changes. Before, it was going to be the IE7 mode. Of course, if your page has no doctype (Quirks mode), you still get the IE6 engine rendering mode.
Microsoft has made a bold choice; now it is up to us web developers to handle this correctly.
Posted by doron at 7:52 AM | Comments (0) | TrackBack (0)
February 17, 2008
How To Stop Firefox From Crashing When Watching ABC.com Full Episodes
Trying to watch an episode of Lost at abc.com and Firefox crashes on you? If you have Firebug installed, be sure to disable it for abc.com - that fixed it for me.
This tidbit actually came from the website of the company that created the plugin (Move Networks).
Posted by doron at 2:28 PM | Comments (4) | TrackBack (0)
February 14, 2008
.exe TLD Coming Soon?
It looks like they are simply handing any major issues (is foo.pdf a file or a URL) off to the browser vendors rather than addressing them themselves. Hopefully they will consult browser vendors before they make any big changes, as it may affect the extension sniffing (and perhaps security as well) that browsers do today.
I call dibs on ihate.pdf!
Posted by doron at 12:01 PM | Comments (6) | TrackBack (1)
January 31, 2008
Quick Note to Extension Developers About browser.xul ID Changes
Edit: The changes that caused this were removed (see mfinkle's blog).
I filed bug 415099 today because certain ids were changed in browser.xul that broke my extension overnight.
So if you overlay browser.xul, you should make sure it works with today's build.
Sadly, the id change seems to be actually needed to fix a bug, so extension authors will need to work around this. Read on for a way to work around it.
Posted by doron at 9:25 AM | Comments (0) | TrackBack (1)