Simon Willison points to a Forrester Research publication (being offered for $49) that cites Greasemonkey as a reason for corporate IT departments to delay or avoid Firefox deployments. For those unfamiliar with Greasemonkey, it’s a plugin for Firefox that allows users to create custom JavaScript to be attached to individual web pages, changing their functionality in much the same way that user style sheets can change the appearance of a web page.
Simon calls the report FUD, which it may be, and defends the right of corporate web users to employ such means:
…tools like Greasemonkey are a fantastic way of fixing issues with the atrocious interfaces found in many “enterprise” web applications. Workers who use Greasemonkey to improve their productivity by fixing problems with internal applications should be applauded.
While I have nothing against Greasemonkey, this statement gave me pause. It reminded me of a parallel situation I have seen often as a corporate developer- Excel VBA Macros. Working for a financial institution, many of my non-IT co-workers are advanced power users of applications such as Excel- but they are not programmers. Many is the time that I (or my department) have been called because some business process is broken- only to learn that the process is one we’ve never heard of. Most often it is an Excel solution that uses VBA macros, which usually begin as a recorded macro and grow over time, and that was developed by an end user. When we are called in, often the original author is no longer with the company (interns are notorious for building these things). The end user only knows how to push a button, and has no idea what to do when they see a VBA error dialog.
Why do these grassroots solutions break? Ignoring for a moment the questionable nature of Excel in general and VBA macros in particular, there are still many factors. Foremost is the fact that these users aren’t developers. These solutions generally have no error checking (or worse, on error resume next, VBA’s way of saying, “Don’t stop just because it’s broken”). These solutions are often built from a recorded macro, and so they have all of the implicit assumptions the user made when recording the macro. Just because your query returned data in column K doesn’t mean it always will. Another major factor is lack of awareness- the users don’t know when things external to the app will change- DB schema, filesystem paths, etc- and the IT department doesn’t know that some guy in accounting has a macro that will break when they upgrade the file server next weekend and change the server name. In addition to these problems, there’s no Q/A, no source code control, and no documentation.
So when the inevitable day comes, when Joey Intern is long gone back to college, when the third or fourth person to inherit this spreadsheet gets an unexpected error or incorrect results, what do they do? They call the helpdesk, of course. The helpdesk has no record of such an app and no documentation on how to support it. Yes, they can support Excel, but they have no clue what the macro send_daily_faxes does or how it works. So they send the problem to the developers- whoever has VB and/or Excel experience. Now we (development) have to support something we’ve never seen, not written to corporate standards, with no documentation.
The developers will calmly tell the user that this is not supported, that we have no idea where it came from or what it does. Sometimes they have to accept that, and if the need is sufficient, make a request for the development staff to build a tool which does the same thing (as they should have done from the beginning). Sometimes, the developer has to bite the bullet and kill the better part of a day figuring what to fix so he can fix it. After all, if this thing has been used for the past three years to send faxes to clients each day with important financial info, we can’t just call the client and say, “Sorry, your daily fax was sent with an unsupported tool. We’ll build a new tool in a month or two.” Even then, we try to schedule work to replace that macro with a supported solution.
I hope the parallels are obvious. While writing custom JavaScript for use with Greasemonkey is more complex than recording (and extending) an Excel macro, there are those who will try it. Every such modification that becomes critical to daily operations will eventually be shared and/or handed down, and one day they will break. Who will fix them?
Earlier today I wanted to print a web page for some offline reading. It was a page from a blog, featuring a left-handed nav/info bar and content on the right. Of course, I only wanted to print the content area. I tried printing, hoping for a print stylesheet that would suppress the navbar. No such luck (note to self: implement a print stylesheet for your own glass house, and put down that stone).
I then tried turning off styles, figuring I could omit the pages of the printout which contained the navbar. I was surprised to find that Firefox prints using the default style sheet when styles are turned off (View|Page Style|No Style) (note to self: check Bugzilla, report if needed).
I considered adding a user stylesheet, hoping that it would cascade with the existing stylesheet. In trying to figure out what my stylesheet should do, I used the DOM inspector. I was disappointed to find the layout used a 1 row <table> with 2 <td>s to achieve layout (note to self: you don’t do that- good job). No worries, judicious use of a following sibling CSS selector did the job:
td {display:none} /* don't show <td>s */
td+td {display:block} /* okay, show <td>s that follow another td */
The net effect is that only the first <td> (in each <tr>) is hidden. Perfect for this application. I tested this CSS snippet using the Edit CSS feature of the fantastic Web Developer Toolbar. On a whim, I tried printing, and was pleased to see that Firefox printed using the edited CSS.
Update: I dutifully checked Bugzilla. Bug 260762 looks like a match.
My list of installed Firefox Extensions has grown recently. In an effort to document what I’m using for future reference (the next time I need to setup FFx on a new machine), here’s a list of what’s currently installed, along with a brief blurb about what it is and what I think of it.
ChromEdit 0.1.1
Lets you edit userChrome.css, userContent.css, prefs.js and user.js without having to hunt for (or create) them. Quick tip: Go to Floppymoose.com, open their custom userContent.css, and paste it into your own. This creates User Stylesheet rules to hide images from many common ad sites. Update: A newer version of the ad blocking list, based on the floppymoose list, is available from mozilla.org.
del.icio.us 0.3.2
Adds context menu with entries to post current page or link to del.icio.us, find current page there, or to open your del.icio.us links/tags/inbox. Compatible with nutr.itio.us. Also adds a toolbar button for posting to del.icio.us (not displayed by default – Customize Toolbars to get it).
Feed Your Reader 0.7.1
Changes the Live Bookmarks ‘RSS’ icon to subscribe to the feed instead of creating Live Bookmarks. Can subscribe via more than 15 different aggregators, including Bloglines and any application that supports the feed:// protocol.
fireFTP 0.83.2
While still a little rough around the edges, this graphical FTP client that runs via Firefox (in a separate window) is exciting – I’ve been looking for a good, cross-platform, open-source graphical FTP client for a while. I even submitted a (1 line) patch to get it working on OS X… thanks in part to a debug build that author Mime Cuvalo sent me. I plan to spend some time contributing on this if I can find any.
ListZilla 0.5
Exports a list of all installed themes or extensions as text, html, or vBulletin codes. I used this to start this list. I have a few improvements I’d like to see in this one; I might even try submitting a patch when I can find two spare moments to rub together. Top of my list- let me ‘export’ to clipboard instead of a file, and let me edit the HTML template. Markdown output would also rock.
LiveHTTPHeaders 0.9
The first indispensable debugging aid I found for Firefox. Displays a trace window of all request and response headers. Perfect for debugging web services.
Print It! 0.2
Simple little plugin that adds context menu entries to Print and Print Preview. The single biggest feature I missed from IE. Don’t have to miss it anymore. Gotta love the ‘Fox.
Tabbrowser Extensions 1.11.2004092801
I’ve been using this since Firefox 0.6, and installing TBE is still the first thing I do to a fresh FFx install. Possibly not for the timid, it does have more options than you can shake a mouse at. I use it mainly to get the following features: Tab bar always visible, close icon on each tab, open new tabs in background, and colored tab groups. Indispensable. Thanks Piro!
User Agent Switcher 0.6
Lets you change the User Agent information reported by Firefox. Let your browser pretend to be IE or Opera, for stupid sites that care. You can also setup custom UA strings; I have one for Googlebot that I try sometimes if I think a site is cloaking. Haven’t caught one yet though.
Web Developer 0.8
The plugin no web developer should be without. Too much wholesome goodness to cover here, but as I’ve said before, it’s A Party in a Toolbar.
So there you have them. Links go to the extension’s homepage. You can also find extensions at Mozilla Update and Texturizer.net’s Firefox Help. Moz Update is the ‘official’ place to go, but I find Texturizer to be so much easier to browse. You can also subscribe to MozUpdate’s New Firefox Extensions RSS Feed. You’ve seen my preferences; leave me a comment with your list of favorites- or any you found to be a bust.
As I recently reported, I’ve been disappointed by the differences in the Firefox 1.0PR default theme on Windows and OS X. Using both platforms daily, I value Firefox’s cross-platform voodoo more than any other feature… but that means it really has to feel the same. As I stated last time:
The Win and Mac default themes are similar, but different enough to really bug me. I prefer the Windows default theme. Also, Piro’s TabBrowser Extensions made weird looking tabs under the default Mac theme. Changing themes fixed that (I tried pinball for a while). Of course, you can’t download the Windows default theme (or any default) from the update website. Today, I finally got tired of the issue, and tried to overcome the problem. I copied classic.jar from the chrome folder of my Windows install, and used it to replace the version in my OS X install. It’s almost perfect. The only problem is the scroll bars… they don’t appear. There’s room for them, and if I click in the right place, they function, they just aren’t displayed.
Of course, I couldn’t leave well enough alone. After digging around for a while, I found that the scrollbars.css file in the OS X version was much smaller than in the Windows version, apparently delegating functionality to the OS scrollbars. So, I patched up my copy of the Windows jar file with the original OS X scrollbars.css, and it worked. Beautifully.
Screen shots. First, the “Before”:

This is the true default OS X theme. I’m running Piro’s TabBrowser Extensions, which accounts for the tab bar being fubar… it doesn’t mix with the default OS X theme. Also, compare the toolbar icons and the Bookmark Bar’s bookmark folders with the next screen shot- the “After”:

As you can see, the toolbar icons are a little different; to my eye they’re much better. The bookmark folders in the bookmarks bar contain folder icons, which makes it easier to visually separate the folders from each other. These features were gained just by dropping in the Windows version of classic.jar. But also notice the visible scrollbar; this was made possible by modifying the jar as described above.
If you’re using OS X and like the second screenshot better than the first, you’re welcome to download my modified classic.jar, however: I take no responsibility if it breaks your browser, your computer, or your leg. You’ve been warned.
Instructions: Download it, say to your Desktop. Shutdown Firefox (print these instructions, memorize them, or open this page in Safari while you work). In Terminal, go to Firefox’s application (not profile) chrome directory. Assuming a default drag-n-drop install to Applications, it should look like this:
cd /Applications/Firefox.app/Contents/MacOS/chrome
Don’t be a shmuck. Back up the original:
cp classic.jar classic.jar.orig
Put the shiny new one in place:
cp ~/Desktop/classic.jar .
Fire up the ‘Fox. Bask in the glow of your monitor.
Eventually, I need to just extract the thematic elements of the windows version from the jar file, and bundle it as an installable theme. For now, this is working.
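A check worth running before the copy step above, since the replacement jar lands in the application's chrome directory: a jar is a zip archive, so the downloaded file can be compared entry by entry against the classic.jar.orig backup. This is an added example, not part of the original post; the entry names in the sample and the list of allowed suffixes are constructed assumptions, not the real contents of classic.jar.

```python
import io
import sys
import zipfile


def jar_index(jar):
    """Map entry name -> (CRC-32, uncompressed size) for a jar (zip) archive."""
    with zipfile.ZipFile(jar) as zf:
        # testzip() re-reads every entry and returns the first corrupt name, if any.
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"corrupt entry in archive: {bad}")
        return {info.filename: (info.CRC, info.file_size)
                for info in zf.infolist() if not info.is_dir()}


def diff_jars(original, replacement):
    """Entries added, removed and changed in replacement relative to original."""
    old, new = jar_index(original), jar_index(replacement)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


def unexpected_changes(diff, allowed_suffixes=(".css", ".png", ".gif")):
    """Touched entries that are not plain theme assets.

    The suffix list is an assumption about what a skin-only change should
    contain; widen it to match what the original jar actually holds.
    """
    touched = diff["added"] + diff["removed"] + diff["changed"]
    return sorted(n for n in touched if not n.lower().endswith(allowed_suffixes))


def _make_jar(entries):
    """Build an in-memory jar from {name: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def sample_diff():
    """Diff two constructed jars (entry names are illustrative only)."""
    original = _make_jar({
        "skin/classic/global/scrollbars.css": b"/* short OS X rules */",
        "skin/classic/browser/browser.css": b"/* mac toolbar */",
        "skin/classic/browser/Toolbar.png": b"mac-icons",
    })
    replacement = _make_jar({
        "skin/classic/global/scrollbars.css": b"/* short OS X rules */",
        "skin/classic/browser/browser.css": b"/* windows toolbar rules */",
        "skin/classic/browser/Toolbar.png": b"windows-icons-v2",
        "skin/classic/browser/bookmark-folder.png": b"folder-icon",
        # Constructed non-skin entry to show what the check flags.
        "content/overlay.js": b"// script in a theme jar",
    })
    return diff_jars(original, replacement)


if __name__ == "__main__":
    # Usage: python jardiff.py classic.jar.orig ~/Desktop/classic.jar
    if len(sys.argv) == 3:
        result = diff_jars(sys.argv[1], sys.argv[2])
    else:
        result = sample_diff()
    for kind in ("added", "removed", "changed"):
        for name in result[kind]:
            print(f"{kind:8} {name}")
    flagged = unexpected_changes(result)
    if flagged:
        print("review before installing:", ", ".join(flagged))
```

Anything reported under "review before installing" is a file the theme swap had no reason to touch and should be read before the jar is copied into place.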
On Saturday, I reported on the first Critical Update for Firefox. In addition to being pleased with the rapid response and integrated update notification, I was concerned about the fact that almost no detail was given on the vulnerability, either in the update tool or on any of several Mozilla websites. At the time, I said the following:
So there’s some kind of file download exploit possible, but the details are omitted. I’m no security expert, but I thought best practice was to release as much information as possible. I don’t mind that Firefox has a vulnerability; no software is perfect. I’m impressed by the level of response and the integrated update system. At the same time, I’d rather see more information about the problem and solution (or even a link to same) than statistics spin.
On Sunday or Monday, I came across the Bugzilla Bug# for the vulnerability (probably via Burning Edge). When I tried to click through to view the bug report, I got a big red screen with a message indicating the bug was permissioned, and I didn’t have perms to view it. This was something I’d not seen before at Bugzilla, and I’d intended to blog about it here.
Today there’s more information. Early this morning, Burning Edge reported “Bug 259708 fully disclosed”. I’ve now read bug 259708 and the comment thread, and I have to say I was wrong. The bug in question was pretty nasty, and would allow a download link on a web page (assuming you choose to save the file) to delete every file in the target directory. Ouch! The Mozilla folks decided to restrict access to the specifics while a patch was cranked out. They also decided to wait a couple days for the patch to be downloaded before disclosing the bug, allowing users to put a fix in place. The team acted quickly in the best interest of the users, and released all of the information in a timely manner without further jeopardizing users’ data.
Nice Job, Guys.
This morning, my copy of Firefox (1.0PR on OS X) was sporting a new icon. A small red icon with an arrow, next to the throbber.
After a moment, I recognized it as Firefox’s Update icon. This appears when updates to Firefox or your installed extensions become available. Clicking the icon, I learned that a Critical Update was available, and was warned “You should install these updates immediately to protect your computer from attack.” There was one update listed, “data:Downloading Fix from: ftp.mozilla.org”. Aside from being impressed that the browser was being proactive in warning me of a problem, I was intrigued: what exactly is the nature of the vulnerability, and what would the update do to correct it?
Unfortunately, I couldn’t determine this. The update dialog is application-modal, and the options offered were “install now” and “cancel”. No additional information or links to same. Deciding to risk it all, I cancelled the dialog and went looking for answers. My first stop was the Firefox homepage. No information was there. I tried the support tab, which is actually the Mozilla.org master support page- with no luck. Undaunted, I tried the Firefox Support Forum link on that page, but the forum had no information either. My next stop was the Firefox Help site, which is familiar to anyone who’s been using the ‘Fox since before 0.9. Still no luck. After Google provided no answers, I tried the Mozilla.org homepage, and was rewarded for my perseverance. At the bottom of the page, in the Announcements category, was an entry dated Oct 1, “Important Security Update for Firefox…”.
The Security Update Announcement offered an explanation, sort of, in a Question and Answer format:
How does this security vulnerability expose the user?
A malicious hacker who could trick a user into saving a file could delete files from a user’s download directory.
How serious is this vulnerability?
While this is a potentially severe security vulnerability, user interaction is required to trigger potential harm. This security update is also another example of the Mozilla Foundation identifying and fixing security vulnerabilities before they are exploited by malicious hackers. This type of security vulnerability is very different from cases where a hacker could take advantage of a vulnerability to obtain valuable information from a user’s computer.
Doesn’t this case illustrate that all browsers are equally insecure?
The Mozilla Foundation continues to have a very strong track record on security. According to Secunia, an independent security monitoring organization, Firefox currently has 1 open security issue, out of a total of 13 security advisories filed in 2003 and 2004. 0% of these are labeled “extremely critical”, 15% are labeled “highly critical”. For the same period, Secunia lists 16 open security issues out of 44 advisories for Internet Explorer 6.0, 14% of which are labeled “extremely critical”, 34% are “highly critical”.
So there’s some kind of file download exploit possible, but the details are omitted. I’m no security expert, but I thought best practice was to release as much information as possible. I don’t mind that Firefox has a vulnerability; no software is perfect. I’m impressed by the level of response and the integrated update system. At the same time, I’d rather see more information about the problem and solution (or even a link to same) than statistics spin.
Also of note, there are two solutions to the problem: download the patch via the Update Icon, or download a new build (0.10.1). This highlights something else that’s been on my mind… The Firefox Homepage should really mention the version number next to the “Download Now” link. I can never tell when a new point release is out.
Concerns over communications aside, Firefox is still the best browser for my money (well, if it cost money), and far, far more secure than Internet Exploiter. I’m off to install the update.
UPDATE: Please read the followup to this post for more information.
When I first got my Mac, I used IE as my browser. A short time later, Safari was released, and I discovered tabbed browsing. I loved Safari, and loathed going back to IE when at work (Windows). I was happy.
Then I decided to start my own website (you’re soaking in it). My hosting company’s web-based site admin panel didn’t work correctly in Safari or IE/Mac. They suggested Firebird (formerly Phoenix, and soon to be Firefox). I resisted, but eventually tried it. A week later it was my primary browser – at version 0.6.1. This was due in very large part to Firefox’s cross-platform nature. Using a Mac at home and a Windows PC at work, I value any useful app which looks and feels the same in both locations (probably why I’m using emacs much more these days).
Then something happened- version 0.8. The Mac version got a new default theme, to make it more Mac-like. While I applaud the sentiment, what it really did is make it less Firefox-like. With a different theme on Windows and OS X, my seamless cross-browser experience had suddenly grown some huge, ugly seams. I was never very successful finding an independent theme I really liked, but eventually I settled on Qute by Arvid Axelsson. This was the default Windows theme, and was also available for the Mac. I got to really like Qute.
Then something else happened- version 0.9. Gone were Pinstripe on Mac and Qute on Windows; we got a new, standard theme. Good plan, although I missed Qute, and I couldn’t install it- it didn’t work with the OS X version of 0.9. Since both platforms were the same, I eventually got used to the change, and all was good. (Note: At least I think so. Until today, I would have sworn that the Mac and Win versions of 0.9 had identical default themes. Tried running an old copy of 0.9 today on my Mac, and the default theme matched the OS X 1.0PR default theme. Don’t know if this is a profile thing, or if I just never noticed the difference).
Then something else happened – 1.0 Preview Release. I noticed a difference on the Mac when I installed the new version (At least I think so, see prior paragraph). The Win and Mac default themes are similar, but different enough to really bug me. I prefer the Windows default theme. Also, Piro’s TabBrowser Extensions made weird looking tabs under the default Mac theme. Changing themes fixed that (I tried pinball for a while). Of course, you can’t download the Windows default theme (or any default) from the update website. Today, I finally got tired of the issue, and tried to overcome the problem. I copied classic.jar from the chrome folder of my Windows install, and used it to replace the version in my OS X install. It’s almost perfect. The only problem is the scroll bars… they don’t appear. There’s room for them, and if I click in the right place, they function, they just aren’t displayed. I’ve seen this with certain themes in older releases (I think Qute used to do it), and the current Qute release does the same thing. For now, I’m dealing with it, but eventually, I need to see if I can edit the theme and fix it.
I really hope that when the final 1.0 gold release of Firefox is released, all platforms will share a single, identical default theme. Firefox is one of the best cross-platform apps I’ve ever seen. It should look that way.
I recently began doing some web development at work. As a result, I ended up poking around the Firebird Extension page looking for useful tools. What I found was Chris Pederick’s Web Developer Extension. When combined with the DOM Inspector present in most Firebird builds, this may be the only developer tool I ever need.
WDE adds a toolbar to your Firebird (or Mozilla, via separate installer) window, below the bookmarks bar and above the tabs. Normally I dislike anything that adds a toolbar; I’m jealously protective of my screen real estate. In this case, I’m sold – this toolbar is worth the pixels. Here’s a rundown of what you get.
The tool bar contains 10 dropdown menus, filled with useful goodies, plus a view source button (the only feature I don’t use, since ctrl+U is faster and ingrained in my skull). On the right hand end of the bar are three small icons: Render Mode (Quirks or Standards Compliance, clicking opens page properties dialog), Javascript errors (clicking opens javascript console), and what I call the “Power Button”. Clicking the Power Button disables the entire toolbar, and clicking again re-enables it. As minor as this sounds, I’ve found it to be a huge help. When the toolbar is disabled, the icons and text are dimmed, and become much less intrusive. Since I use my Bookmarks bar constantly, leaving the Webdev toolbar off unless I’m using it really reduces visual noise when looking for a bookmark.
So what’s in the menus? Plenty. One menu lets you disable things, like cookies, image animations, images, Java, Javascript, color, referers, and stylesheets. The CSS menu integrates all of the functionality of the EditCSS extension which has served me so well for so long (in fairness, I’ve had some trouble with this integrated version, but I haven’t tried a clean profile yet). There’s a Forms menu, that lets you convert GETs to POSTs and vice-versa, display form details, make fields writeable, show passwords, and more. The Images menu lets you hide all images, find broken images, and replace images with ALT attributes. You can display image paths and/or image dimensions, which appear as tooltip-sized labels directly in the page for easy viewing. You can also outline any of the following: images without an Alt attribute, images with a blank Alt attribute, and images with no Title attribute. Handy for the accessibility-minded developer.
The Information menu gives quick access to all sorts of information, including page headers, a speed report from WebSiteOptimization.com (in another tab), and even a report showing all cookies for the current page. From the Misc. menu, you can clear cache, clear HTTP auth, clear cookies (great when debugging your server-side session management code), zoom in and out, and more. It even contains a submenu with links to a number of W3C specs – conveniently opened in another tab, of course.
The Outline menu lets you outline various page elements, such as table cells, block elements, and links without title attribs; or you can specify custom elements to outline. The resize menu lets you see the size of your current browser, resize the window to 800×600 to make sure it’ll work on Grandma’s PC, or set an exact custom size. The Validation menu incorporates some of the functionality of Checky by providing one-click validation from a number of services, although not nearly as many as Checky. You can validate your CSS, HTML, Links, Section 508 Accessibility, and WAI Accessibility. For CSS and HTML there is also a “validate local” option, which automatically saves the current page to disk and uploads it to your validator. Perfect for checking dynamically built pages on a firewalled intranet. The Options menu lets you change a few things, including the URLs used for the validator menu.
I’ve been using this toolbar for about a week, and I’d hate to do any more development without it. It’s really that good. If you’d like to give it a try, you can install it directly from the Web Developer Extension homepage.
Update: Received a nice email from Chris. He pointed out an assumption I made that was incorrect, regarding the validate local feature. To quote Chris:
It doesn’t actually save the file to disk, but rather
creates a new request in the background to grab the source and send
it as text in a POST to the validator. A minor difference, but it
can affect the way it works for dynamic pages etc.
Thanks Chris! He also asked about the problem I had with CSS editing, but I’ll have to follow up on that next week. The problem was at work, and thankfully, I’m off until Tuesday. However, I tried using the CSS Editing on my Powerbook, and it seems to work nicely. It has the additional feature that each stylesheet is loaded as a separate tab in the edit pane.
Nearly two months after its release, I’m finally using Mozilla Firefox 0.8 on my Powerbook. I’ve been using it on my Win2K box at work since the release, but I had issues under OS X.
Since yesterday, two important things have occurred. First, Arvid Axelsson released the Qute theme for Firefox OS X. I don’t care for the new default theme under OS X, and I think it was a mistake to release 0.8 with a new default and without the theme used on other platforms (Qute). One of the big advantages I find in Firefox is that it’s the same on my Mac and on my PC. By not offering the same default themes (at least as choices), its value as a cross-platform browser is diminished. It’s not completely the same as before; the icons are the same but the tabs look different. Hopefully this will improve.
Today, Shimoda Hiroshi (a.k.a. Piro) released an update to his Tabbrowser Extensions, which finally lays to rest the last of the OS X/FF0.8/TBE compatibility issues. TBE has become such an integral part of my browsing experience that I just refuse to work without it.
So far, the ‘Fox seems to be working ok. As well as Firebird 0.7 served me for many months, I was really looking forward to this upgrade. 0.7’s performance under OS X was pretty poor at times. Closing a tab or window could at times take 10 seconds or more. Shutting down the whole app could take minutes. I haven’t noticed performance problems so far under 0.8, but it’s early yet. To be fair, some of the issues I had under 0.7 could have been the fault of TBE; Piro says on his site that the TBE can slow browser performance. At any rate, it never got so bad that I’d consider dropping TBE. In addition to the FF upgrade, Piro’s had a number of releases to TBE in the past couple of months, so hopefully I’ll see improved performance across the board.
As I noted at the time, Mozilla Firebird 0.7 was upgraded (and renamed) to Mozilla Firefox 0.8 in early February. I’ve been using Firefox 0.8 since the day it was released on my Windows PC at work. It works wonderfully. On my OS X Powerbook, however, things are different.
I downloaded 0.8 for the Powerbook the day it was released, and tried it out. Within two minutes I had decided that I do not like the new “default” theme for OS X, Pinstripe. No knock on the fine folk(s) who put the theme together; but I simply dislike it. The actual pinstriping is fine, but the buttons, tabs, etc. were so different from Qute (the default theme for 0.7 and non-OSX builds of 0.8) that I found it distracting. Adding insult to injury, Pinstripe is incompatible with the Tabbrowser Extensions extension, which I find indispensable. After some searching, I found the home page of Arvid Axelsson, creator of the Qute theme. According to his FAQ, Qute should be available for Firefox for OS X “Relatively Soon”. Having read that, I closed Firefox and returned to Firebird 0.7 to wait.
It’s been three weeks since 0.8 was released, and Qute is still not available for OS X. Being that I stayed home (sick) today, I decided to give 0.8 a try again. I still don’t care for pinstripe, so I decided to try some other themes. I tried three or four, and all had the same problem… scroll bars are missing. They are functional, if you click in the right place, but they do not render. I’ve had this problem with themes on OS X before, in older versions of Firebird. I went looking for a bug in Bugzilla, but couldn’t find one. This seems unlikely, so I wonder if I searched correctly. I may try again later, and then submit a bug if I can’t find it already written up.
So, I’m back to using 0.7. I don’t especially mind, but I’d rather be using the newest version. I do think that changing OS X’s default theme, or at least not including Qute in the distribution, was a poor decision. One of the biggest selling points of Firefox for me is that I can use the same browser on OS X and on Windows. Without the availability of the “default” theme on all platforms, however, it doesn’t feel like the same browser.