Archive for the 'Browsers' Category

Note: I've reorganized this site to use tags; the category archive remains to support old links. Only posts prior to April, 2006 are categorized.

Critical Update

This morning, my copy of Firefox (1.0PR on OS X) was sporting a new icon. A small red icon with an arrow, next to the throbber.

After a moment, I recognized it as Firefox’s Update icon. This appears when updates to Firefox or your installed extensions become available. Clicking the icon, I learned that a Critical Update was available, and was warned “You should install these updates immediately to protect your computer from attack.” There was one update listed, “data:Downloading Fix from: ftp.mozilla.org”. Aside from being impressed that the browser was being proactive in warning me of a problem, I was intrigued: what exactly is the nature of the vulnerability, and what would the update do to correct it?

Unfortunately, I couldn’t determine this. The update dialog is application-modal, and the options offered were “install now” and “cancel”. No additional information or links to same. Deciding to risk it all, I cancelled the dialog and went looking for answers. My first stop was the Firefox homepage. No information was there. I tried the support tab, which is actually the Mozilla.org master support page, with no luck. Undaunted, I tried the Firefox Support Forum link on that page, but the forum had no information either. My next stop was the Firefox Help site, which is familiar to anyone who’s been using the ‘Fox since before 0.9. Still no luck. After Google provided no answers, I tried the Mozilla.org homepage, and was rewarded for my perseverance. At the bottom of the page, in the Announcements category, was an entry dated Oct 1, “Important Security Update for Firefox…”.

The Security Update Announcement offered an explanation, sort of, in a Question and Answer format:

  • How does this security vulnerability expose the user?

    A malicious hacker who could trick a user into saving a file could delete files from a user’s download directory.

  • How serious is this vulnerability?

    While this is a potentially severe security vulnerability, user interaction is required to trigger potential harm. This security update is also another example of the Mozilla Foundation identifying and fixing security vulnerabilities before they are exploited by malicious hackers. This type of security vulnerability is very different from cases where a hacker could take advantage of a vulnerability to obtain valuable information from a user’s computer.

  • Doesn’t this case illustrate that all browsers are equally insecure?

    The Mozilla Foundation continues to have a very strong track record on security. According to Secunia, an independent security monitoring organization, Firefox currently has 1 open security issue, out of a total of 13 security advisories filed in 2003 and 2004. 0% of these are labeled “extremely critical”, 15% are labeled “highly critical”. For the same period, Secunia lists 16 open security issues out of 44 advisories for Internet Explorer 6.0, 14% of which are labeled “extremely critical”, 34% are “highly critical”.

So there’s some kind of file download exploit possible, but the details are omitted. I’m no security expert, but I thought best practice was to release as much information as possible. I don’t mind that Firefox has a vulnerability; no software is perfect. I’m impressed by the level of response and the integrated update system. At the same time, I’d rather see more information about the problem and solution (or even a link to same) than statistics spin.

Also of note, there are two solutions to the problem: download the patch via the Update Icon, or download a new build (0.10.1). This highlights something else that’s been on my mind… The Firefox Homepage should really mention the version number next to the “Download Now” link. I can never tell when a new point release is out.

Concerns over communications aside, Firefox is still the best browser for my money (well, if it cost money), and far, far more secure than Internet Exploiter. I’m off to install the update.

UPDATE: Please read the followup to this post for more information.

The Thing about Themes

When I first got my Mac, I used IE as my browser. A short time later, Safari was released, and I discovered tabbed browsing. I loved Safari, and loathed going back to IE when at work (Windows). I was happy.

Then I decided to start my own website (you’re soaking in it). My hosting company’s web-based site admin panel didn’t work correctly in Safari or IE/Mac. They suggested Firebird (formerly Phoenix, and soon to be Firefox). I resisted, but eventually tried it. A week later it was my primary browser – at version 0.6.1. This was due in very large part to Firefox’s cross-platform nature. Using a Mac at home and a Windows PC at work, I value any useful app which looks and feels the same in both locations (probably why I’m using emacs much more these days).

Then something happened: version 0.8. The Mac version got a new default theme, to make it more Mac-like. While I applaud the sentiment, what it really did is make it less Firefox-like. With a different theme on Windows and OS X, my seamless cross-browser experience had suddenly grown some huge, ugly seams. I was never very successful finding an independent theme I really liked, but eventually I settled on Qute by Arvid Axelsson. This was the default Windows theme, and was also available for the Mac. I got to really like Qute.

Then something else happened: version 0.9. Gone were Pinstripe on Mac and Qute on Windows; we got a new, standard theme. Good plan, although I missed Qute, and I couldn’t install it, since it didn’t work with the OS X version of 0.9. Since both platforms were the same, I eventually got used to the change, and all was good. (Note: At least I think so. Until today, I would have sworn that the Mac and Win versions of 0.9 had identical default themes. Tried running an old copy of 0.9 today on my Mac, and the default theme matched the OS X 1.0PR default theme. Don’t know if this is a profile thing, or if I just never noticed the difference).

Then something else happened – 1.0 Preview Release. I noticed a difference on the Mac when I installed the new version (at least I think so, see prior paragraph). The Win and Mac default themes are similar, but different enough to really bug me. I prefer the Windows default theme. Also, Piro’s TabBrowser Extensions made weird looking tabs under the default Mac theme. Changing themes fixed that (I tried pinball for a while). Of course, you can’t download the Windows default theme (or any default) from the update website. Today, I finally got tired of the issue, and tried to overcome the problem. I copied classic.jar from the chrome folder of my Windows install, and used it to replace the version in my OS X install. It’s almost perfect. The only problem is the scroll bars… they don’t appear. There’s room for them, and if I click in the right place, they function; they just aren’t displayed. I’ve seen this with certain themes in older releases (I think Qute used to do it), and the current Qute release does the same thing. For now, I’m dealing with it, but eventually, I need to see if I can edit the theme and fix it.

I really hope that when the final 1.0 gold release of Firefox is released, all platforms will share a single, identical default theme. Firefox is one of the best cross-platform apps I’ve ever seen. It should look that way.

A Party in a Toolbar

I recently began doing some web development at work. As a result, I ended up poking around the Firebird Extension page looking for useful tools. What I found was Chris Pederick’s Web Developer Extension. When combined with the DOM Inspector present in most Firebird builds, this may be the only developer tool I ever need.

WDE adds a toolbar to your Firebird (or Mozilla, via separate installer) window, below the bookmarks bar and above the tabs. Normally I dislike anything that adds a toolbar; I’m jealously protective of my screen real estate. In this case, I’m sold – this toolbar is worth the pixels. Here’s a rundown of what you get.

The toolbar contains 10 dropdown menus, filled with useful goodies, plus a view source button (the only feature I don’t use, since ctrl+U is faster and ingrained in my skull). On the right hand end of the bar are three small icons: Render Mode (Quirks or Standards Compliance, clicking opens page properties dialog), Javascript errors (clicking opens javascript console), and what I call the “Power Button”. Clicking the Power Button disables the entire toolbar, and clicking again re-enables it. As minor as this sounds, I’ve found it to be a huge help. When the toolbar is disabled, the icons and text are dimmed, and become much less intrusive. Since I use my Bookmarks bar constantly, leaving the Webdev toolbar off unless I’m using it really reduces visual noise when looking for a bookmark.

So what’s in the menus? Plenty. One menu lets you disable things, like cookies, image animations, images, Java, Javascript, color, referers, and stylesheets. The CSS menu integrates all of the functionality of the EditCSS extension which has served me so well for so long (in fairness, I’ve had some trouble with this integrated version, but I haven’t tried a clean profile yet). There’s a Forms menu, that lets you convert GETs to POSTs and vice-versa, display form details, make fields writeable, show passwords, and more. The Images menu lets you hide all images, find broken images, and replace images with ALT attributes. You can display image paths and/or image dimensions, which appear as tooltip-sized labels directly in the page for easy viewing. You can also outline any of the following: images without an Alt attribute, images with a blank Alt attribute, and images with no Title attribute. Handy for the accessibility-minded developer.

The Information menu gives quick access to all sorts of information, including page headers, a speed report from WebSiteOptimization.com (in another tab), and even a report showing all cookies for the current page. From the Misc. menu, you can clear cache, clear HTTP auth, clear cookies (great when debugging your server-side session management code), zoom in and out, and more. It even contains a submenu with links to a number of W3C specs – conveniently opened in another tab, of course.

The Outline menu lets you outline various page elements, such as table cells, block elements, and links without title attribs; or you can specify custom elements to outline. The resize menu lets you see the size of your current browser, resize the window to 800×600 to make sure it’ll work on Grandma’s PC, or set an exact custom size. The Validation menu incorporates some of the functionality of Checky by providing one-click validation from a number of services, although not nearly as many as Checky. You can validate your CSS, HTML, Links, Section 508 Accessibility, and WAI Accessibility. For CSS and HTML there is also a “validate local” option, which automatically saves the current page to disk and uploads it to your validator. Perfect for checking dynamically built pages on a firewalled intranet. The Options menu lets you change a few things, including the URLs used for the validator menu.

I’ve been using this toolbar for about a week, and I’d hate to do any more development without it. It’s really that good. If you’d like to give it a try, you can install it directly from the Web Developer Extension homepage.

Update: Received a nice email from Chris. He pointed out an assumption I made that was incorrect, regarding the validate local feature. To quote Chris:

It doesn’t actually save the file to disk, but rather creates a new request in the background to grab the source and send it as text in a POST to the validator. A minor difference, but it can affect the way it works for dynamic pages etc.

Thanks Chris! He also asked about the problem I had with CSS editing, but I’ll have to follow up on that next week. The problem was at work, and thankfully, I’m off until Tuesday. However, I tried using the CSS Editing on my Powerbook, and it seems to work nicely. It has the additional feature that each stylesheet is loaded as a separate tab in the edit pane.

Foxy

Nearly two months after its release, I’m finally using Mozilla Firefox 0.8 on my Powerbook. I’ve been using it on my Win2K box at work since the release, but I had issues under OS X.

Since yesterday, two important things have occurred. First, Arvid Axelsson released the Qute theme for Firefox OS X. I don’t care for the new default theme under OS X, and I think it was a mistake to release 0.8 with a new default and without the theme used on other platforms (Qute). One of the big advantages I find in Firefox is that it’s the same on my Mac and on my PC. By not offering the same default themes (at least as choices), its value as a cross-platform browser is diminished. It’s not completely the same as before; the icons are the same but the tabs look different. Hopefully this will improve.

Today, Shimoda Hiroshi (a.k.a. Piro) released an update to his Tabbrowser Extensions, which finally lays to rest the last of the OS X/FF0.8/TBE compatibility issues. TBE has become such an integral part of my browsing experience that I just refuse to work without it.

So far, the ‘Fox seems to be working OK. As well as Firebird 0.7 served me for many months, I was really looking forward to this upgrade. 0.7’s performance under OS X was pretty poor at times. Closing a tab or window could at times take 10 seconds or more. Shutting down the whole app could take minutes. I haven’t noticed performance problems so far under 0.8, but it’s early yet. To be fair, some of the issues I had under 0.7 could have been the fault of TBE; Piro says on his site that the TBE can slow browser performance. At any rate, it never got so bad that I’d consider dropping TBE. In addition to the FF upgrade, Piro’s had a number of releases to TBE in the past couple of months, so hopefully I’ll see improved performance across the board.

Regression

As I noted at the time, Mozilla Firebird 0.7 was upgraded (and renamed) to Mozilla Firefox 0.8 in early February. I’ve been using Firefox 0.8 since the day it was released on my Windows PC at work. It works wonderfully. On my OS X Powerbook, however, things are different.

I downloaded 0.8 for the Powerbook the day it was released, and tried it out. Within two minutes I had decided that I do not like the new “default” theme for OS X, Pinstripe. No knock on the fine folk(s) who put the theme together; but I simply dislike it. The actual pinstriping is fine, but the buttons, tabs, etc. were so different from Qute (the default theme for 0.7 and non-OSX builds of 0.8) that I found it distracting. Adding insult to injury, Pinstripe is incompatible with the Tabbrowser Extensions extension, which I find indispensable. After some searching, I found the home page of Arvid Axelsson, creator of the Qute theme. According to his FAQ, Qute should be available for Firefox for OS X “Relatively Soon”. Having read that, I closed Firefox and returned to Firebird 0.7 to wait.

It’s been three weeks since 0.8 was released, and Qute is still not available for OS X. Being that I stayed home (sick) today, I decided to give 0.8 a try again. I still don’t care for Pinstripe, so I decided to try some other themes. I tried three or four, and all had the same problem… scroll bars are missing. They are functional, if you click in the right place, but they do not render. I’ve had this problem with themes on OS X before, in older versions of Firebird. I went looking for a bug in Bugzilla, but couldn’t find one. This seems unlikely, so I wonder if I searched correctly. I may try again later, and then submit a bug if I can’t find it already written up.

So, I’m back to using 0.7. I don’t especially mind, but I’d rather be using the newest version. I do think that changing OS X’s default theme, or at least not including Qute in the distribution, was a poor decision. One of the biggest selling points of Firefox for me is that I can use the same browser on OS X and on Windows. Without the availability of the “default” theme on all platforms, however, it doesn’t feel like the same browser.