Category gecko

  • I’ve finally released Easy Passwords as a Web Extension (not yet through AMO review at the time of writing), so that it can continue working after Firefox 57. To be precise, this is an intermediate step, a hybrid extension meant to migrate data out of the Add-on SDK into the Web Extension part. But all the functionality is in the Web Extension part already, and the data migration part is tiny. Why did it take me so long? After all, Easy Passwords was created when Mozilla’s Web Extensions plan was already announced. So I was designing the extension with Web Extensions in mind, which is why it could be converted without any functionality changes now. Also, Easy Passwords has been available for Chrome for a while already.

    Posted , Author

  • This announcement by the Princeton University is making its rounds in the media right now. What the media seems to be most interested in is their promise of ad blocking that websites cannot possibly detect, because the website can only access a fake copy of the page structures where all ads appear to be visible. The browser on the other hand would work with the real page structures where ads are hidden. This isn’t something the Princeton researchers implemented yet, but they could have, right?

    Posted , Author

  • “The password system is broken” – I don’t know how often I’ve heard that phrase already. Yes, passwords suck. Nobody can be expected to remember passwords for dozens of websites. Websites enforcing arbitrary complexity rules (“between 5 and 7 characters, containing at least two-upper case letters and a dog’s name”) doesn’t make it any better. So far I’ve heard of three common strategies to deal with passwords: write them down, use the same one everywhere or just hit “forgot password” every time you access the website. None of these are particularly secure or recommendable, and IMHO neither are the suggestions to derive passwords via more or less complicated manual algorithms.

    As none of the password killing solutions gained significant traction so far, password managers still seem to be the best choice for now. However, these often have the disadvantage of relying on a third-party service which you have to trust or storing your passwords on disk so that you have to trust their crypto. But there is also this ancient idea to derive individual passwords from a single master password via one-way hashing functions. This is great as the only sensitive piece of data is your master password, and this one you can hopefully just remember.

    Posted , Author

  • So WebExtensions are the great new way to build Firefox extensions, and soon everybody creating a new extension should be using that over everything else. But what about all the people who already have extensions? How can one be expected to migrate a large extension to WebExtensions and still keep it working? Chances are that you will first spend tons of time rewriting your code, and then even more time responding to complains of your users because that rewrite introduced bugs and unintended changes.

    Posted , Author

  • Note: This blog post started as a rant about MDN which is sadly not very useful for add-on authors way too often. I tried to reformulate it in a neutral way. The point definitely isn’t blaming the people working hard on keeping that documentation up to date.

    MDN has some great content. However, as far as extension development goes, maybe somewhat less content and more structure/quality would be beneficial. Yes, there are a few well-written overview articles. But quite frankly, I’ve seen them for the first time today — because most of the time I’ll get to MDN via a search engine. And if you take this route, there is a good chance to hit an article that pre-dates Firefox 4.0.

    Posted , Author

  • The big news is: e10s is coming to desktop Firefox after all, and it was even enabled in the nightly builds already. And while most of the times the add-ons continue working without any changes, this doesn’t always work correctly. Plus, using the compatibility shims faking a single-process environment might not be the most efficient approach. So reason enough for add-on authors to look into the dreaded and underdocumented message manager and start working with frame scripts again.

    Posted , Author

  • TL;DR: I created a new extension called Enforce Encryption. See extension description for a simple explanation of how it works and why using encrypted connections is important.


    I realized that Stack Overflow is one of the few websites that I use with authentication and yet over plain unencrypted HTTP connections. So, what if I just change http:// into https:// in the address bar? Surprisingly, this worked, even though Stack Overflow doesn’t support HTTPS officially (way too many links lead back to HTTP).

    So, if I want to use Stack Overflow over HTTPS now, how do I do it? All my history items lead to unencrypted pages. But even if I clean out my history, I regularly get to Stack Overflow pages via search or links. Switching to HTTPS manually every time is just unrealistic. That’s something where HTTP Strict Transport Security could help, if it were active for that site all links and history entries would be changed into HTTPS automatically.

    Posted , Author

  • A simple restartless extension can probably keep all its code in the bootstrap.js file. However, it gets crowded there very soon. Plus there is some code that is really only boilerplate and should probably kept separate from your actual code.

    This sounds like a job for JavaScript code modules. It is mostly a matter of taste (I prefer CommonJS module syntax) but there is one really big disadvantage of JavaScript code modules: they have to be unloaded explicitly when your extension is shut down. Which means that you either have to keep a list of modules to unload in your bootstrap.js file or add cleanup code each time you load a module. I find neither approach very compelling.

    Posted , Author

  • Note: This article is not about extensions based on the Add-on SDK (Jetpack). You don’t have to use the SDK to create a restartless extension. Just wanted to point this out explicitly to avoid confusion.

    An extension that will install without requiring a Firefox restart? This was a nightmare to develop not too long ago. Fortunately, things changed and the last showstopper bug was fixed in Firefox 8. Effort to create a restartless (or bootstrapped as it is called officially) extension is acceptable now. In fact, I have converted all my extensions and removed support for classic non-restartless extensions from my build tools — I am certain that I am not going back.

    Posted , Author

  • Taras recently blogged on how websites manage to ruin Firefox performance by continuing to do something even though their tab is no longer active — they keep updating the view that you cannot see. He wondered whether it would be possible to suspend these tabs from an extension. I looked into this and there is a way to suspend all timeouts for a tab — something that an extension could use. Getting the details right wasn’t quite trivial but I think that my extension gets it right now: Suspend background tabs. Enjoy!

    Posted , Author

← Older Newer →