Category xul

  • I am back from the Mozilla Summit and somewhat managed to process all the new information I got there. But instead of posting yet another summit summary or more summit photos (what, you didn’t know how great this summit was?) I have a far more boring topic for today: localization of XULRunner-based applications.

  • I already mentioned platform bugs in the previous article but this discussion is worth expanding. Fact is, with the XULRunner code base being rather huge you are bound to find bugs and inconsistencies if you only dig a little deeper. Most of them will be minor though some occasionally turn out mission critical.

  • When talking about runtimes people often expect XULRunner to be something like Java. Sometimes people will also mention .NET — if you are one of them, feel free to replace the word “Java” with “.NET” everywhere in this article; it shouldn’t affect the meaning in any way. Fact is, XULRunner is very different from Java and I will try to explain why.

  • I applied to lead a session on XULRunner in large software projects at the Mozilla Summit. Unfortunately, that proposal was rejected, no talk for me at the summit. Yet there is apparently some interest in the topic, I got messages from two people who won’t be attending the summit asking for slides. I won’t create any slides but I decided to share my thoughts on the topics I wanted to discuss. Having spent the last three years building XULRunner-based applications (first TomTom HOME, now Songbird) I have some experience in this area. Still, this will be necessarily a one-sided view so don’t hesitate to comment.

  • Good news: AMO is finally getting serious about improving security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two weeks deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.

  • XUL overlays are a great mechanism for extending existing functionality. However, there is a catch — any scripts loaded by an overlay share the namespace with the scripts loaded by the original page and the scripts loaded by other overlays (typically from other extensions). So if extension Foo defines a global variable myGreatVar and extension Bar chooses to define a global variable myGreatVar as well, bad things will happen — both extensions will end up accessing the same variable and usually both extensions will behave erratically because of that. The same happens with functions: if two scripts define the same global function, the second function definition will override the first. The situation is worst for constants — a constant cannot be redeclared, meaning that one of the extensions will cause an error message.

  • One of the most overused JavaScript features is the eval() function. I have seen it used in very many extensions but only a few actually had a good reason to use it. So I want to go through all the wrong reasons one would use eval().

  • I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed downloading the extensions that are hidden behind a EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof of concept exploits. The good news: I don’t think that I missed too many vulnerable extensions, when I searched for more patterns I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview in reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.

  • Over the last few years I reported a bunch of security vulnerabilities in various extensions and by far the most common issue was: “Extension Foo allows execution of remote code in privileged context”. Typically, an RSS reader extension would take the content of the RSS feed (HTML code), format it nicely and insert it into the extension window. The issue that is overlooked here is that the RSS feed could contain some JavaScript code, and it would then execute with the privileges of the extension — meaning for example that it would get full access to the browser (cookies, history etc.) and to the user’s files. pdp discovered a similar issue in the Firebug extension, which uses an HTML-based templating system and forgot to sanitize some input received from the webpage.

  • Opening a XUL dialog from JavaScript is usually easy: you use the Window.openDialog method, which is almost the same as Window.open but also accepts some parameters that the dialog will be able to access via the Window.arguments collection. But what if your JavaScript code runs inside an XPCOM component and doesn’t have a window? Still not very hard, you use the nsIWindowWatcher.openWindow method then. The tricky part, however, is passing parameters to the dialog. I had to resort to hacks here in the past, and other people seem to have issues with that as well, so I thought I would share the solution.
