Incompleteness 2011-12-16T12:22:33+00:00 http://www.6307968.com Joe Walker console.mihai(); 2015-02-16T00:00:00+00:00 http://www.6307968.com/blog/2015/02/09/console-dot-mihai/ <p>A few days ago <a href="http://www.robodesign.ro/mihai/blog/thanks">Mihai Șucan</a> went home to Romania. We're not expecting him to fix any more bugs in Firefox, but I'd like to raise a glass of <a href="https://en.wikipedia.org/wiki/%C8%9Auic%C4%83">țuică</a>, to the 1919 bugs that he has been involved in fixing in Firefox.</p><p>Devtools at Mozilla has only been a serious thing for a bit under 5 years. Firebug is much older, but wasn't really a Mozilla project. We started for real in the middle of 2010, and Mihai was one of the first people to start helping.</p><p>The console code was initially a complete mess. Code that everyone touched and no-one loved, born before there was momentum, when landing code was a dark art.</p><p>I remember more than once looking at console code thinking - 'I can do the right fix in a few weeks or the wrong fix in a few hours', and like many before me, leaving the root problem for someone else to fix.</p><p>That someone was Mihai.</p><p>Most of the Devtools team at Mozilla is remote, so all I knew of Mihai to start with was his strange voice. I'm no expert on Romanian accents, but this was different. His voice was compressed and clearly a struggle. He coughed regularly. So we listened more carefully when he spoke and thought nothing of it.</p><p>And Mihai continued to fix the console. 
Kevin Dangoor, who ran Devtools at the time said to me once - "You know the problem with Mihai is simply feeding him enough bugs - that's nearly a full time job!"</p><p>When video chat became a thing, I think we all noticed Mihai's hands, and wondered how he typed, but were probably too embarrassed to ask what was up.</p><p>I'm not sure who asked first, but around the time we first all got together in London I asked if he could travel easily, and found out the detail.</p><p>Mihai has <a href="https://en.wikipedia.org/wiki/Epidermolysis_bullosa">Epidermolysis Bullosa</a> (sometimes known as E.B.) specifically - Recessive Dystrophic Epidermolysis Bullosa.</p><p>E.B. is a brutal skin condition which causes chronic blistering, and makes everyday objects dangerous. Those with it are sometimes called butterfly children because of their brittle skin. In Mihai's case it has left him in a wheelchair, and having to very gently punch the keyboard to get anything done.</p><p>E.B. makes you very vulnerable to skin cancer from the continued scarring from the blisters. So everyday objects that wouldn't pose a risk to those with normal skin become sharp and dangerous to people with E.B. Needless to say - anyone with E.B. has a huge mountain to climb every single day.</p><p>When presented with the mountain that <em>just existing</em> presents to EB sufferers, I think many people would be happy to just exist. But that's not Mihai, who has made developer tools for the web a personal mission. 
There aren't many things you can do when the outside is so dangerous, but Mihai found something he could do and did it with a passion.</p><p>Mihai's illness has meant he hasn't been able to work on the console recently, and we've probably not adjusted properly, but that's temporary.</p><p>Mihai's legacy is that there are hundreds of millions of people using a product, Firefox, that Mihai contributed to, and hundreds of thousands of them spend a significant proportion of their time in the console that was his responsibility. And there are billions of people using websites created by people directly helped by Mihai's work.</p><p>In all but his darkest moments, Mihai copes without complaining. The annoying molehills that we complain about are largely irrelevant sideshows to Mihai, and working with him has been an honour.</p><p>If you've used Firefox Devtools, or if you've used any website where the author might have used Devtools, or if you're impressed by what Mihai has overcome, there's <a href="http://ebresearch.org/">EB Research</a> which investigates the root causes and solutions to the problem of EB.</p><p>Mihai always wants to do more, but he needs your help with this bit: <a href="http://ebresearch.org/">EB Research</a>.</p><iframe src="https://www.youtube-nocookie.com/embed/Evliw540068" allowfullscreen="" frameborder="0" height="360" width="640"></iframe><p>(The video in this post is from a series created for <a href="http://www.debra-international.org/homepage.html">DEBRA</a> international by Lowe GGK. 
The full set of <a href="http://www.debra-international.org/media-center/media-center/eb-awareness-campaign-images.html">images</a> and <a href="http://www.debra-international.org/media-center/media-center/eb-awareness-campaign-videos.html">videos</a> is well worth a look)</p> Combatting Self-XSS (Part 2) 2014-04-24T17:30:00+00:00 http://www.6307968.com/blog/2014/04/24/combatting-self-xss-part-2/ <p>The immediate context to this post is <a href="http://www.6307968.com/blog/2011/12/14/combating-self-xss/">Self-XSS</a> but it may have a wider context in avoiding other Internet scams.</p><p>I’d like to frame Self-XSS in terms of a human script execution engine. It’s an interpreter - and probably not JITed, but it works with a broad and poorly specified grammar. Not all humans have the same interpreter, but there’s enough of a dominant language to provide a mono-culture which makes attack easy.</p><p>However not all script execution engines are created equal. Some come with advanced scam detection routines. Some have random timeouts and many have surprising execution errors. It’s not my intention to be derogatory, but it’s a fact that not everyone’s English skills are the same.</p><p>So Self-XSS is a script that uses this script execution engine to coerce someone to do the attacker’s bidding, probably to their own detriment. If you're writing a scam script, you need to keep the scripts simple enough to avoid the victims’ scam-detection, timeouts and errors.</p><p>These problems mean that we might be able to draw a graph of script complexity vs completion rate (where ‘completion’ is a scam that succeeded). It might look like this:</p><img src="../images/posts/self-xss-graph1.png" alt="Graph of complexity vs completion rate showing exponential drop off"><p>I’d like to suggest that humans are not that simple and that we shouldn’t expect something as predictable as that.</p><p>Many (most?) 
of the tasks that we complete on computers can be done purely using unconscious / heuristic / system 1 processing (in <a href="https://en.wikipedia.org/wiki/Dual_process_theory#Systems">dual process</a> terms). That is to say, using parts of the brain that are fast, pattern-based and non-analytical. It's less common that we need to use conscious / systematic / system 2 processing (slow, lazy, analytical). (“Thinking, Fast and Slow” is probably the canonical work to understand these terms in more depth)</p><p>I’d suggest that, for most people, scam detection is a system 2 operation. So forcing use of system 2 to prevent scams might help. (Obviously this is at odds with the “<a href="http://www.amazon.com/Think-Common-Sense-Approach-Usability/dp/0789723107/">don’t make me think</a>” approach to good UX design - I’m obviously not arguing that bad design is a good thing).</p><p>We don’t have a lot of data for Self-XSS. The data that I know of is:</p><table> <tbody><tr> <th>Attack</th> <th>Completion Rate</th> <th>Complexity</th> </tr> <tr> <td>Facebook</td> <td>&lt;10%</td> <td>3 steps</td> </tr> <tr> <td>Win+R [1]</td> <td>&lt;1%</td> <td>5+ steps</td> </tr> <tr> <td>Other attacks [2]</td> <td>&lt;1%</td> <td>4+ steps</td> </tr> </tbody></table><p>It seems reasonable that an infinitely simple script would always succeed, and that at some point of complexity the completion rate will drop to 0. So that's something like 5 data points.</p><p>It would be fair to criticise this as ‘not much data’, which is part of the point:</p><ul> <li>If you have more data in places where Self-XSS attacks have worked, please publish them and tell me.</li> <li>If you know of research into the use of system 1 vs. system 2 in detecting scams, I’d love to hear about it.</li> </ul><p>However, given the lack of data, it seems to me that there is a surprising drop-off in completion rate with increasing script complexity. 
There isn’t much evidence for attacks that were somewhat complex and got some people - it looks as though all attacks that were somewhat complex were surprisingly unsuccessful.</p><p>So the drop-off rate might look something more like this:</p><img src="../images/posts/self-xss-graph2.png" alt="Graph of complexity vs completion rate showing more sudden drop-off than before"><p>Which might in some small way indicate a point in script complexity where system 2 needed to get involved, and where the analytical part of system 2 said “Wait, am I being scammed?”</p><p>Summary: We shouldn't think of scams purely in terms of smart people not getting scammed, and some level of intelligence providing scam protection. Perhaps for many people, scams are detected when system 2 gets involved, and there may be ways in which we can design software to protect people.</p><p>How does this affect browser developer tools? I believe that we have solutions [3] to the problem that tailor the addition of complexity only to places where people are most at risk, so 99.99% of people won't be affected. Also the level of complexity that is being added is as low as it can be whilst still being effective.</p><p>Notes:</p><p>[1]: Pressing Win+R on Windows systems gets you a system level command prompt. 
I have no evidence that this has been used in Self-XSS attacks, probably because limitations in cmd.exe force an attack script of 5 or more steps.</p><p>[2]: I've seen several demonstrations of Self-XSS that involve 4 or more steps, but none that have a high completion rate.</p><p>[3]: Relevant bugs: Firefox <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=994134">994134</a>, <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=664589">664589</a>, <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=953166">953166</a>, also Chromium <a href="https://code.google.com/p/chromium/issues/detail?id=345205">345205</a>.</p> Work for Mozilla building Developer Tools 2013-03-7T16:30:00+00:00 http://www.6307968.com/blog/2013/03/07/work-for-mozilla-building-developer-tools/ <p><strong>Update</strong>: We've hired now, and very happy that Brian and Patrick are on the team.</p><p>Short version: <a href="https://twitter.com/paulrouget">Paul</a>, <a href="https://twitter.com/harthvader">Heather</a>, <a href="https://twitter.com/ratcliffe_mike">Mike</a> <a href="https://twitter.com/joewalker">and I</a> are hiring. <a href="http://jobvite.com/m?3T1TJfwg">Apply here</a>.</p><p>The built-in developer tools are mostly <a href="https://github.com/mozilla/mozilla-central/tree/master/browser/devtools">built in JavaScript</a>. So you'll need to be comfortable with using JavaScript to create applications (rather than just tweaking pages). Our tools are only for Firefox, so we can take advantage of <a href="https://developer.mozilla.org/en-US/docs/JavaScript/ECMAScript_5_support_in_Mozilla">ES5</a> and <a href="https://developer.mozilla.org/en-US/docs/JavaScript/ECMAScript_6_support_in_Mozilla">ES6</a> features the second they're added to Firefox; knowing what's new there would help too.</p><p>But our team is particularly about helping people understand content (i.e. 
HTML and CSS) so you'll also need to understand how pages are laid out and how to get a browser to bow to your bidding. You'll also need to be good at creating interfaces that people want to use, and fast at learning because there's a lot to <a href="https://developer.mozilla.org/en-US/docs/The_Mozilla_platform">our platform</a>. Knowing some C++ could be useful too.</p><p>Perfect would be if you've spent time in the trenches of web development thinking "<em>If only the tools would tell me X, Y and Z, I could be soooo much better</em>". This is your chance to make millions of people better at their jobs.</p><p>Our team is all around the world, so you can enjoy working from home, and you'll need to communicate well over IRC, video chat and email. But you'll also be working on open source software that changes the lives of hundreds of millions of users worldwide.</p><p>If you can help, <a href="http://jobvite.com/m?3T1TJfwg">apply here</a>, and contact me directly (<a href="https://twitter.com/joewalker">twitter</a> or <code>jwalker at mozilla.com</code>) to make sure you're in the system, or to ask questions.</p> Hackathon Summary 2012-06-27T13:00:00+00:00 http://www.6307968.com/blog/2012/06/27/hackathon-summary/ <p>So yesterday a whole bunch of people got together to hack on some commands for the new <a href="http://www.6307968.com/blog/2012/06/18/firefox-command-line/">Developer Tools Command Line</a>. Thanks to everyone that took part.</p><p>This is a quick summary of the commands and hacks that we created. We've now got to work out what to do with them. 
Some we'll clean up, localize, test and ship, and some we'll suggest putting onto AMO.</p><table> <tbody><tr> <th>Command</th> <th>Description</th> <th>Author(s)</th> <th>Source</th> </tr> <tr> <td>color</td> <td>Several commands to convert between rgb, hex, hsl and color names</td> <td><a href="https://github.com/elvisds">elvisds</a></td> <td><a href="https://gist.github.com/2998893">Gist</a></td> </tr> <tr> <td>scratchpad</td> <td>Extra commands to open empty and pre-populated scratchpads</td> <td><a href="http://antennasoft.net/robcee/">Rob Campbell</a></td> <td><a href="https://gist.github.com/2995780">Gist</a></td> </tr> <tr> <td>debugger</td> <td>Several commands to control the debugger</td> <td><a href="https://blog.mozilla.org/tilt/">Victor Porof</a></td> <td><a href="https://bugzilla.mozilla.org/attachment.cgi?id=636656&amp;action=diff">Patch</a></td> </tr> <tr> <td>tilt refresh</td> <td>Rebuilds the visualization 3D mesh and webpage texture if any changes to the DOM were made</td> <td><a href="https://blog.mozilla.org/tilt/">Victor Porof</a></td> <td><a href="https://bugzilla.mozilla.org/attachment.cgi?id=636659&amp;action=diff">Patch</a></td> </tr> <tr> <td>calllog</td> <td>Use new Debugger API to log function calls</td> <td><a href="http://theunfocused.net/">Blair McBride</a></td> <td><a href="https://github.com/Unfocused/gcli-commands/blob/master/calllog.mozcmd">Repo</a></td> </tr> <tr> <td>idl</td> <td>Show the IDL file for a specified XPCOM interface</td> <td><a href="http://theunfocused.net/">Blair McBride</a></td> <td><a href="https://github.com/Unfocused/gcli-commands/blob/master/idl.mozcmd">Repo</a></td> </tr> <tr> <td>memory</td> <td>Get a memory report for the current page</td> <td><a href="http://theunfocused.net/">Blair McBride</a></td> <td><a href="https://github.com/Unfocused/gcli-commands/blob/master/memory.mozcmd">Repo</a></td> </tr> <tr> <td>restart</td> <td>Commands to restart Firefox</td> 
<td><a href="https://gist.github.com/scrapmac">Girish Sharma</a></td> <td><a href="https://gist.github.com/2995968">Gist</a></td> </tr> <tr> <td>sorttabs</td> <td>Sorts visible tabs based on url</td> <td><a href="https://gist.github.com/scrapmac">Girish Sharma</a></td> <td><a href="https://gist.github.com/2997619">Gist</a></td> </tr> <tr> <td>addon</td> <td>Commands to enable and disable plugins</td> <td><a href="http://www.flailingmonkey.com/">Mike Ratcliffe</a>, <a href="http://astithas.com/">Panagiotis Astithas</a>, <a href="https://github.com/Pimm">Pimm Hogeling</a></td> <td><a href="https://gist.github.com/3003149">Gist 1</a>, <a href="https://gist.github.com/2998412">Gist 2</a></td> </tr> <tr> <td>time</td> <td>Time how long it takes a command to run</td> <td><a href="http://martndemus.nl/">Marten Schilstra</a></td> <td><a href="https://bug768562.bugzilla.mozilla.org/attachment.cgi?id=636791">Patch</a></td> </tr> <tr> <td>date</td> <td>Prints the date to the command line</td> <td><a href="http://martndemus.nl/">Marten Schilstra</a></td> <td><a href="https://gist.github.com/2997578">Gist</a></td> </tr> <tr> <td>responsive</td> <td>Commands to control responsive mode</td> <td><a href="http://paulrouget.com/">Paul Rouget</a></td> <td><a href="https://bug751904.bugzilla.mozilla.org/attachment.cgi?id=636648">Patch</a></td> </tr> <tr> <td>loadscript</td> <td>Loads a JavaScript resource into the current page</td> <td><a href="http://martndemus.nl/">Marten Schilstra</a></td> <td><a href="https://gist.github.com/2998222">Gist</a></td> </tr> <tr> <td>mdn</td> <td>Searches the Mozilla Developer Network</td> <td><a href="http://martndemus.nl/">Marten Schilstra</a>, <a href="http://paulrouget.com/">Paul Rouget</a></td> <td><a href="https://gist.github.com/2998645">Gist 1</a>, <a href="https://gist.github.com/1d943933ffb43a72946d">Gist 2</a></td> </tr> <tr> <td>find</td> <td>Go to a tab (fuzzy matched)</td> <td><a href="https://github.com/espadrine">Thaddee Tyl</a></td> 
<td><a href="https://github.com/espadrine/mozcmd/blob/master/find.mozcmd">Repo</a></td> </tr> <tr> <td>search</td> <td>Search and replace in page</td> <td><a href="https://github.com/graememcc">graememcc</a></td> <td><a href="https://gist.github.com/2996890">Gist</a></td> </tr> <tr> <td>bug</td> <td>Open a numbered bug</td> <td><a href="https://github.com/zombie">zombie</a></td> <td><a href="https://gist.github.com/3000409">Gist</a></td> </tr> <tr> <td>basename/dirname</td> <td>Split up file paths</td> <td><a href="https://twitter.com/fitzgen">Nick Fitzgerald</a></td> <td><a href="https://github.com/joewalker/mozcmd/pull/4">Pull</a></td> </tr> <tr> <td>qsa</td> <td>Perform querySelectorAll on the current document and return number of matches</td> <td><a href="http://twitter.com/zii">Zach Carter</a></td> <td><a href="https://gist.github.com/3000231">Gist</a></td> </tr> <tr> <td>jsbeautifier</td> <td>Loads a URL, JS-beautifies it, and opens a new tab with the result</td> <td><a href="http://www.open-mike.org/about">Mike Hanson</a></td> <td><a href="https://github.com/michaelrhanson/mozcmd">Repo</a></td> </tr> <tr> <td>replace/rm/export</td> <td>Commands to edit and export page details</td> <td><a href="http://www.robodesign.ro/mihai/blog">Mihai Sucan</a></td> <td><a href="https://github.com/joewalker/mozcmd/pull/1">Pull</a></td> </tr> </tbody></table><p style="text-align:center;"> <a href="http://www.flickr.com/photos/robceemoz/322394517"> <img src="../images/posts/hackathon2.jpg" alt="people hacking"> </a> </p> Command Line Hackathon Details 2012-06-24T13:00:00+00:00 http://www.6307968.com/blog/2012/06/25/hackathon-details/ <p>I <a href="http://www.6307968.com/blog/2012/06/20/command-line-hackathon/">promised</a> details of how to take part in the command line hackathon on June 26th ...</p><h2>Getting Started</h2><p>The command line is part of the developer toolbar, which is currently switched off by a preference. 
You enable it by visiting <code>about:config</code> in Firefox, setting <code>devtools.toolbar.enabled</code> to true and restarting.</p><p>Then use the new Tools → Web Developer → Developer Toolbar menu or press <code>Ctrl+Shift+V</code> (Win/Linux) or <code>Alt+Cmd+V</code> (Mac) to open the toolbar.</p><p>If you want a way to keep your commands around, you'll want to use the command directory method; if you just want a quick hack, use Scratchpad.</p><h3>Creating commands with Scratchpad</h3><p>Make sure you've <a href="http://antennasoft.net/robcee/2011/05/10/scratchpad-nee-workspace-web-developer-menu-landed/">enabled chrome privileges on your scratchpad</a>. Then <a href="https://gist.github.com/2944612">start with a template like this</a>, and you're ready to play.</p><p>See the docs <a href="https://developer.mozilla.org/en/Tools/GCLI/Scratchpad">creating commands with scratchpad</a> on MDN for more.</p><h3>Creating commands from a Command Directory</h3><p>Find somewhere to store commands and copy <a href="https://github.com/joewalker/mozcmd/blob/master/hello.mozcmd">this template</a> to a file called <code>hello.mozcmd</code> (or you could clone the repo, which could come in handy for submitting your commands). The filename isn't important but it should end in <code>.mozcmd</code>. 
Then tell Firefox where your directory is with this command: <code>pref set devtools.commands.dir &lt;PATH-TO-DIR&gt;</code>.</p><p>Then refresh the commands from the command dir using <code>cmd refresh</code> and try out the new command: <code>hello</code>.</p><h2>Finding Out More</h2><p>You can probably guess most of what you need from <a href="https://github.com/joewalker/mozcmd/blob/master/hello.mozcmd">the example</a>, however there is <a href="https://developer.mozilla.org/en/Tools/GCLI/Writing_GCLI_Commands">documentation and links</a> on MDN if you need more detail.</p><h2>Taking Part</h2><p>We're collecting ideas for commands on <a href="https://etherpad.mozilla.org/command-line-hackathon">https://etherpad.mozilla.org/command-line-hackathon</a>, and we'll keep that updated during the day to coordinate things.</p><p>To get help and support, the best option is #devtools on irc.mozilla.org (SSL: on, Port: 6697); see <a href="https://wiki.mozilla.org/IRC">the connection docs</a> or use IRC on the web at <a href="http://chat.mibbit.com">mibbit.com</a> (Connect to Mozilla, Channel: #devtools).</p><div> <a href="http://www.flickr.com/photos/robhawkes/7231923050/"> <img src="../images/posts/hackathon3.jpg" alt="people hacking"> </a> </div><h2>How to raise a bug</h2><p>Use <a 
href="https://bugzilla.mozilla.org/enter_bug.cgi?alias=&amp;assigned_to=nobody%40mozilla.org&amp;blocked=&amp;bug_file_loc=http%3A%2F%2F&amp;bug_severity=normal&amp;bug_status=NEW&amp;cf_blocking_basecamp=---&amp;cf_blocking_kilimanjaro=---&amp;cf_crash_signature=&amp;cf_status_esr10=---&amp;cf_status_firefox13=---&amp;cf_status_firefox14=---&amp;cf_status_firefox15=---&amp;cf_status_firefox16=---&amp;cf_tracking_esr10=---&amp;cf_tracking_firefox13=---&amp;cf_tracking_firefox14=---&amp;cf_tracking_firefox15=---&amp;cf_tracking_firefox16=---&amp;comment=%0D%0AWhat%20did%20you%20do%20%28steps%20to%20reproduce%29%3F%0D%0A%0D%0A%0D%0AWhat%20happened%3F%0D%0A%0D%0A%0D%0AWhat%20should%20have%20happened%3F%0D%0A%0D%0A&amp;component=Developer%20Tools%3A%20Console&amp;contenttypeentry=&amp;contenttypemethod=autodetect&amp;contenttypeselection=text%2Fplain&amp;data=&amp;defined_groups=1&amp;dependson=&amp;description=&amp;flag_type-203=X&amp;flag_type-325=X&amp;flag_type-37=X&amp;flag_type-41=X&amp;flag_type-5=X&amp;flag_type-607=X&amp;flag_type-720=X&amp;flag_type-721=X&amp;flag_type-737=X&amp;flag_type-748=X&amp;flag_type-775=X&amp;flag_type-780=X&amp;flag_type-781=X&amp;form_name=enter_bug&amp;keywords=&amp;maketemplate=Remember%20values%20as%20bookmarkable%20template&amp;op_sys=All&amp;priority=--&amp;product=Firefox&amp;qa_contact=developer.tools.console%40firefox.bugs&amp;rep_platform=All&amp;requestee_type-203=&amp;requestee_type-325=&amp;requestee_type-41=&amp;requestee_type-5=&amp;requestee_type-607=&amp;requestee_type-748=&amp;requestee_type-781=&amp;short_desc=GCLI&amp;status_whiteboard=&amp;target_milestone=---&amp;version=Trunk">this link</a> to tell us about any problems with the command line.</p><h2>Submitting a Command</h2><p>You can submit a command any of the following ways:</p><p> </p><ol> <li>Fork <a href="https://github.com/joewalker/mozcmd">this repo</a> and create a pull request (preferred)</li> <li>Create a new etherpad containing your submission and 
put a link to your new etherpad in the <a href="https://etherpad.mozilla.org/command-line-hackathon">main etherpad</a></li> <li>Email it to jwalker at mozilla.com.</li> </ol><p>Whichever way you choose, please include the following in your submission so we know you're happy for us to distribute your work:</p><p><code>Signed-off-by: Your Name &lt;email@example.com&gt;</code></p><p>Adding this text is a statement that you have the right to contribute the code under the MPLv2 for inclusion in the Mozilla codebase.</p><p><strong>Hope to see you on June 26th</strong></p> Firefox Command Line Hackathon 2012-06-20T12:00:00+00:00 http://www.6307968.com/blog/2012/06/20/command-line-hackathon/ <p>TL;DR: On June 26th, the Firefox developer tools team is holding a hackathon to add to the list of commands for the Firefox developers toolbar.</p><aside> <a href="http://www.flickr.com/photos/donotlick/5272510170"> <img src="../images/posts/hackathon1.jpg" alt="people hacking"> </a> </aside><p>See this recent <a href="http://www.6307968.com/blog/2012/06/18/firefox-command-line/">blog post for context on the new developers command line</a>.</p><p>I'm in the process of finishing off <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=724055">bug 724055</a> which will make it as easy as is possible to create new commands, just set a pref to point to a directory where your commands are stored in JSON (ish) files, and you're done.</p><p>In the next few days I'll update this post (Update: <a href="http://www.6307968.com/blog/2012/06/25/hackathon-details/">see here</a>) with a set of resources for creating commands and ideas for commands. We'll hang out in IRC and crank away and see how many commands we can get written in a day.</p><p>If you can spare some time, we'd love to have some help.</p><p><small>Update: Originally this post had a date typo and said the 27th. 
The real date is the 26th.</small></p> Firefox Command Line for Developers 2012-06-18T12:00:00+00:00 http://www.6307968.com/blog/2012/06/18/firefox-command-line/ <p>TL;DR: We're adding a toolbar to Firefox, for developers, which includes a command line. It's a great place to add small tools and experimental features, and we're making it easy to add your own commands.</p><p>The toolbar should land in Firefox 16 or 17 and will look like this:</p><div style="overflow-x:hidden;"> <img src="../images/posts/gcli-look-mac.png" alt="GCLI on a Mac"> </div><p>The buttons are useful, but I'm most excited about the commands. We can add an almost unlimited set of commands here without cluttering up the UI, or making things slow, and we've done lots of work to make the command line easy to use.</p><p>The challenge: It might be stretching things a little to call the command line a 'platform', and commands 'apps', but the command line still needs commands to be successful. There's a list of commands that we're working on for manipulating Firefox developer tools, and we'll be expanding this list to include system level commands too.</p><p>We're planning on a hackathon in a couple of weeks to add to the list of commands and to check that it really is as easy as we think it is to extend. Details soon.</p><p>If you want to try it out, it's in Nightly now; you'll need to flip the <code>devtools.toolbar.enabled</code> preference in <code>about:config</code>.</p> Combating Self-XSS 2011-12-14T12:00:00+00:00 http://www.6307968.com/blog/2011/12/14/combating-self-xss/ <aside> <img src="../images/posts/self-xss-gun.png" alt="gun with barrel pointing at user"> <div>Friends don't let friends etc</div> </aside><h3 id="what-is-self-xss-">What is Self-XSS?</h3><p>Dr. Evil has several options for getting his script to execute in the page of another site. Generically we call this <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>. 
Self-XSS involves using social engineering to coerce a user into manually executing JavaScript using the location bar or developer tools. For more, see <a href="https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=ieinternals&amp;WeblogPostName=socially-engineered-xss-attacks-and-pasting-javascript-in-the-address-bar-in-ie9">socially-engineered XSS attacks</a>.</p><p>The <a href="http://blog.commtouch.com/cafe/web-security/nasty-facebook-picture-attack-based-on-self-xss/">recent Facebook attack</a> signals that something needs to be done, but knowing the right response is tricky.</p><h3 id="what-is-mozilla-doing-about-it-">What is Mozilla doing about it?</h3><p>We're proposing adding a directive to <a href="https://developer.mozilla.org/en/Security/CSP">CSP</a> that says <em>'Please disallow user supplied JavaScript in the context of this resource'</em>.</p><p>It will probably look something like this:</p><pre><code>X-Content-Security-Policy: no-user-js</code></pre><p>We're also going to add a way for developers to opt out of this protection. Effectively saying <em>'I can take care of the JavaScript that I ask my browser to execute'</em>.</p><h3 id="how-does-this-affect-other-firefox-developer-tools-">How does this affect other Firefox developer tools?</h3><p>It doesn't. <a href="https://hacks.mozilla.org/2011/11/developer-tools-in-firefox-aurora-10/">The Highlighter, Style Inspector</a>, <a href="https://wiki.mozilla.org/DevTools/Features/CSSEditor">Style Editor</a> and <a href="https://blog.mozilla.com/tilt/">Tilt</a> are all unaffected. 
This is only about JavaScript executed via the Web Console and <a href="https://blog.mozilla.com/devtools/2011/08/15/introducing-scratchpad/">Scratchpad</a>.</p><h3 id="how-does-this-affect-users-">How does this affect users?</h3><div> <style> table.custom { border-collapse: collapse; } table.custom td, table.custom th { border: 1px solid #aaa; padding: 5px; } table.custom th { text-align: center; } </style> </div><table class="custom"> <tbody><tr> <th colspan="2" rowspan="2">User</th> <th colspan="2">Is a developer?</th> </tr> <tr> <th>No</th> <th>Yes</th> </tr> <tr> <th rowspan="2">Can recognize Self-XSS attack?</th> <th>No</th> <td>Added Self-XSS attack protection.</td> <td>Warned about Self-XSS, may benefit from protection.</td> </tr> <tr> <th>Yes</th> <td>Unchanged</td> <td>Minor inconvenience of having to set a preference (one time only) to enable user JavaScript on sites using this Self-XSS protection.</td> </tr> </tbody></table><p>I think this is a fairly clear net win: a minor, one time only, inconvenience to a sub-set of web developers, vs. full-time protection for the many that wouldn't recognize a Self-XSS attack.</p><h3 id="objections-this-is-a-user-problem">Objections: This is a user problem</h3><p>The goal of educating 7 billion people about what JavaScript can do is lofty, grandiose, ambitious and utterly unattainable. There has to be another solution.</p><h3 id="objections-this-is-a-facebook-problem">Objections: This is a Facebook problem</h3><p>While it's true that allowing untrusted, unvetted, third party, dynamic content onto your site is something to avoid, I don't think that fixing this either is going to happen, or would fix the problem. 
The attack could easily forward you to another site to see the clipboard injecting flash, before returning you to the original site for the 'paste' step.</p><h3 id="objections-this-is-a-flash-problem">Objections: This is a Flash problem</h3><p>While it's true that Adobe's clipboard policies are more relaxed than those of major web browsers, we've seen people caught by instructions that ask people to select/copy their own attack script. We think that the level of pain caused to developers by the CSP solution is low enough that we can justify the additional protection.</p> Marketing (according to the browser makers) 2010-09-13T16:47:32+00:00 http://www.6307968.com/blog/2010/09/13/marketing-according-to-the-browser-makers/ <ul> <li>Mozilla: <a href="http://twitter.com/paulrouget/status/19734735459">Go Open Web, Go Mozilla</a></li> <li>Google: <a href="http://twitter.com/diveintomark/status/21115916946">Go Google, Go Open Web</a></li> <li>Apple: <a href="http://www.guardian.co.uk/technology/blog/2010/jun/04/html5-apple-browser-standard-mistake">Go Apple</a></li> <li>Microsoft: <a href="http://tech.slashdot.org/story/10/09/12/2018229/IE9-Team-Says-Our-GPU-Acceleration-Is-Better-Than-Yours">The others are teh suck</a></li> </ul> Apple and Adobe, Obituaries and Idealism 2010-02-1T07:22:00+00:00 http://www.6307968.com/blog/2010/02/01/apple-and-adobe-obituaries-and-idealism/ <p>Practical reasons for thinking that Flash is dying: </p><ol> <li>You can't get flash on an iPhone, iPod or iPad </li><li><a href="http://lists.w3.org/Archives/Public/public-html/2009Sep/0049.html">IE9 looks like it could get HTML5 video</a> </li></ol><p>Idealistic reasons why Flash should be dying: </p><ol> <li>The spec is controlled by a single entity. </li><li>The Flash wire-format is binary. View-source is important. </li><li>The Flash runtime can't be fully open-sourced due to patent encumbered codecs. 
</li></ol><p>It's obvious, but you can't beat a good Venn diagram: </p><p><img src="../images/posts/flash-death.png" alt="ven diagram showing that practice and idealism are non-overlapping sets"> </p><p>The Idealism isn't having much effect. </p><h3>Apple</h3><p>There's a parallel post to this one, with the subject being the iPad instead of Flash, and that it's a Bad Thing when you're <a href="http://al3x.net/2010/01/28/ipad.html">not allowed to tinker with devices that you own</a>. </p><p>Idealistically the world would wait until something Chromey, Androidy, WebOSy or Maemoy came along out of principle. But we all know <a href="http://twitter.com/diveintomark/status/8292775700">that's not going to happen</a> however much we complain. </p><p>Shame really. All the talk is for nothing. </p>
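<p>An added example, not code from any of the posts above or from the mozcmd repository, that ties together two of them: the command-directory format from "Command Line Hackathon Details" and the <code>no-user-js</code> CSP directive proposed in "Combating Self-XSS". It defines a GCLI-style <code>csp</code> command that parses a policy header value and reports whether that directive is present. The command shape (name, description, params, exec) is assumed from the hackathon post's description of <code>hello.mozcmd</code>, and <code>runCommand</code> is a stand-in for GCLI's own loader so the file runs offline in Node.</p>

```javascript
// Added example: a .mozcmd-style command definition plus a stand-in dispatcher.
// Assumption: a .mozcmd file holds a JavaScript array of command objects with
// name / description / params / exec(args, context), loaded from the directory
// set by `pref set devtools.commands.dir`. Firefox would pass a real `context`;
// here it is unused, so the example runs in plain Node.

// Parse an (X-)Content-Security-Policy header value into a directive map:
// "default-src 'self'; script-src 'self' https://cdn.example"
//   -> { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example"] }
function parseCsp(headerValue) {
  const directives = {};
  for (const part of String(headerValue).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // tolerate "a; ;b" and a trailing ';'
    const name = tokens[0].toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(directives, name)) {
      directives[name] = tokens.slice(1);         // first occurrence wins, as CSP specifies
    }
  }
  return directives;
}

// What the .mozcmd file would contain: the command definitions.
const commands = [
  {
    name: 'csp',
    description: 'Summarise a Content-Security-Policy header value',
    params: [
      { name: 'header', type: 'string', description: 'The header value to inspect' },
      { name: 'directive', type: 'string', defaultValue: 'no-user-js',
        description: 'Directive to look for (the Self-XSS post proposes no-user-js)' }
    ],
    exec: function (args, context) {
      const policy = parseCsp(args.header);
      const names = Object.keys(policy);
      const found = names.includes(args.directive.toLowerCase());
      return {
        directives: names.length,
        hasDirective: found,
        message: found
          ? 'Policy opts out of user-supplied JavaScript (' + args.directive + ' present)'
          : 'Policy does not set ' + args.directive + '; user JavaScript stays enabled'
      };
    }
  }
];

// Stand-in for GCLI's dispatcher (assumption, not GCLI code): find the command,
// fill in defaultValue for omitted params, reject unknown or missing ones, call exec.
function runCommand(name, args) {
  const cmd = commands.find(c => c.name === name);
  if (!cmd) throw new Error('Unknown command: ' + name);
  const resolved = {};
  for (const p of cmd.params) {
    if (args[p.name] !== undefined) resolved[p.name] = args[p.name];
    else if ('defaultValue' in p) resolved[p.name] = p.defaultValue;
    else throw new Error('Missing required parameter: ' + p.name);
  }
  for (const key of Object.keys(args)) {
    if (!cmd.params.some(p => p.name === key)) throw new Error('Unknown parameter: ' + key);
  }
  return cmd.exec(resolved, /* context */ null);
}

// Constructed sample header values (not captured from any real site).
const PROTECTED = "default-src 'self'; no-user-js; script-src 'self' https://cdn.example";
const UNPROTECTED = "default-src 'self'; script-src 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runCommand('csp', { header: PROTECTED }).message);
  console.log(runCommand('csp', { header: UNPROTECTED }).message);
}
```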