Adblock Plus and (a little) more
Adblock Plus screencast online · 2009-03-13 16:02 by Wladimir Palant
Ian Ozsvald and Richard Mitchelson from ProCasts offered to create a screencast for Adblock Plus. They then went on to analyze what potential users need to know, and the result is quite remarkable:
Hidden cost of (not) using Venkman · 2009-03-12 19:12 by Wladimir Palant
I came across a Venkman “feature” that was so unexpected that I even filed a JavaScript engine bug on it. Only after Gijs Kruitbosch asked me to test with a clean profile I realized that the JavaScript performance issue I was seeing wasn’t inherent to Firefox but rather something the Venkman extension was responsible for. That’s right, Venkman is degrading JavaScript performance just by being installed, even if you don’t use it. I had Venkman installed “just in case” and this was a big surprise to me.
Mixing absolute and relative lengths in SVG clip paths · 2009-03-12 12:14 by Wladimir Palant
A supposedly simple task turned out to be pretty hard and now I am left guessing whether I am dealing with an SVG spec issue or with a Gecko bug. I need to make corners of a XUL element transparent, something that should be easy if you apply SVG effects to it.
Getting rid of Flash cookies · 2009-03-02 12:57 by Wladimir Palant
Pretty much every Flash movie on the web today uses Flash Player’s global storage feature to store data on your disk, similar to regular browser cookies. What makes this feature so problematic is the lack of proper control mechanisms. For example, for browser cookies I selected “Keep until I close Firefox” which makes sure that cookies can be set (no site functionality is broken) but won’t survive too long. But this setting won’t apply to Flash data. Same goes for the Private Browsing mode in Firefox 3.1, it has absolutely no effect on Flash. Note also that Flash data is the same for all browsers and all profiles.
EasyList downloads back on easylist.adblockplus.org - most of the time · 2009-02-27 02:21 by Wladimir Palant
A few months ago I decided to move EasyList downloads to MozDev. However, my bandwidth limit increased greatly since then and I can handle the traffic myself now. So taking the load away from MozDev’s server that surely has better things to do seems to be a good idea. Also, downloads get more reliable again because they don’t depend on two servers. For now I let easylist.adblockplus.org serve 80% of the requests while the remaining 20% are still being redirected to MozDev. I want to see how that goes, might change the proportions again later.
Avoiding naming conflicts in overlays · 2009-02-16 23:12 by Wladimir Palant
XUL overlays are a great mechanism for extending existing functionality. However, there is a catch — any scripts loaded by an overlay are sharing the namespace with the scripts loaded by the original page and the scripts loaded by other overlays (typically from other extensions). So if extension Foo defines a global variable myGreatVar and extension Bar chooses to define a global variable myGreatVar as well, bad things will happen — both extensions will end up accessing the same variable and usually both extensions will behave erratically because of that. Same happens with functions, if two scripts define the same global functions the second function definition will override the first. The situation is worst for constants — a constant cannot be redeclared meaning that one of the extensions will cause an error message.
More extension puzzles · 2009-02-11 17:42 by Wladimir Palant
Since Haploid solved my previous puzzle way too fast, here is another one: what is that page really trying to load? And why is it that NoScript and Adblock Plus disagree so much on that — none of the dozen domains NoScript is showing show up in Adblock Plus and the one request showing up in Adblock Plus doesn’t show in NoScript.
Analyzing huge piles of code · 2009-02-10 23:37 by Wladimir Palant
Back in August, at the Firefox Summit, I promised Giorgio Maone to properly analyze NoScript. Trust me, better that than the alternative. And it is not that I forgot. I tried, really. Problem is, Giorgio isn’t a big friend of modularization. Most of NoScript code is contained in two files, one being 2000 and the other a whopping 8000 lines long, all of its 500 features nicely intertwined. He isn’t a big fan of documentation either, keeping code comments to a minimum so as to prevent code bloat. Finally, he isn’t a big fan of consistency and made sure that each feature is triggered only under its very unique conditions. In short, the code is a mess.
Five wrong reasons to use eval() in an extension · 2009-02-06 13:35 by Wladimir Palant
One of the most overused JavaScript features is the eval() function. I have seen it used in very many extensions but only a few actually had a good reason to use it. So I want to go through all the wrong reasons one would use eval().
Vulnerable extensions survey · 2009-02-05 16:49 by Wladimir Palant
I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed downloading the extensions that are hidden behind a EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof of concept exploits. The good news: I don’t think that I missed too many vulnerable extensions, when I searched for more patterns I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview in reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.