1st February 2014, 05:35 AM   |  #2  
Cont.


Later

Quote:

14:00 tcaud2 Hi I've got a serious issue with my game maker addon.
14:00 tcaud2 I need to rip a font from an image, but the image is loaded from a file:// URI
14:00 tcaud2 I was told this was a cross-domain policy violation.
14:00 tcaud2 The solution, you said, was to load the image in the main module. But that's apparently impossible, because Jetpack has no concept of the HTML DOM, and thus, can't create image objects.
14:02 jsantell OtherRealm: what is 'window' in this case?
14:03 jsantell tcaud2: is the image in the data/ directory of your addon?
14:04 OtherRealm Just a null var until it is called in this method
14:04 OtherRealm var window;
14:04 jsantell OtherRealm: can you post the code on a gist or pastebin?
14:04 tcaud2 It is not.
14:04 tcaud2 it's in the user's filesystem
14:06 tcaud2 Am I right that I have to read the image data itself and send it as a message to the web page, then data:uri it on the web page side?
14:09 OtherRealm (url removed)
14:12 OtherRealm or:
14:12 OtherRealm (url removed)
14:25 zombie_ tcaud2: yeah, i understand
14:25 zombie_ just use a file api, and read the _content_ of the file, convert it (base64 encode) to a data:uri and send that as a message to your web page
14:28 zombie_ margaret: do you maybe have some other mozilla tool/environment (i think it's called mozbuild? or something) for working with some other code base?
14:28 zombie_ i think i've seen a bug or two about conflicts with python environments
14:29 margaret zombie_: possibly, i know i've had to mess with my python setup for running tests on mozilla-central
14:30 zombie_ margaret: you can try searching the bugzilla on that, i think i've seen a workaround in one of the bugs
14:30 zombie_ (or i can try searching in a few minutes, after dinner)
14:32 margaret zombie_: okay, thanks
14:32 margaret i don't really *need* to use the add-on sdk, but i thought it would be easier for what i'm trying to do
14:32 margaret i figured it was a good excuse to try learning how to use it
14:38 jsantell margaret: yeah what version of py are you using?
14:39 margaret jsantell: 2.7.4
14:42 jsantell margaret: humm that should be fine..
14:42 *** lmandel quit (Input/output error)
14:42 *** brambles quit (Ping timeout)
14:43 *** brambles joined #jetpack
14:44 jsantell OtherRealm: so looking at your code
14:45 jsantell OtherRealm: window doesn't have a port, it doesnt have associated content scripts
14:48 OtherRealm Yes, do I need those in order for the ports to be broadcast from addon to content and the other way around?
14:49 jsantell OtherRealm: what kind of content do you have? what do you want it to do/communicate with
14:52 OtherRealm I want to send a json string to the window, have it be parsed and loaded into a form, then for this form to be able to be edited and saved, passing the changes back to the main.js in a json string
14:53 jsantell OtherRealm: what is the window? you can apply a page worker or page mod, things like that
14:53 jsantell OtherRealm: which have content scripts
14:53 jsantell OtherRealm: windows are just firefox windows
14:55 OtherRealm Ideally I would like to have it be a chrome window without all the extra nav features
14:55 *** joshua-s quit (Quit: Try Firetext ((url removed)), a word processor for Firefox OS!)
14:56 *** joshua-s joined #jetpack
14:57 *** philor|afk is now known as philor
15:00 *** phlsa joined #jetpack
15:02 *** Gijs quit (Connection reset by peer)
15:02 *** Gijs joined #jetpack
15:03 jsantell OtherRealm: you can have a pagemod attach itself to the search.html page you load
15:03 jsantell OtherRealm: and communicate with those ports
15:04 OtherRealm Alright, I will try that
15:04 OtherRealm Thanks
15:04 *** cers quit (Ping timeout)
15:06 *** cers joined #jetpack
15:13 canuckistani margaret that's a seriously weird error, maybe Python env weirdness
15:13 canuckistani Also, you don't need to activate the SDK, just call cox directly
15:14 *** bwinton is now known as bwinton_away
15:14 canuckistani Er, 'cfx', and goddammit autocorrect I did not mean 'CFO' either
15:16 *** bwinton_away is now known as bwinton
15:17 zombie_ any reason jetpack meeting notes aren't on planet.m.o?
15:17 zombie_ canuckistani: ^
15:17 canuckistani They never have been
15:18 canuckistani They get sent to the google group, but no-one has asked for rss before to my knowledge
15:19 zombie_ ok, if i'm the only one asking, i guess i can manage for myself..
15:21 *** TimAbraldes joined #jetpack
15:29 tcaud2 I've been thinking... firefox is trying to cater to both business users and desktop users.
15:29 tcaud2 That's bad.
15:30 tcaud2 Two different user classes. Good at the time of revolution against IE, but bad now that the revolution is over.
15:31 tcaud2 I see a pattern in the comments of domestic users taking umbrage to many of the changes being instituted, while business users take a more conciliatory, appeasing approach.
15:31 tcaud2 And you guys cite them as evidence for your support.
15:32 tcaud2 I think I've figured the way to beat you. Yes, this is the method. That's the argument.
15:32 tcaud2 biz vs consumer.
15:35 jsantell im not even sure what that means
15:36 tcaud2 That will be good for you in that it will take the heat off you from domestic users, and allow you to focus on growing your userbase with business users.
15:36 tcaud2 Firefox is way too secure.
15:37 tcaud2 Many people want a browser that doesn't have these crazy security policies.
15:37 zombie_ tcaud2: you are not going to get very far if your argument is going to be "firefox needs to be less secure"
15:37 tcaud2 They don't want IE. They don't want Google.
15:37 tcaud2 No, I don't mean, "let's let security holes run free".
15:37 zombie_ especially in light of recent NSA fallout
15:37 jsantell all modern browsers have these "crazy security policies", and no one wants a browser that exposes them to even more dangerous vectors
15:38 tcaud2 I mean, let's let users decide what they want a given web page to be able to do.
15:38 jsantell hence the existence of jetpack
15:39 tcaud2 The AsYouWish addon basically does that by restoring enablePrivilege, which was removed on behalf of idiots and grandmothers.
15:40 tcaud2 I didn't create AsYouWish. It has a number of users. The only reason it's not used more is because Mozilla has made a point of suppressing it.
15:41 jsantell so if the addon gives you the capabilities you desire, whats the problem
15:42 tcaud2 It's not the capabilities I have, but the capabilities other users have.
15:43 tcaud2 There needs to be a movement of (smart) people towards using their webapps with (limited) access to their local file systems.
15:43 tcaud2 Like for example my game maker addon. Only intelligent users will be able to use it. So it's no big issue.
15:44 tcaud2 I can't just advise them to use AsYouWish, because they know nothing about it. It's not trusted.
15:44 zombie_ and you have that ability.. jetpack allows you to access files on the user's computer.. what is the problem?
15:45 tcaud2 It's ten times easier to write programs by accessing chrome in the webpage than by using jetpack and jumping through its security hoopla.
15:45 zombie_ yeah, and it's 100 times harder to protect users from possible bad actors with that approach
15:46 tcaud2 And there you go again with the protection thing. See, smart users don't want your protection.
15:46 jsantell tcaud2: i assure you, they do.
15:46 tcaud2 They want software that doesn't have security holes.
15:46 tcaud2 I know a number that don't.
15:46 zombie_ i'm a pretty smart user, and i'm in the rare position to be able to inspect *and understand* the code of firefox addons
15:47 jsantell tcaud2: and if having the AsYouWish addon solves the issue, just make it a dependency
15:47 zombie_ and yet, i have ~20 addons in my firefox, and don't have time to inspect every one of them
15:47 tcaud2 AsYouWish is still in experimental status.
15:47 tcaud2 It doesn't have your sanction.
15:48 zombie_ you say users should trust you and your addon, but can't trust AsYouWish?
15:48 jsantell well luckily you can deploy your xpi anywhere on the internet
15:48 zombie_ what's the difference.. i have heard of that addon before, i would much rather trust them than you
15:48 tcaud2 Actually they are kinda leery about addons, too.
15:49 tcaud2 You have not approved as you wish.
15:49 tcaud2 AsYouWish
15:50 *** phlsa quit (Quit: My MacBook Pro has gone to sleep. ZZZzzz…)
15:51 tcaud2 It's only been experimentally reviewed.
15:53 tcaud2 I am in contact with the author of AsYouWish.
15:55 tcaud2 Can you pledge, if it is submitted, that it will be given a fair review, and not rejected on basis of its essential function?
15:58 *** philor is now known as philor|away
15:58 jsantell that's up to AMO
15:58 zombie_ tcaud2: people here don't review addons.. and there are rules for submitting your addons for review, if you follow them, i'm pretty sure the review will be fair
15:59 canuckistani also, AsYouWish isn't just any add-on
15:59 canuckistani it exposes system privileges to the web
16:01 zombie_ tcaud2: wait, just realized, your argument is not "firefox wont let me do this", but "i want this thing to be easier, at the cost of possible security issues, and the harder job of the AMO reviewers" ??
16:01 zombie_ in that case, you just lost all sympathy from me
16:03 *** humph quit (Ping timeout)
16:04 tcaud2 Right well, canuckistani, that's kinda immaterial. Policy is policy, right? So if AsYouWish is safe so long as users know what they are doing, it should be approved by AMO, right?
16:05 *** ejpbruel joined #jetpack
16:05 ejpbruel gozala: ping
16:05 gozala ejpbruel: hello
16:05 canuckistani tcaud2: that's up to AMO reviewers, you should go talk to them
16:05 ejpbruel gozala: hi! i have a generic js style question for you
16:05 ejpbruel gozala: how do you recommend doing something like enums in js?
16:06 canuckistani but the potential for AsYouWish to be insecure via a bug and therefore very harmful is quite high
16:06 canuckistani the good thing i guess is it is unlikely it will be very popular
16:06 canuckistani ...because the use case is quite specific

which led to this:

Quote:

16:14 *** tcaud2 joined #amo-editors
Add-on code review discussions | Don't ask to ask | Mention the name and ID of your add-on | See #amo for (url removed) site, #addons for general add-on support, #extdev for extension development | (url removed) | Queue status: (url removed)
Topic set by John-Galt on Mon Oct 01 2012 16:43:17 GMT-0400 (Eastern Daylight Time)
16:15 tcaud2 Hi, I'd like to discuss the AsYouWish addon.
16:23 tcaud2 It has received preliminary review.
16:24 tcaud2 Its function is to restore enablePrivilege, which was removed as of Firefox 17.
16:33 jorgev what would you like to discuss?
16:33 tcaud2 I would like to discuss its prospects for approval.
16:34 jorgev full approval? I don't think that'll happen
16:34 *** JesperHansen quit (Ping timeout)
16:34 tcaud2 Why not?
16:35 jorgev because it's a power tool and potential footgun
16:35 jorgev we generally give those preliminary approval only
16:36 tcaud2 So let me get this straight: you're not going to even give it the mark of trust that the tool does not steal a person's credit card information?
16:37 tcaud2 I mean it's coming from some guy nobody knows, they have to trust him personally, as it is, before even trying to use it as a power tool.
16:38 tcaud2 I know how your process works. You have two stages: preliminary, where you don't hardly even look it over, and full, where you pore over it and study every aspect.
16:39 jorgev you don't know it very well then
16:39 jorgev preliminary approval does go through code review and we make sure the add-on is safe to use
16:40 tcaud2 Then why do you state on the add button on MDN that it hasn't been reviewed?
16:40 tcaud2 That's all end users see.
16:40 jorgev if it says it hasn't been reviewed it's because it hasn't
16:40 tcaud2 you're mixing words.
16:41 jorgev AsYouWish has not been reviewed
16:41 jorgev it is awaiting preliminary review
16:41 tcaud2 What further review do you need beyond assessing whether it is safe?
16:41 tcaud2 No it's not.
16:41 John-Galt It is.
16:42 rctgamer3 It is.
16:42 jorgev (url removed)
16:42 jorgev it has been, for a very long time
16:42 jorgev I'm not sure what is blocking its review, but maybe John-Galt can clarify that
16:43 John-Galt The last time I reviewed it, it took an entire day, and I haven't had an entire day to devote to it since then.
16:44 tcaud2 However, even after preliminary review is completed, it states "the addon has not been reviewed by mozilla".
16:44 tcaud2 just below the button.
16:45 tcaud2 here's another example.
16:45 rctgamer3 tcaud2: After it has been preliminary reviewed, that line will change
16:45 jorgev tcaud2: (url removed)
16:45 jorgev that's how a preliminarily approved add-on looks like
16:47 *** fixanoid_ quit (Ping timeout)
16:50 tcaud2 yeah nevermind on that.
16:50 tcaud2 well when is the review?
16:51 *** JesperHansen joined #amo-editors
16:51 tcaud2 can you schedule someone to look at it?
16:51 jorgev the active admin reviewers are John-Galt and TheOne
16:51 jorgev it's up to them to make time for it
16:52 tcaud2 So you're not going to honor the expectation that it would be reviewed in three weeks.
16:52 tcaud2 as AMO states.
16:53 tcaud2 which of course you are already hideously overdue.
16:53 John-Galt The ideal is 3 days. It's not a guarantee, and for add-ons like this which require a thorough security review, things can take considerably longer.
16:54 tcaud2 So there's no time frame.
16:54 jorgev there's an approximation
16:54 jorgev and most add-ons are reviewed within those times
16:54 jorgev some take longer, some take much longer
16:55 jorgev especially for the first review
16:55 tcaud2 that's not the first review.
16:55 tcaud2 It was updated.
16:56 tcaud2 it's not a huge task.
16:56 tcaud2 I think you could finish it in a couple hours.
16:56 jorgev by first review I mean it hasn't been approved before
16:56 tcaud2 but it has been approved previously.
16:56 tcaud2 hasn't it?
16:57 John-Galt It hasn't
16:57 tcaud2 well it's been 9 months.
16:57 tcaud2 or thereabouts.
17:00 John-Galt It's true, I'd have liked it to have been reviewed months ago. But it's been a busy year, and the several hours it would take to review that add-on could be used to review dozens of others.
17:01 John-Galt I'm also not especially happy about the idea of that add-on existing or being hosted on AMO, so it's not an especially high priority. But I will get to it soon, now that queue lengths are relatively low.
17:02 tcaud2 soon as in, two weeks?
17:02 John-Galt I can't give you a timeframe.
17:02 tcaud2 I don't believe you.
17:03 tcaud2 Be honest.
17:03 John-Galt *shrug*
17:04 TheOne he was
17:06 tcaud2 He's not honest about his intent to not review it.
17:07 John-Galt I think this conversation is over.
17:09 tcaud2 It's clear that you don't want to do it, hence you won't do it unless someone forces you to. But you're the boss and you've expressed your reservations, while manipulating the author of the addon. You might as well be president telling the government not to observe a law you don't like.
17:10 jorgev as much as I like fascism analogies, this is getting very derailed
17:10 jorgev I acknowledge that the waiting time for your add-on has been absurd
17:10 jorgev and I do think it should be reviewed soon (say, within the next month)
17:10 jorgev but we can't give you any promises
17:11 jorgev also, given that your add-on is targeted to a very specific audience, I wonder why it is so dependent on AMO
17:11 jorgev it's been around for over a year and has about 40 users
17:12 jorgev so I don't think it's that unreasonable for it to be a low priority given its complexity and potential for security problems
17:12 tcaud2 because people associate AMO reviews with trustworthiness.
17:12 tcaud2 but I'm done. I got what I came for.
17:12 tcaud2 BTW, I'm not the author.
17:13 rctgamer3 jorgev: replied to your needinfo
17:13 jorgev that's good to know
17:13 tcaud2 I'm an associate.

Now, a bit of interpretation and analysis, given the players and factors at hand.

The current state of the software industry is emblematic of a confluence of interest between Mozilla, Microsoft, and Google. Java has been weakened both by Oracle's incompetence and pushes by these Big 3 to label it a hazard and make it hard to use (in the current version of Firefox, starting Java apps is a stability hazard as I'm sure you've noticed). What would be a future of apps driven by the browser has been eclipsed by a dominant, but not universal, ethos that browsers are meant to surf the internet, not replace the Windows/Linux desktop. Browser-based Javascript is, in its current state, the easiest programming language to develop with, thanks to HTML 5. But HTML 5 is held back by the problem of extremely tight security, which favors cloud-based solutions. The cloud-based future the web-app proponents say is coming, however, probably won't truly happen given the power of the phone/cable internet companies. They will see to it that there are always people who can't afford high speed internet, and that's where hard drives and offline apps come in.

As we can infer from the logs above, all of the browser makers fear being labeled as "insecure". It was the perception of insecurity that drove businesses away from IE in the mid 2000s. This police-state ethos of over-protectiveness, to the point of protecting users from themselves, creates an effective power umbrella that the Big 3 find exclusive opportunity in. Microsoft can continue to count on people remaking their software every 3-4 years for their new Windows version (and dropping out of the market if they don't). Google can push its terrible app system and crowd phone storage until users find they must buy new phones whether or not the processing and memory needs of their phone are otherwise sufficient. The system benefits the bigger players and makes things very hard on the smaller players, the small time app devs, because they waste time trying to keep their old apps current, causing them to lose opportunity to develop new apps, which results in lost revenue. Android, as you all know, is just as bad if not worse than Windows for this. Mozilla is creating an app store based around Javascript, which one might think a hallmark of stability because of the seeming eternity of web standardization. However their constantly shifting non-standard APIs create software dysfunction within a couple years of release. Beyond that, these three forces are now the controlling powers in the standardization process itself.

Why the focus on protecting users even at the risk of their own ire? Part of the issue is that schools and businesses are major consumers of browsers. The needs of individuals do not necessarily overlap with those of organizations, but it's easier to develop one single app and apparently the people at Mozilla have just enough of a strange combination of overconfidence and self-delusion to think they can force an app tailored for businesses on users. As such we're spoon-fed increasing amounts of drivel by all three browser vendors that "users want" a virtual nanny telling them what they can and can't do with their browser. (You can judge for yourself whether or not they are crassly attempting to manipulate my position on this from the logs.)

But if you take anything from the logs, it should be this: all three browser makers intend to ignore the wishes of individual users in pursuit of the personal agendas of the personalities calling the shots. As soon as Firefox began becoming popular, Google began hiring on its developers for their Chrome project -- it's well understood at Mozilla that playing Google's game is good for your career. Google's interests are ultimately not our interests. Mozilla subsists on Google's dime, and will remain supported by Google for as long (which it's currently attempting to sustain by growing its market share in developing countries, even as it loses share in the west).

AsYouWish stands in opposition to this gambit. It is an addon for Firefox that enables local file access by webpages as the user wishes. This functionality was formerly standard, but was eliminated a couple of years ago due to it posing a "hazard" for users who were too incompetent to determine whether a request by a website for local file access was safe or unsafe. Server admins who relied on the functionality balked, and AsYouWish was created as a compromise. Although it is possible to access the file system through the addons API (without being forced to use a hard-to-explain sandboxed "virtual file system", as per Chrome), the addon API is extremely cumbersome to program, requiring a maze of callbacks and supporting infrastructure for all but the simplest tasks (you can read Mozilla's justification for this madness above). In contrast, the same thing can be done via AsYouWish in a few minutes. There are some problems with AsYouWish; particularly, it doesn't work on mobile. It's also heavily disliked by Mozilla. Although the author is a teacher by trade who insists it is safe, and was developed with advice from Mozilla staff, certain individuals at Mozilla are dogmatically fixated on the belief that browsers and local file access don't mix. As you read above, they are noncommittal to giving it a place in Mozilla's addons gallery to the point of unfairness and dishonesty.

While AsYouWish may provide a temporary fix, my views on this matter are more long range. I see an intrinsic conflict of interest between Mozilla and home users. Many of its users (perhaps even a majority) have stuck with it because it's the anti-Google, the browser of freedom. Google may say it's "not evil", but for all its progressive social values its attitude towards users isn't very different from Microsoft's, because it's a company that looks to maximize its own potential in everything it does. The days of wide-eyed idealism that made Firefox what it was are long gone at Mozilla, and as such it no longer coincides with the sensibilities and values of many of its users. The time has come for a fork, "Freedom Fox", which provides a Mozilla build that incarnates the values of the people who originally created it, the values of respect for user discretion and freedom. A browser for people who feel smart enough, capable enough to determine for themselves what websites are threatening and which aren't. A browser that is respectful enough not to ridicule users with the notion that they aren't intelligent enough. A browser that respects user preferences and expectations enough that it won't force radical redesigns on them that increase bugs and hamper usability. That is what the people signed up for. That's what is needed today, to restore freedom in the software industry and to help it grow to meet the potential of tomorrow.

MicroGoog has overtaken everything else. Let this be our last stand!