Developing Firefox Extensions with GNU/Linux

Posted by Zonk on Sat Sep 10, 2005 03:33 PM
from the extend-the-browser-extend-the-fun dept.
QT writes "Ars Technica has a lengthy but useful introduction to developing Firefox extensions with GNU/Linux. This guide comes hot on the heels of the RC for Beta 1 of Firefox. The article is a little more thorough than necessary, but I can't complain about anything that spurs Firefox development." From the article: "What can you do with a Firefox Extension? Firefox extensions can modify the Firefox user interface. This includes adding buttons to tool bars and menus; changing fonts, colors, and icons; capturing events in the client interface like page loads and clicks; and modifying web pages after the browser loads them and before the user sees them. All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox. Extensions can add protocol handlers, hooking actions to URLs like icq://, aim://, or stantz://. Extensions have UniversalXPConnect privileges, allowing them to harness any XPCOM component. Firefox comes with a rich library of XPCOM components that permit your extension to drive very low-level functionality like sockets from Javascript. You can also augment the XPCOM library with Firefox extensions by adding Javascript, linkable libraries, or XPIDL."
  • since these things have full access to the local machine, remind me why we love extensions and hate activex?
    • Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

      On the other hand, I allow all of my software to update themselves automatically, I allow everything that has extensions to install them automatically when I request an extension, and I trust that virtually any program I run across will be ok.

      And I've only seen two viruses in the last 2 decades (except on my brother's Amiga), both of which were on computers or hard drives that I i
      • Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

        In theory, Firefox is a browser for the masses and is designed to supplant Internet Explorer. If Firefox has a userbase that's more technically sophisticated than other browsers, that only means that there's more work to do.

        So please quit blowing yourself by thinking Firefox is l33t d00d software -- it isn't. The whole goal is stripped down and simple for the ordinary IE user.

        Now i
        • "I'm sure at some point a signing mechanism like Authenticode will be deemed necessary."

          Just like signed ActiveX?

          Anyone can sign something. For signing to work you need a trusted registry/organisation to cryptographically sign things and use a whitelist system to reject untrusted signatures, just like SSL certificates. But we aren't talking about certificates we're talking about code. Anytime someone sticks an official stamp on something people start expecting the official stamper/supposed quality assurer to
          • No, I don't think signing is a cure-all, but it does minimize one social exploit. Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash.

            If firefox becomes popular, it's possible there would be a ton of fake "Ad Block" and "Tab Browser" extensions, and signing is pretty much the only way to stop it.

            If you want to see an example of this in action, search Google for "eMule", the opensource filesharing client. About 90% of the links go to
            • "Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash."

              Very very true. The problems with ActiveX all stem from uninformed users clicking yes to that XXX Toolbar popup.

              I definitely think it'd be a good idea for Mozilla to implement a community page for every extension any firefox browser anywhere tries to install from a remote location. Something much like the current extension directory, but inclusive of extensions not even hosted th
              • The trust ratings and user comments need to be safe from poisoning and therefore moderated

                Keep in mind that Kazaa was the run-away most popular filesharing client for years, despite all of the well-known spyware it came with.

                If you want to moderate all of the "wrong" opinions or just plain spam on this proposed BBS, you might as well just skip a step and put the Cabal directly in charge. (Whether that would be mozilla.org is unlikely, I think.)

                And since your proposal relies on hashes, browser support, and so
        • Exactly what I was thinking. Assume Firefox has 90% market share. One gets a (spam-)mail in, asking it to visit stated link. The link gives the user a request to install a certain Firefox extension. The user thinks it is safe, because that is the sole reason he/she installed Firefox in the first place (with the upcoming IE 7 there really aren't any more standing reasons yet). And there you go, a fully open browser, with access to the filesystem, throwing all the information needed for anything nasty, right
      • Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

        Sounds like double-standards to me. "ActiveX and Firefox extensions are fundamentally the same thing, but one is good and one is bad because Firefox users are smarter". Surely the same "educated user" would also have no problems with ActiveX, in which case, where's the real difference?

        • Sounds like reality. I've yet to see an evil extension, and you're welcome to create a proof of concept for us. Strangely, even if you succeed, it will be news and a frontpage story here on slashdot... and within a few days, we'll have protections against it.

          Never mind that you can't install any extensions by default anyway, unless they're from a trusted domain... and you can't even click through.

          When the game of evil is over, and the score tallied, its activeX 1,635,498 vs firefox extensions 2. That should
          • With ActiveX the code is loaded when I visit the page, for the average user there is no choice if the code will run; since the default settings typically aren't changed.

            What you say simply isn't true. I just booted up XP to check. The default settings are to prompt the user for signed controls and to ignore unsigned controls altogether.

    • Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent. Because Firefox is open source, any security vulnerability will be patched immediately and delivered seamlessly to every Firefox user.

      Because Firefox has such a low market share, it is simply not profitable to deploy spyware extensions for it.
      • Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent.

        Are there open IE bugs that allow this? Both products are susceptible to any worm/trojan dropping a malicious extension into the user's profile and/or whitelisting other sites.

        Because Firefox has such a low market share, it is simply not profitable to deploy spyware extensions for it.

        Security through low marketshare?! There have been malicious ads/extensions that have targeted fi

    • by jd142 (129673) on Saturday September 10 2005, @04:17PM (#13527810) Homepage
      They don't have full access to the local machine, they only have the user's access to the local machine. There's an important difference.
    • by moonbender (547943) <moonbender.gmail@com> on Saturday September 10 2005, @04:35PM (#13527921)
      Simple: ActiveX was and is often used by websites to extend website functionality. For instance, Microsoft uses it to implement the functionality of its Windows Update website. Trend Micro uses it to implement the functionality of its house call anti virus service. And so on. Of course there isn't anything inherently bad about it, both examples are very useful. It would be very insecure, though, to allow untrusted sites to extend their functionality this way, and it would have been very bad if ActiveX had been a standard repertoire of web design in the way that Flash is, for example.

      Firefox extensions are quite different. They typically extend the functionality of the browser, independent of the web sites you might use. I say typically because there are counterexamples, for instance extensions designed to make working with Wikipedia easier. But this is the exception, not the norm. Firefox extensions aren't "meant" to be used by a lot of different web sites, and people would find it quite strange if they were required to install an extension for viewing just one web site.

      So maybe the technology is similar (I wouldn't know), the way they are typically used, and were designed and meant to be used are quite different.
      • Good point -- it always helps to clear up the terminology before diving too deep into a flamewar. Mozilla has developed a bunch of technologies that have rough equivalence to IE tech:

        Netscape Plugins =~ ActiveX control
        XPInstall =~ "ActiveX Web Distribution" (may not be the official name)
        Firefox Extensions =~ Browser Helper Objects (BHOs)

        The confusion I think is that most BHOs use ActiveX Distribution as the installation mechanism.

        (And the other confusion is that MS has defined the term "ActiveX" in 9 differe
    • As someone else already pointed out, there's no way to install them without user interaction and consent.

      Also, Mozilla extensions are inherently open-source. You can simply unzip the .xpi, then unzip the .jar and look at the code. And that's all that they are - ECMAscript and XUL. That makes them cross-platform, too.

      They're a lot easier to trust and a lot more likeable than ActiveX controls, don't you think?
      • Yes, because Firefox is a Linux/Unix only program. Gotcha. I totally understand now :)
        • Everyone needs to realize that this is indeed needed functionality. What kind of browser would it be if you couldn't save a .zip file or anything else to your hard drive? Any program you've ever used has the ability to be harmful. Let me repeat that: Any program you've ever used has the ability to be harmful.
          It's all the ability to trust what you're putting on your hard drive to begin with. I run Windows on one box and Linux on the other. I tend to run OSS software on my Windows box too. Why? Becau
  • by Anonymous Coward on Saturday September 10 2005, @03:38PM (#13527631)
    Where's my bittorrent:// protocol??!?!

    I would love to simply do a bittorrent from firefox. I think that'd spur a lot more users and make it easier to... um... *LEGAL* download torrents... (like knoppix, fedora, etc.)

    Bring on the torrents!!!
  • In other words... (Score:5, Insightful)

    by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Saturday September 10 2005, @03:48PM (#13527679) Homepage Journal
    Firefox extensions are useful and powerful tools when used correctly, yet have the ability to easily become malicious and destructive if the user doesn't pay attention.

    Hmmm, sounds a lot like ActiveX. While the main intent for the two is a little different (browser tweaking vs. client-side scripting & server interaction), both require users to make informed decisions. People going on about how Firefox is so much safer because it doesn't support ActiveX might need to consider dropping that argument. As Firefox's market share grows, so will the number of websites that advertise Firefox plugins, and unaware users will be just as susceptible to malware and viruses as they were with IE.
    • Re:In other words... (Score:4, Informative)

      by Unordained (262962) <unordained_slash ... @pseudotheos.com> on Saturday September 10 2005, @04:19PM (#13527818) Homepage
      It seems like it'd be nice if apps like Firefox were routinely (!) run as a user with fewer privs than the actual user sitting at the terminal. I know it needs -some- disk access for cache, etc. and some access to the user's files (when uploading or downloading specific files) but on the whole it'd be nice to have some sort of mechanism in place to keep apps from accessing things when they shouldn't. The view that an app should only have access to the current user's files is okay, but not ideal -- users still don't want their own setup trashed by some tricky extension, even if the rest of the host computer is fine. In a multi-user environment, that's not so easy ... creating a new user, for every app/user combination, that provides exactly the access required by the app and no more. Lots of maintenance.

      I'm not sure that users would be very accepting of an environment in which they were asked each time an app requested a new file handle -- "would you like to allow Firefox to access /home/unordained/file1.txt in read-only mode?" ... "would you like to allow p2p-app-1 to open a socket to ip xxx.xxx.xxx.xxx?" ... "would you like to allow some-app-2 to change the following registry keys?" ... but that is, (without the annoyance) what I'd like. Our computing environments are just far too unsafe for the average user.

      Suggestions? Existing (partial) solutions? (This is your opportunity to go on at length about your preferred, overly-safe-for-you operating system, and for others to trash it on grounds of any remaining work-arounds.)
    • How is "download virus.xpi here idiot" any different from "download virus.exe here idiot"?

      Stupid people are stupid, they make the Internet and the world a worse place for all of us. It's too bad I don't have the time to spend to revoke all of their life certificates.
      • by SimHacker (180785) * on Saturday September 10 2005, @06:59PM (#13528697) Homepage Journal
        Noksagt, you are wrong, and spreading some common misconceptions, which you should stop repeating.

        XPCOM extensions for Firefox are compiled binary machine language files, which have just as much access to your system as ActiveX controls do. Firefox XPCOM extensions are no more secure than ActiveX controls. Binary ActiveX and XPCOM controls are useful for situations where you need to do things that JavaScript doesn't support, like shaping the window of a pie menu [piemenus.com] (an open source ActiveX component, that you can download the source code if you like).

        Internet Explorer has something similar to the way you can write Firefox extensions in JavaScript and UIL. But that's a totally different thing than binary ActiveX controls and behaviors, and it severely restricts what you can do.

        You can script trustable ActiveX controls for Internet Explorer called "Dynamic HTML Behavior Components", using JavaScript (or any other ActiveX compatible scripting languages), XML and DHTML.

        For example, user interface components like JavaScript Pie Menus for Internet Explorer [piemenus.com] or the Run On Sentence dynamic text animation style [piemenus.com] run with the same restrictions as JavaScript in the browser, so they can't access files or shape popup windows. (Also open source).

        -Don
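
Added example, not part of the thread or of any poster's code: the comments above disagree on whether an .xpi holds only readable ECMAScript and XUL or can also carry compiled XPCOM components, and unpacking the package settles that for a given extension. The Python sketch below walks an .xpi, descends into nested .jar archives, and flags members whose leading bytes mark a native binary; the sample package, its file names and the size and depth limits are constructed for illustration.

```python
import io
import zipfile

# Leading magic bytes of native executable formats.
NATIVE_MAGIC = {
    b"\x7fELF": "ELF",                       # Linux/Unix shared objects
    b"MZ": "PE",                             # Windows DLL/EXE
    b"\xfe\xed\xfa\xce": "Mach-O", b"\xce\xfa\xed\xfe": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O",
}
# Text formats a reviewer can read directly (assumed list, extend as needed).
READABLE_EXT = (".js", ".xul", ".rdf", ".css", ".dtd", ".xml", ".properties")
MAX_DEPTH = 3                        # assumed limit on nested archives
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed cap against zip bombs


def classify(name, data):
    """Label one archive member by content first, then by extension."""
    for magic, kind in NATIVE_MAGIC.items():
        if data.startswith(magic):
            return "native:" + kind
    if name.lower().endswith(READABLE_EXT):
        return "readable"
    return "other"


def audit_archive(blob, prefix="", depth=0):
    """Return (path, verdict) for every file, descending into nested zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "skipped:too-large"))
                continue
            data = zf.read(info)
            if not data.startswith(b"PK\x03\x04"):
                findings.append((path, classify(info.filename, data)))
            elif depth + 1 < MAX_DEPTH:
                findings.extend(audit_archive(data, path + "!/", depth + 1))
            else:
                findings.append((path, "skipped:nesting"))
    return findings


def native_components(blob):
    """Paths of members that are compiled code rather than script or markup."""
    return [p for p, v in audit_archive(blob) if v.startswith("native:")]


def build_sample_xpi():
    """Constructed sample: a chrome .jar of script/XUL plus a fake ELF stub."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("content/overlay.xul", "<overlay/>")
        zf.writestr("content/overlay.js", "function hello() {}")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/sample.jar", jar.getvalue())
        zf.writestr("components/sample.so", b"\x7fELF" + b"\x00" * 12)
    return xpi.getvalue()


if __name__ == "__main__":
    for path, verdict in audit_archive(build_sample_xpi()):
        print(f"{verdict:12} {path}")
```

Any path returned by `native_components` is code that cannot be reviewed by reading the unpacked files, which is the distinction the thread is arguing about.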

      • Re:anti-ActiveX (Score:4, Interesting)

        by Noksagt (69097) on Saturday September 10 2005, @07:58PM (#13528947) Homepage
        They are better sandboxed than IE ActiveX controls used to be.
        Here, I made a (rightly well-criticized) misstatement. I'm wrong. Both XPCOM and ActiveX can execute with full user privileges.

        As I said, though: webpages could tell IE (at least used to) where to download an ActiveX control. If the control was not already installed, IE would automatically download and install the control from the specified source. In firefox, the page must be whitelisted before extensions could be downloaded. Can someone tell me if IE has changed to the whitelist model yet? Last I heard, they were even maintaining a list of malicious ActiveX controls. This seemed inane to me, as there is most likely more malicious junk out there than truly useful controls.
  • by Elrac (314784) <[moc.zcirtoms] [ta] [lrac]> on Saturday September 10 2005, @03:53PM (#13527706) Homepage Journal
    All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox.
    But... but... isn't it just this extreme flexibility that represents the biggest Achilles heal (sic) of Outlook and IE? Isn't this what Mozilla proudly avoids?

    I realize that there are some differences, such as the fact that the red carpet is only rolled out for extensions the user trusts, but... when you advertise Firefox to dummies, your trusting users will BE dummies!
  • Has anyone seen galley copies of Pro Firefox: Extension and Application Development [amazon.com]? Or does anyone have any other suggestions for dead-tree guides for developing firefox extensions? I know of books [amazon.com] on [amazon.com] XUL [amazon.com], but none targeted for basic extension programming.
  • More Resources (Score:5, Informative)

    by stoolpigeon (454276) <bittercode@gmail> on Saturday September 10 2005, @04:57PM (#13528052) Homepage Journal
    These are a few sites that I found helpful. Some are a little old but I got something out of all of them.

    http://www.xulplanet.com/ [xulplanet.com]
    http://kb.mozillazine.org/Dev_:_Extensions [mozillazine.org]
    http://roachfiend.com/archives/2004/12/08/how-to-create-firefox-extensions/ [roachfiend.com]
    http://businesslogs.com/technology/firefox_extension_tutorial.php [businesslogs.com]
    http://www.bengoodger.com/software/mb/extensions/packaging/extensions.html [bengoodger.com]
    http://mozilla-firefox-extension-dev.blogspot.com/ [blogspot.com]
    http://books.mozdev.org/index.html [mozdev.org]
    http://www.mozilla.org/xpfe/gettingstarted.html [mozilla.org]

    Of course another good way to learn about extensions is to download a few and look at the code. That has probably been the biggest help to me once the tutorials, etc. gave me the basic idea of what is going on.
  • by null etc. (524767) on Saturday September 10 2005, @05:05PM (#13528098)
    The article is a little more thorough than necessary

    ...followed by a 146-word "excerpt" from the article.

    • It's called Thunderbird, not Firebird.
    • I would really like is the ability to click on one or a group of e-mail and send back to the sender (or whatever e-mail address the lying spammer has used for the reply address)This is a bad idea because, as you noted, most spam spoofs FROM: and/or REPLY TO:


      Instead of bouncing spam, you just harass & send spam to some poor guy who had his email address borrowed by some spam bot. Congratulations! You just became as bad as the spammers.
      • Yeah--my overzealousness to point out how bad an idea this was made me miss a BLOCKQUOTE tag.

        I would really like is the ability to click on one or a group of e-mail and send back to the sender (or whatever e-mail address the lying spammer has used for the reply address)

        This is a bad idea because, as you noted, most spam spoofs FROM: and/or REPLY TO:

        Instead of bouncing spam, you just harass & send spam to some poor guy who had his email address borrowed by some spam bot. Congratulations! You just became

    • -1 Flamebait.

      Discussing the security vulnerabilities is entirely appropriate, but bringing them up on every Firefox article when it is completely off-topic is flamebait.
    • > Does no one even try to edit these things?

      There's a common saying around here...what is it? Oh yes: "You must be new here!" Or was that a rhetorical question? :)

      > You do realize that these mistakes distract readers' attention

      And if you've ever had your site slashdotted, you're probably grateful for anything that distracts some percentage of the readers. :)
    • by TheSpoom (715771) * <slashdot&uberm00,net> on Saturday September 10 2005, @05:58PM (#13528373) Homepage Journal
      When should you use a Firefox extension?

      Only when you're EXTENDING FIREFOX.

      If your website requires an extension (or, for that matter, ActiveX) to work, you're simply coding it incorrectly.

      Possible exceptions include Windows Update, but even then, Microsoft coded that as part of the OS in XP, so the web portal really isn't necessary.