Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Programming Mozilla The Internet IT Technology

Developing Firefox Extensions with GNU/Linux 146

QT writes "Ars Technica has a lengthy but useful introduction to developing Firefox extensions with GNU/Linux. This guide comes hot on the heels of the RC for Beta 1 of Firefox. The article is a little more thorough than necessary, but I can't complain about anything that spurs Firefox development." From the article: "What can you do with a Firefox Extension? Firefox extensions can modify the Firefox user interface. This includes adding buttons to tool bars and menus; changing fonts, colors, and icons; capturing events in the client interface like page loads and clicks; and modifying web pages after the browser loads them and before the user sees them. All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox. Extensions can add protocol handlers, hooking actions to URLs like icq://, aim://, or stantz://. Extensions have UniversalXPConnect privileges, allowing them to harness any XPCOM component. Firefox comes with a rich library of XPCOM components that permit your extension to drive very low-level functionality like sockets from Javascript. You can also augment the XPCOM library with Firefox extensions by adding Javascript, linkable libraries, or XPIDL."
This discussion has been archived. No new comments can be posted.

Developing Firefox Extensions with GNU/Linux

Comments Filter:
  • this reminds me... (Score:2, Insightful)

    by QunaLop ( 861366 )
    since these things have full access to the local machine, remind me why we love extensions and hate activex?
    • by XO ( 250276 )
      Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

      On the other hand, I allow all of my software to update themselves automatically, I allow every thing that has extensions to install them automatically when I request an extension, and I trust that virtually any program I run across will be ok.

      And I've only seen two viruses in the last 2 decades (except on my brother's Amiga), both of which were on computers or hard drives that I i
      • Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

        In theory, Firefox is a browser for the masses and is designed to supplant Internet Explorer. If Firefox has a userbase that's more technically sophisticated than other browsers, that only means that there's more work to do.

        So please quit blowing yourself by thinking Firefox is l33t d00d software -- it isn't. The whole goal is stripped down and simple for the ordinary IE user.

        Now i
        • by baadger ( 764884 )
          "I'm sure at some pont a signing mechanism like Authenicode will be deemed necessary."

          Just like signed ActiveX?

          Anyone can sign something. For signing to work you need a trusted registry/organisation to cryptographically sign things and use a whitelist system to reject untrusted signitures, just like SSL certificates. But we aren't talking about certificates we're talking about code. Anytime someone sticks an official stamp on something people start expecting the official stamper/supposed quality assurer to
          • No, I don't think signing is a cure-all, but it does minimize one social exploit. Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash.

            If firefox become popular, it's possible there would be a ton of fake "Ad Block" and "Tab Browser" extentions, and signing is pretty much the only way to stop it.

            If you want to see an example of this in action, search Google for "eMule", the opensource filesharing client. About 90% of the links go to
            • by baadger ( 764884 )
              "Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash."

              Very very true. The problems with ActiveX all stem from uninformed users clicking yes to that XXX Toolbar popup.

              I definately think it'd be a good idea for Mozilla to implement a community page for every extension any firefox browser anywhere tries to install from a remote location. Something much like the current extension directory, but inclusive of extensions not even hosted th
              • The trust ratings and user comments need to be safe from poisoning and therefore moderated

                Keep in mind that Kazaa was the run-away most popular filesharing client for years, despite all of the well-known spyware it came with.

                If you want to moderate all of the "wrong" opinons or just plain spam on this proposed BBS, you might as well just skip a step and put the Cabal directly in charge. (Whether that would be mozilla.org is unlikely, I think.)

                And since your proposal relies on hashes, browser support, and so
              • How about just have the browser automatically check the URL of the extension the user has asked to install (wether knowing so or not) with some database on mozilla.org, at which point, it will automatically bring you anything known about that extension, and it would be required that you at least acknowledge it?
                • That'd work but I suspect the first wave of dodgy scam URL's that are smart enough to exploit firefox users would also be smart enough to thawte this just by introducing a random string into the URL on each hit.

                  Theres also no gaurentee the domain/IP will remain the same..and then there's the privacy issue of sending mozilla url's of extensions you're trying to install.

                  Thats why i suggested some kind of heuristic/hash mechanism on the code.
        • by FST777 ( 913657 )
          Exactly what I was thinking. Asume Firefox has 90% market share. One gets an (spam-)mail in, asking it to visit stated link. The link gives the user a request to install a certain Firefox extension. The user thinks it is save, because that is the sole reason he/she installed Firefox in the first place (with the upcoming IE 7 there really aren't any more standing reasons yet). And there you go, a fully open browser, with access to the filesystem, throwing all the information needed for anything nasty, right
          • I think the svg/canvas support could quickly become a reason.

            Check this [geocities.com] out for a simplistic demo of canvas support. (Must have Deer Park Beta 1 or greater)

            Check the source code. Everything is written in javascript. Security doesn't sell browsers to non tech people. Cool widgets sells browsers to people.

            The insecurity of the extensions can be fixed. Even right now firefox has a "OMG WTF THIS COULD BE BAD!!!" screen when you are installing an extension from a new site. You have to go through 3 pages to add t
          • I didn't say that Firefox users should be the most intelligent. I said that it's automatically assumed that Firefox users will be more intelligent. Why is this? Because it's developed by open source developers. I have never found a single open source project that had "ease of use for non-developers" as any point that it was ever striving for.

        • So please quit blowing yourself by thinking Firefox is l33t d00d software -- it isn't. The whole goal is stripped down and simple for the ordinary IE user. - 0h, p|3453, 5ur3 17 15 |337 d00d 50f7w4r3!

        • As we all know, the elite don't run browsers. We use telnet.
      • Because in theory, someone educated enough to run Firefox would also be educated enough to not allow it to run untrusted things.

        Sounds like double-standards to me. "ActiveX and Firefox extensions are fundamentally the same thing, but one is good and one is bad because Firefox users are smarter". Surely the same "educated user" would also have no problems with ActiveX, in which case, where's the real difference?

        • His argument did sound like that...for me it has to do with implementation. With ActiveX the code is loaded when I visit the page, for the average user there is no choice if the code will run; since the default settings typically aren't changed.

          With Firefox extensions I have to install the code, the page I am visiting does not make that choice for me. It is possible to install from different sites, but that requires changing the default settings...which most users won't do.

          There is also the issue that an
          • by Bogtha ( 906264 )

            With ActiveX the code is loaded when I visit the page, for the average user there is no choice if the code will run; since the default settings typically aren't changed.

            What you say simply isn't true. I just booted up XP to check. The default settings are to prompt the user for signed controls and to ignore unsigned controls altogether.

            • Then that's a recent change, are you running SP2? I have a machine running Windows but the settings were changed from the defaults too long ago to know what SP2 might have altered in that respect.

              In thinking about this a little more there is also the issue of users checking the box to trust code signed by the same source. For example, all code signed by Microsoft; which could then open them to insecure code that had been previously signed....unless their browser is also set to check revocation lists (and
              • Recent as in last year... Yes - keep in mind that by the time firefox had been published with such functionality - the lesson had already been learned by MSFT users around the globe. Thus its incredibly easy to say "oh firefox already HAD that".

                The *idea* of self installing extensions is a good one really. Its unfortunate that our trust as end users continues to be exploited.
              • default on XP pre-SP2 (I just checked, as I don't have SP2 on this box) is to ask for any code.
                  I think it was 5.5 IE that had the defaults to run anything signed automatically, and prompt for unsigned.
        • Sounds like reality. I've yet to see an evil extension, and you're welcome to create a proof of concept for us. Strangely, even if you succeed, it will be news and a frontpage story here on slashdot... and within a few days, we'll have protections against it.

          Never mind that you can't install any extensions by default anyway, unless they're from a trusted domain... and you can't even click through.

          When the game of evil is over, and the score tallied, its activeX 1,635,498 vs firefox extensions 2. That should
          • I've yet to see an evil extension

            So? You aren't seriously suggesting that it's difficult or impossible, are you? The Greasemonkey extension introduced a vulnerability by accident. You don't think the same thing can be done on purpose? Or is your opinion that it's just unlikely for anybody to do it? That's security by obscurity.

            When the game of evil is over, and the score tallied, its activeX 1,635,498 vs firefox extensions 2. That should tell you something.

            ActiveX has been in use for almo

            • Yeh. Find me someone that was nailed by the accidental vulnerability. Hell, find me someone that didn't upgrade. Maybe you're just one of the naysayers, but it always strikes me how firefox issues always end up being theoretical. Proof of concept.

              Yeh, I like to make numbers up, but I forgot to label it sarcastic. Fuck you, loser.

              I look forward to your next post, where you accuse Google of being run by the devil simply because they might do something lowlife in the future...
              • Find me someone that was nailed by the accidental vulnerability.

                So it is security by obscurity that you are preaching?

                Maybe you're just one of the naysayers

                Actually, I'm a Firefox user, I just don't feel the need to assert its superiority at every available opportunity, regardless of its merits.

                it always strikes me how firefox issues always end up being theoretical.

                Malware writers tend to target the most popular software. Firefox has been targeted too, though. Here's the first refere [slashdot.org]

                • >>Find me someone that was nailed by the accidental vulnerability.

                  >So it is security by obscurity that you are preaching?

                  Security by obscurity has a simple definition. It's "microsoft keeps bugs secret, so hackers can't use them!". Firefox, and its extensions, are open source. There is no such thing, dufus. What I meant is "show me the victims". It would be astronomically unlikely for there to be no victims for no other reason than "good luck". So if there are none (and you haven't produced any),
          • Sounds like reality. I've yet to see an evil extension, and you're welcome to create a proof of concept for us. Strangely, even if you succeed, it will be news and a frontpage story here on slashdot... and within a few days, we'll have protections against it.

            Against what ? If extensions can write to disk (which they can, downTHEMall! being a good example), they can write nasty things there. You disable that functionality, and DownTHEMall! stops working.

            These are not Java applets we are talking about h

            • Yeh, I understand, you don't. Again, you keep talking about _when_ firefox extensions do something bad, I'm still in _if_. That's its theoretically possible, no one denies... all software is theoretically exploitable.

              You people like to talk about marketshare being the significant factor (it just hasn't happened yet, because no one uses it). Me, it's starting to seem like maybe there is another factor, a social one that's a (the?) significant factor. Maybe good intentions do count for something.

              I like to try
              • by Anonymous Coward

                I like to try out extensions from time to time, and yet, somehow I'm still safer than I ever could be using IE.

                That safety is an illusion. I saw one extension (or it might have been a Greasemonkey script; the difference isn't important as it could have been either for this vulnerability to work) that was intended to serve as a browser-based single sign-on. It passed all the passwords to Javascript dynamically loaded from an external site. Purportedly, this was because it started out life as a bookmarkle

    • Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent. Because Firefox is open source, any security vulnerability will be patched immediately and delivered seamlessly to every Firefox user.

      Because Firefox has such a low market share, it is simply not profitable to deploy spyware extensions for it.
      • Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent.

        Are there open IE bugs that allow this? Both products are susceptible to any worm/trojan dropping a malicious extension into the user's profile and/or whitelisting other sites.

        Because Firefox has such a low market share, it is simply not profitable to deploy spyware extensions for it.

        Security through low marketshare?! There have been malicious ads/extensions that have targeted fi

        • Because Firefox has no security vulnerabilities that would allow extensions to be installed without the user's explicit consent.

          Are there open IE bugs that allow this? Both products are susceptible to any worm/trojan dropping a malicious extension into the user's profile and/or whitelisting other sites.

          Um, if you already got a trojan into a system, why would you bother to have it whitelist anything, instead of just doing whatever nastiness the extension was supposed to do ?

          Doesn't make much sense t

        • "Security through low marketshare?!"

          works for Apple.
    • by jd142 ( 129673 ) on Saturday September 10, 2005 @04:17PM (#13527810) Homepage
      They don't have full access to the local machine, they only have the user's access to the local machine. There's an important difference.
    • Well, on a Linux or Unix system, it gets nicely sandboxed by the permissions system. Running a program as user simply doesn't give the program root authority.

      ActiveX on the other hands, runs on Windows, and has basically full root access to the machine.

      See the difference?
      • Yes, because Firefox is a Linux/Unix only program. Gotcha. I totally understand now :)
    • by moonbender ( 547943 ) <moonbender@NosPaM.gmail.com> on Saturday September 10, 2005 @04:35PM (#13527921)
      Simple: ActiveX was and is often used by websites to extend website functionality. For instance, Microsoft uses it to implement the functionality of its Windows Update website. Trend Micro uses it to implement the functionality of its house call anti virus service. And so on. Of course there isn't anything inherently bad about it, both examples are very useful. It would be very insecure, though, to allow untrusted sites to extend their functionality this way, and it would have been very bad if ActiveX had been a standard repertoire of web design in the way that Flash is, for example.

      Firefox extensions are quite different. They typically extend the functionality of the browser, independent of the web sites you might use. I say typically because there are counterexamples, for instance extensions designed to make working with Wikipedia easier. But this is the exception, not the norm. Firefox extensions aren't "meant" to be used by a lot of different web site, and people would find it quite strange if they were required to install an extension for viewing just one web site.

      So maybe the technology is similar (I wouldn't know), the way they are typically used, and were designed and meant to be used are quite different.
      • Good point -- it always helps to clear up the termonology before diving too deep into a flamewar. Mozilla has developed a bunch of technologies that have rough equivilance to IE tech:

        Netscape Plugins =~ ActiveX control
        XPInstall =~ "ActiveX Web Distribution" (may not be the official name)
        Firefox Extentions =~ Browser Helper Objects (BHOs)

        The confusion I think is that most BHOs use ActiveX Distribution as the installation mechanism.

        (And the other confusin is that MS has defined the term "ActiveX" in 9 differe
      • Right on. Firefox extensions are NOT equivalent of ActiveX per se. They're equivalent of BHOs (Browser Helper Objects).

        Of course, there's a distinct difference there as well. MSIE users first learn of these "BHO" things when run their favorite anti-spyware program and discover they have quite a few more BHOs than they thought.

        MSIE makes it easy to install BHOs. Perhaps too easy, leading to drive-by downloads.

        Firefox .xpi install mechanism has been used to spread spyware too (a long long time ago), but

      • Hmm... no, the Windows Update ActiveX control is used to ensure that only IE is used to access Windows Update. The ActiveX control is able to exceed user's security privileges to provide back certain system information that might not otherwise be possible to do otherwise for a given user.

        it would have been very bad if ActiveX had been a standard repertoire

        Well, MS *did* want it to be the way to do what Flash does now, because it wasn't as limited compared to downloaded Java controls. But I'm going to guess
        • The [Windows Update] ActiveX control is able to exceed user's security privileges to provide back certain system information that might not otherwise be possible to do otherwise for a given user.

          Umm, no. Windows Update can only be run by Administrator users, and administrators can (directly or indirectly) do anything to a system.

          ActiveX has enough real problems that there's absolutely no need to manufacture ridiclous falsehoods in order to talk it down.
    • You have to install an extension.
      Regards,
      Steve
    • As someone else already pointed out, there's no way to install them without user interaction and consent.

      Also, Mozilla extensions are inherently open-source. You can simply unzip the .xpi, then unzip the .jar and look at the code. And that's all that they are - ECMAscript and XUL. That makes them cross-platform, too.

      They're a lot easier to trust and a lot more likeable than ActiveX controls, don't you think?
      • No, Mozilla extensions are NOT inherently open source, nor are they more secure than ActiveX. We're discussing XPCOM extensions, which are compiled binaries, not JavaScript.

        Yes, there is a double standard about downloading ActiveX controls and XPCOM controls. XPCOM controls are at least as unsafe as ActiveX controls. At least ActiveX supports code signing [msdn.com], which XPCOM doesn't.

        Open source has to do with the rights you have to use the code, not just that you can read the source code. It's certainly poss

        • You don't even need to say that -- it's it copyright by default, but not open source by default.

          Whether the license on the copyrighted JavaScript says it's "open source" or not, if you can access and read the JavaScript code, it's out there in the open for all eyeballs to look at and discuss. Whether I can find a security hole or not or whether the code is obfuscated to hell or not is not really germane, nor is whether the authors know or not if the code has security holes in it, because there is probably s
    • A big part of it is that extensions are mostly managed and installed and what-not by users, not by webmasters, or whatever it is you call the guy that is building the website. That way, people without the extension aren't left out in the cold, they can still access the content, just without whatever spiffiness the extension provides.
  • by Anonymous Coward on Saturday September 10, 2005 @03:38PM (#13527631)
    Where's my bittorrent:// protocol??!?!

    I would love to simply do a bittorrent from firefox. I think that'd spur alot more users and make it easier to... um... *LEGAL* download torrents... (like knoppix, fedora, etc.)

    Bring on the torrents!!!
  • "hot the heals"? (Score:1, Insightful)

    by Anonymous Coward
    A grammar mistake and a spelling mistake in the same phrase. Learn English, guys.

    And that statment "RC for Beta 1 of Firefox" without the "v 1.5" modifier implies that Firefox is something new that is about to be released. Does no one even try to edit these things?

    You do realize that these mistakes distract readers' attention from the actual article content, right?
    • by Xtifr ( 1323 )
      > Does no one even try to edit these things?

      There's a common saying around here...what is it? Oh yes: "You must be new here!" Or was that a rhetorical question? :)

      > You do realize that these mistakes distract readers' attention

      And if you've ever had your site slashdotted, you're probably grateful for anything that distracts some percentage of the readers. :)
  • In other words... (Score:5, Insightful)

    by nmb3000 ( 741169 ) on Saturday September 10, 2005 @03:48PM (#13527679) Journal
    Firefox extensions are are useful and powerful tools when used correctly, yet have the ability to easily become malicious and destructive if the user doesn't pay attention.

    Hmmm, sounds a lot like ActiveX. While the main intent for the two is a little different (browser tweaking vs. client-side scripting & server interaction), both require users to make informed decisions. People going on about how Firefox is so much safer because it doesn't support ActiveX might need to consider dropping that argument. As Firefox's market share grows, so will the number of websites that advertise Firefox plugins, and unaware users will be just as susceptible to malware and viruses as they were with IE.
    • anti-ActiveX (Score:1, Informative)

      by Noksagt ( 69097 )

      Hmmm, sounds a lot like ActiveX.

      ActiveX can't be exploited by other browsers & also limits the architecture and OS choice. The history of security problems with ActiveX has a much richer history. I don't know how much their model has really improved. Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited. They are better sandboxed than IE ActiveX controls used to be. Firefox extension websites must be whitelisted before an install. I think IE ha

      • by SimHacker ( 180785 ) * on Saturday September 10, 2005 @06:59PM (#13528697) Homepage Journal
        Noksagt, you are wrong, and spreading some common misconceptions, which you should stop repeating.

        XPCOM extensions for Firefox are compiled binary machine language files, which have just as much access to your system as ActiveX controls do. Firefox XPCOM extensions are no more secure than ActiveX controls. Binary ActiveX and XPCOM controls are useful for situations where you need to do things that JavaScript doesn't support, like shaping the window of a pie menu [piemenus.com] (an open source ActiveX component, that you can download the source code if you like).

        Internet Explorer has something similar to the way you can write Firefox extensions in JavaScript and UIL. But that's a totally different thing than binary ActiveX controls and behaviors, and it severly restricts what you can do.

        You can script trustable ActiveX controls for Internet Explorer called "Dynamic HTML Behavior Components", using JavaScript (or any other ActiveX compatible scripting languages), XML and DHTML.

        For example, user interface components like JavaScript Pie Menus for Internet Explorer [piemenus.com] or the Run On Sentence dynamic text animation style [piemenus.com] run with the same restrictions as JavaScript in the browser, so they can't access files or shape popup windows. (Also open source).

        -Don

      • Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited. They are better sandboxed than IE ActiveX controls used to be.

        From the submission: "Extensions also have as much access to the file system as the user running Firefox." What sandboxing?

      • Re:anti-ActiveX (Score:4, Interesting)

        by Noksagt ( 69097 ) on Saturday September 10, 2005 @07:58PM (#13528947) Homepage
        They are better sandboxed than IE ActiveX controls used to be.
        Here, I made a (rightly well-criticized) mistatement. I'm wrong. Both XPCOM and ActiveX can execute with full user-priviledges.

        As I said, though: webpages could tell IE (at least used to) where to download an ActiveX control. If the control was not already installed, IE would automatically download and install the control from the specified source. In firefox, the page must me whitelisted before extensions could be downloaded. Can someone tell me if IE has changed to the whitelist model yet? Last I heard, they were even maintaining a list of malicious ActiveX controls. This seemed inance to me, as there is most likely more malicious junk out there than truly useful controls.
    • Re:In other words... (Score:4, Informative)

      by Unordained ( 262962 ) <unordained_slashdotNOSPAM@csmaster.org> on Saturday September 10, 2005 @04:19PM (#13527818)
      It seems like it'd be nice if apps like Firefox were routinely (!) run as a user with fewer privs than the actual user sitting at the terminal. I know it needs -some- disk access for cache, etc. and some access to the user's files (when uploading or downloading specific files) but on the whole it'd be nice to have some sort of mechanism in place to keep apps from accessing things when they shouldn't. The view that an app should only have access to the current user's files is okay, but not ideal -- users still don't want their own setup trashed by some tricky extension, even if the rest of the host computer is fine. In a multi-user environment, that's not so easy ... creating a new user, for every app/user combination, that provides exactly the access required by the app and no more. Lots of maintenance.

      I'm not sure that users would be very accepting of an environment in which they were asked each time an app requested a new file handle -- "would you like to allow Firefox to access /home/unordained/file1.txt in read-only mode?" ... "would you like to allow p2p-app-1 to open a socket to ip xxx.xxx.xxx.xxx?" ... "would you like to allow some-app-2 to change the following registry keys?" ... but that is, (without the annoyance) what I'd like. Our computing environments are just far too unsafe for the average user.

      Suggestions? Existing (partial) solutions? (This is your opportunity to go on at length about your preferred, overly-safe-for-you operating system, and for others to trash it on grounds of any remaining work-arounds.)
      • It seems like it'd be nice if apps like Firefox were routinely (!) run as a user with fewer privs than the actual user sitting at the terminal.

        Suggestions? Existing (partial) solutions?

        Internet Explorer 7 will have something called "low-rights IE" [msdn.com]. Another follow-up is on the IE weblog [msdn.com].

        • The upshot is to really do it right, you need operating system support for an application-based security model. No current desktop OS currently supports this kind of security -- they are all firmly rooted in the user-based security model inherited from time-sharing systems.

          That means either waiting for Vista or waiting for someone to add this security model to Linux/X11. Hopefully Firefox (and other internet software packages) will mimic IE and also have "low-rights" support on Vista.
      • What would be nice is if there was some sort of support for "sub-users", or some sort of sub-level type of users that are limited within one's user account with less privileges than the main user. So user "bob" and "joe" can each have a sub-user named "firefox" (that the app sets up for every account on the system when installed by the admin) that is limited to a small set of dirs inside the user's home directory. If the app tries accessing any dirs outside the default set of allowed dirs, the O/S should
      • Re:In other words... (Score:3, Informative)

        by cortana ( 588495 )
        You are describing SELinux [google.co.uk]. :)
      • would you like to allow Firefox to access /home/unordained/file1.txt in read-only mode?

        Make the file picker return a capability to access the file, not just the filename. Then if I want to upload a file using the web browser, picking it automatically gives Firefox permission to read it.

        would you like to allow some-app-2 to change the following registry keys?

        Firefox uses the Windows registry to set itself as the default handler for several protocols (e.g. http: [http]) and default handler for several file types (e
        • Yes - and while you're at it why not do this for all applications not just Firefox?

          It's another reason why the file picker should be part of the desktop environment (like the window manager or panel) and not implemented separately by every application.

          If your apps are GNOME apps or KDE apps then of course they use a library to display the file picker dialogue, but it's still running as part of the application. This means that the app needs to run with permission to view the whole directory tree and open an
    • Re:In other words... (Score:3, Interesting)

      by Leffe ( 686621 )
      How is "download virus.xpi here idiot" any different from "download virus.exe here idiot"?

      Stupid people are stupid, they make the Internet and the world a worse place for all of us. It's too bad I don't have the time to spend to revoke all of their life certificates.
    • Re:In other words... (Score:1, Informative)

      by Anonymous Coward
      Extensions can never be installed without you knowing it. For a website to install an extension, you have to manually add that website to a whitelist, and then you have to stare at the installation dialog for three seconds and then click install.
      The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.

      If someone is dumb enough to get a malicious extension installed with these security measures, he deserves to have his machine compromised.
      • The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.

        Really? Who checks them, and vouches for their safety? Where on that site does it say that everything is 'thoroughly checked'? And if they do stand behind everything on that site, why don't they sign them? There's clearly no coherent policy yet [mozilla.org].

        OK, so they don't write them, they won't sign them - fair enough. But then even the 'official workaround' XPI [mozilla.org] you could download to fix the ID
  • The author says, "When should you use a Firefox Extension? Only when you must." He suggests that if you can do it on the web page using DHTML, AJAX, or even XUL, that is the way you should do it. Extension writing is to be used when there are no other options.
  • by Elrac ( 314784 ) <<moc.zcirtoms> <ta> <lrac>> on Saturday September 10, 2005 @03:53PM (#13527706) Homepage Journal
    All of this functionality comes with the aspect-oriented facility of overlays. Extensions also have as much access to the file system as the user running Firefox.
    But... but... isn't it just this extreme flexibility that represents the biggest Achilles heal (sic) of Outlook and IE? Isn't this what Mozilla proudly avoids?

    I realize that there are some differences, such as the fact that the red carpet is only rolled out for extensions the user trusts, but... when you advertise Firefox to dummies, your trusting users will BE dummies!
  • Has anyone seen galley copies of Pro Firefox: Extension and Application Development [amazon.com]? Or does anyone have any other suggestions for dead-tree guides for developing firefox extensions? I know of books [amazon.com] on [amazon.com] XUL [amazon.com] , but none targetted for basic extension programming.
  • More Resources (Score:5, Informative)

    by stoolpigeon ( 454276 ) <bittercode@gmail> on Saturday September 10, 2005 @04:57PM (#13528052) Homepage Journal
    These are a few sites that I found helpful. Some are a little old but I got something out of all of them.

    http://www.xulplanet.com/ [xulplanet.com]
    http://kb.mozillazine.org/Dev_:_Extensions [mozillazine.org]
    http://roachfiend.com/archives/2004/12/08/how-to-c reate-firefox-extensions/ [roachfiend.com]
    http://businesslogs.com/technology/firefox_extensi on_tutorial.php [businesslogs.com]
    http://www.bengoodger.com/software/mb/extensions/p ackaging/extensions.html [bengoodger.com]
    http://mozilla-firefox-extension-dev.blogspot.com/ [blogspot.com]
    http://books.mozdev.org/index.html [mozdev.org]
    http://www.mozilla.org/xpfe/gettingstarted.html [mozilla.org]

    Of course another good way to learn about extensions is to download a few and look at the code. That has probably been the biggest help to me once the tutorials, etc. gave me the basic idea of what is going on.
  • by null etc. ( 524767 ) on Saturday September 10, 2005 @05:05PM (#13528098)
    The article is a little more thorough than necessary

    ...followed by a 146-word "excerpt" from the article.

  • is one for freenet:<uri> URLs.

    A Firefox plugin for supponting such URLs would be a huge boost for freenet.

    www.freenetproject.org [freenetproject.org]

  • here [wikinerds.org] you can find another tutorial, although it's a bit old now.
  • I prefer my tutorials briefer and pithier. I don't want to be in mid-nested-block and have to flip through 10 pages of the print-out looking for that one line I need amidst the author going on at length convincing me how folksy and friendly he can sound.

    But I like how Python comes up yet again. It's nice, for once in my life, to learn a language and *then* see it catch on in a big way, instead of finishing learning a language on the very last day before it dies. I'm predicting that Python is going to soon

An adequate bootstrap is a contradiction in terms.

Working...