Google Adsense doesn't like Adbar

From: Google AdSense
To: Jesse Ruderman
Subject: Google AdSense Account Status
Date: Tue, 8 Mar 2005 21:56:17 -0800

Hello Jesse,

We regularly review sites in the AdSense program for compliance with our program policies.

While reviewing your account, we noticed that you are currently displaying Google ads in a manner that is not compliant with these policies. We've noted that you are in violation of the following program policies on www.squarefree.com/extensions/adbar:

- We've found that you're displaying Google ads in a manner that does not comply with our program policies. According to Google AdSense program policies, no Google ad or search box code may be pasted into any software application, even if it is modified to not show ads through your AdSense account. In order to comply with our policies, please remove the Google ad code from the software provided in your site.

Thank you for your understanding. Once you've made the necessary changes, please reply to this email so that we may review your account again.

We also suggest that you take the time to review our program policies (https://www.google.com/adsense/policies?hl=en_US) and Terms and Conditions (https://www.google.com/adsense/localized-terms?hl=en_US) to ensure that all of your pages are in compliance.

Sincerely,

Heraldo
The Google AdSense Team

Posted on March 08, 2005 at 10:51 PM in Google, Mozilla | Comments (7) | TrackBack (0)

Security advisories for old versions of Firefox

Dan Veditz has updated the Mozilla Foundation Security Advisories page with information about holes that were fixed for Firefox 1.0, Thunderbird 0.9 and 1.0, and Mozilla 1.7.5.

None of the holes were arbitrary-code-execution holes, which surprised me. The worst hole fixed for Firefox 1.0 was the javascript: Live Bookmarks hole, which required some user cooperation and allowed attackers to steal cookies and sometimes execute arbitrary code. In contrast, many previous Mozilla and Firefox releases included new fixes for memory management holes such as buffer overflows. Exploits for memory management holes are harder to write, but they allow attackers to execute arbitrary code without getting any cooperation from users.

Posted on January 25, 2005 at 09:45 PM in Mozilla, Security | Comments (10) | TrackBack (0)

Coming soon to squarefree.com

I have trouble completing personal projects that take longer than a weekend. I often lose interest after doing the interesting parts and procrastinate indefinitely on completing the projects since they have no deadline. In August 2004, I set a goal compatible with my attention span: "start and finish one interesting project every weekend". This goal helped me write a bunch of Firefox extensions and one or two Firefox patches, but of course it didn't help me finish longer projects. Now I have several half-finished longer-than-a-weekend projects piled up.

I'm hoping that this "coming soon" post will make me finish at least some of these projects soon. Also, you can tell me which projects you want me to finish first.

  • A novel attack against something that was proven secure using what I think is a poor definition of security.
  • A proof that a popular puzzle is NP-complete.
  • A list of some of Firefox's weaknesses, design elements that can lead to security holes.
  • Security tips for Firefox users (current version). Since this document is already 7 printed pages long without screenshots, it may be more effective at pointing out critical user interface flaws in Firefox and Windows than at educating users.
  • Security tips for web application developers (current version).
  • Security tips for Firefox developers and extension developers (current version).

Posted on January 17, 2005 at 07:05 AM in Mozilla, Research, Security | Comments (6) | TrackBack (1)

Beerware code in Mozilla

I read about Poul-Henning Kamp's Beerware License in a comment on Simon Willison's blog. The license is very short and very free:

/*
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@FreeBSD.ORG> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 */

Kamp's page mentions that "netscape used my malloc implementation". I searched Mozilla's lxr for the license and found it intact above Mozilla's malloc implementation.

Posted on December 23, 2004 at 05:42 AM in Mozilla | Comments (2) | TrackBack (0)

Firefox first suggestion for "f"

When I type "f" into Google Suggest, the first suggestion is "Firefox". Nice. Does that mean Firefox is the most common search starting with "f", or are there other factors that affect the ranking?

Posted on December 10, 2004 at 09:39 AM in Google, Mozilla | Comments (8) | TrackBack (2)

New Firefox Extension: How'd I Get Here?

How'd I Get Here? takes you to the page on which you first clicked a link to the current page. It works in Firefox trunk (not Firefox 1.0) and will work in Firefox 1.1.

Posted on December 05, 2004 at 02:43 AM in Mozilla | Comments (11) | TrackBack (0)

Opera - Naked Joy of Surfing

Aamuli writes:

Yes, yes, I gladly admit that this idea is stolen from Pornzilla project which claims that "Firefox is the best porn browser". I beg to differ so I present to you: Opera - Naked Joy of Surfing!

Posted on November 30, 2004 at 03:23 AM in Mozilla, Porn | Comments (0) | TrackBack (0)

Bug madness: Halloween edition

Posted on November 08, 2004 at 04:18 AM in Mozilla | Comments (1) | TrackBack (0)

Some people are never happy, part 2

  • 66984 - Need name for new image library (rename libpr0n).
  • 108816 - World War III: "What should Backspace do (or not)".
  • 259207 - Mozilla firefox needs a title song.
  • 261354 - RSS button looks like it says "ASS".
  • 262173 - Firefox Icon Problem - new firefox icon appears to be giant red panda that is humping south america.
  • 266457 - Inappropriate content in the Firefox Crew's Pick list (default bookmarks).
  • 34669 comment 11 - "Fixing summary to not end with 'loads of ass' when truncated at 60 chars."

Thanks to Peter van der Woude for telling me about several of these bugs.

Part 1

Posted on October 29, 2004 at 04:39 AM in Mozilla | Comments (5) | TrackBack (2)

Community Firefox ad in The New York Times

The Mozilla Foundation plans to run a full-page Firefox ad in The New York Times soon after the launch of Firefox 1.0. Spread Firefox is asking for donations to fund the ad and expenses related to the 1.0 launch.

All donors' names will be included in the ad. In addition to creating an incentive to donate, this strengthens the ad by showing that it was paid for by a large community rather than a corporation. (Why don't more political and non-profit ads do the same thing?)

I donated today. If ten readers donate through my donation link, I will be listed as a Community Champion instead of just a donor.

Posted on October 19, 2004 at 04:30 AM in Mozilla | Comments (12) | TrackBack (4)

Request for extension ideas

What new Firefox extensions would you like to see?

Posted on October 18, 2004 at 06:22 AM in Mozilla | Comments (81) | TrackBack (0)

New Firefox extension: Search Keys

Search Keys lets you go to search results by pressing the number of the search result instead of clicking. You can press 1 to go to the first result, Shift+2 to open the second result in a new window, etc. It works with Google, Google News, Google Groups, Google Desktop Search, and del.icio.us.

Update Oct 16, 2004: The shortcut for opening in a new tab is now Alt+N on Windows and Mac, to avoid conflicting with the Ctrl+N shortcut for switching tabs. It is still Ctrl+N on Linux, which uses Alt+N for switching tabs.

Posted on October 15, 2004 at 08:01 AM in Google, Mozilla | Comments (14) | TrackBack (0)

Graph of bugs blocking Firefox 1.0

sensemann made this graph. Check his thread for the latest version of the graph.

Posted on September 17, 2004 at 10:14 PM in Mozilla | Comments (1) | TrackBack (0)

Google's "Browse By Name" in Firefox

Google recently introduced a mode called "Browse By Name", a cross between "I'm Feeling Lucky" and a normal Google search. "Browse By Name" acts like "I'm Feeling Lucky" if Google is certain that the first hit is correct, but otherwise returns a normal set of search results. If you use Internet Explorer with the Google Toolbar, "Browse By Name" is the default behavior for non-URLs typed into the address bar. The Google Toolbar shows a dialog the first time you use the feature.

By default, Firefox uses "I'm Feeling Lucky" for non-URLs typed into its address bar. You can change the behavior by going to about:config and setting keyword.URL to the appropriate URL and then restarting Firefox.

| Address bar behavior | keyword.URL |
| --- | --- |
| I'm Feeling Lucky | http://www.google.com/search?ie=UTF-8&btnI=&q= |
| Browse By Name | http://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q= |
| Google search | http://www.google.com/search?ie=UTF-8&q= |

Posted on September 09, 2004 at 03:41 AM in Google, Mozilla | Comments (5) | TrackBack (4)

Firefox extension for porn: Thumbs

Tired of clicking hundreds of text links in TGPs just to get to the 10% of galleries with the good stuff? Thumbs shows the first thumbnail from each linked gallery, so you can just middle-click the ones you want.

Posted on August 28, 2004 at 08:17 PM in Mozilla, Porn | Comments (7) | TrackBack (2)

Porn sites recommend Firefox

Linktoy:

IMPORTANT-Make sure you read this before using links on this page. Due to the ever increasing amount of nasty scripts and spyware being installed on peoples computers the ONLY browser I recommend for these links is FireFox.

Asianthumbs:

U.S. Department of Homeland Security recommends not using Microsoft's Internet Explorer because of security vulnerabilities... More details.

Get Firefox

Pornfu:

this site is optimized for mozilla firefox because internet explorer is gay. in fact, if you use IE, you have a 93% chance of getting AIDS. if you already have AIDS, you will get cancer instead.

Thanks to Asa for some of these links.

Update Sept 25, 2004: As part of my efforts to promote Pornzilla, I asked these sites to link to Pornzilla in addition to Firefox.

Posted on August 21, 2004 at 08:21 PM in Mozilla, Porn | Comments (4) | TrackBack (4)

Opera's least popular feature comes to Firefox

The adbar extension displays Google ads related to pages you view. It works in Firefox 0.9+.

Posted on August 15, 2004 at 06:51 AM in Google, Mozilla | Comments (22) | TrackBack (1)

Hidden search results - answer

Michael Lefevre and mpt gave correct, but incomplete, answers to the question in my previous blog entry in their comments. Part of Michael's answer:

You'd have to work out which bits of closed bugs should be queryable (if you give any indication of a result based on, say, summary or comment queries, you could be disclosing important bits of the closed bug).

Indicating hidden results for a summary query would indeed disclose an important bit of the bug: its summary. First, the attacker would query for bugs with summaries starting with "a", "b", etc. Discovering that at least one hidden bug's summary begins with "b", the attacker would query for bugs whose summaries start with "ba", "bb", etc. After a few hundred more queries, the attacker would have the entire summary.
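Why a "hidden results" notice breaks confidentiality can be checked mechanically. The following is an added example, not Bugzilla code or code from the original post: a toy summary-prefix search run with and without the hidden-result count, plus a check that lists the queries whose response changes when only the confidential summary changes. The bug records, function names and prefixes are constructed for illustration.

```javascript
// Constructed sample data; bug 3 stands in for a confidential security bug.
const BUGS = [
  { id: 1, summary: "bookmarks toolbar overflows", hidden: false },
  { id: 2, summary: "crash when printing", hidden: false },
  { id: 3, summary: "buffer overflow in image decoder", hidden: true },
];

// Summary-prefix search as seen by a user who may not view hidden bugs.
// With revealHiddenCount set, the response also says how many matching
// bugs were withheld (the Google-style notice discussed in the post).
function search(bugs, prefix, revealHiddenCount) {
  const matches = bugs.filter((b) => b.summary.startsWith(prefix));
  const visible = matches.filter((b) => !b.hidden).map((b) => b.id);
  const response = { visible };
  if (revealHiddenCount) {
    response.hiddenCount = matches.length - visible.length;
  }
  return response;
}

// Confidentiality check: replace every hidden summary with a different
// string and return the queries whose response changes. Any query in the
// result lets an unprivileged user learn something about a hidden summary.
function queriesThatLeak(bugs, prefixes, revealHiddenCount) {
  const scrubbed = bugs.map((b) =>
    b.hidden ? { ...b, summary: "\u0000" } : b
  );
  return prefixes.filter(
    (p) =>
      JSON.stringify(search(bugs, p, revealHiddenCount)) !==
      JSON.stringify(search(scrubbed, p, revealHiddenCount))
  );
}

// Constructed query set for the check.
const PREFIXES = ["a", "b", "bo", "bu", "c"];

console.log("with notice:", queriesThatLeak(BUGS, PREFIXES, true));
console.log("without notice:", queriesThatLeak(BUGS, PREFIXES, false));
```

With the notice enabled, the responses for "b" and "bu" depend on the confidential summary; with it disabled, no response does.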

Posted on August 14, 2004 at 08:53 PM in Google, Mozilla, Security | Comments (2) | TrackBack (0)

Hidden search results

Google sometimes hides search results to ensure that search results are varied:

In order to show you the most relevant results, we have omitted some entries very similar to the 15 already displayed. If you like, you can repeat the search with the omitted results included. [foo site:squarefree.com]

or due to bad laws:

In response to a complaint we received under the Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint for these removed results. [scientology site:xenu.net]

Bugzilla also sometimes hides search results, to protect confidential bugs such as undisclosed security holes. Unlike Google, Bugzilla doesn't tell you that there are hidden results for your search. This caused me to worry that potential employers would think I can't count. It also makes it impossible for Peter(6) and others to tell exactly how many release blockers there are.

When Bugzilla hides search results from you, why doesn't it inform you like Google does?

Hint: while "Because nobody implemented that feature" may be technically correct, that's not the answer I'm looking for.

Posted on August 14, 2004 at 02:42 AM in Google, Mozilla, Security | Comments (8) | TrackBack (0)

Some people are never happy

  • 114061 - Red star default desktop icon is offending to many people.
  • 222306 - Bird head of real Firebird logo in page header logo looks like a goose on fire.
  • 233525 - Background of Download Manager looks like one-finger-salute.
  • 246760 - New default theme looks like it was made be a 3 year old.
  • 254287 - Icon for 'Switch to an alternate stylesheet' looks like a soy bean speared by a hairclip.

Posted on August 04, 2004 at 09:47 AM in Mozilla | Comments (17) | TrackBack (3)

Bounties

mozilla.org now has a security bug bounty program, which offers $500 to people who discover "critical" security holes. Meanwhile, Microsoft offers a $250,000 bounty for catching virus authors.

Posted on August 02, 2004 at 09:36 AM in Mozilla, Security | Comments (2) | TrackBack (0)

Preventing browser UI spoofing

The problem of web sites being able to spoof browser UI was on Slashdot recently. This is a hard problem that browser vendors have known about for a long time.

The most popular solution, preventing web sites from disabling the status bar, is insufficient. Keeping the status bar always on would only keep malicious sites from spoofing https sites. In contrast, keeping the address bar always on would keep malicious sites from spoofing all web sites. Keeping the address bar always on would also be more effective at preventing web sites from spoofing native applications.

One argument for using the status bar is that it's smaller than the address bar. But it's only about 8px shorter if we use small-icons mode for pop-ups, and we can probably make it even shorter.

One suggestion was to show the hostname in the status bar. The hope is that users would then look there instead of the address bar to verify what site they're on. I don't think enough users would change their habits for this to work. It would also require cluttering the status bar in ordinary windows, which seems like a high price to pay to save 8px in pop-up windows.

Whatever we choose (address bar or status bar), we can do things to avoid breaking existing web sites. If a web site requests a 400x300 window without an address bar, we can give it a 400x334 window with an address bar. We can add a menubutton to the address toolbar in pop-up windows with menu items "Restore toolbars", "Hide address toolbar", and "Hide address toolbar in all pop-ups from https://gmail.google.com/".

Posted on August 01, 2004 at 11:54 PM in Mozilla, Security | Comments (13) | TrackBack (1)

Pornbar for Firefox

Inspired by the Bible Toolbar extension for Firefox, Billistic made Pornbar. Sadly, he based his extension on the Eurekster toolbar, not the Bible Toolbar.

Update August 15: Pornbar is now listed on the Pornzilla site.

Posted on August 01, 2004 at 02:54 PM in Mozilla, Porn | Comments (6) | TrackBack (0)

Garey and Johnson

My copy of Garey and Johnson arrived the other day. I wonder if it will make good airplane reading while I'm heading to Mozilla Developer Day next week.

Firefox 1.0 RC1 renamed to Firefox 1.0 PR

Firefox 1.0 Preview Release (previously Firefox 1.0 Release Candidate 1 (previously Firefox 1.0 Beta (previously Firebird 1.0 Beta (previously Phoenix 1.0 Beta)))) is planned for the second or third week of August. I'm glad the Mozilla Foundation decided to move away from using misleading "Release Candidate" names for builds that aren't release candidates.

Posted on July 26, 2004 at 03:28 PM in Mozilla | Comments (8) | TrackBack (0)

Adam Sacarny on the shell: hole

Adam Sacarny, author of the Mozilla shell: vulnerability timeline, discusses what Mozilla can do to work around future holes in programs that register themselves as protocol handlers.

Posted on July 25, 2004 at 08:54 PM in Mozilla, Security | Comments (0) | TrackBack (0)

Browser stats from search referrals

For visitors who reach my site through Google searches, browser percentages vary widely depending on search terms. In general, geekier terms have a higher percentage of Mozilla users. I analyzed stats for 35 days in June and July 2004 using a hacky batch file.

| Search phrase | Total hits | IE | Mozilla | Safari | Opera | Other |
| --- | --- | --- | --- | --- | --- | --- |
| burning edge | 946 | 170 | 731 (78%) | 26 | 15 | 4 |
| firefox nightly | 586 | 107 | 438 (75%) | 29 | 12 | 0 |
| bookmarklet | 2067 | 568 | 1296 (63%) | 123 | 68 | 12 |
| gmail | 1151 | 781 | 312 (27%) | 15 | 43 | 0 |
| jibjab mirror | 103 | 76 | 23 (22%) | 2 | 2 | 0 |
| best porn | 176 | 135 | 31 (18%) | 6 | 3 | 1 |
| good porn | 222 | 187 | 22 (12%) | 10 | 2 | 1 |
| google home page | 436 | 404 | 20 (5%) | 6 | 3 | 3 |

Stats for some of these search terms are skewed toward Mozilla not because the search terms themselves are geeky but because "Firefox" or "Mozilla" appears in the title of the result page on my site. Searches for "good porn" and "best porn" lead to a page on my site titled Why Mozilla Firefox is the best porn browser. Searches for "how to get a gmail" lead to my blog entry titled Help make Firefox better and get a Gmail invitation!.

By the way, over 50% of total hits to my site are Mozilla :)

Posted on July 25, 2004 at 02:01 AM in Google, Mozilla | Comments (2) | TrackBack (0)

Cookies are no longer delicious delicacies

<blake2> congratulations mconnor
<blake2> you just destroyed a legend!

Today Mike Connor replaced "Cookies are delicious delicacies." in Firefox's options with "Cookies are pieces of information stored by web pages on your computer. They are used to remember login information and other data."

Blake's famous placeholder text even appeared in a book, O'Reilly's Google: The Missing Manual:

As of this writing, Firefox is still in the testing, or beta, stage (version 0.8), which sounds dicey. But in fact, it's definitely far enough along that anyone can use it with confidence. The underlying technology is the same as Mozilla's, so problems tend to show up in things like the occasional misspelled menu item or a cookie setting that includes the observation, "Cookies are delicious delicacies," inserted by an engineer with a wacky sense of humor.

(O'Reilly sent me a free copy of the book because it dedicates several pages to my search bookmarklets. The authors of the book say several useful things about my bookmarklets that I didn't know!)

<blake2> how times have changed. I guess we really are shipping something.

Posted on July 24, 2004 at 02:18 AM in Mozilla | Comments (3) | TrackBack (6)

Company blocks employees from using IE

mgaugusch's 70-person company not only prepared Firefox for network install, but it also used Squid to block Internet Explorer from accessing sites other than Windows Update and the company's own site. The company does not prevent employees from using other browsers, such as Opera, although Opera users may have to change their user-agent setting to make Opera stop making itself appear to be IE. (Via mgaugusch's post on MozillaZine.)

Posted on July 21, 2004 at 03:22 PM in Mozilla | Comments (0) | TrackBack (2)

100 up-to-date Firefox extensions

update.mozilla.org now has 100 Firefox extensions that work in 0.9. Extensionroom has 195, but many of them only work in older versions.

Posted on July 10, 2004 at 06:54 PM in Mozilla | Comments (8) | TrackBack (0)

History of my Mozilla involvement

Slashdot was responsible for my initial involvement in the Mozilla project. It might have been this article or it might have been a comment (such as mpt's) in another article.

The first Mozilla build I used was M13. I reported my first bug in February 2000, when I was a senior in high school.

At first, I only reported and triaged bugs. Then I started writing testcases for layout bugs, participating in user interface design, and finding security holes. Now I'm also writing patches for UI bugs.

Things that encouraged me to continue contributing when I was a newbie:

  • Eli Goldberg's comment in my first bug report.
  • My sixth bug report, which was about pop-up windows, getting forty votes. At the time, that was enough to put it in the top ten!
  • Some of my bug reports getting fixed quickly.
  • Asa's e-mail to me when he gave me Bugzilla permissions (confirm bugs, edit all fields).
  • Communicating with other Mozilla community members not only through Bugzilla but also through IRC.

Posted on July 10, 2004 at 03:58 PM in Mozilla | Comments (5) | TrackBack (0)

Character Encoding UI in Firefox

There seem to be five ways to set character encodings in Firefox.

  1. Options > General > Languages > Default character encoding
  2. View > Character Coding > Auto-Detect > (select a language or "Off" or "Universal")
  3. View > Character Coding > More > (select an encoding)
  4. View > Character Coding > Customize > Active character encodings
  5. View > Character Coding > (select an encoding)

What do these options do? How do they interact? How can the options and how they interact be made more clear in the UI, or even in Help? Note that I only have a vague idea of what a character encoding is and why a user would need to select one.

Google didn't get me far. Help in Firefox only says "View > Character Coding: Allows you to manually change the character encoding on a Web page. Firefox usually does this automatically." Bug 181541 comments 61 and 62 helped me understand a little.

Posted on July 09, 2004 at 11:25 PM in Mozilla, User Interfaces | Comments (4) | TrackBack (0)

I have another convert

MontyDrei:

Holy crap, Mozilla Firefox is awesome. I wish I had converted earlier.

He was this missionary who brought me out of darkness into the light of Firefox.

I installed Firefox on his computer in order to write a bookmarklet for him. And in order to convert him, of course.

Posted on July 09, 2004 at 10:59 PM in Mozilla | Comments (0) | TrackBack (0)

Race conditions in security dialogs

I discovered arbitrary code execution holes in Firefox, Internet Explorer, and Opera that involve human reaction time. One version of the attack works like this:

[Image: captcha. Alternate text: "The secret word fills the blank in the sentence 'If ____ web developers would use alternate text correctly!' It is all lowercase."]

The page contains a captcha displaying the word "only" and asks you to type the word to verify that you are a human. As soon as you type 'n', the site attempts to install software, resulting in a security dialog. When you type 'y' at the end of the word, you trigger the 'Yes' button in the dialog. I made a demo of this attack for Firefox and Mozilla.

Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.

These types of attack work on any security dialog that can be triggered by untrusted content. The attack is most useful in a dialog where one of the buttons means "Yes, let this untrusted content run arbitrary code". Firefox has such a dialog in the form of the extension installation (XPI) dialog. Similarly, Internet Explorer has the ActiveX installation dialog and Opera has an "Open" button for downloaded executables. Programs other than browsers might also be vulnerable.

Firefox's solution, from bug 162020, is to delay enabling the "Yes"/"Install" buttons until three seconds after the dialog appears. I believe that this is the only possible fix other than completely denying untrusted content the ability to pose the dialog. Unfortunately, this fix is frustrating for users who install extensions often.

Some users have been intentionally lowering the delay to 0 seconds, which frustrates me. These users think the delay was added merely to force everyone to read the dialog. It surprises me that these users were not able to figure out the security hole given the fix. Ironically, advanced users are the most susceptible to these attacks, because they type and double-click faster than they react to unexpected stimuli.
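The delayed-enable fix, and what lowering the delay to 0 gives up, can be seen in a small model. This is an added example, not code from Firefox or from the original post: a prompt whose accept action is disabled until a set time after it appears, replayed against constructed input timelines for the typing and double-click cases. The class name, event format and millisecond timings are assumptions made for illustration.

```javascript
// Model of a security prompt whose accept button stays disabled for a
// fixed time after the dialog appears. Not Firefox's implementation.
class InstallPrompt {
  constructor(enableDelayMs, clock) {
    this.enableDelayMs = enableDelayMs;
    this.clock = clock; // injected so the replay is deterministic
    this.shownAt = null;
    this.accepted = false;
  }

  show() {
    // An already visible prompt keeps its original start time.
    if (this.shownAt === null) this.shownAt = this.clock();
  }

  isOpen() {
    return this.shownAt !== null && !this.accepted;
  }

  acceptEnabled() {
    return this.isOpen() && this.clock() - this.shownAt >= this.enableDelayMs;
  }

  // Input that would activate "Yes": the Y key or a click on the button.
  activateAccept() {
    if (!this.acceptEnabled()) return "ignored";
    this.accepted = true;
    return "accepted";
  }
}

// Replay a timeline of user input and page actions against the prompt.
// Event types: "key" (with a key), "click" (assumed to land where the
// accept button is drawn), "trigger" (untrusted content raises the prompt).
function replay(enableDelayMs, events) {
  let now = 0;
  const prompt = new InstallPrompt(enableDelayMs, () => now);
  const log = [];
  for (const ev of events) {
    now = ev.t;
    let outcome;
    if (ev.type === "trigger") {
      prompt.show();
      outcome = "dialog-shown";
    } else if (!prompt.isOpen()) {
      outcome = "to-page"; // no dialog on screen, the page receives the input
    } else if (ev.type === "key" && ev.key !== "y") {
      outcome = "no-effect"; // not the accept key
    } else {
      outcome = prompt.activateAccept();
    }
    log.push(`${ev.t}ms ${ev.type}${ev.key ? " " + ev.key : ""}: ${outcome}`);
  }
  return { accepted: prompt.accepted, log };
}

// Constructed timeline: the user types "only" at 150 ms per key and the
// prompt is raised as soon as "n" arrives.
const REFLEX_TYPING = [
  { t: 0, type: "key", key: "o" },
  { t: 150, type: "key", key: "n" },
  { t: 150, type: "trigger" },
  { t: 300, type: "key", key: "l" },
  { t: 450, type: "key", key: "y" },
];

// Constructed timeline: a double-click, with the prompt raised by the first click.
const DOUBLE_CLICK = [
  { t: 0, type: "click" },
  { t: 10, type: "trigger" },
  { t: 200, type: "click" },
];

// Constructed timeline: the same typing, then a deliberate "y" after reading.
const DELIBERATE = [...REFLEX_TYPING, { t: 5000, type: "key", key: "y" }];

for (const delay of [3000, 0]) {
  console.log(`delay ${delay} ms`);
  console.log("  typing accepted:", replay(delay, REFLEX_TYPING).accepted);
  console.log("  double-click accepted:", replay(delay, DOUBLE_CLICK).accepted);
}
console.log(replay(3000, DELIBERATE).log.join("\n"));
```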

It might be possible to lower the delay to less than three seconds, making it less annoying, without jeopardizing security. Designing experiments to determine the minimum "safe" delay would be tricky. You would want to do everything an attacker could do to increase participants' reaction time: give them a complicated task, make new rectangles appear every second to make the dialog less unexpected, etc.

It might make sense to make the dialog appear only after the user clicks a statusbar indicator that means "This web site wants to install software". This would get rid of the problem of choosing a delay, and it wouldn't require users who want to install extensions to wait.

Firefox FAQ for Seamonkey users

What's the difference between Firefox and Mozilla?

Mozilla (Application Suite, also known as SeaMonkey) is a complete suite of Internet applications, including a web browser, a mail/news client, and a chat client. Firefox is just a browser, which makes it a better choice if you already have a mail client for example. Also, since Firefox is smaller than the whole Mozilla suite, it's faster and easier to use.

Note, though, that Firefox is not just the standalone Mozilla browser. The user interface in Firefox differs from Mozilla in many ways. For example, Firefox has customizable toolbars.

[This question and answer are mostly from David Tenser's Firefox FAQ.]

What do I gain by switching from Mozilla to Firefox?

  • Speed. Firefox is much faster than Mozilla.
  • Customizable toolbars.
  • It's easier to browse with multiple windows and multiple tabs. Shift+click opens a link in a new window and Ctrl+click opens it in a new tab.
  • Middle-click autoscroll.
  • Form autocomplete.
  • Extensions and themes. It's easier to develop extensions and themes for Firefox, so there are more available.
  • Update notification.

Will Firefox import my Mozilla settings?

Firefox will offer to import your Mozilla passwords, cookies, and options the first time you run it. You can also use File > Import to import them at any time.

What happened to option XYZ?

The option you want to change might still exist in about:config, or there might be an extension that adds it.

Will Firefox integrate with my default mail client like Mozilla integrated with Mozilla Mail?

You can still press Ctrl+M to open your mail client to compose a new message. The Ctrl+2 shortcut to open your mail client is gone; use your operating system to make a global shortcut instead. You can add a toolbar button to open your mail client using Customize Toolbars. The "Send Link" command still exists, but the "Send Page" command is gone (bug 216168).

If you use Mozilla Mail as your mail client, I recommend that you switch to Thunderbird after you switch to Firefox. Firefox can't integrate well with Mozilla Mail because Mozilla Mail assumes you use Mozilla as your browser. If you use another mail client, such as Eudora, you don't have to switch to Thunderbird.

How do I create custom sidebars in Firefox?

To create a custom sidebar in Firefox, bookmark the URL you want to use as a sidebar, right-click the bookmark and select "Properties", and check "Load this bookmark in the sidebar".

Posted on July 01, 2004 at 03:55 PM in Mozilla | Comments (3) | TrackBack (0)

Cross-browser security holes

Slashdot reports a "new" spoofing hole in many browsers, including older versions of Mozilla, discovered by Mark Laurence. The hole is that site A can load its own content into a frame on site B, and the content will appear to be from site B because the frameset is still from site B. This attack only works if site B is a framed site, so some banks are not affected.

A comment I posted on Slashdot:

Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

Mozilla (bugzilla.mozilla.org 246448)
Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.
Opera (bugs.opera.com 145283)
No response.
Microsoft
On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

To be fair to Microsoft, the fix for the frame-spoofing hole did break a few sites. According to a bug filed today, the Charles Schwab brokerage site is one of the broken sites.

Posted on July 01, 2004 at 01:30 PM in Mozilla, Security | Comments (1) | TrackBack (1)

Help make Firefox better and get a Gmail invitation!

I will give 5 Gmail invitations to new Mozilla volunteers this week. There are several ways you can make useful contributions to the Mozilla project with only a nightly build of Firefox and a Bugzilla account:

Finding and reporting bugs

You can find bugs to report through everyday use or by intentionally looking for bugs. Good ways to find bugs that haven't already been reported are testing new features (extension manager, two-pane bookmark manager), testing rarely used features (help, bookmark update notification), and testing for keyboard accessibility.

When you find a bug, search Bugzilla to find out if your bug has already been reported. If it hasn't, report it. Most bug reports should include your build ID (from Help > About), steps to reproduce the bug, and the expected and actual results from following those steps.

Triaging unconfirmed bugs

Bugs filed by new Bugzilla users start with the "unconfirmed" status. You can change them to "new" once you've checked that they're useful. This includes searching Bugzilla to make sure it isn't a duplicate, making sure the summary (title) is clear and specific, and making sure the bug is in the correct component. If the bug is a bug in page display, it also needs a simplified testcase (see below) before it can be marked as "new". For more information, see Bug Triagers' Guide: Moving a Bug from Unconfirmed to New.

Isolate bugs and create simplified testcases

Isolating bugs is one of the best ways to save Mozilla developers time. In many bug reports, the reporter has included a URL and a description of what Mozilla does wrong at that URL. Before a Mozilla developer can fix the bug, she has to figure out what part or parts of the page trigger the bug. You can save Mozilla developers time by isolating bugs and attaching your minimal testcases to bugs. To find bugs that need testcases, look for unconfirmed bugs in layout components, bugs without the "testcase" keyword, or bugs with the "qawanted" keyword.

Testcases should be as small as possible while still showing the bug. For most layout bugs, a minimal testcase will be under a kilobyte. Be sure to include text in the testcase or in the bug making it clear what the correct behavior is and what Mozilla is doing wrong. For more tips on creating testcases, see The BugAThon.

Contest rules

While or after contributing, tell me your Bugzilla e-mail address. I'll look at what you and other new volunteers have done in Bugzilla and give the accounts to those with the best contributions.

On Tuesday, Asa will be in #mozillazine to help new volunteers learn how to use Bugzilla as part of a weekly event called Bugday. Asa or I can give you Bugzilla privileges once you've added useful comments to a few bugs. These privileges let you report bugs as new rather than unconfirmed, mark other people's bugs as duplicates, and make other changes to bugs.

You're not limited to the ways of contributing I listed above. For more ideas, see Getting involved with mozilla.org.

Posted on June 21, 2004 at 02:29 PM in Mozilla | Comments (19) | TrackBack (2)

Machine learning in Firefox

Blake Ross is looking for ideas for how to improve Firefox with machine learning. He hopes to choose one of the ideas for a summer research project at Stanford. I added several suggestions in a comment on his post.

Posted on June 18, 2004 at 01:22 PM in Mozilla | Comments (1) | TrackBack (0)

Taking a break by filing bugs

I filed 11 bugs in 6 hours today :) 7 of the bugs required testcases. My "bugs to file" folder is down from 112 files to 73, not counting subdirectories.

Posted on April 25, 2004 at 05:45 AM in Mozilla | Comments (0) | TrackBack (0)

Pornzilla update

I updated Pornzilla today. I rewrote the introduction and the About Pornzilla section. I also wrote and added some search bookmarklets, including one that searches Google for pages on the same site that have the same title.

Posted on April 23, 2004 at 05:40 AM in Mozilla, Porn | Comments (3) | TrackBack (0)

After I graduate

I will spend the summer in Austin, Texas, working in the Mozilla group at IBM.

I will start graduate school at UCSD in September.

Posted on April 18, 2004 at 12:34 AM in Mozilla, My plans | Comments (4) | TrackBack (0)

Sending encrypted e-mail

I had to install Enigmail and gpg in order to send a vulnerability report to CERT.

I am not happy with gpg's UI. I had to read this page to figure out which command-line options I had to use. GPG gives a vague yet serious-sounding warning if you use an empty "passphrase" when creating your key. (As far as I can tell, a strong passphrase protects you against someone who can read the file containing your private key, but other than that it doesn't increase security.) It asked me to move the mouse around and bang on the keyboard while it generated my keys, but it generated the keys in less than a second, making me worry that it didn't use any good sources of entropy when it created my key.

I was able to figure out how to use Enigmail without much trouble. I encountered lots of warning and error messages, but I think they were all necessary. (I didn't like the text "This message will appear 1 more time" at the bottom of most of the warnings, though. I don't want Enigmail to keep me from making a mistake just because I almost made the mistake 2 times in the past!) Enigmail's options were split between the Options window and the Account Settings window, but that's a problem with Thunderbird in general.

Neither CERT nor Enigmail warned me that the subject of my e-mail would be sent unencrypted.

Posted on April 18, 2004 at 12:15 AM in Mozilla, Security | Comments (1) | TrackBack (0)

Hard to reproduce

Nu||:

I've had it happen a couple of times around the 3-26 builds. It was shortly after running a fresh build on an old profile and reinstalling a couple of the extensions that don't carry over. I don't remember what phase the moon was in, hard to reproduce.

Posted on April 05, 2004 at 07:38 PM in Mozilla | Comments (0) | TrackBack (0)

Switched to Thunderbird

I switched from Mozilla Mail to Thunderbird yesterday. Two new features I like: toolbar customization, and messages I have replied to are marked in the thread pane with a green arrow. Thunderbird also includes a spell checker, but I probably won't end up using the spell checker until it supports spell-check-as-you-type (58612).

After switching, I changed some prefs (which might have been present in Mozilla Mail too):

  • Never send return receipts
  • Open each message in a new window
  • Don't remember the last selected message
  • When you mistakenly think that my message is not plain text, "convert it to plain text" without asking me.

Things that bug me the most about Mozilla Mail and Thunderbird:

  • Searching sucks.
    • Search defaults to "any of the following" (125631), like Altavista did in 1999.
    • Specifying a search seems to take more clicks than it needs to.
    • Searching is slow because it doesn't index (bug number?) or even short-circuit (154867).
  • Address completion sucks.
    • The first address is usually not the one I want to e-mail (208833).
    • Autocompletion breaks the backspace key (239558).
  • I can't minimize Thunderbird to the system tray for notifications (208923). I would... uhh... set it to check every 2 hours, and I'd never open Thunderbird otherwise, and then I wouldn't be distracted by mail so often!
  • Message composition windows don't disappear until Thunderbird finishes sending the message (126140, WONTFIX).

Gmail (Google) and remail (IBM Research) suggest that there is a lot of room for improvement in e-mail clients. (Gmail screenshot with ads, Gmail screenshots with "related pages".)

Posted on April 03, 2004 at 10:21 PM in Mozilla | Comments (1) | TrackBack (0)

AOL to update Netscape 7.x

According to an article in The Inquirer, AOL will release a new version of Netscape based on "the latest Mozilla code" early this summer. They'll probably use the 1.7 branch, which Firefox 1.0 will also be based on. (via apeiron in #bs)

Posted on March 30, 2004 at 03:09 AM in Mozilla | Comments (0) | TrackBack (0)

Firefox shirts

http://www.cafeshops.com/mozilla has been selling unofficial Firefox shirts for a few weeks. I suspect that the shop is run by a Mozilla developer (it used to sell "I kicked blake from #mozilla" shirts), but I don't know whether he/she has permission to sell Firefox merchandise.

I bought the "Futured" shirt, which Kerz and I designed, from Cafepress several years ago. It faded faster than most shirts I've owned. I don't know whether Cafepress has improved the quality of their shirts since then.

Update Mar 29, 2004: curious points out that The Mozilla Store now has official Firefox shirts. Yay!

Posted on March 29, 2004 at 09:57 PM in Mozilla | Comments (1) | TrackBack (0)

Bug 233625 kills bunnies

From a bug-advocacy comment:

I cannot overstate the severity of this problem. This is not a minor inconvenience. This is CARNAGE!!!

Posted on March 28, 2004 at 05:53 AM in Mozilla | Comments (0) | TrackBack (0)

How to report a security hole to Microsoft

Hixie helped me report a security hole to Opera. Then Hixie and his friends at the W3C Technical Plenary tried to help me report it to Microsoft, offering these suggestions:

  • "There's probably a form on microsoft.com/ie."
  • "You report it to cnet."
  • "You break into Microsoft's systems using the exploit, and insert the bug into their bug system. Since you can only do that with security bugs, that filters out the non-security ones."

I think I reported the bug to Microsoft successfully. The language on Microsoft's form ("enchancement suggestion" and "wish" rather than "bug report") was discouraging, but I did get to check a box labeled "Security".

Posted on March 10, 2004 at 12:59 AM in Mozilla, Security | Comments (4) | TrackBack (0)

Anime Firefox logo

Anime version of the Firefox logo (via noririty).

Posted on February 21, 2004 at 09:21 PM in Mozilla | Comments (5) | TrackBack (1)

MozillaZine fixes information leak

Three hours before Firefox 0.8 was released, I found a security hole in Mozillazine: you could see the titles of unpublished articles (e.g. http://mozillazine.org/talkback.html?article=4283) in the titlebar. Using this hole, I accidentally discovered the name change before the release. The hole has been fixed.

jesus_X informs me that long ago, MozillaZine let you see the full text of unpublished articles. I guess the original hole was partially fixed, leaving only the title of the article visible.

Posted on February 11, 2004 at 12:38 AM in Mozilla, Security | Comments (8) | TrackBack (0)

Pornzilla is back!

The goal of the Pornzilla project is to make Mozilla into a great porn browser. We contribute to Mozilla directly, promote bookmarklets and extensions that enhance porn surfing, and maintain a list of bugs that impact porn surfing.

Posted on February 02, 2004 at 03:26 AM in Mozilla, Porn | Comments (13) | TrackBack (1)

What's new in Mozilla Firebird 0.8

Firebird 0.8 should be out on Monday, Feb 9.

Update: Firefox 0.8 (note the new name) was released on Feb 9.

Here's some of what's new:

New features

  • Windows installer
  • New download manager
  • Work Offline
  • Add Bookmark dialog: recent-folders dropdown and folder-selection tree (replacing a single dropdown listing all folders)
  • DOM Inspector is now included in zip builds
  • IDN support
  • IPv6 support on Windows 2000/XP/2003

Major improvements

  • 220807 - prompt user about invalid text/plain content. (Solves most problems like "Firebird tries to display some .rar files instead of downloading them.")
  • 214266 - Find should wrap by default
  • 217286 - Cookie whitelist should override session cookie option.
  • 142459(?) - Shift+click and middle-click on scroll bar should jump to that location
  • 214260 - XPInstall UI improvements
  • 33282 - enable external scheme handlers (like aim: and telnet:) in Linux
  • 6% faster page loading (comparing December to September on a Tp (pageloader time) graph)

Important bug fixes

  • 210910 - Right-clicking a file within a bookmarks folder in the bookmarks menu or toolbar makes that folder inaccessible.
  • 203102 - URL typed into address bar lost after switching tabs; "Open in new tab" should prefill URI in address bar.
  • 222157 - View Source: Find and Save don't work.
  • 213250 - Autoscroll prevents middle clicking on links in XML (XHTML) documents.
  • 224416 - Tabs don't remember focused element.
  • 216170 - Send Page (as Link) omits query string
  • 98564 - caret overlaps the last character in textfield (if positioned after the last char).
  • 212366 - Make -moz-opacity apply to descendants as a group, as required by CSS3 opacity
  • 219705 - Linux: Blackdown Java crashes, saying "Internal error on browser end".
  • 102578 - Linux: Clicking wrongfully fires onmouseout (breaks some dhtml menus, css/edge menus)
  • 201209 - GTK2: -moz-opacity makes things invisible.
Posted on January 29, 2004 at 03:50 AM in Mozilla | Comments (5) | TrackBack (19)

What should be fixed in Firebird 0.8

Update Jan 30: see also What's new in Firebird 0.8.

alanjstr listed 11 bugs he thinks should be fixed before Firebird 0.8 is released. I agree with him on 3 bugs:

  • 229600 - Installing 2 extensions without restarting re-launches extension-installer for previous installed extensions. (regression)
  • 228988 - XPInstall - "Installation complete / restart" message always shown. (regression)
  • 230271 - Form autocomplete only works in the first tab. (regression)

I have 2 more bugs that I think should be fixed before 0.8:

  • 217410 - bump skin version. (This would prevent "no scrollbars after upgrade" problem.)
  • 228672 - Installer deletes unrelated folders. (Dataloss. New because Firebird 0.7 didn't have an installer.)

The installer bug is particularly scary because of the potential PR impact. The Firebird installer deletes all files in the installation directory if you check the "Safe Upgrade" box. A few users who installed nightlies into "C:\Program Files\" lost that entire directory. I don't know if any users have lost data since the Dec 23 change to make the "Safe Upgrade" box unchecked by default, but if Firebird 0.8 is released with the bug, I'd expect at least a few users who install to weird directories to check the box.

A bug in the iTunes installer that wiped hard disks earned a Slashdot story. If Firebird 0.8 is released with this bug, I would expect it to lead to an even bigger backlash on Slashdot because:

  • The iTunes installer tried to delete iTunes.app (a specific application folder), while the Firebird installer tries to delete whatever directory you were installing to. "Nuke from orbit" upgrades are inherently dangerous, but they're even more dangerous when the user gets to choose the target directory.
  • The iTunes installer deleted more than it intended because of what is arguably a misfeature of the Bash shell: if you don't use quotes carefully, a script's behavior can change unexpectedly when a parameter contains a space. The Firebird installer deletes more than it intends because its developers didn't anticipate users installing Firebird directly to "C:\Program Files\". Firebird has nobody else to share the blame.
  • Firebird's development process is open enough that anyone can see that we knew about the problem since at least December 30.
  • "Safe Upgrade" is the worst possible name for a misbehaving nuke-from-orbit feature.

My preferred solution for 0.8 is to relabel the checkbox from "Safe Upgrade" to "Delete all files in [installation directory]". (cf bug 197274, which changed "Enable Automatic Image Resizing" to "Resize large images to fit in the browser window".) I looked at some code but couldn't tell how hard it would be to change the checkbox label to include the installation directory.

I'm not sure what the installer "should" do. It would be nice if installing on top of an old build didn't cause random-seeming problems. Then nuking the installation directory from orbit would not be necessary. If fixing those problems is not feasible, maybe the installer should have a list of files or subfolders to delete, and only delete those.

Flag queries: blocking0.8+ (blocking), blocking0.8? (nominated), blocking0.8- (not blocking). Anyone may nominate bugs, but only a few people may plus or minus. Bugs that are plussed are usually recent regressions or newly discovered security holes. Don't renominate a minused bug unless you're sure you've added something the minuser didn't know.

Posted on January 10, 2004 at 05:46 AM in Mozilla, User Interfaces | Comments (4) | TrackBack (0)

Netscape.com e-mail addresses for sale

"Netscape" (the new ISP) is auctioning off 200 netscape.com e-mail addresses. I found out by clicking on this ad. The ISP is auctioning jess@netscape.com, jessica@netscape.com, and jessie@netscape.com, but not my old address, jesse@netscape.com.

I searched eBay to find out what names have the highest bids. So far, "john" ($112.50) is beating "michael" ($105.50) and "mark" ($102.50). Most of the names are still at the opening bid of $9.95.

Posted on January 09, 2004 at 01:56 AM in Mozilla | Comments (2) | TrackBack (0)

1) Report bug. 2) ??? 3) Profit!

Track the popularity of the Business Plan meme over time by searching for Mozilla bug reports that say "3. Profit".

So far, 27 bugs have been reported with the phrase. The first report was in December 2001, and the meme's popularity seems to have peaked around March 2003. Its popularity is now declining slowly.

Posted on January 07, 2004 at 11:20 PM in Humor, Mozilla | Comments (0) | TrackBack (0)

Mozilla 1.6b < Mozilla 1.0.1?

Warning, you are using Mozilla Version 1.6b.  The recommended browsers to view this page are Internet Explorer 4.0 or better, Netscape 4.0 or better, Mozilla 1.0.1 or better, or Opera 5.0 or better.

This USPS page uses the expression (browserName == "Mozilla" && browserVersion >= 1.0) to recognize acceptable versions of Mozilla. The string "1.6b" becomes NaN when coerced to a number, so the expression is false if you're using Mozilla 1.6b. If you're using Mozilla 1.5 instead of 1.6b, you won't see the warning. Ironically, "1.0.1", the minimum version they claim to support, coerces to NaN.

If the site had used parseFloat instead of implicit coercion, it wouldn't have hit this problem. parseFloat("1.6b") returns the number 1.6.
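The checks discussed above, reproduced as an added example (not code from the USPS page; the function names are hypothetical). It also goes beyond the post with a component-wise comparison, since parseFloat still misorders versions such as 1.10 and 1.9.

```javascript
// The expression quoted in the post: the version string is implicitly
// coerced to a number by the >= operator.
function coercionCheck(browserName, browserVersion) {
  return browserName == "Mozilla" && browserVersion >= 1.0;
}

// The post's suggested fix: parseFloat reads the leading numeric prefix
// and ignores the rest ("1.6b" -> 1.6, "1.0.1" -> 1).
function parseFloatCheck(browserName, browserVersion) {
  return browserName == "Mozilla" && parseFloat(browserVersion) >= 1.0;
}

// Generalization (an assumption, not from the post): split on dots and
// compare each component as an integer, ignoring suffixes such as "b".
function parseVersion(s) {
  return String(s).split(".").map((part) => {
    const n = parseInt(part, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Returns -1, 0 or 1 as version a is older than, equal to, or newer than b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Constructed sample inputs: the version strings mentioned in the post,
// plus "1.10" to show where parseFloat alone goes wrong.
for (const v of ["1.5", "1.6b", "1.0.1", "1.10"]) {
  console.log(v, {
    coercion: coercionCheck("Mozilla", v),
    parseFloat: parseFloatCheck("Mozilla", v),
    atLeast_1_9: compareVersions(v, "1.9") >= 0,
    parseFloatAtLeast_1_9: parseFloat(v) >= 1.9,
  });
}
```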

Posted on December 22, 2003 at 05:01 AM in JavaScript, Mozilla | Comments (2) | TrackBack (1)

Google Cache and slow CSS

If you use Google Cache when a server isn't responding, and the page uses an external style sheet, you won't be able to see the cached page. The reason is that most browsers block page display while waiting for the style sheet to load, and Google doesn't cache CSS or images. This limits the usefulness of Google's cache, especially now that CSS is popular.

Google could cache CSS along with HTML. To avoid spidering and storing every page's CSS, Google could proxy CSS loads for Google Cache users, and have the proxy time out after 5 seconds. But both of these solutions might use a lot of bandwidth.

Google could add code to cache pages to make CSS load later or in a non-blocking fashion. This has the disadvantage that when the server is responding, the page will be presented unstyled for a split-second. Since some Google users use the cache even when the site isn't down, this would be bad.

I hoped there would be a way for Google to add code to cache pages to stop blocking loads that are taking too long. JavaScript can detect a slow load: call setTimeout above the LINK element, and call clearTimeout in another SCRIPT element below the LINK. But the function setTimeout activates can't cancel the load by disabling the style sheet, changing the LINK's href, or removing the LINK element from the document. Browser makers didn't anticipate JS trying to cancel a blocking load. (Removing the LINK element from the document even crashes IE.)

Another solution is for browsers to make CSS loads block less:

  • 84582#c11 - CSS loads should stop blocking layout if they take more than a few seconds
  • 220142 - Pressing Stop while waiting for CSS should finish displaying what has been loaded before stopping.
  • 224029 - JS can't cancel blocking load of a style sheet
Posted on October 29, 2003 at 12:02 AM in Google, JavaScript, Mozilla | Comments (2) | TrackBack (0)

Clever blogspammer

A spammer posted the following comment on my old blog post Chrome URLs in Mozilla and Mozilla Firebird yesterday:

I've been a long time user of both IE and Netscape. Now I'm using Mozilla and Firebird. Although I'm a fan of Mozilla and Firebird and have recommended it to friends.

The poster's URL had a spammy-looking domain name ("success-biz-replica"), but the site itself didn't look too spammy and the comment seemed fairly on-topic, so I didn't delete the comment. But today I stumbled on a very similar comment here and realized the comments were spam. The spammer probably decided to spam blogs mentioning Mozilla because those blogs are likely to have high Google PageRank.

I went into my web server logs to see what search phrase she used. I figured it would be something like mozilla "post a comment" "remember personal info" but I wanted to see the exact search phrase. I searched for the poster's IP address and found this:

193.230.197.6 - - [26/Oct/2003:11:07:05 -0800] "GET /archives/000007.html HTTP/1.0" 200 12252 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Alexa Toolbar)"

There was no referer, which probably just means she hid the referer intentionally. But I noticed something else: she used Internet Explorer to post the comment.

I deleted the comment.

Posted on October 28, 2003 at 12:29 AM in Blogging, Google, Mozilla, Spam | Comments (7) | TrackBack (0)

Firebird patches

I attached simple patches to 3 Firebird bugs:

213377 [5] - Cannot stop animation with stop button or escape key
216722 [3] - Inital focus in Help|About Mozilla Firebird should be "OK"
218146 [0] - mousedown on tab and drag out still switches to tab (fix: switch onmousedown instead of onclick)

I hope my patches fare better than the ones mentioned in this forum thread.

Posted on October 24, 2003 at 08:38 PM in Mozilla | Comments (1) | TrackBack (0)

Minor security hole in Google

Webmasterworld's "hitchhiker" and I found a security hole in Google today. He searched for something like "this can't be true" and his browser reported a JavaScript syntax error. I pointed out that with a carefully constructed query string, you can get Google to spit out something syntactically valid that does whatever you want. For example:

http://www.google.com/search?q='+alert(document.cookie)+'

causes Google to generate the following onClick attribute:

onClick="c('http://images.google.com/images?q='+alert(document.cookie)+'&hl=en&lr=&ie=UTF-8&c2coff=1&safe=off','wi',event);"

If you follow the link and click a tab (web, images, groups, directory, news), you'll see your Google cookie in a dialog.

Hitchhiker responded:

I just can't believe G made that kinda mistake.

ESCAPE ESCAPE!

Escaping is not always the best solution. When I found a similar hole in some JavaScript code in Mozilla, ducarroz's solution was to use an alternative window.setTimeout syntax. The normal version of setTimeout takes a string to be parsed and executed; the alternative version takes a function and parameters. Instead of escaping the untrusted input, we avoided parsing a string containing the untrusted input.
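The difference between the two approaches, as an added example that is not part of the original post and is neither Google's nor Mozilla's code. It simulates the browser compiling the onClick string with new Function, using stub c, alert and document objects and a constructed cookie value (all assumptions), and contrasts that with a fixed handler that receives the query as data.

```javascript
// Constructed sample input: the query string quoted in the post.
const QUERY = "'+alert(document.cookie)+'";

// Stand-in for the browser environment (assumption): records what the
// page's c() helper receives and whether alert() ran.
function makeEnv() {
  const log = { cArgs: null, alerts: [] };
  return {
    log,
    c: (url, tab, ev) => { log.cArgs = [url, tab]; },
    alert: (msg) => { log.alerts.push(msg); },
    document: { cookie: "PREF=constructed-sample" },
  };
}

// Pattern described in the post: untrusted text is concatenated into
// handler source, which is later parsed as JavaScript.
function unsafeHandlerSource(q) {
  return "c('http://images.google.com/images?q=" + q + "&hl=en','wi',event);";
}

// Simulates compiling and firing an onClick attribute value. The same
// parsing step happens with the string form of setTimeout.
function fireStringHandler(source, env) {
  const handler = new Function("c", "alert", "document", "event", source);
  handler(env.c, env.alert, env.document, {});
  return env.log;
}

// Alternative described in the post: the code is fixed and the untrusted
// value is passed as an argument, like setTimeout(fn, delay, arg).
// Nothing derived from the query is ever parsed as code.
function fireFunctionHandler(q, env) {
  const handler = (query) =>
    env.c(
      "http://images.google.com/images?q=" + encodeURIComponent(query) + "&hl=en",
      "wi",
      {}
    );
  handler(q);
  return env.log;
}

function demo() {
  return {
    unsafe: fireStringHandler(unsafeHandlerSource(QUERY), makeEnv()),
    safe: fireFunctionHandler(QUERY, makeEnv()),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the string form the query closes the quoted URL and its alert call runs with the cookie; in the function form the same query only ever appears as a URL-encoded parameter value.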

Posted on October 23, 2003 at 08:15 PM in Google, Mozilla, Security | Comments (2) | TrackBack (0)

Browser stats for squarefree.com

Mozilla: 59.6% (76.6% Firebird)
MSIE: 27.5%
Opera: 2.3%
KHTML: 1.2%

Other: 9.4% (includes robots)

Posted on October 21, 2003 at 01:49 AM in Mozilla | Comments (1) | TrackBack (0)

What's new in Mozilla Firebird 0.7

If all goes well, Mozilla Firebird will be released early next week. Here's a list of changes since 0.6 that I consider important.

Continue reading "What's new in Mozilla Firebird 0.7"
Posted on October 10, 2003 at 05:44 PM in Mozilla | Comments (13) | TrackBack (5)

Upcoming birthday

I will turn 21 on October 13, 2003.

On an unrelated note, here's the list of Mozilla bugs I reported that are still open and the list of bugs I'm voting for.

Posted on October 01, 2003 at 02:21 AM in Mozilla | Comments (6) | TrackBack (0)

Mozilla Firebird becoming popular at Mudd

Twice this week I have witnessed Mudd students recommending Mozilla Firebird to other Mudd students. Both students mentioned pop-up blocking and tabbed browsing. One also mentioned themes, Flash Click to View and other extensions, and the customizable search bar (he uses IMDb and dictionary.com in addition to Google).

Posted on September 14, 2003 at 08:25 PM in Mozilla | Comments (2) | TrackBack (0)

A minor accomplishment

I built Mozilla Firebird for the first time yesterday! It took me 3 days to convert my Mozilla build setup to build Mozilla Firebird. I started with a working MSVC.Net Mozilla build and used Gemal's guide to building Mozilla Firebird [with gcc], thinking I would be able to skip the gcc-related steps since I already had a working build environment for Mozilla.

I switched from msvc.net to gcc twice (once accidentally, once intentionally), but ended up using msvc.net. Read more for a boring list of the problems I ran into, and a much shorter list of suggestions for changes to Gemal's page.

Continue reading "A minor accomplishment"
Posted on August 19, 2003 at 06:08 AM in Mozilla | Comments (4) | TrackBack (0)

Is my Mozilla chrome too expensive?

This Google search, in addition to finding my blog entry called Chrome URLs in Mozilla and Mozilla Firebird, displays the following ad (affiliate identifier removed):

Posted on August 18, 2003 at 05:12 PM in Mozilla | Comments (1) | TrackBack (0)

How I search for bugs

People often ask if I memorize bug numbers. I've only memorized a few bug numbers; my speed comes from having memorized parts of bug summaries and these searching tricks:

  • I use Bugzilla QuickSearch for 99% of my searches. I only use query.cgi when I need "changed in n days" or things only available in boolean charts (such as bug history).
  • I include resolved bugs in most of my searches (using "ALL") so I can follow links from duplicates.
  • I restrict my searches to bugs with 2 or more votes (using "votes:2") when I search for a bug I know is "popular". About 9% of open bugs have 2 or more votes.

I also change bugs so I can search for them more easily.

  • I change summaries to make bugs show up in searches by adding words that I'm likely to search for.
  • I change summaries to make them easy to understand in search results by making them more precise or shorter.
  • I cross-reference bugs that are closely related by adding a comment to each bug pointing to the other bug.

If I know that two bugs are cross-referenced, I often use the "collect buglinks" bookmarklet instead of skimming comments for the link.

Posted on August 13, 2003 at 04:39 AM in Mozilla | Comments (4) | TrackBack (0)

Firebird build blog

I started a blog, The Burning Edge, to help Mozilla Firebird fans decide which nightlies to use.

Posted on August 12, 2003 at 06:28 AM in Mozilla | Comments (2) | TrackBack (0)

Chrome URLs in Mozilla and Mozilla Firefox

Every once in a while, someone asks how to open the JavaScript Console in a browser tab, or how to make a shortcut that opens the Bookmark Manager. Here are the chrome:// URLs you need.

To make a shortcut, use the -chrome switch, like this: firefox.exe -chrome chrome://browser/content/bookmarks/bookmarksManager.xul. If you leave out the -chrome switch, the Bookmark Manager (etc) will be inside a browser window.

To open one of these in a browser tab, just enter the URL into the address bar. Chrome URLs can be bookmarked like any other type of URL. Opening these chrome URLs in browser tabs is not supported, so don't be surprised if you encounter bugs.

Mozilla Firefox:

  • prefs: chrome://browser/content/pref/pref.xul
  • privacy prefs: chrome://browser/content/pref/pref-privacy.xul
  • bookmark manager: chrome://browser/content/bookmarks/bookmarksManager.xul
  • bookmark panel: chrome://browser/content/bookmarks/bookmarksPanel.xul
  • history panel: chrome://browser/content/history/history-panel.xul
  • download panel: chrome://browser/content/downloads/downloadPanel.xul
  • javascript console: chrome://global/content/console.xul
  • master password: chrome://pippki/content/pref-masterpass.xul

Mozilla Seamonkey (suite):

  • mail: chrome://messenger/content/messenger.xul (Does not work well)
  • chatzilla: chrome://chatzilla/content/chatzilla.xul (Does not work well)
  • prefs: chrome://communicator/content/pref/pref.xul (Also works in Firefox until bug 221602 is fixed)
  • history window: chrome://communicator/content/history/history.xul (Also works in Firefox until bug 221602 is fixed)

Update 2004-11-30: This entry is now duplicated at MozillaZine Knowledge Base: Chrome URLs. The Knowledge Base entry may be more up-to-date than this blog entry.

Posted on August 09, 2003 at 10:14 PM in Mozilla | Comments (9) | TrackBack (0)