futtta's blog

Did you know you can limit the damage an iframe can do by adding the “sandbox” attribute? And that you can add a value to that attribute to loosen your grip if you choose to do so?

I remember reading about this a couple of years ago or so, but forgot as  support for this html5 spec was limited to Chrome (Apple added support in Safari as well). But while investigating a problem a WP DoNotTrack-user was facing, I re-discovered iframe sandboxing (it effectively stopped the javascript-based tracking inside the iframe) and noticed that support for it is to be included in Internet Explorer 10 and that Mozilla is finally working on an implementation as well.

So yeah, the option to sandbox iframe’s pointing to blacklisted (or non-whitelisted) hostnames will probably be in a future version of WP DoNotTrack. Stay tuned!

Firefox 6 got pushed on my Ubuntu 11.04 netbook as an update a couple of days ago and things were badly broken; memory usage was skyrocketing, the kswapd was eating almost all CPU and the system was pretty much in a continuous wait-state.

After some cursing and a lot of Scroogling, I finally stumbled across this blogpost which described the exact same problem and advised to set  “layers.acceleration.force-enabled” (which tries to force hardware acceleration, which isn’t supported on Linux by default) back to “false” in about:config. And indeed this small rollback solved my memory-woes. Guess I shouldn’t have dismissed that silly about:config warning message after all.

And while we’re on the subject; Firefox 7 should see substantial improvements in memory usage, yay!

A couple of days ago I saw “Code Rush“, a non-fiction movie about life at Netscape while they were in the process of open sourcing their browser in 1998. It’s a great documentary about a defining moment in the history of the web, touching on subjects like code & quality (zarro boogs), the fight with Microsoft, the awkward marriage with AOL, the stock market, technology start-up culture and work versus life.

Open sourcing Communicator didn’t save Netscape as a company, but it did allow the Mozilla Organization to create a whole new browser suite based on XUL and NGlayout (later Gecko), which were 2 important building blocks for Phoenix, a standalone browser (instead of a suite) which we now know as Firefox.

Code Rush aired in 2000 on PBS in the States, but was released under a Creative Commons license in 2009. You can check out all footage (and search the transcripts) on clickmovement.org.

Apparently the Firefox-brand is  that strong that some want to be associated with it. But I’m not sure Mozilla (the not-for-profit or the corp) is fine with the blatant … “re-use” of their artwork.

The irony; Fox security offers fire- & theft-detection. But never mind, we’ve got Firefox 4 (beta7) to look forward to, haven’t we?

You probably read that  Steve Jobs officially declared Flash a stability nightmare and that Adobe’s CEO responded that OS X is to blame. Hard to take sides in this blame-game, especially without access to Apple’s crash reports data. We do, however, have access to Mozilla’s crash-stats.mozilla.com. Could those figures provide us with at least some relevant statistics about Flash’s reliability?

I imported this csv-file with the top 300 crashers for Firefox 3.6.3 for the last 50 days (3.6.3 was released on April 1th) into a Google Docs spreadsheet and counted the number of crashes for each line where “Flash” or “NPSWF32″ is in the signature (SUMIF without wildcard characters, seriously Google!?). You can find the spreadsheet here, but these are the results:

That’s right; almost 1/3 of the Firefox 3.6.3 “top crashers” are clearly related to Flash! So yes, there is good reason to consider plugins in general and Flash in particular a stability risk for Firefox. And for the record, the numbers for Mac seem to indicate that the problem is even (much) worse there! So hurray for Firefox 3.6.4 with Out of Process Plugins! And hey Adobe, get your Flash together!

A couple of days ago I installed Lorentz, a beta version of Firefox. Lorentz is virtually identical to Firefox 3.6.3, except that it incorporates part of the work of the Electrolysis team. Their “Out-of-process plugins”-code lets Firefox-plugins (on Windows & Linux, they’re still working on Mac OSX according to the release notes) run in a separate process from the browser, meaning Flash (but also Silverlight or Quicktime) can’t crash Firefox any more.

This feature actually is long overdue, a substantial amount of Firefox crashes are indeed caused by Flash failing and Mozilla’s competitors (MS IE, Apple Safari and Google Chrome) already have similar (or even more exhaustive) crash-protection.

Once you’ve installed Lorentz (or Chrome or IE8 or Safari off course) you can safely visit http://flashcrash.dempsky.org/, which exploits a bug that was reported 19 months ago and which may still cause the most recent Flash-version (10.0.45.2) to crash. And if flashcrash doesn’t bring up the plugin-crash-dialog, you can always kill the “mozilla-runtime” process that hosts the plugins, just for kicks!

Microsoft IE8 introduced it, Apple Safari4 has it, Google Chrome4 does it and now somewhere in the not too distant future, Firefox will ship it too; support for X-FRAME-OPTIONS.

X-cuse-me? Well, X-FRAME-OPTIONS is the HTTP response header that broke Google Talk chat badge a few months ago, remember? It allows you to specify whether your site or page can be (i)framed or not, by setting it to “DENY” (not allowed to be framed) or “SAMEORIGIN” (allowed if the framing site is on the exact same domain). The most important reason for this functionality is as a prevention-mechanism for “clickjacking” (a.k.a. UI redressing), a type of web attack that tries to trick victims into clicking a framed site by hiding it behind another innocent element.

So now that feature is finally coming to Firefox as well; Mozilla’s Brendan Sterne, one of the driving forces behind Mozilla’s much broader content security policy, grabbed the bug by the balls and came up with a first patch. If all goes well, this would be an ideal candidate to get pushed out with a minor version update as per the new release process, no?