Mozilla

Firefox Gets Dressed Up with Personas

Standard

morgamic's current persona

Personas was launched a couple of weeks ago, and it’s been received well. On the Personas add-on page on addons.mozilla.org you can already see 1.3 million downloads with 922,000 of those coming in the last seven days. Wow!

picture of add-ons listing and stats

The response to Personas is great, and I hope we can find more ways to get people excited about the extensibility of Firefox. I thought about some of the key factors to its success:

  • Easy to install, fun to use
  • Unique and personalized but not intrusive
  • Easy to create your own
  • Makes an obvious change to your browser

It’s awesome to see what’s going on with Personas — congrats to Mozilla Labs and the Personas team. Looking forward to what’s coming up next!

Tabbing Through Elements in Firefox on Mac

Standard

This weekend my laptop decided to die after the latest batch of Apple system updates. Not sure why, but on the first startup after the update, it wanted to randomly shut off (hard power-down) and could not get out of that cycle. Thanks, Apple.

So I did my first successful restore from a Time Machine backup. However, while I was waiting, I used a vanilla install of Firefox. I noticed that I couldn’t tab through form elements and it would jump straight from the page to the address bar. WTF?

Here is how you enable this tab behavior that you’re used to on Windows:

  1. Go to System Preferences… in the apple menu
  2. Open Keyboard & Mouse
  3. Go to the Keyboard Shortcuts tab
  4. Check All controls

This will let you tab through individual web elements normally. Screenshot below, in case it helps.

screenshot of keyboard pref pane in mac os x

Update: Alex Faaborg noted that you can track Bug 437296 if you’d like to follow overriding OS keyboard settings to maintain a consistent user experience in the browser across platforms.

Update: Chris Ilias pointed out so kindly that this is already in the Mozilla Knoledge base.

Firefox Keeps You Safe In Ways Other Browsers Don’t

Standard

You might know about some of the more glamorous Firefox 3 security features, but behind the scenes Firefox is protecting you from malicious extensions and plugins through its blocklisting service.

Depicted below is a diagram of how Firefox talks to its blocklist service. This is how it works:

  1. Every day Firefox downloads an XML document from our blocklist service.
  2. This tells Firefox if there are any malicious plugins or extensions out there.
  3. If Firefox detects any of these items on your system, it disables them so you can surf the web safely.

Flow chart for Firefox's blocklist service

What is remarkable about this is that it covers you from things Mozilla doesn’t even release. One of the things I’ve always been proud of is Mozilla’s dedication to its users, and I think this is a good illustration of how we’re finding ways to make the web better and safer. We don’t just care about Firefox, we care about you — and if you are put in a bad position because of poor security in a third-party plugin, we will be there to cover for you — on our dime.

Extension blocklisting has been available since Firefox 2, and we’ve used it in the past to blocklist extensions that cause major crashes or have security problems. Plugin blocklisting is new in Firefox 3, and this is a pretty big feature given recent security news involving plugins.

All major plugins have had arbitrary code execution issues at some point. Plugins like Quicktime or Flash have had some popular cases where hackers could execute code on your system just by having you load a corrupted Flash object or Quicktime movie. Usually vendors are pretty good about updating once these exploits are disclosed, but with Firefox 3 we’ve added plugin blocklisting so we can protect you if vendors aren’t quick enough to respond or don’t provide an easy way for you to upgrade.

Screenshot of a blocklisted item.

Mozilla doesn’t want to leave you out in the cold, and Firefox’s blocklist service is another tool we can use to look out for you.

It’s important to use this tool responsibly so we have discussed a policy for quite some time. The blocklist policy is in our public wiki, and we welcome any questions about it. Any time we consider blocklisting, we contact the vendor or author of the add-on in question to encourage a quick update and let them know we are considering blocklisting. Decisions to blocklist are made by committee to make sure we are not using this service incorrectly or blocklisting things prematurely without just cause.

To show you what the XML document looks like, here is an example of what we are currently serving:

<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emitems>
    <emitem id="fdm_ffext@freedownloadmanager.org">
      <versionrange minVersion="1.0" maxVersion="1.3.1">
        <targetapplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
           <versionrange minVersion="3.0a1" maxVersion="*"/>
        </targetapplication>
      </versionrange>
    </emitem>
  </emitems>
  <pluginitems>
    <pluginitem>
      <match name="name" exp="Yahoo Application State Plugin"/>
      <match name="description" exp="Yahoo Application State Plugin"/>
      <match name="filename" exp="npYState.dll"/>
    </pluginitem>
  </pluginitems>
</blocklist>

What this does:

  • Tells firefox to blocklist the Free Download Manager extension, versions 1.0 thru 1.3.1 for Firefox 3.0a1 and higher.
  • Tells firefox to blocklist the Yahoo Application State plugin, for all Firefox versions loading npYState.dll.

Information about the blocklist is always found on mozilla.com’s blocklist info page. To learn more about the service itself, feel free to read more about its specifications.

Overall, the blocklist service is another way Firefox is watching out for you, and even though it doesn’t get much press coverage, it’s a remarkable thing and speaks volumes about how serious we are about keeping Firefox users safe — even from stuff that wasn’t Mozilla’s fault.