Planet Mozilla


The Firefox Frontier: March Add(on)ness: Momentum (2) vs Grammarly (3)

Sat, 17 Mar 2018 12:36:04 +0000

The pen is mightier than the sword, but is personal organization more powerful than having to worry about grammar? You tell us in today’s March Add(on)ness. Momentum Optimization With Momentum, … Read more

The post March Add(on)ness: Momentum (2) vs Grammarly (3) appeared first on The Firefox Frontier.

The Firefox Frontier: March Add(on)ness: uBlock (1) vs Kimetrack (4)

Fri, 16 Mar 2018 14:07:15 +0000

Decide who will be the ultimate privacy extension in today’s Add-on Madness… uBlock Origin Privacy, tracking uBlock Origin is an efficient blocker. Easy on CPU and memory. Nobody likes to … Read more

The post March Add(on)ness: uBlock (1) vs Kimetrack (4) appeared first on The Firefox Frontier.

Daniel Pocock: OSCAL'18, call for speakers, radio hams, hackers & sponsors reminder

Fri, 16 Mar 2018 08:46:29 +0000

The OSCAL organizers have given a reminder about their call for papers, booths and sponsors (ask questions here). The deadline is imminent but you may not be too late.

OSCAL is the Open Source Conference of Albania. OSCAL attracts visitors from far beyond Albania (OpenStreetmap), as the biggest Free Software conference in the Balkans, people come from many neighboring countries including Kosovo, Montenegro, Macedonia, Greece and Italy. OSCAL has a unique character unlike any other event I've visited in Europe and many international guests keep returning every year.

A bigger ham radio presence in 2018?

My ham radio / SDR demo worked there in 2017 and was very popular. This year I submitted a fresh proposal for a ham radio / SDR booth and sought out local radio hams in the region with an aim of producing an even more elaborate demo for OSCAL'18. If you are a ham and would like to participate please get in touch using this forum topic or email me personally.

Why go?

There are many reasons to go to OSCAL:

- We can all learn from their success with diversity. One of the finalists for Red Hat's Women in Open Source Award, Jona Azizaj, is a key part of their team: if she is announced the winner at Red Hat Summit the week before OSCAL, wouldn't you want to be in Tirana when she arrives back home for the party?
- Warm weather to help people from northern Europe to thaw out.
- For many young people in the region, their only opportunity to learn from people in the free software community is when we visit them. Many people from the region can't travel to major events like FOSDEM due to the ongoing outbreak of immigration bureaucracy and the travel costs. Many Balkan countries are not EU members and incomes are comparatively low.
- Due to the low living costs in the region and the proximity to larger European countries, many companies are finding compelling opportunities to work with local developers there and OSCAL is a great place to make contacts informally.

Sponsors sought

Like many free software communities, Open Labs is a registered non-profit organization. Anybody interested in helping can contact the team and ask them for whatever details you need. The Open Labs Manifesto expresses a strong commitment to transparency which hopefully makes it easy for other organizations to contribute and understand their impact. Due to the low costs in Albania, even a small sponsorship or donation makes a big impact there. If you can't make a direct payment to Open Labs, you could also potentially help them with benefits in kind or by contributing money to one of the larger organizations supporting OSCAL.

Getting there without direct service from Ryanair or Easyjet

These notes about budget airline routes might help you plan your journey. It is particularly easy to get there from major airports in Italy. If you will also have a vacation at another location in the region it may be easier and cheaper to fly to that location and then use a bus to Tirana.

Making it a vacation

For people who like to combine conferences with their vacations, the Balkans (WikiTravel) offer many opportunities, including beaches, mountains, cities and even a pyramid (in Tirana itself). It is very easy to reach neighboring countries like Montenegro and Kosovo by coach in just 3-4 hours. For example, there is the historic city of Prizren in Kosovo and many beach resorts in Montenegro. If you go to Kosovo, don't miss the Prishtina hackerspace. [...]

Cameron Kaiser: TenFourFox FPR6 SPR1 coming

Fri, 16 Mar 2018 03:47:55 +0000

Stand by for FPR6 Security Parity Release 1 due to the usual turmoil following Pwn2Own, in which the mighty typically fall and this year Firefox did. We track these advisories and always plan to have a patched build of TenFourFox ready and parallel with Mozilla's official chemspill release; I have already backported the patch and tested it internally.

The bug in question would require a TenFourFox-specific exploit to be useful, but is definitely exploitable, and fortunately was easily repaired. The G5 will chug overnight and have builds tomorrow and heat the rear of the house all at the same time.

Michael Comella: Addressing GitHub Problems: "What PRs are open for this issue?"

Fri, 16 Mar 2018 00:00:00 +0000

When looking at a GitHub issue, I often need to know, “What PRs are open for this issue?” I wrote the GitHub Issue Hoister add-on to address my problem.

It hoists those “mcomella added a commit that references this issue” links to the top of an issue page to make them easier to access and see at a glance:


Check out the brief tutorial for caveats and more details, or just download it off AMO. For bugs/issues, file them on github.

The Mozilla Blog: Prepare to be Creeped Out

Thu, 15 Mar 2018 16:53:08 +0000

Mozilla Fellow Hang Do Thi Duc joins us to share her Data Selfie art project. It collects the same basic info you provide to Facebook. Sharing this kind of data about yourself isn’t something we’d normally recommend. But, if you want to know what’s happening behind the scenes when you scroll through your Facebook feed, installing Data Selfie is worth considering. Use at your own risk. If you do, you might be surprised by what you see.

Hi everyone, I’m Hang,

Ever wonder what Facebook knows about you? Why did that ad for motorcycle insurance pop up when you don’t own a motorcycle? Why did that ad for foot cream pop up right after you talked about your foot itching?

I wondered. So I created something to help me find out. I call it Data Selfie. It’s an add-on–a little piece of software you download to use with your web browser–that works in both Firefox and Chrome.

How does it work? Every time you like, click, read, or post something on Facebook, Facebook knows. Even if you don’t comment or share much, Facebook learns about you as you scroll through your feed.

My add-on does something similar. It’s here to help you understand how your actions online can be tracked. It does this by collecting the same information you provide to Facebook, while still respecting your privacy.

NOTE: The add-on is available in Firefox too.

Want to see what your Data Selfie looks like? Here’s how:

  1. Go here:
  2. Download the Firefox or Chrome add-on
  3. Check out my privacy policy if you want to know more about how this works.
  4. You’ll see an eye icon in the upper right corner of your browser. Click on it.
  5. From the list, click “Your Data Selfie.”

You’ll see there’s not much to your Data Selfie yet. Just browse Facebook as you normally do. It takes about a week of regular Facebook use for your Data Selfie to gather enough information to give you a good idea of what Facebook might know about you.

Thanks! I hope you enjoy your Data Selfie.

Hang Do Thi Duc
Mozilla Fellow

PS. My Data Selfie says I’m a laid-back, liberal man who isn’t likely to have a gym membership and prefers style when buying clothes. Pretty accurate, actually.

The post Prepare to be Creeped Out appeared first on The Mozilla Blog.

Air Mozilla: Reps Weekly Meeting, 15 Mar 2018

Thu, 15 Mar 2018 16:00:00 +0000

This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.

Mozilla VR Blog: Building Mixed Reality spaces for the web

Thu, 15 Mar 2018 14:30:00 +0000

One of the primary goals of our Social Mixed Reality team is to enable and accelerate access to Mixed Reality-based communication. As mentioned in our announcement blog post, we feel meeting with others around the world in Mixed Reality should be as easy as sharing a link, and creating a virtual space to spend time in should be as easy as building your first website.

In this post, we wanted to share an early look at some work we are doing to help achieve the second goal, making it easy for newcomers to create compelling 3D spaces suited for meeting in Mixed Reality.

Anyone who has gone through the A-Frame tutorials and learned the basics of creating boxes, spheres, and other entities soon finds themselves wanting to build out a full 3D environment. Components such as the a-frame environment component can be a good start to adding life to the initial black void of an empty virtual space, but that mostly takes care of ‘background’ aspects to the space such as the sky, ground surface, and far-off objects like trees and clouds. Beyond that, people quickly find themselves facing a roadblock: the kind of space they want to make is often more ambitious than what can be done with a few simple shapes, and needs to be more architectural and grounded in reality.

To build such a space today requires a wide variety of knowledge and skills, from the obvious ones like modelling and texturing, to those more specific to Mixed Reality such as optimizing rendering performance and properly designing the architecture for scale and comfort in a headset. If we want building your first space to be as easy as building your first website, there is clearly a lot of work to be done! So, what can we do to make it easier?

Modular by Design

What do Lego and IKEA have in common? Well, aside from originating from Scandinavian countries, they both make products whose designs embrace modularity to great effect. Through this modularity, just about anyone can put together a desk from IKEA or a spaceship from Lego, and a wide variety of products can be made due to the versatility of the parts.

Why not apply these same ideas to building virtual spaces? We are working on a system, all of which will be open sourced and freely available, which will allow anyone to create virtual spaces using a set of premade architectural elements that can be combined in countless ways. We’re not the first to come up with such a system, it’s been an approach growing in popularity and sophistication within game studios for building large, continuous worlds.

In our case, the pieces in our system all follow a strict set of metrics that make the construction process as simple as possible and remove the guesswork involved in assembling a scene. The result is that a person with basic knowledge can quickly put together a virtual space that feels more like a real place and less like a world made up of simple shapes. For more experienced creators, the system can be used for rapid prototyping, allowing them to realize their ideas more quickly.

The most exciting part is that, combined with our other efforts, you’ll soon be able to visit the spaces you build with this system with anyone around the world, all from within Mixed Reality, by simply sharing a link.

Optimized for Mixed Reality

Creating experiences for Mixed Reality poses a unique set of challenges, such as the need to deliver high frame rates and a comfortable, immersive experience. Things can quickly fall apart when using assets that are too demanding for mobile devices or even lower-end PC hardware. Unfortunately, many assets you might obtain from various asset stores are often not optimized or designed for Mixed Reality experiences.

Our architectural modules are being built for Mixed Reality from the start. Vertex counts, texel density, and draw calls are just a few of the metrics we use to validate performance and to ensure tha[...]

Mozilla Addons Blog: Enter the Firefox Quantum Extensions Challenge

Thu, 15 Mar 2018 14:00:38 +0000

Firefox users love using extensions to personalize their browsing experience. Now, it’s easier than ever for developers with working knowledge of JavaScript, HTML, and CSS to create extensions for Firefox using the WebExtensions API. New and improved WebExtensions APIs land with each new Firefox release, giving developers the freedom to create new features and fine-tune their extensions.

You’re invited to use your skill, savvy, and creativity to create great new extensions for the Firefox Quantum Extensions Challenge. Between March 15 and April 15, 2018, use Firefox Developer Edition to create extensions that make full use of available WebExtensions APIs for one of the prize categories. (Legacy extensions that have been updated to WebExtensions APIs, or Chrome extensions that have been ported to Firefox on or after January 1, 2018, are also eligible for this challenge.)

A panel of judges will select three to four finalists in each category, and the community will be invited to vote for the winners. We’ll announce the winners with the release of Firefox 60 in May 2018. Winners in each category will receive an iPad Pro and promotion of their extensions to Firefox users. Runners-up will receive a $250 USD Amazon gift card.

Ready to get started? Visit the challenge site for more information (including the official rules) and download Firefox Developer Edition.

Winners will be notified by the end of April 2018 and will be announced with the release of Firefox 60 in May 2018.

Good luck!

The post Enter the Firefox Quantum Extensions Challenge appeared first on Mozilla Add-ons Blog.

Hacks.Mozilla.Org: Firefox Quantum Extensions Challenge

Thu, 15 Mar 2018 13:58:34 +0000

Firefox users love using extensions to personalize their browsing experience. Now, it’s easier than ever for developers with working knowledge of JavaScript, HTML, and CSS to create extensions for Firefox using the WebExtensions API. New and improved WebExtensions APIs land with each new Firefox release, giving developers the freedom to create new features and fine-tune their extensions.

You’re invited to use your skill, savvy, and creativity to create great new extensions for the Firefox Quantum Extensions Challenge. Between March 15 and April 15, 2018, use Firefox Developer Edition to create extensions that make full use of available WebExtensions APIs for one of the prize categories. (Legacy extensions that have been updated to WebExtensions APIs, or Chrome extensions that have been ported to Firefox on or after January 1, 2018, are also eligible for this challenge.)

A panel of judges will select three to four finalists in each category, and the community will be invited to vote for the winners. We’ll announce the winners with the release of Firefox 60 in May 2018. Winners in each category will receive an iPad Pro and promotion of their extensions to Firefox users. Runners-up will receive a $250 USD Amazon gift card.

Categories

Best in Tab Management & Organization

Firefox users love customizing their browser tabs. Create the next generation of user-friendly extensions to style, organize, and manage tabs.

Best Dynamic Themes

With the new theme API, developers can create beautiful and responsive dynamic themes to customize Firefox’s appearance and make them interactive. We’re looking for a dynamite combination of aesthetics and utility.

Best in Games & Entertainment

Extensions aren’t just for improving productivity — they’re also great for adding whimsy and fun to your day. We’re looking for high-performing, original ideas that will bring delight to Firefox users.

New & Improved APIs

So many new WebExtensions APIs have landed in the last few Firefox releases, and Firefox 60 will add even more. Let’s start with themes.

The current Theme API supports nearly 20 different visual elements that developers can customize. In Firefox 60, the list will grow to include the following items now in development:

- tab_line – Set the color of the tab line shown at the top of the active tab
- tab_selected – Set the background color of the selected tab
- tab_loading – Set the color of the tab loading indicator
- popup – Set the background color of the Firefox popup (arrow panel)
- popup_text – Set the text color of the Firefox popup (arrow panel)
- popup_border – Set the border color of the Firefox popup (arrow panel)

But remember, your goal isn’t just to come up with a nice looking set of UI elements. Wow us with an extension that uses the Theme API to dynamically modify UI elements in order to create something that is visually stunning and equally useful.

For tabs, several new APIs have been added, including:

- browserSettings.openBookmarksInNewTabs() for controlling the options to open bookmarks in new tabs.
- browserSettings.openSearchResultsInNewTabs() so extensions can open search results in new tabs.
- tabs.captureTab(). This is very similar to tabs.captureVisibleTab(), but allows you to capture any tab (specified by ID) instead of just the active tab.
- Calling tabs.create() without a windowId will now target only non-popup windows.
- tabs.query() now does pattern matching on the title.

The contextualIdentities API is not new, but it is unique to Firefox and may provide developers with some interesting tools for separating online identities. The same goes for the sidebar API, another unique feature of Firefox that allows developers to get creative with alternate user interface models.

Get Started

Visit the challenge site for more information and[...]

The Firefox Frontier: March Add(on)ness: Tree Style Tab (1) Vs Don’t Touch My Tabs (4)

Thu, 15 Mar 2018 13:24:58 +0000

It’s a head-to-head match up of tab customization for March Add(on)ness… Tree Style Tab Customization Tree Style Tabs opens new tabs as organized “children” of the current tab. Such “branches” … Read more

The post March Add(on)ness: Tree Style Tab (1) Vs Don’t Touch My Tabs (4) appeared first on The Firefox Frontier.

Gervase Markham: Poetic License

Thu, 15 Mar 2018 03:28:51 +0000

I found this when going through old documents. It looks like I wrote it and never posted it. Perhaps I didn’t consider it finished at the time. But looking at it now, I think it’s good enough to share. It’s a redrafting of the BSD licence, in poetic form. Maybe I had plans to do other licences one day; I can’t remember.

I’ve interleaved it with the original license text so you can see how true, or otherwise, I’ve been to it. Enjoy :-)

Copyright (c) , 
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions 
are met:

You may redistribute and use –
as source or binary, as you choose,
and with some changes or without –
this software; let there be no doubt.
But you must meet conditions three,
if in compliance you wish to be.

1. Redistributions of source code must retain the above copyright 
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright 
  notice, this list of conditions and the following disclaimer in the 
  documentation and/or other materials provided with the distribution.
3. Neither the name of the  nor the names of its 
   contributors may be used to endorse or promote products derived 
   from this software without specific prior written permission.

The first is obvious, of course –
To keep this text within the source.
The second is for binaries
Place in the docs a copy, please.
A moral lesson from this ode –
Don’t strip the copyright on code.

The third applies when you promote:
You must not take, from us who wrote,
our names and make it seem as true
we like or love your version too.
(Unless, of course, you contact us
And get our written assensus.)


One final point to be laid out
(You must forgive my need to shout):


When all is told, we sum up thus –
Do what you like, just don’t sue us.


Firefox Nightly: These Weeks in Firefox: Issue 34

Wed, 14 Mar 2018 19:38:06 +0000

Highlights

- Help us eliminate annoying in-content popups by installing this add-on and reporting when pages display an in-content popup like this: These things are the worst. Help us get them out of your way.
- Tab warming has (finally!) been enabled on Nightly. This should help with perceived tab switching performance. Here’s a blog post describing how it works. See any issues with it? Please file bugs and mark them blocking this bug
- For enterprise folks on Windows, there’s a new policy engine, with templates to set policies through Group Policy. We got a shout-out on gHacks. If you’re a Windows system administrator, this is probably a welcome sight.
- Activity Stream has a new section context menu to remove, collapse, and reorder sections. Move, remove, and collapse to your heart’s content.
- We disabled all Device Sensor APIs except device orientation.
- Check out this technical blog post on Firefox Themer from Les Orchard

Friends of the Firefox team

(Give a shoutout/thanks to people for helping fix and test bugs. Introductions)

Introductions

- :Prathiksha got her Level 3 contributor access last week!
- Mike Kaply is joining our team!

Resolved bugs (excluding employees):

More than one bug fixed:

- :prathiksha
- Dhi Aurrahman
- Tim Nguyen :ntim
- :jonathanGB

New contributors (🌟 = First Patch!)

- 🌟 Adam Kasztenny got rid of a bunch of dead code from the old about:newtab page
- 🌟 Amy switched some tests from using a hand-rolled promiseTopicObserved to using TestUtils.topicObserved
- 🌟 Aleksandr got rid of some dead code in the browser/modules directory
- Arthur Deschamps made sure that we send the user to about:privatebrowsing in private browsing windows at the right times
- 🌟 Omar got rid of the unused gBrowser.tabContextMenu property
- 🌟 Raymond converted some hardcoded colours in about:addons to CSS variables instead
- Daniel Marshall (:starsandspirals) renamed the “profileStorage” Form Auto-fill singleton to “formAutofillStorage” to make its purpose more clear
- 🌟 gregorywlodarek changed the label for a button in about:preferences so that it makes more sense
- 🌟 kanika16047 switched a test from using a hand-rolled promiseWaitForCondition to using TestUtils.waitForCondition instead
- 🌟 Michael Webster added support for showing download progress in the taskbar on Linux Mint
- 🌟 Olivier Tilloy updated how we detect and set Firefox as the default browser on Linux when installed as a Snap package
- 🌟 Videet Singhai removed the unused MEMORY_HEAP_COMMITTED_UNUSED Telemetry probe

Project Updates

Add-ons

- Including an embedded experiment in a WebExtension no longer breaks browserAction (uplifted to 59).
- Tab hiding shutdown now happens even if the API is unused, removing the possibility of hidden tabs staying erroneously hidden (fixed in 60).
- tabs.query() returns highlighted tabs when querying… highlighted tabs (fixed in 60).
- Dev tools panel drop downs expand as they should (fixed in 60).
- Async proxy.onRequest API (fixed in 60).
- …and DNS resolve API added (also in 60).
- Improved information on where errors triggered by async APIs came from (in 60).
- Fixed an issue where extension sidebars reload unnecessarily (fixed in 60).
- Some security bugs got fixed in Firefox 60 as well.

Theming:

- You can now set the active tab line color (in 60).
- You can now change the background color of the selected tab (in 60).
- Narrowly avoided releasing tab_background_text misnamed which would’ve been bad for migrations of Chrome extensions (uplifted to 59)

Activity Stream

Various fixes for bookmarks and snippets Dashboard for Activity Stream Metrics Summary, Search, and User Preferences Project to move Activity Stream settings to about:preferences will be landed in 6[...]

Air Mozilla: The Joy of Coding - Episode 132

Wed, 14 Mar 2018 17:00:00 +0000

mconley livehacks on real Firefox bugs while thinking aloud.

Air Mozilla: Weekly SUMO Community Meeting, 14 Mar 2018

Wed, 14 Mar 2018 16:00:00 +0000

This is the SUMO weekly call

Hacks.Mozilla.Org: Making WebAssembly better for Rust & for all languages

Wed, 14 Mar 2018 15:02:52 +0000

One big 2018 goal for the Rust community is to become a web language. By targeting WebAssembly, Rust can run on the web just like JavaScript. But what does this mean? Does it mean that Rust is trying to replace JavaScript? The answer to that question is no. We don’t expect Rust WebAssembly apps to be written completely in Rust. In fact, we expect the bulk of application code will still be JS, even in most Rust WebAssembly applications.

This is because JS is a good choice for most things. It’s quick and easy to get up and running with JavaScript. On top of that, there’s a vibrant ecosystem full of JavaScript developers who have created incredibly innovative approaches to different problems on the web.

But sometimes for specific parts of an application, Rust+WebAssembly is the right tool for the job… like when you’re parsing source maps, or figuring out what changes to make to the DOM, like Ember.

So for Rust+WebAssembly, the path forward doesn’t stop at compiling Rust to WebAssembly. We need to make sure that WebAssembly fits into the JavaScript ecosystem. Web developers need to be able to use WebAssembly as if it were JavaScript.

But WebAssembly isn’t there yet. To make this happen, we need to build tools to make WebAssembly easier to load, and easier to interact with from JS. This work will help Rust. But it will also help all other languages that target WebAssembly.

What WebAssembly usability challenges are we tackling? Here are a few:

- How do you make it easy to pass objects between WebAssembly and JS?
- How do you package it all up for npm?
- How do developers easily combine JS and WASM packages, whether in bundlers or browsers?

But first, what are we making possible in Rust?

- Rust will be able to call JavaScript functions.
- JavaScript will be able to call Rust functions.
- Rust will be able to call functions from the host platform, like alert.
- Rust crates will be able to have dependencies on npm packages.

And throughout all of this, Rust and JavaScript will be passing objects around in a way that makes sense to both of them.

So that’s what we are making possible in Rust. Now let’s look at the WebAssembly usability challenges that we need to tackle.

Q. How do you make it easy to pass objects between WebAssembly and JS?

A. wasm-bindgen

One of the hardest parts of working with WebAssembly is getting different kinds of values into and out of functions. That’s because WebAssembly currently only has two types: integers and floating point numbers.

This means you can’t just pass a string into a WebAssembly function. Instead, you have to go through a bunch of steps:

  1. On the JS side, encode the string into numbers (using something like the TextEncoder API)
  2. Put those numbers into WebAssembly’s memory, which is basically an array of numbers
  3. Pass the array index for the first letter of the string to the WebAssembly function
  4. On the WebAssembly side, use that integer as a pointer to pull out the numbers

And that’s only what’s required for strings. If you have more complex types, then you’re going to have a more convoluted process to get the data back and forth.

If you’re using a lot of WebAssembly code, you’ll probably abstract this kind of glue code out into a library. Wouldn’t it be nice if you didn’t have to write all that glue code, though? If you could just pass complex values across the language boundary and have them magically work?

That’s what wasm-bindgen does. If you add a few annotations to your Rust code, it will automatically create the code that’s needed (on both sides) to make more complex types work. This means calling JS functions from Rust using whatever types those [...]

The Firefox Frontier: March Add(on)ness: Video Download Helper (1) Vs Cookie AD (4)

Wed, 14 Mar 2018 11:42:43 +0000

It’s battle two of March Add(on)ness today and we have… Video DownloadHelper Media Video DownloadHelper is the easy way to download and convert Web videos from hundreds of YouTube-like sites. … Read more

The post March Add(on)ness: Video Download Helper (1) Vs Cookie AD (4) appeared first on The Firefox Frontier.

Daniel Stenberg: GAAAAAH

Wed, 14 Mar 2018 09:00:28 +0000

That’s the thought that ran through my head when I read the email I had just received.

GAAAAAAAAAAAAH

You know the feeling when the realization hits you that you did something really stupid? And you did it hours ago and people already noticed so it’s too late to pretend it didn’t happen or try to cover it up and whistle innocently. Nope, none of those options were available anymore. The truth was out there. I had messed up royally.

What triggered this sudden journey of emotions and sharp sense of pain in my soul, was an email I received at 10:18, Friday March 9 2018. The encrypted email pointed out to me in clear terms that there was information available publicly on the curl web site about the security vulnerabilities that we intended to announce in association with the next curl release, on March 21. (The person who emailed me is a member of a group that was informed by me about these issues ahead of time.)

In the curl project, we never reveal nor show any information about known security flaws until we ship fixes for them and publish their corresponding security advisories that explain the flaws, the risks, the fixes and work-arounds in detail. This of course in the name of keeping users safe. We don’t want bad guys to learn about problems and flaws until we also offer fixes for them. That is, unless you screw up like me.

It took me a few minutes until I paused my work I was doing at the moment and actually read the email, but once I did I acted immediately and at 10:24 I had reverted the change on the web site and purged the URL from the CDN so the information was no longer publicly visible there.

The entire curl web site is however kept in a public git repository, so while the sensitive information was no longer immediately notable on the site, it was still out of the bag and there was just no taking it back. Not to mention that we don’t know how many people that already updated their git clones etc.

I pushed the particular file containing the “extra information” to the web site’s git repository at 01:26 CET the same early morning and since the web site updates itself in a cronjob every 20 minutes we know the information became available just after 01:40. At which time I had already gone to bed.

The sensitive information was displayed on the site for 8 hours and 44 minutes. The security page table showed these lines at the top:

| # | Vulnerability | Date | First | Last | CVE | CWE |
|---|---|---|---|---|---|---|
| 78 | RTSP RTP buffer over-read | February 20, 2018 | 7.20.0 | 7.58.0 | CVE-2018-1000122 | CWE-126: Buffer Over-read |
| 77 | LDAP NULL pointer dereference | March 06, 2018 | 7.21.0 | 7.58.0 | CVE-2018-1000121 | CWE-476: NULL Pointer Dereference |
| 76 | FTP path trickery leads to NIL byte out of bounds write | March 21, 2018 | 7.12.3 | 7.58.0 | CVE-2018-1000120 | CWE-122: Heap-based Buffer Overflow |

I only revealed the names of the flaws and their corresponding CWE (Common Weakness Enumeration) numbers, the full advisories were thankfully not exposed, the links to them were broken. (Oh, and the date column shows the dates we got the reports, not the date of the fixed release which is the intention.) We still fear that the names alone plus the CWE descriptions might be enough for intelligent attackers to figure out the rest.

As a direct result of me having revealed information about these three security vulnerabilities, we decided to change the release date of the pending release curl 7.59.0 to happen one week sooner than previously planned. To reduce the time bad actors would be able to abuse this information for malicious purposes.

How exactly did it happen?

When approaching a release day, I always create local git [...]

Daniel Stenberg: Here’s curl 7.59.0

Wed, 14 Mar 2018 06:55:55 +0000

We ship curl 7.59.0 exactly 49 days since the previous release (a week shorter than planned because of reasons). Download it from here. Full changelog is here.

In these 49 days, we have done and had..

- 6 changes(*)
- 78 bug fixes (total: 4337)
- 149 commits (total: 22,952)
- 45 contributors, 20 new (total: 1,702)
- 29 authors (total: 552)
- 3 security fixes (total: 78)

This time we’ve fixed no less than three separate security vulnerabilities:

- FTP path trickery security issue
- LDAP NULL dereference
- RTSP RTP buffer over-read

(*) = changes are things that don’t fix existing functionality but actually add something new to curl/libcurl. New features mostly.

The new things this time probably won’t be considered as earth shattering but still a bunch of useful stuff:

--proxy-pinnedpubkey

The ability to specify a public key pinning has been around for a while for regular servers, and libcurl has had the ability to pin proxies’ keys as well. This change makes sure that users of the command line tool also get that ability. Make sure your HTTPS proxy isn’t MITMed!

CURLOPT_TIMEVALUE_LARGE

Part of our effort to cleanup our use of ‘long’ variables internally to make sure we don’t have year-2038 problems, this new option was added.

CURLOPT_RESOLVE

This popular libcurl option that allows applications to populate curl’s DNS cache with custom IP addresses for host names was improved and now you can add multiple addresses for host names. This allows transfers using it to work even more as if they used normal name resolves.

CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS

As a true HTTP swiss-army knife tool and library, you can toggle and tweak almost all aspects, timers and options that are used. This libcurl option has a new corresponding curl command line option, and allows the user to set the timeout time for how long after the initial (IPv6) connect call is done until the second (IPv4) connect is invoked in the happy eyeballs connect procedure. The default is 200 milliseconds.

Bug fixes!
As usual we fixed things all over. Big and small. Some of the ones that I think stuck out a little were the fix for building with OpenSSL 0.9.7 (because you’d think that portion of users should be extinct by now) and the fix to make configure correctly detect OpenSSL 1.1.1 (there are beta releases out there). Some application authors will appreciate that libcurl now for the most part detects if it gets called from within one of its own callbacks and returns an error about it. This is mostly to save these users from themselves as doing this would already previously risk damaging things. There are some functions that are still allowed to get called from within callbacks. [...]

Ehsan Akhgari: An overview of online ad fraud

Tue, 13 Mar 2018 23:29:07 +0000

I have researched various aspects of the online advertisement industry for a while, and one of the fascinating topics that I have come across which I didn’t know too much about before is ad fraud. You may have heard that this is a huge problem as this topic hits the news often, and after learning more about it, I think of it as one of the major threats to the health of the Web, so it’s important for us to be more familiar with the problem. People have done a lot of research on the topic but most of the material uses the jargon of the ad industry so it may be inaccessible to those who aren’t familiar with it (I’m learning my way through it myself!) and also you’d need to study a lot to put a broad picture of what’s wrong together, so I decided to summarize what I have learned so far, expressed in simple terms avoiding jargon, in the hopes that it’s helpful. Needless to say, none of this should be taken as official Mozilla policy, but rather this is a hopefully objective summary plus some of my opinions after doing this research at the end.

How ad fraud works

Fraudsters have always existed in all walks of life, looking for easy ways of making money. Online ad fraud provides an appealing avenue for fraudsters because of two reasons. One is that once they have a working system capable of generating revenue, they can easily scale it up with almost no extra effort involved, so this gives them the ability to generate a lot of revenue. And we’re talking a lot here. To give you a sense of the scale, the infamous Methbot operation which has been well documented was generating $3-5 million USD at some point, per day. The other reason is that there is relatively low risk associated with online ad fraud, since depending on the jurisdiction, online ad fraud falls into a legal gray area, and also doesn’t involve physical risk as opposed to many other types of fraudulent activities.
Ad fraud has been made possible through abusing the quality metrics the ad industry uses to assess the effectiveness of marketing campaigns. For example, historically metrics such as time spent on page, or how often people clicked on an ad (click-through rate) were used, which were trivial to game programmatically. Even when more sophisticated metrics such as percentage of customers achieving a specific marketing goal, such as buying something or signing up for a newsletter were employed, these were implemented through mechanisms such as invisible tracking pixels (1×1 invisible GIFs sending some tracking cookies to the server) which again are trivial to game. These metrics in practice are gamed so much that high rates on these metrics are more associated with bot traffic than actual human customers!

A typical ad fraud scenario today works by automating the process of generating traffic designed to game one of these metrics, and running that on bots across a botnet. These are bots that attempt to act like a human to avoid being detected as a bot (and being block listed or punished by ad networks). These bots also usually aren’t simple scripts. They are usually full browser environments, which are either controlled from the outside environment (e.g., through sending the browser mouse/keyboard events, or through embedding APIs) or even by modifying an open source browser! This allows the bot to perform actions on the page, such as add items to a shopping cart, or click on an ad, etc.

It’s worth explaining how these botnets are typically run. Botnets usually consist of many hijacked computers connected to [...]

K Lars Lohn: Things Gateway, Part 7 - IKEA TRÅDFRI

Tue, 13 Mar 2018 22:50:56 +0000

In this series of postings, I've been setting up, configuring, and playing with IoT devices through the experimental Things Gateway from Mozilla. I've covered the generic Zigbee and Z-Wave devices, the Philips Hue devices, and the TP-Link WiFi devices. Today, I add IKEA TRÅDFRI to this circus.

Of course, in this series, I've also been doing a bit of editorializing. I was critical of the TP-Link devices because their security model requires the end user to just trust them. I'm critical of the IKEA TRÅDFRI for a physical safety reason. What does the word TRÅDFRI mean? I'm assuming it is a Swedish word that means "severe blood loss from slashed wrists" because that is what is likely to happen when opening the package. The clamshell plastic that entombs their products is difficult to open with anything short of a chainsaw. My kitchen scissors wouldn't do the job and I had to resort to garden pruning shears and that left dangerously sharp pieces that drew blood. Be careful.

However, the products themselves have a lot of positive aspects once you manage to liberate them from their packaging. IKEA's decision to not implement their own method of remote access from outside the home is great. The Android and iOS apps cannot operate the IKEA devices remotely. That is a big plus for data security. It also means that the IKEA corporation is apparently not monitoring the use of your light bulbs.

Another advantage to IKEA TRÅDFRI is affordability. These are currently the least expensive Zigbee compatible lights out there.

For this demonstration, I'm only going to use the TRÅDFRI light bulbs. Because of an idiosyncrasy in how the dimmers, switches and motion detectors work, they are not currently compatible with the Things Gateway. I'm assuming that will change in the future.

Goal: demonstrate the use of IKEA TRÅDFRI bulbs with the Things Gateway.

| Item | What's it for? | Where I got it |
|---|---|---|
| The Raspberry Pi and associated hardware from Part 2 of this series. | This is the base platform that we'll be adding onto | From Part 2 of this series |
| DIGI XStick | This allows the Raspberry Pi to talk the ZigBee protocol - there are several models, make sure you get the XU-Z11 model. | The only place that I could find this was Mouser Electronics |
| IKEA TRÅDFRI 980 lumen bulb | To demonstrate use of the bulb without the TRÅDFRI gateway, dimmer or switch. | IKEA TRÅDFRI 980 lumen |

Step 1: set up the Raspberry Pi and the DIGI XStick in the manner specified in Part 2 of this series.

Step 2: Plug in your IKEA TRÅDFRI bulbs. If they came with a kit, like the one shown in the unpackaging photo above, they need to be factory reset. Factory reset is fairly easy: using a manual power switch, turn the bulb on and off rapidly at least six times (more seems ok). It will do no harm to do the factory reset even if the bulbs did not come in a bundled package. Once they've reset, they wink once in acknowledgement. You can see that wink at the end of the video.

Step 3: Pair the bulbs with the Things Gateway by pressing the "+" button on the Things screen. Then apply power to the bulbs. I found that the IKEA bulbs take a bit longer to be recognized than other Zigbee compatible bulbs. Select Save on each bulb and then press "Done". That is all there is to it.

While these IKEA bulbs are the least expensive Zigbee bulbs that I have found, there may be a reason behind that. I noticed that the bulb that I've labeled I02 seems to have a problem. After being on for about five minutes, it'll just spontaneously blink [...]

Air Mozilla: Martes Mozilleros, 13 Mar 2018

Tue, 13 Mar 2018 22:00:00 +0000

Bi-weekly meeting (held in Spanish) to talk about the state of Mozilla, the community and its projects.

Mike Conley: Firefox Performance Update #3

Tue, 13 Mar 2018 20:06:25 +0000

Hi! I’ve got another slew of Firefox performance work to report today. Special thanks to the folks who submitted things through this form to let me know about performance work that’s taken place recently! If you’ve seen something fixed lately that’ll likely have a positive impact on Firefox performance, let me know about it! So, without further ado, here are some of the folks who have made some nice improvements to Firefox performance lately. Thanks for making Firefox faster and better! Andrew Osmond made it so that very long animated GIFs and APNGs no longer consume ridiculous amounts of memory! Instead of holding all of the decoded frames in memory, the animation is streamed like a video. This should make Whimsy users very happy indeed. Matt Woodrow got rid of an unnecessary hash table that we were building when computing DisplayLists (which is part of painting). Earlier this month, Matt also made it so that we don’t unnecessarily build layers if nothing on screen actually changed during an invalidation. For both bugs, this means Firefox is doing less work – and less work means getting pixels to the screen faster! Emilio Cobos Álvarez made it so that we can style large text files (for example, this log file) much, much faster than before. Dão Gottwald made it so that we only have to load some front-end CSS once instead of multiple times in different scopes. He also got rid of the tabbrowser XBL binding, which resulted in some wins on our Talos performance testing benchmark for painting newly opened tabs. Gijs Kruitbosch got rid of some old, dead code that we were running early during start-up for no good reason. Gijs also made it so that Telemetry doesn’t make us load the blocklist. Finally, he made it so that we’re more likely to load the blocklist asynchronously rather than synchronously. All of these should help reduce browser start time! 
Paolo Amadini got rid of some synchronous layout flushes that could be experienced when opening submenus within our animated menu panels. Ryan VanderMeulen bumped our default Windows compiler to VS2017 15.6 for Firefox 61. Just switching has resulted in some benchmark improvements for our Windows builds! Not bad for a compiler upgrade! Marco Bonardo made it so that we lazily load a Places script, rather than loading it automatically for every single window that gets opened. [...]

Firefox Test Pilot: So, How’s Screenshots Doing?

Tue, 13 Mar 2018 18:48:00 +0000

It’s been a bit over five months since we launched Firefox Screenshots in Firefox 56, and I wanted to take a moment to reflect on what’s happened so far and to look forward to what’s coming next.

So far, our users have taken more than 67 million screenshots. This is a big number that makes my manager happy, but more interesting is how we got here.

The changing shape of Firefox

We launched Firefox Screenshots in Firefox 56 in late September of 2017. This was one release before the widely hailed Firefox Quantum release, back when Firefox still had curvy tabs.

When we launched, the screenshot button appeared in the browser toolbar with a little badge highlighting the new feature.
Firefox 56 UI with Screenshots appearing in the toolbar
In Firefox Quantum, actions such as bookmarking, sending a tab to a mobile device, or saving to Pocket were all moved into a contextual menu. The Firefox Screenshots control moved to this new home as well.
Firefox Quantum with a hidden Screenshots control
As a Firefox user, I really like this new design: it’s cleaner, more consistent than what came before. As the Product Manager for Screenshots, I was definitely worried about how the change would affect our numbers.

We did take a pretty sizable hit in the short term. Firefox Quantum launched on November 14th and rolled out over the following week. In the four weeks that followed, 23.2% fewer shots were taken than prior to the Firefox Quantum launch.
The dark purple line shows shots taken in the 28 days after Quantum, while the lighter line shows shots taken in the 28 days prior.
Taking a step back, the logic of Firefox’s redesign starts to show. While the graph above measures shots actually taken, the one below shows total shots initiated during the same period. Shots are initiated when someone clicks the screenshots button or right-clicks to trigger the screenshots UI.
Users started to take a lot more shots in the month before Quantum.
These charts show that while users started to take a lot more shots before Firefox Quantum, they didn’t actually wind up taking that many more shots. This difference really shows in the relative rates of shots canceled before and after Firefox Quantum. Canceled shots just mean that a user escapes the Screenshot UI without capturing a screenshot by refreshing the page, hitting escape, or clicking the cancel button. As the graph below shows, these events fell off a cliff after Firefox Quantum.
After Quantum, canceled shots fell drastically.
So, yes, we lost users with the Firefox Quantum launch, but the change was actually quite positive for us because the changes made engagements with Firefox Screenshots a lot more likely to end in a shot actually being taken.

The chart at left shows all shots initiated, canceled and taken from September 28th, 2017 through March 1st, 2018 split by the Firefox Quantum release. The change in ratio between taken and canceled is pretty impressive. Before Firefox Quantum there was 1 shot taken for every 2 shots canceled. Since Firefox Quantum there have been 2 shots taken for every shot canceled. It seems that users who engage with Screenshots in Firefox Quantum do so intentionally whereas before people might have simply clicked the new button to see what happened.

Another not[...]

Mozilla VR Blog: A Truly Responsive WebXR Experiment: A-Painter XR

Tue, 13 Mar 2018 16:10:24 +0000

In our posts announcing our Mixed Reality program last year, we talked about some of the reasons we were excited to expand WebVR to include AR technology. In the post about our experimental WebXR Polyfill and WebXR Viewer, we mentioned that the WebVR Community Group has shifted to become the Immersive Web Community Group and the WebVR API proposal is becoming the WebXR Device API proposal. As the community works through the details of these changes, this is a great time to step back and think about the requirements and implications of mixing AR and VR in one API. In this post, I want to illustrate one of the key opportunities enabled by integrating AR and VR in the same API: the ability to build responsive applications that work across the full range of Mixed Reality devices. Some recent web articles have explored the idea of building responsive AR or responsive VR web apps, such as web pages that support a range of VR devices (from 2D to immersive) or the challenges of creating web pages that support both 2D and AR-capable browsers. The approaches in these articles have focused on creating a 3D user-interface that targets either AR or VR, and falls back to progressively simpler UIs on less capable platforms. In contrast, WebXR gives us the opportunity to have a single web app respond to the full range of MR platforms (AR and VR, immersive and flat-screen). This will require developers to consider targeting a range of both AR and VR devices with different sorts of interfaces, and falling back to lesser capabilities for both, in a single web app. Over the past few months, we have been experimenting with this idea by extending the WebVR paint program A-Painter to support handheld AR when loaded on an appropriate web browser, such as our WebXR viewer, but also Google’s WebARonARCore and WebARonARKit browsers. We will dig deeper into this idea of building apps that adapt to the full diversity of WebXR platforms, beyond just these two, in a future blog post. 
An Adaptive UI: A-Painter XR

Let’s start with a video of some samples we created for the WebXR Viewer, our iOS app. This video ends with a clip of the WebXR version of A-Painter. Rather than simply port A-Painter to support handheld AR, we extended it so that both the VR and handheld AR UIs are integrated in the same app, with the appropriate UI selected based on the capabilities of the user’s device.

This project was undertaken to explore the idea of creating an “AR Graffiti” experience where users could paint in AR using the WebXR Viewer, and required us to create an interface designed for the 2D touch screens on these phones. The result is shown in this video.

This version of A-Painter XR currently resides in the “xr” branch of the A-Painter github repository and is hosted at (There is a direct link to the page, along with links loading pre-created content, on the startup page for the WebXR Viewer.) I’d encourage you to give it a try. The same URL works on all the platforms highlighted in the video.

There were two major steps to making A-Painter XR work in AR. First, the underlying technology needed to be ported from WebVR to our WebXR polyfill. We updated three and aframe to work with WebXR instead of only supporting WebVR. This was necessary because A-Painter is built on AFrame, which in turn is built on three. (You can use these libraries yourself to explo[...]

Mozilla Open Policy & Advocacy Blog: Mozilla files response to European Commission ‘Fake news and online disinformation’ public consultation

Tue, 13 Mar 2018 15:54:58 +0000

The rising phenomenon of so-called ‘fake news’ and online misinformation has become a global political issue in recent times. We believe that the complex and multi-factor nature of the phenomenon – in terms of its causes and impact – make one-size-fits-all regulatory solutions inappropriate. Rather, as our just-filed response to the European Commission public consultation on ‘Fake News and Online Disinformation’ argues, the true solutions lie in greater investment in media literacy, trust, and a multi-stakeholder approach.

As a mission-driven organisation promoting openness, innovation, and opportunity on the Web, online misinformation cuts to the heart of our vision. Our consultation response – and broader engagement around this issue with lawmakers around the globe – thus seeks to provide an accurate problem definition and a series of balanced actionable insights to mitigate against online misinformation.

In any conversation around political and social issues, proper framing is essential. To that end, we advise European lawmakers to avoid sweeping terms such as ‘fake news’ and instead adopt a more nuanced definition that captures the design intent, legality, and purposeful nature of misinformation content on the Web. Linked to this, to make meaningful progress against the spread of misinformation online it is necessary to understand that this is a constantly evolving threat, which manifests in different ways, and is the result of a range of causes. From interaction with a broad variety of stakeholders across the Internet community, we have identified a broad mix of technological, economic, literary, and psychological factors which can contribute to the phenomenon. The fluid and interdependent nature of these contributory factors mean counter-actions must be targeted, proportionate, and multi-stakeholder in nature.
In that context, we have used the consultation response to advise against sweeping one-size-fits-all platform regulation and government regulation of legal speech, and instead stress the importance of media literacy education, trust-building exercises, and continuous dialogue between all stakeholders involved. As the European Union considers measures to tackle online misinformation, we will continue to provide thought-leadership to keep the Internet healthy and empowering for its users and creators. Our ongoing Mozilla Information Trust Initiative (MITI) and our leadership in developing the final report of the European Commission’s High-level Expert Group on Fake News and Online Misinformation (HLEG) are just two examples of how we seek to support an open and thriving online news ecosystem. And of course, we’ll continue to build products like Pocket and build out the Coral Project, that help online news empower democratic societies. Read our full consultation submission here, and stay tuned for updates on our work on this through the European Commission’s HLEG and around the world.   The post Mozilla files response to European Commission ‘Fake news and online disinformation’ public consultation appeared first on Open Policy & Advocacy.[...]

The Mozilla Blog: Latest Firefox available to users where they browse the web — laptop, Fire TV and the office. Plus, a chance to help with the next Firefox release!

Tue, 13 Mar 2018 13:07:26 +0000

This week, we’re happy to roll out not one, but three Firefox releases to our users. Now available in more of the places where they browse, Firefox users can access the web whether they’re relaxing at home with their laptop, in front of their TV with Amazon Fire TV, or at the office. Additionally, we’re running a contest (with prizes!) for users who want to help with the next Firefox Quantum release in May. So, without further ado, here’s information on this week’s Firefox releases: Latest Firefox Quantum release for Desktop Today, March 13, the latest release of Firefox Quantum for desktop users is now available. We’ve improved privacy for those who use Private Browsing mode. To learn more about the technical details on how that works, you can visit this blog post. And, we made changes under the hood where users may notice faster page load times. The latest version of Firefox Quantum is available for the Desktop and Mobile – iOS and Android. Latest Firefox for Amazon Fire TV Available this Week With this latest release, we’ve included a fresh new look to help you easily navigate the web on your Fire TV. No more typing in long URLs that you like to visit frequently. Users can now save their preferred websites by pinning them to the Firefox home screen. By using the menu button, you can easily remove any pinned websites at any time. Add your favorite websites to Firefox on Fire TV   Firefox Quantum for Enterprise Available Wednesday in Beta Starting on Wednesday, Firefox Quantum for Enterprise enters Beta, as a final step towards bringing a release version of Firefox Quantum to enterprise users. Needless to say, we’re all super excited to give millions of additional users an update to Firefox Quantum, as everyone deserves to have a super fast and well designed browser. 
To learn more about how we’re making it easier for IT professionals to install the new Firefox Quantum for their employees, visit our blog post and sign up for the beta of Firefox Quantum for Enterprise.   Want to help with the next Firefox Quantum release? Did you know that back in 2008, Pocket won our Extend Firefox 3 contest? We’re bringing back the tradition of Firefox Extensions contests with our first Firefox Quantum Extensions Challenge this month! Whether you’re a developer or someone who likes to create fun, cool things, like one-woman Firefox theme machine, MaDonna, we’re looking for the next generation of Extensions. Since the next release of Firefox Quantum supports new WebExtension APIs, we’re on the hunt for new Extensions to make our users’ browsing experience productive, fast, and fun. The winners will be crowned by the next Firefox Quantum release in May. For more details about the contest and prizes, visit our site today and the Hacks blog on Thursday, March 15.   And in related Extensions/Add-on news, we’re holding our annual March Add(on)ness. There are thousands of ways you can customize Firefox to make it your own web experience. So, we’re playing off the top Add-ons to find out who will walk away with the title as “the must-have, must-install extension” of our annual tournament. Learn more on the Firefox Frontier.   If you haven’t yet switched to the new Firefox Quantum browser, we invite you to download the latest version. Download Firefox for Windows, Mac, Linux Release Notes f[...]

Mozilla Future Releases Blog: IT Pros and CIOs: sign up to try Firefox Quantum for Enterprise

Tue, 13 Mar 2018 13:06:25 +0000

A few months ago we announced our plan to build enterprise administrative controls (i.e. a “policy engine”) for Firefox Quantum. These new administrative controls will allow IT professionals to easily deploy a pre-configured installation of the new Firefox to employees’ Windows, Mac, and Linux PCs. Administrators can, for example, set up a default proxy, disable certain features, or package Firefox Quantum along with a collection of Add-Ons or bookmarks. As we gear up for the release of these administrative controls, we’d like to get feedback from IT professionals interested in deploying Firefox Quantum. Today we invite IT pros to sign up to try the beta of Firefox Quantum for Enterprise. If you’re an IT professional, why should you provide your employees with Firefox Quantum? Modern business demands a modern browser Over the past decade, many businesses have adopted on-demand applications (SaaS) for seemingly everything: tasks like word processing, accounting, file sharing, marketing, and sales tracking. Rather than installing these applications on users’ computers, employees access these applications simply by loading them via a web browser. This trend has made the web browser the most frequently used and arguably the most critical application that is installed on employees’ computers. The web browser has, in effect, quietly become the operating system for modern business software. Legacy web browsers (e.g. Internet Explorer and old versions of Firefox) run many of these web applications slowly. Even worse, sometimes legacy web browsers can’t run modern web apps because older browsers don’t support newer web standards these apps rely on. That’s why IT professionals should ensure that their employees have a modern web browser capable of quickly running today’s web apps. Speed up your business with Firefox Quantum It’s often said that time is money, and in business this adage certainly rings true. With this in mind, consider the unique impact of your web browser. 
A browser that loads pages and switches tabs just seconds faster can save users more than fifteen minutes over the course of the day. So why is it that some browsers are faster than others? And what’s special about Firefox Quantum? While browsers might seem simple and similar to each other on the surface, they are remarkably different and complex under the hood. Much like cars, browsers have engines with unique performance characteristics. Firefox Quantum is the result of a years-long effort to dramatically reinvent the quintessential open source browser. Inside Firefox Quantum is an all-new, cutting-edge engine made to harness the power of today’s multi-core computers. Above all things, Firefox Quantum is FAST. Mozilla, the organization that makes Firefox, helped pioneer a whole new systems programming language – Rust – and coded major parts of the browser with it. For example, Firefox Quantum uses an algorithm written in Rust to match CSS to HTML. This breakthrough algorithm runs super fast, in parallel across multiple CPU cores, instead of in a sequence on one CPU core. Firefox Quantum’s unique architecture translates to real user benefit, as it’s often faster than Chrome and Edge, while typically using less memory. With Firefox Quantum, users can open numerous tabs to run web apps, while still havin[...]

Wladimir Palant: Can Chrome Sync or Firefox Sync be trusted with sensitive data?

Tue, 13 Mar 2018 10:45:49 +0000

A few days ago I wrote about insufficient protection of locally saved passwords in Firefox. As some readers correctly noted however, somebody gaining physical access to your device isn’t the biggest risk out there. All the more reason to take a look at how browser vendors protect your passwords when they upload them to the cloud. Both Chrome and Firefox provide a sync service that can upload not just all the stored passwords, but also your cookies and browsing history which are almost as sensitive. Is it a good idea to use that service? TL;DR: The answer is currently “no,” both services have weaknesses in their protection. Some of these weaknesses are worse than others however. Chrome Sync I’ll start with Chrome Sync first, where the answer is less surprising. After all, there are several signs that this service is built for convenience rather than privacy. For example, the passphrase meant to protect your data from Google’s eyes is optional. There is no setup step where it asks you “Hey, do you mind if we can peek into your data? Then choose a passphrase.” Instead, you have to become active on your own. Another sign is that Google lets you access your passwords via a web page. The idea is probably that you could open up that webpage on a computer that doesn’t belong to you, e.g. in an internet café. Is it a good idea? Hardly. Either way, what happens if you set a passphrase? That passphrase will be used to derive (among other things) an encryption key and your data will be encrypted with it. And the big question of course is: if somebody gets hold of your encrypted data on Google’s servers, is translating the passphrase into an encryption key slow enough to prevent somebody from guessing your passphrase? Turned out, Chrome is using PBKDF2-HMAC-SHA1 with 1003 iterations. 
To give you an idea of what that means, I’ll again use the numbers from this article as a reference: with that iterations count, a single Nvidia GTX 1080 graphics card could turn out 3.2 million PBKDF2-HMAC-SHA1 hashes per second. That’s 3.2 million password guesses tested per second. 1.5 billion passwords known from various website leaks? Less than 8 minutes. A 40 bits strong password that this article considers to be the average chosen by humans? That article probably overestimates humans’ capabilities for choosing good passwords, but on average within two days that password will be guessed as well.

It’s actually worse than that. The salt that Chrome uses for key derivation here is a constant. It means that the same password will result in the same encryption key for any Chrome user. That in turn means that an attacker who got the data for a multitude of users could test a password guess against all accounts. So they would only spend four days and the data for any account using up to 40 bits strong password would be decrypted. Mind you, Google themselves has enough hardware to do the job within minutes if not seconds. I am talking about somebody not willing to invest more than $1000 into hardware. I reported this as issue 820976, stay tuned.

Side-note: Style points to Chrome for creative waste of CPU time. The function in question manages to run PBKDF2 four times where one run would have been sufficient. First run derives the salt from host name and username (both hap[...]
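The figures and the constant-salt weakness from the post above, worked through as an added example (not code from the post or from Chrome) that a reviewer could use to evaluate a key-derivation configuration. `CONSTANT_SALT` is a constructed placeholder, the helper names are hypothetical, and the guess rate is assumed to scale inversely with the iteration count.

```python
import hashlib
import os

# Figures quoted in the post.
CHROME_ITERATIONS = 1003         # PBKDF2-HMAC-SHA1 rounds reported for Chrome Sync
REF_GUESSES_PER_SEC = 3_200_000  # one GTX 1080 at that iteration count
LEAKED_PASSWORDS = 1_500_000_000 # size of the leaked-password corpus
SPACE_40_BIT = 2 ** 40           # "40 bits strong" password space

# Constructed placeholder: stands in for a salt that is the same for all users.
CONSTANT_SALT = b"constructed-constant-salt"


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 16-byte key from a passphrase with PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), salt, iterations, dklen=16
    )


def guesses_per_second(iterations: int) -> float:
    """Assumption: throughput is inversely proportional to iteration count."""
    return REF_GUESSES_PER_SEC * CHROME_ITERATIONS / iterations


def seconds_to_exhaust(candidates: int, iterations: int,
                       accounts: int = 1, shared_salt: bool = True) -> float:
    """Time to test every candidate passphrase against every account.

    With a salt shared by all users, one derivation per candidate covers
    every account at once. With per-user salts the derivation has to be
    repeated for each account, so the work grows with the account count.
    """
    derivations = candidates if shared_salt else candidates * accounts
    return derivations / guesses_per_second(iterations)


def audit(iterations: int, shared_salt: bool, accounts: int) -> dict:
    """Summarise how long offline guessing takes for a given KDF setup."""
    full = seconds_to_exhaust(SPACE_40_BIT, iterations, accounts, shared_salt)
    leaked = seconds_to_exhaust(LEAKED_PASSWORDS, iterations, accounts, shared_salt)
    return {
        "leaked_list_minutes": leaked / 60,
        "space_40bit_full_days": full / 86400,
        "space_40bit_average_days": full / 2 / 86400,
    }


if __name__ == "__main__":
    # Same passphrase, two users: a constant salt yields identical keys.
    alice = derive_key("correct horse", CONSTANT_SALT, CHROME_ITERATIONS)
    bob = derive_key("correct horse", CONSTANT_SALT, CHROME_ITERATIONS)
    print("constant salt, keys equal:", alice == bob)

    # Per-user random salts make the keys differ for the same passphrase.
    alice2 = derive_key("correct horse", os.urandom(16), CHROME_ITERATIONS)
    bob2 = derive_key("correct horse", os.urandom(16), CHROME_ITERATIONS)
    print("random salts, keys equal:", alice2 == bob2)

    print("as described:", audit(CHROME_ITERATIONS, True, 1000))
    print("per-user salt:", audit(CHROME_ITERATIONS, False, 1000))
    print("100x iterations:", audit(CHROME_ITERATIONS * 100, True, 1000))
```
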

Mark Surman: Mozilla Foundation is seeking a VP, Leadership Programs

Tue, 13 Mar 2018 10:00:45 +0000

One of Mozilla’s biggest strengths is the people — a global community of engineers, designers, educators, lawyers, scientists, researchers, artists, activists and every day users brought together with the common goal of making the internet healthier. A big part of Mozilla Foundation’s focus over the past few years has been increasing both the size and diversity of this community and the broader moveme. In particular, we’ve run a series of initiatives — the Internet Health Report, MozFest, our fellowships and awards — aimed at connecting and supporting people who want to take a leadership role in this community. Our global community is the lynchpin in our strategy to grow a global movement to create a healthier digital world. Over the next couple of months, we are looking for a new VP, Leadership Programs (click for job spec) to drive this aspect of Mozilla Foundation’s work. This role was formerly held by Chris Lawrence, who built an incredible team and foundational set of programs. Chris left Mozilla last November. We are seeking someone to step into this role and to help us increase the impact and global reach of these leadership programs. It’s worth lingering on this one point: we want to grow the global reach of our leadership development programs — and, in turn, increase the global scope and diversity of our community. That is one of the first priorities we will ask this new VP to tackle. Right now, the majority of our staff and much of our are in North America. Certainly, this has improved in the last few years. For example, our 2018 cohort of fellows has people based in Brazil, Canada, Chile, Germany, India, Kenya, Mexico, Netherlands, South Africa, Tunisia, and USA. However, this is just a start. This new VP will lead the effort to go further . With this in mind, the VP, Leadership Programs will be based in Mozilla’s Berlin office. Berlin is our biggest office outside of North America. 
It is well placed to work with people based in African, Middle Eastern and South Asian time zones. And, Berlin as a city is a cosmopolitan hub of open tech work — attracting people from all around the world. While putting one person in Berlin won’t immediately change things, it should help us shift our attention across the Atlantic and further eastward over time. Who are we looking for? Someone quite rare and special. Ideally, the new VP will be someone with both: deep experience working on some aspect of internet health; and a proven track record building high impact organizations and teams. They will need the vision to hone our leadership development and community building programs, working with our teams to take the Internet Health Report, our fellowships and awards program, and the annual Mozilla Festival to the next level of excellence. They will also need to look outwards, growing our community of partner orgs and foundations to building a movement for a healthier digital world. A full job spec is posted here. Our aim is to  make the process as open as we possibly can — knowing this is hard when you’re recruiting for a senior role and most of the people you want are in existing jobs. The first step is this blog post letting everyone know what’s up. If you have names to suggest or suggestions on other factors to conside[...]

This Week In Rust: This Week in Rust 225

Tue, 13 Mar 2018 04:00:00 +0000

Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions. This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR. Updates from Rust Community News & Blog Posts Rust's 2018 roadmap. Rust is the most loved language for 3 years in a row in Stack Overflow Developer Survey. Writing an OS in pure Rust. Announcing the Tokio runtime. Redefining failure: Review of failure crate. Announcing Rust Compiler Performance Working Group. Announcing Rust Portability Working Group. Snips open sources Snips NLU - a Natural Language Understanding service written in Rust. Announcing relibc: A libc implementation in Rust. Exploring function overloading. Coping with mutable state in multiple threads with Rust. Crashing a Rust Hyper server with a denial of service attack. This week in Rust docs 96. [podcast] Rusty Spike Podcast - episode 22. Rust 1.24.1, the 2018 roadmap, compile times, SIMD, and Pathfinder. Crate of the Week This week's crate is cursive, a library for easy text-user interface applications. Thanks to Wangshan Lu for the suggestion. Submit your suggestions and votes for next week! Call for Participation Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started! Some of these tasks may also have mentors available, visit the task page for more information. Get started with these beginner-friendly issues. [good first issue] tera: Add loop controls. Tera is a template engine for Rust based on Jinja2/Django. If you are a Rust project owner and are looking for contributors, please submit tasks here. 
Updates from Rust Core 124 pull requests were merged in the last week replace all const evaluation with miri (epic PR) replace internal iterator structures with impl Trait NLL: Make causal tracking lazy turn feature-gate table into a query so it is covered by dependency tracking Warn about ignored generic bounds in for show used type variable when issuing a "can't use type parameters from outer function" error message suggest type for overflowing bin/hex-literals add functionality for gating feature flags on epochs; rejigger epoch lints optimize str::repeat add functions for reversing the bit pattern in an integer implement FromStr for PathBuf stabilize FusedIterator New Contributors 1011X Kurtis Nusbaum Maxim Nazarenko Peter Lyons Songbird0 Approved RFCs Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week: RFC 2341: Allow locals and destructuring in const fn. Update the disambiguation handling in RFC 1946 (intra-rustdoc-links) to match impl concerns. Final Comment Period Every week the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now. This week's FCPs are: [disposition: merge] Standard library API for immovable types. [disposition: merge] A[...]

Will Kahn-Greene: Side projects and swag-driven development

Tue, 13 Mar 2018 02:00:00 +0000


I work at Mozilla. I work on a lot of stuff:

  • a main project I do a ton of work on and maintain: Socorro
  • a bunch of projects related to that project which I work on and maintain: Antenna, Everett, Markus
  • some projects that I work on occasionally but don't maintain: mozilla-django-oidc
  • one project that many Mozilla sites use that somehow I ended up with but has no relation to my main project: Bleach
  • some projects I'm probably forgetting about
  • a side-project that isn't related to anything else I do that I "maintain": Standups

For most of those projects, they're either part of my main job or I like working on them or I get some recognition for owning them. Whatever the reason, I don't work on them because I feel bad. Then there's Standups which I work on solely because I feel bad.

This blog post talks about me and Standups, pontificates about some options I've talked with others about, and then lays out the concept of swag-driven development.

Read more… (8 mins to read)

Mozilla Security Blog: Distrust of Symantec TLS Certificates

Mon, 12 Mar 2018 21:15:13 +0000

A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The discussion resulted in the adoption of a consensus proposal to gradually remove trust in all Symantec TLS/SSL certificates from Firefox. The proposal includes a number of phases designed to minimize the impact of the change to Firefox users:

  • January 2018 (Firefox 58): Notices in the Browser Console warn about Symantec certificates issued before 2016-06-01, to encourage site owners to replace their TLS certificates.
  • May 2018 (Firefox 60): Websites will show an untrusted connection error if they use a TLS certificate issued before 2016-06-01 that chains up to a Symantec root certificate.
  • October 2018 (Firefox 63): Distrust of Symantec root certificates for website server TLS authentication.

After the consensus proposal was adopted, the Symantec CA was acquired by DigiCert; however, that fact has not changed Mozilla’s commitment to implement the proposal.

Firefox 60 is expected to enter Beta on March 13th carrying with it the removal of trust for Symantec certificates issued prior to June 1st, 2016, with the exception of certificates issued by a few subordinate CAs that are controlled by Apple and Google. This change affects all Symantec brands including GeoTrust, RapidSSL, Thawte, and VeriSign. The change is already in effect in Firefox Nightly.

Mozilla telemetry currently shows that a significant number of sites – roughly 1% of the top one million – are still using TLS certificates that are no longer trusted in Firefox 60. While the number of affected sites has been declining steadily, we do not expect every website to be updated prior to the Beta release of Firefox 60. We strongly encourage operators of affected sites to take immediate action to replace these certificates.

If you attempt to visit a site that is using a TLS certificate that is no longer trusted in Firefox 60, you will encounter the following error:

Clicking on the “Advanced” button will allow you to bypass the error and reach the site:

These changes are expected to be included in the final version of Firefox 60 that is planned to be released on May 9th, 2018. In Firefox 63, trust will be removed for all Symantec TLS certificates regardless of the date issued (with the exception of certificates issued by Apple and Google subordinate CAs as described above).

Wayne Thayer
Kathleen Wilson

The post Distrust of Symantec TLS Certificates appeared first on Mozilla Security Blog.[...]
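A site operator can approximate the phased schedule in this post with a check over certificate metadata. This is an added example, not Mozilla's code: it matches the brand names listed in the post against the issuer fields of a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, which is only a heuristic (Firefox decides by the root the chain leads to), and the sample certificates and the `exempt_orgs` parameter are constructed.

```python
import ssl

# Cut-off date from the post: certificates issued before 2016-06-01 are "legacy".
CUTOFF = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")
# Brands the post names as affected. Matching on issuer text is an assumption
# of this example; it does not walk the chain to the root.
SYMANTEC_BRANDS = ("symantec", "geotrust", "rapidssl", "thawte", "verisign")


def issuer_names(cert):
    """Flatten the issuer RDN tuples of a getpeercert()-style dict to lowercase strings."""
    return [value.lower() for rdn in cert.get("issuer", ()) for _key, value in rdn]


def is_symantec_issued(cert, exempt_orgs=()):
    """True if the issuer mentions an affected brand and no exempt organization."""
    names = issuer_names(cert)
    if any(org.lower() in name for org in exempt_orgs for name in names):
        return False
    return any(brand in name for brand in SYMANTEC_BRANDS for name in names)


def firefox_treatment(cert, firefox_version, exempt_orgs=()):
    """Map a certificate to the behaviour the post describes for a Firefox version."""
    if not is_symantec_issued(cert, exempt_orgs):
        return "unaffected"
    legacy = ssl.cert_time_to_seconds(cert["notBefore"]) < CUTOFF
    if firefox_version >= 63:
        return "untrusted"                      # all Symantec TLS certificates
    if firefox_version >= 60:
        return "untrusted" if legacy else "trusted"
    if firefox_version >= 58:
        return "console-warning" if legacy else "trusted"
    return "trusted"


def make_cert(org, common_name, not_before):
    """Build a constructed certificate record in getpeercert() layout."""
    return {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", org),),
                   (("commonName", common_name),)),
        "notBefore": not_before,
    }


# Constructed sample records, not real certificates.
OLD_CERT = make_cert("GeoTrust Inc.", "Example GeoTrust Issuing CA", "May 20 00:00:00 2016 GMT")
NEW_CERT = make_cert("Symantec Corporation", "Example Symantec Issuing CA", "Aug 15 00:00:00 2017 GMT")
OTHER_CERT = make_cert("Example Trust Services", "Example Issuing CA", "Jan 10 00:00:00 2016 GMT")

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT), ("other", OTHER_CERT)):
        for version in (58, 60, 63):
            print(label, "Firefox", version, "->", firefox_treatment(cert, version))
```
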

The Firefox Frontier: March Add(on)ness is here

Mon, 12 Mar 2018 19:11:37 +0000

Winter’s icy hand is releasing its grip, birds are returning from southern migration which means it’s that time of year where people everywhere rank things, put them in brackets and … Read more

The post March Add(on)ness is here appeared first on The Firefox Frontier.

Air Mozilla: Mozilla Weekly Project Meeting, 12 Mar 2018

Mon, 12 Mar 2018 18:00:00 +0000

The Monday Project Meeting

Gervase Markham: To Planet Mozilla Readers

Mon, 12 Mar 2018 01:26:46 +0000

This is a quick note addressed to those reading this blog via a subscription to Planet Mozilla. Following my stepping back from the Mozilla project, posts to this blog are unlikely to feature Mozilla-related content in the future, and will instead be about, well, what it’s like to be dying :-) I therefore won’t be syndicating them. If you wish to keep reading what I write, you may want to take a direct subscription. Here’s my direct feed.


The Servo Blog: This Week In Servo 107

Mon, 12 Mar 2018 00:30:00 +0000

In the last week, we merged 85 PRs in the Servo organization’s repositories. Congratulations to waywardmonkeys for their new mandate to review and maintain the low-level harfbuzz bindings, and their work to create safe higher-level bindings!

Planning and Status

Our roadmap is available online, including the overall plans for 2018. This week’s status updates are here.

Notable Additions

  • emilio made some Linux environments not crash on startup.
  • jdm created a tool to chart memory usage over time.
  • emilio reordered some style system checks for better performance.
  • mrobinson improved the clipping behaviour of blurred text shadows.
  • mbrubeck added the resize API to SmallVec.
  • nox expanded the set of CSS types that can use derived serialization.
  • gw reduced the number of allocations necessary on most pages.
  • SimonSapin replaced the angle crate with a fork maintained by Mozilla.
  • mrobinson removed some redundant GPU matrix math calculations.
  • Beta-Alf improved the performance of parsing CSS keyframes.
  • gw simplified the rendering for box shadows.
  • mkollaro implemented the glGetTexParameter API.
  • fabricedesre added the pageshow event when navigating a page.
  • SimonSapin demonstrated how to integrate the DirectComposition API in WebRender.
  • waywardmonkeys added a higher-level crate for using the harfbuzz library.
  • paulrouget switched Servo to use the upstream glutin crate instead of an outdated fork.
  • oOIgnitionOo added a command line flag to download and run a nightly build of Servo.

New Contributors

  • Dmitry
  • Florian Wagner
  • Martina Kollarova
  • Vegard Sandengen

Interested in helping build a web browser? Take a look at our curated list of issues that are good for new contributors![...]

The Rust Programming Language Blog: Rust's 2018 roadmap

Mon, 12 Mar 2018 00:00:00 +0000

Each year the Rust community comes together to set out a roadmap. This year, in addition to the survey, we put out a call for blog posts in December, which resulted in 100 blog posts written over the span of a few weeks. The end result is the recently-merged 2018 roadmap RFC. Rust: 2018 edition This year, we will deliver Rust 2018, marking the first major new edition of Rust since 1.0 (aka Rust 2015). We will continue to publish releases every six weeks as usual. But we will designate a release in the latter third of the year (Rust 1.29 - 1.31) as Rust 2018. This new “edition” of Rust will be the culmination of feature stabilization throughout the year, and will ship with polished documentation, tooling, and libraries that tie in to those features. The idea of editions is to signify major steps in Rust’s evolution, where a collection of new features or idioms, taken as a whole, changes the experience of using Rust. They’re a chance, every few years, to take stock of the work we’ve delivered in six-week increments. To tell a bigger story about where Rust is going. And to ship the whole stack as a polished product. We expect that each edition will have a core theme or focus. Thinking of 1.0 as “Rust 2015”, we have: Rust 2015: stability Rust 2018: productivity What will be in Rust 2018? The roadmap doesn’t say for certain what will ship in Rust 2018, but we have a pretty good idea, and we’ll cover the major suspects below. Documentation improvements Part of the goal with the Rust 2018 release is to provide high quality documentation for the full set of new and improved features and the idioms they give rise to. The Rust Programming Language book has been completely re-written over the last 18 months, and will be updated throughout the year as features reach the stable compiler. Rust By Example will likewise undergo a revamp this year. And there are numerous third party books, like Programming Rust, reaching print as well. 
Language improvements The most prominent language work in the pipeline stems from 2017’s ergonomics initiative. Almost all of the accepted RFCs from the initiative are available on nightly today, and will be polished and stabilized over the next several months. Among these productivity improvements are a few “headliners” that will form the backbone of the release: Ownership system improvements, including making borrowing more flexible via “non-lexical lifetimes”, improved pattern matching integration, and more. Trait system improvements, including the long-awaited impl Trait syntax for dealing with types abstractly. Module system improvements, focused on increasing clarity and reducing complexity. Generators/async/await: work is rapidly progressing on first-class async programming support. In addition, we anticipate a few more major features to stabilize prior to the Rust 2018 release, including SIMD, custom allocators, and macros 2.0. Compiler improvements As of Rust 1.24, incremental recompilation is available and enabled by default on the stable compile[...]

Cameron Kaiser: TenFourFox FPR6 available

Sun, 11 Mar 2018 06:46:07 +0000

TenFourFox Feature Parity Release 6 is now available for testing (downloads, hashes, release notes). Other than finishing the security patches and adding a couple more entries to the basic adblock, there are no other changes in this release. Assuming no issues, it will become live Monday evening Pacific time as usual.

The backend for the main download page at Floodgap has been altered such that the Downloader is now only offered to browsers that do not support TLS 1.2 (this is detected by checking for a particular JavaScript math function Math.hypot, the presence of which I discovered roughly correlates with TLS 1.2 support in Google Chrome, Microsoft Edge, Safari and Firefox/TenFourFox). This is to save bandwidth on our main server since those browsers are perfectly capable of downloading directly from SourceForge and don't need the Downloader to help them. This is also true of Leopard WebKit, assuming the Security framework update is also installed.

For FPR7, I have already exposed basic adblock in the TenFourFox preferences pane, and am looking at some efficiency updates as well as updates to the supported TLS ciphers and hopefully date pickers if there is still time. Also, the limited profiling tools I have at my disposal suggest that some of the browser's occasional choppiness is at least partially associated with improperly scheduled garbage collection slices. I'm experimenting with retuning the runtime environment to see if we can stave off some types of collection to preserve CPU cycles and not bloat peak memory usage too much. So far, 24 hours into testing with some guesswork numbers, it doesn't seem to be exploding. More on that later.

Wladimir Palant: Master password in Firefox or Thunderbird? Do not bother!

Sat, 10 Mar 2018 15:38:20 +0000

There is a weakness common to any software letting you protect a piece of data with a password: how does that password translate into an encryption key? If that conversion is a fast one, then you better don’t expect the encryption to hold. Somebody who gets hold of that encrypted data will try to guess the password you used to protect it. And modern hardware is very good at validating guesses.

Case in question: Firefox and Thunderbird password manager. It is common knowledge that storing passwords there without defining a master password is equivalent to storing them in plain text. While they will still be encrypted in logins.json file, the encryption key is stored in key3.db file without any protection whatsoever. On the other hand, it is commonly believed that with a master password your data is safe. Quite remarkably, I haven’t seen any articles stating the opposite.

However, when I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here. This article sums it up nicely:

“Out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate.”

The problem here is: GPUs are extremely good at calculating SHA-1 hashes. Judging by the numbers from this article, a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second. And humans are remarkably bad at choosing strong passwords. This article estimates that the average password is merely 40 bits strong, and that estimate is already higher than some of the others. In order to guess a 40 bit password you will need to test 2^39 guesses on average. If you do the math, cracking a password will take merely a minute on average then. Sure, you could choose a stronger password. But finding a considerably stronger password that you can still remember will be awfully hard.

Turns out that the corresponding NSS bug has been sitting around for the past 9 (nine!) years. That’s also at least how long software to crack password manager protection has been available to anybody interested.

So, is this issue so hard to address? Not really. NSS library implements PBKDF2 algorithm which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2 but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years.

But before anybody says that I am unfair to Mozilla and NSS here, other products often don’t do any better. For example, if you want to encrypt a file you might be inclined to use OpenSSL command line tools. However, the password-to-key conversion performed by the opens[...]
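The work-factor reasoning in this post and in the Chrome Sync post earlier on this page, as an added example that is not NSS or Chrome code: it reproduces the time estimates from the rates the posts quote, extrapolates them to the suggested 100,000 PBKDF2 iterations (PBKDF2 cost is linear in the iteration count), and shows why a constant salt gives every user with the same passphrase the same key. The salt value, user names and passphrase are constructed placeholders.

```python
import hashlib
import os

# Figures quoted in the two posts (single Nvidia GTX 1080).
SHA1_RATE = 8.5e9          # plain SHA-1 hashes per second
PBKDF2_1003_RATE = 3.2e6   # PBKDF2-HMAC-SHA1 guesses per second at 1003 iterations
CHROME_ITERATIONS = 1003
SUGGESTED_ITERATIONS = 100_000

# Constructed placeholder: the constant Chrome actually uses is not given on the page.
CONSTANT_SALT = b"constructed-constant-salt"


def sha1_key(salt, password):
    """One SHA-1 pass over salt + password (simplified model of the scheme described)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_key(salt, password, iterations):
    """PBKDF2-HMAC-SHA1 with the default 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def scaled_rate(iterations, known_rate=PBKDF2_1003_RATE,
                known_iterations=CHROME_ITERATIONS):
    """Guess rate at another iteration count, scaled from a measured one."""
    return known_rate * known_iterations / iterations


def average_seconds(bits, rate):
    """Expected search time: on average half of the 2**bits candidates are tried."""
    return 2 ** (bits - 1) / rate


def exhaust_seconds(bits, rate, accounts, shared_salt):
    """Time to cover the whole password space for every account.

    With a shared salt one derivation per guess serves all accounts;
    with per-account salts the work is repeated for each account.
    """
    per_account = 2 ** bits / rate
    return per_account if shared_salt else per_account * accounts


def derive_for_users(users, password, salt_for):
    """Derive a key per user, using the salt returned by salt_for(user)."""
    return {u: pbkdf2_key(salt_for(u), password, CHROME_ITERATIONS) for u in users}


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]          # constructed accounts, same passphrase
    shared = derive_for_users(users, "correct horse", lambda u: CONSTANT_SALT)
    salts = {u: os.urandom(16) for u in users}
    unique = derive_for_users(users, "correct horse", salts.get)
    print("distinct keys with constant salt:", len(set(shared.values())))
    print("distinct keys with per-user salt:", len(set(unique.values())))
    print("single SHA-1 key (hex):", sha1_key(os.urandom(16), "correct horse").hex())

    day = 86400
    print("40-bit password, single SHA-1: %.0f s on average"
          % average_seconds(40, SHA1_RATE))
    print("40-bit password, PBKDF2 x1003: %.1f days on average"
          % (average_seconds(40, PBKDF2_1003_RATE) / day))
    print("40-bit password, PBKDF2 x100000: %.0f days on average"
          % (average_seconds(40, scaled_rate(SUGGESTED_ITERATIONS)) / day))
    print("whole 40-bit space, 1000 accounts, constant salt: %.1f days"
          % (exhaust_seconds(40, PBKDF2_1003_RATE, 1000, True) / day))
    print("whole 40-bit space, 1000 accounts, per-user salt: %.0f days"
          % (exhaust_seconds(40, PBKDF2_1003_RATE, 1000, False) / day))
```
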

Chris H-C: TIL: Feature Detection in Windows using GetProcAddress

Fri, 09 Mar 2018 22:04:58 +0000

In JavaScript, if you want to use a function that was introduced only in certain versions of browsers, you use Feature Detection. For example, you can ask “Hey, browser, do you have a function called `includes` on Array?” If the browser has it, you use it; and if it doesn’t, you either get along without it or load your own implementation.

It turns out that this same concept can be (and, in Firefox, is) done with Windows APIs.

Firefox for Windows is built against the Windows 10 SDK. This means the compiler knows the API calls and type definitions for all sorts of wondrous modern features like toast notifications and enumerating graphics adapters in a specific order. However, as of writing, Firefox for Windows supports Windows 7 and up. What would happen if Firefox tried to use those fancy new Windows 10 features when running on Windows 7?

Well, at compile time (when Mozilla builds Firefox), it knows everything it needs to about the sizes and names of things used in the new features thanks to the SDK. At runtime (when a user runs Firefox), it needs to ask Windows at what address exactly all of those fancy new features live so that it can use them. If Firefox can’t find a feature it expects to be there, it won’t start. We want Firefox to start, though, and we want to use the new features when available. So how do we both use the new feature (if it’s there) and not (if it’s not)?

Windows provides an API called GetProcAddress that allows the running program to perform some Feature Detection. It is asking Windows “Hey, so I’m looking for the address of this fancy new feature named FancyNewAPI. Do you know where that is?”. Windows will either reply “No, sorry” at which point you work around it, or “Yes, it’s over at address X” at which point you convert address X into a function pointer that takes the same number and types of arguments that the documentation said it takes and then instruct your program to jump into it and start executing.

We use this in Firefox to detect gamepad input modules, cancelable synchronous IO, display density measurements, and a whole bunch of graphics and media acceleration stuff. And today (well, yesterday at this point) I learned about it. And now so have you.

:chutten

–edited to remove incorrect note that GetProcAddress started in WinXP– :aklotz noted that GetProcAddress has been around since ancient times, MSDN just periodically updates its “Minimum Supported Release” fields to drop older versions.[...]

Nicholas Nethercote: A New Preferences Parser for Firefox

Fri, 09 Mar 2018 21:56:45 +0000

Firefox’s preferences system uses data files to store information about default preferences within Firefox, and user preferences in a user’s profile (such as prefs, which records changes to preference values, and user, which allows users to override default preference values). A new parser These data files use a custom format, and therefore Firefox has a custom parser for them. I recently rewrote the parser. The new parser has the following benefits over the old parser. It is faster (raw parsing speed is close to 2x faster). It is safer (because it’s written in Rust rather than C++). It is more correct and better tested (the old one got various obscure edge cases wrong). It is more readable, and easier to modify. It issues no warnings, only errors. It is slightly stricter (e.g. doesn’t allow any malformed input, and it catches integer overflow). It has error recovery and better error messages (including correct line numbers). Modifiability Modifiability was the prime motivation for the change. I wanted to make some adjustments to the preferences file grammar, but this would have been very difficult in the old parser, because it was written in an awkward style. It was essentially a single loop containing a giant switch statement on a state variable. This switch was executed for every single char in a file. The states held by the state variable had names like PREF_PARSE_QUOTED_STRING, PREF_PARSE_UNTIL_OPEN_PAREN, PREF_PARSE_COMMENT_BLOCK_MAYBE_END. It also had a second state variable, because in some places a single one wasn’t enough; the parser had to return to the previous state after exiting the current state. Furthermore, lexing and parsing were not separate, so code to handle comments and whitespace was spread around in various places. The new parser is a recursive descent parser — even though the grammar doesn’t actually have any recursion — in which the structure of the code reflects the structure of the grammar. Lexing is distinct from parsing. 
As a result, the new parser is much easier to read and modify. In particular, after landing it I added error recovery without too much effort; that would have been almost impossible in the old parser. Note that the idea of error recovery for preferences parsing was first proposed in bug 107264, filed in 2001! After landing it, I tweeted the following. I fixed an old bug: Imagine going back in time and telling the reporter “this bug will get fixed 16 years from now, and the code will be written in a systems programming language that doesn’t exist yet”. — Nicholas Nethercote (@nnethercote) February 20, 2018 Amazingly enough, the original reporter is on Twitter and responded! I kept getting emails on this bug over the years — dependencies and stuff — and I’d be like, “this bug is still open?!” Great job, @nnethercote! — Kevin Basil Fritts (@kevinbasil) March 1, 2018 Strictness The new parser [...]

Firefox Test Pilot: Fun with Themes in Firefox

Fri, 09 Mar 2018 20:55:01 +0000

TL;DR: Last year, I started work on a new Test Pilot experiment playing with themes in Firefox.

New theme APIs are fun

At the core of this experiment are new theme APIs for add-ons shipping with Firefox. These APIs take inspiration from static themes in Google Chrome, building from there to enable the creation of dynamic themes. For example, Quantum Lights changes based on the time of day. VivaldiFox reflects the sites you’re visiting. You could even build themes that use data from external HTTP services — e.g. to change based on the weather.

To explore these new APIs, Firefox Themer consists of a website and a companion add-on for Firefox. The website offers a theme editor with a paper doll preview — you can click on parts of a simulated browser interface and dress it up however you like. The add-on grants special powers to the website, applying changes from the theme in the editor onto the browser itself.

Editing themes on the web

The site is built using Webpack, React, and Redux. React offers a solid foundation for composing the editor. Personally, I really like working with stateless functional components — they’re kind of what tipped me over into becoming a React convert a few years ago. I’m also a terrible visual designer with weak CSS-fu — but using Webpack to bundle assets from per-component directories makes it easier for teammates to step in where I fall short.

Further under the hood, Redux offers a clean way to manage theme data and UI state. Adding undo & redo buttons is easy, thanks to redux-undo. And, by way of some simple Redux middleware, I was able to easily add a hook to push every theme change into the browser via the add-on.

The website is just a static page — there’s no real server-side application. When you save a theme, it ends up in your browser’s localStorage. Though we plan to move Themer to a proper production server when we launch in Test Pilot, I’ve been deploying builds to GitHub Pages during development.

Another interesting feature of the website is that we encode themes as a parameter in the URL. Rather than come up with a bespoke scheme, I use this json-url module to compress JSON and encode it as Base64, which makes for a long URL but not unreasonably so. This approach enables folks to simply copy & paste a URL to share a theme they’ve made. You can even link to themes from a blog post, if you wanted to!

When the page loads and sees the ?theme URL, it unpacks the data and loads it into editor’s Redux store. I’ve also been able to work this into the location bar with the HTML5 History API and Redux middleware. The browser location represents the current theme, while back & forward buttons double as undo & redo.

Add-ons can be expansion cartridges

The companion add-on is also built using Webpack. It acts as an expansion cartridge for the theme editor on the website. (Can you tell I’ve had retro comput[...]

The Servo Blog: Mozilla’s Servo team joining Mixed Reality

Fri, 09 Mar 2018 06:30:00 +0000

Servo had an amazing year in 2017. We saw the style system ship and deliver performance improvements as a flagship element of the highly regarded Firefox Quantum release. And we’ve continued to build out the engine platform and experiment with new embedding APIs, innovations in graphics and font rendering, and graduate subsystems to production readiness for inclusion in Firefox. Consistently throughout those efforts, we saw work in Servo demonstrate breakthrough advances in parallelism, graphics rendering, and robustness.

Coming in to 2018, we see virtual and augmented reality devices transitioning from something just for hardcore gamers and enterprises into broad consumer adoption. These platforms will transform the way that users create and consume content on the internet. As part of the Emerging Technologies and Mozilla Research missions to enable the web platform on these new systems, we will be adopting the Mozilla Servo team as part of the Mixed Reality team and doubling down on our investigations in virtual and augmented reality.

Servo is already the platform where we first implemented support for mobile VR, extensions such as WebGL MultiView, and even our sneak peek running on the Qualcomm Snapdragon 835 developer kit and compatible AR glasses from last September. Servo’s lean, modern code base and leading-edge strengths in parallelism and graphics are ideal for prototyping new technology for the web and growing the results into production code usable both inside and outside of Servo.

What does this look like concretely? The first thing we will do is get Servo implementing the GeckoView API, working inside one of our existing mobile browser shell apps, and working with a ton of VR and AR devices so that it can run hand-in-hand with our existing use of Gecko in our Mixed Reality Browser. Like our WebXR iOS Viewer, this will give us a platform where we can experiment, drive standards forward, and build compelling pilot experiences.
Some of the experiments we’re looking to invest more in during 2018: Declarative VR. We have libraries like Three, Babylon, A-Frame, and ReactVR and tools like PlayCanvas and Unity to produce 3D content, but there are no standards yet for how traditional web pages should behave when loaded into a headset. We will continue to experiment with things like DOM to texture. It is still difficult to allow web content to be part of a 3D scene. Higher quality text rendering with WebRender and Pathfinder, originally designed for desktop but now tuned for VR and AR hardware. Experiment with new AR APIs and computer vision. Experiment with new WebGL extensions (multiview, lens-matched shading, etc.) Experiments with device & voice APIs (WebBluetooth, Physical Web/Beacon successors, etc.) Keep tuned here and to the Mozilla Mixed Reality blog for more updates! It’s going[...]

Hacks.Mozilla.Org: Hands-On Web Security: Capture the Flag with OWASP Juice Shop

Fri, 09 Mar 2018 06:28:49 +0000

As a developer, are you confident that you know what you need to know about web security? Wait, maybe you work in infosec. As a security specialist, are you confident that the developers you work with know enough to do the right thing? Often, these aren’t easy questions to answer, even for seasoned security professionals working with world class software engineers as we do at Mozilla. OK, you can watch tutorial videos and take a variety of online tests, but it’s always more fun to try things in real life with a group of friends or colleagues. Our recent Mozilla all-hands was one of those opportunities. Capture the Flag (CTF) events offer a sociable hands-on way to learn about security and they are often a tradition at security conferences. I’m part of the Mozilla Firefox Operations Security team and we work closely with all Mozilla developers to make sure that the core services Mozilla relies on to build, ship, and run Firefox are as secure as possible. In this retrospective, I’ll show how you can easily set up a CTF event using free and open source software, as the Security team did back in December, when we gathered in Austin for the Mozilla All Hands event.

Customizing OWASP Juice Shop

We chose OWASP Juice Shop, a web app designed intentionally for training purposes to be insecure. Juice Shop uses modern technologies like Node, Express and AngularJS, and provides a wide range of security challenges ranging from the simple to the complex. This was important for us since our participants had a wide range of skills, and included developers with little formal security training to professional penetration testers. Juice Shop is a “single user application,” but it comes with a CTF mode and detailed instructions for Hosting a CTF Event. When this is turned on, the application generates “CTF-tokens” anytime someone solves one of the challenges. These can then be uploaded to a central scoring server. The CTF mode also disables the hints which might have made some of the challenges too easy for our more advanced players. Juice Shop can be run in a wide variety of ways, but to make it easy for your participants I recommend using a docker image, as this has only one dependency: docker. You can find the official Juice Shop docker image here: or you can build your own if you want to customize it. You can find customization instructions online. We enabled the built-in CTF mode and changed the application name and the example products in order to make it feel more Firefox-y and to hide its origin (as solutions for the Juice Shop challenges are easily found on the internet). Once we were happy with our changes we uploaded our image to dockerhub: mozilla/ctf-austin

Setting Up a Scoring Server

You’ll want to set up a scoring server, to allow participants to upload their CTF-tokens and compare their [...]

Daniel Pocock: Bug Squashing and Diversity

Fri, 09 Mar 2018 00:39:32 +0000

Over the weekend, I was fortunate enough to visit Tirana again for their first Debian Bug Squashing Party. Every time I go there, female developers (this is a hotspot of diversity) ask me if they can host the next Mini DebConf for Women. There have already been two of these very successful events, in Barcelona and Bucharest. It is not my decision to make though: anybody can host a MiniDebConf of any kind, anywhere, at any time. I've encouraged the women in Tirana to reach out to some of the previous speakers personally to scope potential dates and contact the DPL directly about funding for necessary expenses like travel.

The confession

If you have read Elena's blog post today, you might have seen my name and picture and assumed that I did a lot of the work. As it is International Women's Day, it seems like an opportune time to admit that isn't true and that as in many of the events in the Balkans, the bulk of the work was done by women. In fact, I only bought my ticket to go there at the last minute. When I arrived, Izabela Bakollari and Anisa Kuci were already at the venue getting everything ready. They looked busy, so I asked them if they would like a bonus responsibility, presenting some slides about bug squashing that they had never seen before while translating them into Albanian in real-time. They delivered the presentation superbly, it was more entertaining than any TED talk I've ever seen.

The bugs that won't let you sleep

The event was boosted by a large contingent of Kosovans, including 15 more women. They had all pried themselves out of bed at 03:00 am to take the first bus to Tirana. It's rare to see such enthusiasm for bugs amongst developers anywhere but it was no surprise to me: most of them had been at the hackathon for girls in Prizren last year, where many of them encountered free software development processes for the first time, working long hours throughout the weekend in the summer heat.

and a celebrity guest

A major highlight of the event was the presence of Jona Azizaj, a Fedora contributor who is very proactive in supporting all the communities who engage with people in the Balkans, including all the recent Debian events there. Jona is one of the finalists for Red Hat's Women in Open Source Award. Jona was a virtual speaker at DebConf17 last year, helping me demonstrate a call from the Fedora community WebRTC service to the Debian equivalent, At Mini DebConf Prishtina, where fifty percent of talks were delivered by women, I invited Jona on stage and challenged her to contemplate being a speaker at Red Hat Summit. Giving a talk there seemed like little more than a pipe dream just a few months ago in Prishtina: as a finalist for this prestigious award, her odds have shortened dramatically. It is so inspiring that a collaboration between free software[...]

The Firefox Frontier: Celebrating 24 incredible women on International Women’s Day

Thu, 08 Mar 2018 20:52:42 +0000

This International Women’s Day Mozilla is celebrating 24 remarkable women who are using the web to change the world. We’re recognizing them throughout the day on the Mozilla twitter feed. … Read more

The post Celebrating 24 incredible women on International Women’s Day appeared first on The Firefox Frontier.

Mozilla Localization (L10N): L10n Report: March Edition

Thu, 08 Mar 2018 17:33:13 +0000

Please note some of the information provided in this report may be subject to change as we are sometimes sharing information about projects that are still in early stages and are not final yet.

Welcome!

New localizers:

  • Chinese (Simplified): Aragaki Yui
  • Catalan: Joan Montané
  • Chuvash: Francis Tyers and Anatoly Mironov
  • German: Jan
  • Greek: Μιχάλης ĺ ľfb
  • Polish: Adam Foryś
  • Portuguese (Brazil): Mateus Generoso
  • Tatar: Ilnar Salimzianov, Mansur Saykhunov, and Francis Tyers

Are you a locale leader and want us to include new members in our upcoming reports? Contact us!

New community/locales added

We enabled several new locales on Pontoon in the past weeks, get in touch if you speak the language and want to contribute:

  • Acehnese (ace)
  • Angika (anp)
  • Crimean Tatar (crh)
  • Chuvash (cv)
  • Tatar (tt)

New content and projects

What’s new or coming up in Firefox desktop

Firefox 59 closed down for localization on February 28, while 60 will remain open until April 25. Firefox 60 is an ESR release, so it’s particularly important to catch up with localization and ensure a good quality in the shipping build. From a localization point of view, the focus remains on migrating existing Preferences strings to Fluent. We have recently passed the 100 messages milestone, with the migration of the XUL portion of the General pane, and started introducing some of the cool features available in the new localization system.

    use-current-pages =
        .label =
            { $tabCount ->
                [1] Use Current Page
               *[other] Use Current Pages
            }
        .accesskey = C

For more details about this migration, see the announcement on dev-l10n. Also make sure to familiarize yourself with both Pontoon’s UI and Fluent syntax. More migrations are planned for the 61 Nightly cycle, starting on March 12. Activity Stream (New Tab) is also planning to integrate its settings in Firefox main preferences for 60: new strings have already landed in the Activity Stream project, a few more will land in mozilla-central.

What’s new or coming up in mobile

There’s a lot going on around mobile this month, so hang on tight! First of all, Firefox for iOS is soon launching its v11. L10n deadline for this is Tuesday, March 13th. This release includes many cool new features and improvements, such as:

  • Improved tracking protection
  • iPad specific improvements in navigation, drag and drop
  • Keyboard support
  • Performance telemetry

On the Firefox for Android front, merge day is like for Desktop, so March 12th. The official release is the next day. Locales supported by the Play Store should expect to get an updated string for the What’s New Beta 60 this week. Please remember to check your appstores folder on Pontoon for anything new! Firefox for Fire TV v2 is also right around the corner, and the l10n deadline for completion i[...]

Air Mozilla: Reps Weekly Meeting, 08 Mar 2018

Thu, 08 Mar 2018 16:00:00 +0000

This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.

The Mozilla Blog: Mozilla experiment aims to reduce bias in code reviews

Thu, 08 Mar 2018 15:39:32 +0000

Mozilla is kicking off a new experiment for International Women’s Day, looking at ways to make open source software projects friendlier to women and racial minorities. Its first target? The code review process. The experiment has two parts: there’s an effort to build an extension for Firefox that gives programmers a way to anonymize pull requests, so reviewers will see the code itself, but not necessarily the identity of the person who wrote it. The second part is gathering data about how sites like Bugzilla and GitHub work, to see how “blind reviews” might fit into established workflows. The idea behind the experiment is a simple one: If the identity of a coder is shielded, there’s less opportunity for unconscious gender or racial bias to creep into decision-making processes. It’s similar to an experiment that began in the 1970s, when U.S. symphonies began using blind auditions to hire musicians. Instead of hand-picking known proteges, juries listened to candidates playing behind a screen. That change gave women an edge: They were 50 percent more likely to make it past the first audition if their gender wasn’t known. Over the decades, women gained ground, going from 10% representation in orchestras to 35 percent in the 1990s. Mozilla is hoping to use a similar mechanism – anonymity – to make the code review process more egalitarian, especially in open source projects that rely on volunteers. Female programmers are underrepresented in the tech industry overall, and much less likely to participate in open source projects. Women account for 22 percent of computer programmers working in the U.S, but only 11 percent of them contribute to open source projects. A 2016 study of more than 50 GitHub repositories revealed that, in fact, women’s pull requests were approved more often than their male counterparts – nearly 3% more often. However, if their gender was known, female coders were .8% less likely to have their code accepted.

What’s going on? There are two possible answers. One is that people have an unconscious bias against women who write code. If that’s the case, there’s a test you can take to find out: Do I have trouble associating women with scientific and technical roles? Then there is a darker interpretation: that men are acting deliberately to keep computer programming a boy’s club, rather than accepting high-quality input from women, racial minorities, transgender individuals, and economically underprivileged folks.

A Commitment to Diversity

What does it mean to be inclusive and welcoming to female software engineers? It means, first of all, taking stock of what kind of people we think will do the best job creating software. “When we talk about diversity and inclusion, it h[...]

Mozilla Cloud Services Blog: Changing your primary email in Firefox Accounts

Thu, 08 Mar 2018 15:35:42 +0000

The Firefox Accounts team recently introduced the ability for a user to change their primary email address. Being one of the main developers to work on this feature, I wanted to share my experience and give a summary on what it took to get this feature to our users.

Our motivation

Based on user feedback, the most common scenario for changing your primary email was losing access to that email account. This email was often associated with work or an organization they no longer were a part of. Most account systems would simply allow the user to continue logging in with their old email. However, because your Firefox Account can contain sensitive information, we needed to have an extra layer of security. This came in the form of us running heuristics on the login attempt and prompting you to verify that email address. For example, logging in from a device that has not had a login in over 3 days would require an email confirmation. If you can no longer access that email address, you are locked out of your account and the data it contains. This caters on the side of security versus user experience. The most common workaround was to create a new account and sync your existing data. This method meant that you could lose data on the old account if you were syncing from a new device.

Design decisions

Once we decided to move forward with the feature, we created a high level plan on how it was going to be done. Exploratory work was already done a few years ago that outlined the risks and a possible solution. We used this as a basis for our initial design. One of the complexities of changing your Firefox Account email is that our login procedure combines email and password to derive a strong encryption key. This original design decision was driven by a security requirement and meant that we could not perform an email change in one operation, because we would lose part of the key. Considering these factors, we opted to create an intermediate feature, adding a secondary email address, that would solve a few of the original problems while being designed to allow easy changes to the user’s primary email. Secondary email addresses also receive security notifications and can verify login requests. While implementing secondary emails, we migrated from a single email on the account database table, to supporting multiple emails in a separate emails table. Each email has a couple of flags to signify whether or not they are primary and verified. Additionally, we wrote several migration scripts that populated our new emails table while falling back to using the account table if there wasn’t any email. Doing this phased approach allowed us to safely rollback if any issues were found. After adding the s[...]

The Mozilla Blog: Setting the stage for our next chapter

Thu, 08 Mar 2018 15:02:23 +0000

2017 was a great year for Mozilla. From new and revitalized product releases across our expanding portfolio to significant progress in advocating for and advancing the open web with new capabilities and approaches, to ramping up support for our allies in the broader community, to establishing new strategic partnerships with global search providers — we now have a much stronger foundation from which we can grow our impact in the world.

Building on this momentum, we are making two important changes to our leadership team to ensure we’re positioned for even greater impact in the years to come.  I’m pleased to announce that Denelle Dixon has been promoted to Chief Operating Officer and Mark Mayo has been promoted to Chief Product Officer.

As Chief Operating Officer, Denelle will be responsible for our overall operating business leading the strategic and operational teams that work across Mozilla to ensure we’re scaling our impact as a robust open source organization. Aligning these groups under Denelle’s leadership will ensure a holistic approach to business growth, development and operating efficiency by integrating the best of commercial and open innovation practices across all that we do.

As Chief Product Officer, Mark will oversee existing and new product development as we deepen and expand our product portfolio. In his new role, Mark will oversee Firefox, Pocket, and our Emerging Markets teams. Having all our product groups in one organization means we can more effectively execute against a single, clear vision and roadmap to ultimately give people more agency in every part of their connected lives.

Our mission is more important and urgent than ever, our goals are ambitious and I’m confident that together we will achieve them.


The post Setting the stage for our next chapter appeared first on The Mozilla Blog.

Wladimir Palant: Implementing safe sync functionality in a server-less extension

Thu, 08 Mar 2018 13:34:02 +0000

The major change in PfP: Pain-free Passwords 2.1.0 is the new sync functionality. Given that this password manager is explicitly not supposed to rely on any server, how does this work? I chose to use existing cloud storage like Dropbox or Google Drive for this, PfP will upload its encrypted backup file there. This would be pretty trivial, but sync functionality is also supposed to sync records if data is modified by multiple clients concurrently. Not just that, sync has to work even when passwords are locked, meaning: without the possibility to decrypt data. The latter is addressed by uploading local data without any modifications. Records are encrypted in the same way both locally and remotely, so decrypting them is unnecessary. Merging changes without access to decrypted data is more complicated. This is done by using record identifiers that are both deterministic (same site and password name result in the same record identifier on all devices) and opaque (don’t allow any conclusions about site and password name). PfP uses HMAC to create record identifiers, with the HMAC secret being a random byte sequence that is stored encrypted. When sync is set up for a device, its HMAC secret is replaced to make it match the HMAC secret of other devices connected to the same storage. After that a particular site/password combination is guaranteed to be stored with the same record identifier on all devices. The merge operation itself is comparably easy then: PfP downloads remote data and replaces any records (by record identifier) that changed locally since the previous sync by local versions. It then needs to make sure that no conflicting changes by two clients are uploaded at the same time. This is fairly straightforward for Dropbox, you can always specify the file version you want to replace — if the file changed in the meantime, the operation fails and sync is restarted. 
Google Drive API makes it more complicated, you have to use underdocumented ETag functionality and cannot avoid conflicts when creating a new file. Worse yet, this feature only exists in the v2 API, whereas the newer v3 API has no conflict resolution whatsoever. One has to hope that Google doesn’t decide to deprecate v2 API soon. Altogether, the sync functionality required more effort than I imagined but it works really well. And what about the Edge version that I promised before? Stuck in traffic. I figured out everything necessary with the 2.0.2 release a month ago already. However, turned out that uploading Edge extensions to the Windows Store requires a special permission. I requested this permission and that’s where we still are. Microsoft is making t[...]

Mozilla Addons Blog: Theme API Update

Thu, 08 Mar 2018 12:00:19 +0000

This article is written by Michael de Boer, Mozilla Engineering Manager working on the Firefox Frontend team. Mike has been actively involved in themes for a long time and is excited to share the improvements coming to the WebExtensions Theme API.

Last spring we announced our plans to improve themes in Firefox and today I’d like to share our progress and what you can expect in the next few releases! We started off with laying the groundwork to get a new type of Theme supported; a new ‘theme’ WebExtension namespace was created and we made the Addon Manager aware of WebExtension Themes. Our first milestone was to completely support the LightWeight Theme (LWT) features, because they’re so simple. This way we had our first new-style themes that are able to change the background image, background color and foreground text color working very quickly. We continued to implement more properties on top of this solid base and are moving toward Chrome compatibility at a good pace. If you’ve created an extension before, writing your new Theme will be a walk in the park; you can use about:debugging and an extensive toolbox to load up and inspect your manifest-based theme or WebExtension that uses the ‘theme’ JavaScript API and has obtained the ‘theme’ permission.

What you can use today

Since Firefox 55, extension developers have been able to create extensions that can request permission to change the theme that’s currently active and use a number of JavaScript APIs provided by the `browser.theme` namespace. We fondly call them ‘dynamic themes’, because you can mix and match WebExtension APIs to create wholly unique browser experiences that may reactively update parts of the browser theme.

In Firefox Quantum 57 you can use the following methods:

  • theme.update([windowId]), with which you can update the browser’s theme and optionally do that only for a specific window.
  • theme.reset([windowId]), which removes any theme updates made in a call to `theme.update()`. The optional windowId argument allows you to reset a specific window.

And in Firefox 58 you can use these:

  • theme.getCurrent(), which gets the currently applied browser theme,
  • theme.onUpdated, an event that’s fired whenever the active theme is updated.

As you might have noticed, the theme.update() method is where the magic happens. But it only does something pretty when you feed it a bag of properties that you want it to change. These properties are defined in the schema and the current set is:

images

  • additional_backgrounds: This is a list (JavaScript Array) of image URLs that will be used as the background of a browser window. [...]

Rabimba: HackRice 7.5: How "uFilter" was born

Thu, 08 Mar 2018 07:59:38 +0000

I have a thing for Hackathon. I am a procrastinator. A lazy and procrastinator graduate student, not a nice combination to have. But still when I see hundreds of sharp minds in a room scrabbling over idea, hungry to build and prototype their idea. Bring it to life, it finally pushes me to activity, makes me productive. That is why I love Hackathon, that is why I love HackRice, our resident Hackathon of Rice University.

TL;DR: if you just want to try the extension, chrome version is here and Firefox version is here.

I have been participating at HackRice since 2014, when I think for the first time it was open for non-rice students, and have been participating ever since. What a roller coaster ride it has been, but that is a story for another day.

HackRice 7.5 being the last one I will be able to attend at Rice, it was somewhat special and emotional for me.

Hackrice 7.5 starts now!

HackRice 7.5 was a tad different from the other iterations. For starters it was the first time it was being held in Spring semester, and hence on a smaller scale and only to Rice Students. And also instead of normal 26 hours, it was exactly 24 hours. The venue was Liu Idea Lab. I have never been to the lab before, and it seemed to be a nice place to sit and work. The event started on Friday evening and ended on Saturday evening.

The event had two tracks, with a beginner and a Data Science track. The organizers had two in depth workshop/tutorials set up for both of these tracks to help out starters. Which I thought was really cool. Even though I was brainstorming and prototyping on something different, I sat through them anyway and felt they were really thorough.

Being a one person team, and not really knowing anybody else I decided to work on a relatively smaller project which I can finish instead of trying anything in Data Science track. The idea I initially had was of a privacy filter. After some more brainstorming realized to properly make one, taking account of all anonymizing factors it probably will take me more time than 24 hours. I decided to settle on more of a toxic/malicious/sanity/trigger word filter.

The Idea: Create a browser based extension that can filter out abusive posts, word, sentences paragraphs.

Inspiration: Lately a lot of us have started noticing the rise of cyber bullying and abusive behaviors across the internet. Be that reddit or facebook group. Often I see it gets me rallied up just before I go to sleep. Often I wish if only I did not read that. Recent increase in cyber bullying is one of the primary reasons for the tool. Mental health and online harassment are major, relevant [...]

David Teller: Thinkerbell Postmortem/Brain dump

Thu, 08 Mar 2018 07:50:05 +0000

Two years ago, I was working on a research project called “Project Link” as part of the Connected Devices branch of Mozilla. While this branch has since been stopped, some part of Project Link lives on as Project Things.

One of the parts of Project Link that hasn’t made it to Project Things (so far) was Thinkerbell: a Domain-Specific Language designed to let users program their SmartHome without coding. While only parts of Thinkerbell were ever implemented, they were sufficient to write programs such as:

Whenever I press any button labelled “light” in the living room, toggle all the lights in the living room.


If the entry door is locked and the motion detector notices motion, send an alarm to my SmartPhone.

Thinkerbell also had:

  • semantics that ensured that scripts could continue/resume running unmonitored even when hardware was replaced/upgraded/moved around the house, including both the server and the sensors;
  • a visual syntax, rather than a text syntax;
  • a novel type system designed to avoid physical accidents;
  • a semantics based on process algebras.

Ideally, I’d like to take the time to write a research paper on Thinkerbell, but realistically, there is very little chance that I’ll find that time. So, rather than letting these ideas die in some corner of my brain, here is a post-mortem for Thinkerbell, in the hope that someone, somewhere, will pick some of the stuff and gives it a second life.

Note that some of the ideas exposed here were never actually implemented. Project Link was cancelled while Thinkerbell was still in its infancy.

Mozilla Marketing Engineering & Ops Blog: MDN Changelog for February 2018

Thu, 08 Mar 2018 00:00:00 +0000

Here’s what happened in February to the code, data, and tools that support MDN Web Docs:

  • Migrated 14% of compatibility data, leaping to 57% completion for the conversion effort.
  • Improved and extended interactive examples
  • Prepared for a CDN and Django 1.11
  • Shipped tweaks and fixes by merging 413 pull requests, including 147 pull requests from 47 new contributors.

Here’s the plan for March:

  • Move developers to Emerging Technologies
  • Meet in Paris for Hack on MDN
  • Evaluate proposals for a performance audit

Done in February

Migrated 14% of compatibility data

In February, we asked the MDN community to help convert compatibility data to the browser-compat-data repository. Florian Scholz led this effort, starting with a conference talk and blog post last month. He created GitHub issues to suggest migration tasks, and added a call to action on the old pages: The response from the community has been overwhelming. There were 203 PRs merged in February, and 96 were from 23 first-time contributors. Existing contributors such as Mark Boas, Chris Mills, and wbamberg kept up their January pace. The PRs were reviewed for the correctness of the conversion as well as ensuring the data was up to date, and Florian, Jean-Yves Perrier, and Joe Medley have done the most reviews. In February, the project jumped from 43% to 57% of the data converted, and the data is better than ever. There are two new tools using the data. SphinxKnight is working on compat-tester, which scans an HTML, CSS, or Javascript file for compatibility issues with a user-defined set of browsers. K3N is working on mdncomp, which displays compatibility data on the command line: If you have a project using the data, let us know about it!

Improved and Extended Interactive Examples

We continue to improve and expand the interactive examples, such as a clip-path demo from Rachel Andrew: We’re expanding the framework to allow for HTML examples, which often need a mix of HTML and CSS to be interesting. Like previous efforts, we’re using user testing to develop this feature. We show the work-in-progress, like the demo, to an individual developer, watch how the demo is used and ask for feedback, and then iterate on the design and implementation. The demos have gone well, and the team will firm up the implementation and write more examples to prepare for production. The team will also work on expanding test coverage and formalizing the build tools in a new package.

Prepared for a CDN and Django 1.11

We made many changes last [...]

K Lars Lohn: Things Gateway - Part 6

Wed, 07 Mar 2018 22:12:13 +0000

Today I'm going to play around with some switches from TP-Link with the experimental Things Gateway from Mozilla. Previously in this series I covered other home automation technologies (Zigbee, Z-Wave, Philips Hue) from the perspective of the Things Gateway.

While TP-Link makes a variety of devices: plugs, switches and bulbs, I only had access to a pair of the Smart Plugs.

Because the TP-Link devices use the local WiFi for all their communication, they are among the scariest devices on my local area network. They are black boxes and I must implicitly trust the manufacturer that they are secure: forever. Yeah, I've expressed trepidation over smart hubs (Samsung Smart Things, Philips Hue Bridge, etc) for the same reason, but these are even scarier. Why? Because there's potentially an army of these devices in a smart home. They may last for years and years, but how long will they receive firmware security updates? Updating the firmware requires action on the part of the owner. Electrical outlets should just work, I don't want to have to track them all. Missing just one in a security update may be all it takes to compromise the local area network.

Goal: Pair the Things Gateway with a pair of TP-Link Smart Plugs

Item | What's it for? | Where I got it
The Raspberry Pi and associated hardware from Part 2 of this series minus the DIGI X-stick | this is the base platform that we'll be adding onto | from Part 2 of this series
TP-Link Smart Plug HS-110 | a smart plug to pair with the Things Gateway | Amazon
An iOS or Android phone or tablet | The set up of the Smart Plugs requires a controller app on a mobile device | I used my Android phone

The first word that came to mind when I opened the package for a TP-Link HS-110 Smart Plug was "humongous". In a standard wall outlet, they block both receptacles no matter which one is used. On the power strip that I used for testing, two smart plugs used four receptacles and they could not be placed next to each other. This is a poor design that makes me think they were not tested in real world applications. While physical design problems do not automatically imply software design problems, I am wary.

Step 1: The devices need to access the local WiFi network for communication. This involves downloading the TP-Link Kasa for Mobile app on a mobile device. I chose my Android Phone for this process.

On starting Kasa for Mobile, the first thing I encountered was a login page. Because I don't want these devices communicating outside my local area network, I declined by pres[...]

Air Mozilla: Bugzilla Project Meeting, 07 Mar 2018

Wed, 07 Mar 2018 21:00:00 +0000

The Bugzilla Project Developers meeting.

Firefox Test Pilot: Welcome Teon Brooks to the Test Pilot Team!

Wed, 07 Mar 2018 20:59:41 +0000

Late last year, the Test Pilot team welcomed a new data scientist, Teon Brooks. In this post, Teon talks about some of his recent work and his role with Test Pilot.

How would you describe your role on the Test Pilot team?

I work as the team’s data scientist. I am responsible for providing data insights from our participants’ engagement and interactions to help improve the user experience.

What does a typical day at Mozilla look like for you?

A typical day for me consists of me learning about the new features we are building in Test Pilot and conceptualizing what types of measurements we should have to evaluate the effectiveness of a given product. I also spend my time doing data exploration to better understand how users engage with our products.

Where were you before Mozilla?

I am a cognitive scientist by training; I spent the past decade as an experimental researcher looking at how the brain processes and understands language. Over the past five years, I have become an open-source developer working on the MNE project, a data analysis and visualization package for time-series brain recording. I first came to the Mozilla Foundation as a “Mofo-er” through its Science Fellowship program where I worked on developing data standards for time-series brain data.

On Test Pilot, what are you most looking forward to and why?

I am excited to see how Test Pilot grows as a platform for testing new ideas for Firefox with users in the loop. We want to empower our users to have control over their experience on the web and Test Pilot allows us to build the tools to help with that.

Tell me something most people at Mozilla don’t know about you.

I am a huge fan of the performing arts, especially dance. Misty Copeland is one of my heroes in the ballet world. I’m not only a fan of dance but I enjoy performing. I competed as an amateur Latin ballroom dancer for six years. In recent years, I have taken up ballet.

Welcome Teon Brooks to the Test Pilot Team! was originally published in Firefox Test Pilot on Medium, where people are continuing the conversation by highlighting and responding to this story.[...]

David Humphrey: On standards work

Wed, 07 Mar 2018 20:18:43 +0000

This week I'm looking at standards with my open source class. I find that students often don't know about standards and specs, how to read them, how they get created, or how to give feedback and participate. The process is largely invisible.

The timing of this topic corresponds to a visit from David Bruant, who is a guest presenter in the class this week. I wanted to discuss his background working "open" while he was here, and one of the areas he's focused on is open standards work for the web, in particular, for JavaScript. All of the students are using JavaScript. Where did it come from? Who made it? Who maintains it? Who defines it? Who is in charge?

When we talk about open source we think about code, tests, documentation, and how all of these evolve. But what about open standards? What does working on a standard look like?

There's a great example being discussed this week all over Twitter, GitHub, Bugzilla and elsewhere. It involves a proposal to add a new method flatten() to Arrays. There are some good docs for it on MDN as well. The basic idea is to allow an Array containing other Arrays, or "holes" (i.e., empty elements), to be compressed into a new "flat" Array. For example, the "flattened" version of [1, 2, [3, 4]] would be [1, 2, 3, 4]. It's a great suggestion, and one of many innovative and useful things that have been added to Array in the last few years.

However, changing the web is hard. There's just so much of it being used (and abused) by people all over the world in unexpected ways. You might have a good idea for a new thing the web and JavaScript can do, but getting it added is not easy. You might say to yourself, "I can see how removing things would be hard, but why is adding something difficult?" It's difficult because one of the goals of the people who look after web standards is to not intentionally break the web unnecessarily. Where possible, something authored for the web of 1999 should still work in 2019.
So how does flatten() break the web? Our story starts 150 years ago, back in the mid 1990s. When it arrived on the scene, JavaScript was fairly small and limited. However, people used it, loved it, (and hated it), and their practical uses of it began to wear grooves: as people wrote more and more code, best practices emerged, and some of those calcified into utility functions, libraries, and frameworks. One of the frameworks was MooTools. Among other conveniences,[...]

Air Mozilla: The Joy of Coding - Episode 131

Wed, 07 Mar 2018 18:00:00 +0000

mconley livehacks on real Firefox bugs while thinking aloud.

Air Mozilla: Computer Security In The Past, Present and Future, with Mikko Hypponen

Wed, 07 Mar 2018 18:00:00 +0000

Computer security researcher Mikko Hypponen has been hunting hackers since 1991. Join us to hear his insights and stories on computer security history. Mikko will...

Air Mozilla: Weekly SUMO Community Meeting, 07 Mar 2018

Wed, 07 Mar 2018 17:00:00 +0000

This is the SUMO weekly call

Hacks.Mozilla.Org: Building an Immersive Game with A-Frame and Low Poly Models

Wed, 07 Mar 2018 16:11:13 +0000

Note: This is Part 1 of a two-part tutorial.

There is a big difference between immersion and realism. A high-end computer game with detailed models and a powerful GPU can feel realistic, but still not feel immersive. There’s more to creating a feeling of being there than polygon count. A low poly experience can feel very immersive through careful set design and lighting choices, without being realistic at all.

Today I’m going to show you how to build a simple but immersive game with A-Frame and models from the previous Sketchfab design challenge. Unlike my previous tutorials, in this one we will walk through creating the entire application. Not just the basic interaction, but also adding and positioning 3D models, programmatically building a landscape with rocks, adding sounds and lighting to make the player feel immersed in the environment, and finally interaction tweaks for different form factors.

I hope this blog will inspire you to submit to the current challenge we are running with SketchFab. There’s still time to enter before submissions close on April 2nd.

Boilerplate

Our WebVR Whack-an-Imp game is a variation on Whack-A-Mole, except in our case it will be an imp flying out of a bubbling cauldron. Before we get to fancy 3D models, however, we must begin with an empty HTML file that includes the A-Frame library.

At first we won’t make the scene pretty at all. We just want to prove that our concept will work, so we will keep it simple. That means no lighting, models, or sound effects. Once the underlying concept is proven we will make it pretty.

Let’s start off with a scene with stats turned on, then add a camera with look-controls at a height of 1.5 m, which is a good camera height for VR interaction (roughly corresponding to the average eye height of most adult humans).

Notice the a-cursor inside of the camera. This will draw a little circular cursor, which is important for displays that don’t have controllers, such as Ca[...]

Hacks.Mozilla.Org: Building an Immersive Game with A-Frame and Low Poly Models (Part 2)

Wed, 07 Mar 2018 16:10:59 +0000

In part one of this two-part tutorial, we created an A-Frame game using 3D models from Sketchfab and a physics engine. Whack-an-Imp works and it has nice landscaping but it still doesn’t feel very immersive. The lighting is all wrong. The sky is pure white and the ground is pure red. The trees don’t have shadows and there is no firelight coming from the cauldron. The moon is out so it must be night time, but we don’t see reflections of moonlight anywhere. A-Frame has given us default lighting but it no longer meets our needs. Let’s add our own lighting.

Lighting

Change the color of the ground to something more ground-like, a dark green. I did try adding fog for extra mood, but it simply blocked the sky, so I took it out.

For the moonlight we will use a directional light. This means the light comes from a particular direction but is positioned infinitely far away so that the light hits all surfaces equally. For something like the moon, this is what we want.

Here’s what it looks like now:

Hmm… We are getting there but it’s still not quite right. The moonlight certainly reflects nicely off the tops of the rocks, but the bottoms of the rocks and trees are too dark to see. While this might be a realistic scene it doesn’t feel like a place that I would want to visit. A common movie trick for shooting a night scene is to have a colored light shining up to illuminate the undersides of objects without making the scene so bright that the illusion of nighttime is ruined. We can do this with a hemisphere light.

A hemisphere light gives us one color above and one below. I used white for the upper and a sort of purplish dark blue for the lower, at an intensity of 0.4. Feel free to experiment with different settings.

Now just one more thing. The fire under the cauldron should emit a warm red glow and the nearby rock should reflec[...]

Air Mozilla: NYU MSPN Webinar Series - Women in Tech

Tue, 06 Mar 2018 21:30:00 +0000

This is a panel discussing being a woman in the field of technology.

Mozilla Reps Community: New Review Team Member 2018

Tue, 06 Mar 2018 13:31:07 +0000

Hi amazing Reps!

We’re so very happy to announce the new Review Team members who have just been officially onboarded. Welcome Michael, Pushpita, Jason, and Arturo to the team!

The Review Team is a specialized group responsible for reviewing and approving or rejecting every budget request made by Mozilla Reps. This team is working in close coordination with and under the supervision of the Reps Council. The new Review Team will replace the old members and team up with the 3 remaining members to continue the work for a year. You can check more information about The Review Team in this wiki page.

Last but not least, I would also like to thank and appreciate the previous Review Team members Dian Ina, Priyanka, Faisal, and Flore for all their contribution for the past year in the Review Team. Your contribution & dedication has been a great help for the program so far. We can’t thank you enough for that.

Please join me to congratulate all of them on the Discourse topic!

This Week In Rust: This Week in Rust 224

Tue, 06 Mar 2018 05:00:00 +0000

Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR.

Updates from Rust Community

News & Blog Posts

  • 🎈🎉 Announcing Rust 1.24.1. 🎉🎈
  • Announcing the CLI working group.
  • Come join the Rust and WebAssembly working group.
  • Why Rust has macros.
  • Writing a microservice in Rust.
  • Futures 0.2 is nearing release.
  • Writing your first compiler: Making a Brainfuck to C compiler in Rust.
  • Stopping a Rust worker.
  • Serializing awkward data with Serde.
  • An introduction to writing platform agnostic drivers in Rust using the MCP3008 as an example.
  • Opportunistic mutations for the mutagen - a Rust mutation testing framework.
  • This week in Rust docs 95.
  • [podcast] New Rustacean: Rust 1.24. Performance wins, incremental compilation, and the Rust 2018 Roadmap and Epoch.
  • [podcast] Rusty Spike Podcast - episode 21. SIMD, WebAssembly for performance, the embedded working group, the Rust+WebAssembly working group, and the return of the Servo newsletter.

Crate of the Week

This week's crate is trace, a crate to allow for quick debug outputs without println!. Thanks to gilescope for the suggestion. Submit your suggestions and votes for next week!

Call for Participation

Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started! Some of these tasks may also have mentors available, visit the task page for more information.

  • Rust CLI Survey – Help the CLI WG determine which problems to tackle.
  • Help write the Embedded Rust Book - an official guide to using Rust on microcontrollers. Get started with these beginner-friendly issues.
  • Cargo: Abort crate resolution if too many candidates have been tried.
  • Cargo: Command to update Cargo.lock to minimal versions.

If you are a Rust project owner and are looking for contributors, please submit tasks[...]

Air Mozilla: Mozilla Weekly Project Meeting, 05 Mar 2018

Mon, 05 Mar 2018 19:00:00 +0000

The Monday Project Meeting

Mozilla Addons Blog: Updates to Add-on Review Policies

Mon, 05 Mar 2018 17:00:45 +0000

The Firefox add-ons platform provides developers with a great level of freedom to create amazing features that help make users’ lives easier. We’ve made some significant changes to add-ons over the past year, and would like to make developers aware of some updates to the policies that guide add-ons that are distributed publicly. We regularly review and update our policies in reaction to changes in the add-on ecosystem, and to ensure both developers and users have a safe and enjoyable experience.

With the transition to the WebExtensions API, we have updated our policies to better reflect the characteristics of the new technology, and to better clarify the practices that have been established over the years.

As existing add-ons may require changes to comply with the new policies, we would like to encourage add-on developers to preview the policies, and make any necessary preparations to adjust their add-ons.

Some notable changes and clarifications include:

  • With some minor exceptions for add-ons listed on, all policies apply to any add-ons that are distributed to consumers in any manner.
  • Add-on listings should have an easy-to-read description about everything it does.
  • Add-ons that contain obfuscated, minified or otherwise machine-generated code, must provide the original, non-generated source code to Mozilla during submission as well as instructions on how to reproduce the build.
  • Add-ons that collect, store, use or share user data must clearly disclose the behavior in the privacy policy and summarize it in the description. Users must be provided with a way to control the data collection.
  • Collecting data not explicitly required for the add-on’s basic functionality is prohibited. Add-ons must only collect information about add-on performance and/or use.

If you have questions about the updated policies or would like to provide feedback, feel free to reply on the discourse thread. The new policies will be effective April 1, 2018.

The post Updates to Add-on Review Policies appeared first on Mozilla Add-ons Blog.[...]

Hacks.Mozilla.Org: How to Write CSS That Works in Every Browser, Even the Old Ones

Mon, 05 Mar 2018 15:38:50 +0000

Let me walk you through how exactly to write CSS that works in every browser at the same time, even the old ones. By using these techniques, you can start using the latest and greatest CSS today — including CSS Grid — without leaving any of your users behind. Along the way, you’ll learn the advanced features of Can I Use, how to do vertical centering in two lines of code, the secrets to mastering Feature Queries, and much more.

For more videos on CSS Grid, other new CSS, and how to create great layouts on the web, subscribe to Layout Land on YouTube.

We’d love to hear what you think. Comment on YouTube.

Mozilla GFX: WebRender newsletter #15

Mon, 05 Mar 2018 15:28:11 +0000

I was in Toronto (where a large part of the gfx team is) last week and we used this time to make plans on various unresolved questions regarding WebRender in Gecko. One of them is how to integrate APZ with the asynchronous scene building infrastructure I have been working on for the past few weeks. Another one is how to separate rendering different parts of the browser window (for example the web content and the UI) and take advantage of APIs provided by some platforms (direct composition, core animation, etc.) to let the window manager help alleviate the cost of compositing some surfaces and improve power usage. We also talked about ways to improve pixel snapping. With these technical questions out of the way the rest of the week -just like the weeks before that- revolved around the usual stabilization and bug fixing work.

Notable WebRender changes

  • Nical implemented the infrastructure for asynchronous scene building. This will allow us to move expensive operations out of the critical path and ensure that scrolling and animations are always smooth.
  • Kats fixed a render backend shutdown bug.
  • Kvark fixed the ordering of resource cache operations during frame capture.
  • Nical fixed some issues with the way pipeline epochs are tracked.
  • Glenn removed an optimization that had become obsolete.
  • Martin cleaned up the scene building code.
  • Glenn made drop-shadow and blur filters use the brush image shader.
  • Kvark fixed a hang with wrench on Windows.
  • Kvark properly cleaned up resources in wrench.
  • Martin fixed a clipping issue with fixed position children elements.
  • Martin relaxed the checks that detect 2D translations, to avoid a lot of expensive and unnecessary 3D transform inversions.
  • Martin optimized out more 3D transform inversions.
  • Glenn shared GPU cache entries for repeated gradient primitives.
  • Kvark fixed some issues with the YUV shader (2).
  • Martin removed some hash map lookups (2).
  • Glenn fixed inverted texture coordinates with the image brush shader.
  • Patrick improved anti-aliasing quality.
  • Glenn implemented clip masks for picture tasks.
  • Glenn ported the YUV shader, the radial gradient shader and t[...]

QMO: Firefox 59 Beta 14 DevEdition Testday Results

Mon, 05 Mar 2018 10:38:08 +0000

Hi everyone,

Friday 2nd of March we held 59.0b14 DevEdition testday.

Thank you Iryna Thompson, Adam24 and Logicoma for making Mozilla a better place.

Thank you India community: Surentharan R.A and SurenVino,
Fahima Zulfath A, Ajay Sharvesh, Aishwarya Narasimhan.



  • several test cases executed for Toolbars & window controls and Default & custom theme support
  • one new bug reported: 1442754
  • 3 bugs verified: 1427595, 1413051, 1419336

Thanks for another successful testday!

We hope to see you all in our next events, all the details will be posted on QMO!



Firefox Nightly: These Weeks in Firefox: Issue 33

Mon, 05 Mar 2018 06:43:49 +0000

Highlights

  • Added section context menus to Activity Stream, allowing for more in-page customizations like reordering.
  • Heads up: The Symantec CA distrust policy action is underway in Nightly. This policy is being implemented by Chrome in M66, which will release ahead of Firefox 60. You are likely to get certificate errors for some popular websites in Nightly until they change their configuration. Note that filing bugs for particular websites is not useful; we’ve been duping them on Bug 1436062. TLS Canary shows ~300 high-ranking sites broken.
  • Some larger UI changes to about:preferences landed last week, combining cookies, site data and cache into a single section. The previously rather buried cookie settings should now be more easily accessible.

Friends of the Firefox team

Resolved bugs (excluding employees):

More than one bug fixed:
  • :prathiksha
  • Arthur Edelstein [:arthuredelstein]
  • Oriol Brufau [:Oriol]
  • Richard Marti (:Paenglab)
  • Tim Nguyen :ntim

New contributors (🌟 = First Patch!)
  • 🌟 Apoorv Goel made it so that about:telemetry uses the new Symbol Server
  • 🌟 Connor Masini made it so that WebExtensions can theme arrow panels

🚀 Dark Theme Darkening 🌘 update #3 was sent to firefox-dev

Project Updates

Add-ons

WebExtension changes in Firefox 59:
  • Buncha test fixes, notably chasing down NS_ERROR_FILE_ACCESS_DENIED.
  • Fixed browser and page actions cleared when navigating.
  • Fixed pageAction visibility error (conflict between show_matches and hide_matches).

WebExtension changes in Firefox 60:
  • Only one homepage can be set by extensions.
  • Clearer messages for when an extension is controlling New Tab and Home pages.
  • The API has been implemented – this is mostly useful for DevTools extensions.
  • Battling FOUC (“Flash of unstyled content”) by running document_idle after DOMContentLoaded and after layout has had a chance to start.
  • Theming of arrow panels!
  • Popup opened by WebExtensions now get focus.
  • Hidden tabs are restored when the extension that hid them [...]