Not the answer #9
As I am in China's timezone, it was night and I was exhausted, so I could not continue the conversation on the bug tracker, so my apologies for any frustrations you had in spending time to try to get it to work. I think my latest advice, to use the XPI from Github, will definitely solve your problem as that preferences issue was related to Firefox 19/20, which I fixed. If not, let me know. I also agree with you as far as the fact that my addon could use a bit of a user-friendliness makeover, but my goal was to first implement a high and fine degree of control over security settings to overcome the objections of Mozilla toward getting the addon accepted at AMO, allowing the defaults to be strict so as to avoid too easy of social engineering by malicious hackers. If AsYouWish can be hosted at AMO (and though I agree with you that their endorsement is not strictly necessary and I hope to persist regardless), we can thereby assuage some concerns users may have that the addon itself could be insecure or unsafe (as opposed to the potential for malicious sites to use AsYouWish to ask the user for permission to do bad things--which we unfortunately can't avoid here). Once the granular level of control is completed (as mentioned, I still want to allow file and database access to be more specific if so requested), I think I may be able to focus on splitting up the dialog into a "Basic" and "Advanced" mode, so as not to deter people who just want to get going with the addon quickly (and I am open to suggestions or pull requests on how to better name or frame things). My personal aim is to avoid personally taking too confrontational lines (though I admit I may have been a bit abrasive or at least intolerant and verbose in complaining to Mozilla from time to time, as I feel I think similar to you in the great importance of this issue), but I also support the goal of freedom, and think it can be best served by focusing our energy on working alternatives. 
That being said, if we can do it with Mozilla's blessing, even if their security review is not perfect, I think it should be a lot smoother for everybody, not only for their visible stamp of approval, but also for their own potential to keep in mind that this addon exists, is dependent upon their APIs, etc. As far as forking Firefox to reapply enablePrivilege, I am afraid this is not within my competence, nor do I have time or energy to learn. Don't let me discourage you if you feel there is a need to do it, but I hope you will at least bear with me to get AsYouWish working, so you can make an informed decision (and perhaps enlighten me in turn as to deficits in my own approach). I think my current approach in being a light wrapper for the SDK APIs has the following advantages:
|
I don't think users think Moz's approval matters (particularly not Firefox users). All they really want is indemnity... they think issues with Firefox will hurt the sales of their phones. They never should have gotten into the phone business... major tactical and moral error. Doubtless they're just being used by Google. I've about isolated where the code is. The actual ability to work with files in Firefox is of course completely untouched... they've just removed the XPCOM wrapper. Trying to find where that wrapper is in FF14.... You know your add-on isn't gonna become anywhere near standard practice for users. They will eventually finish the file API (probably by 2015) and then we'll quite frankly use that. It would make more sense not to confront Moz, but the File API pointman in Moz by working to implement it ourselves. That will at least force him to get off his ass. |
"All they really want is indemnity". Who is the "they" here? I'm sorry, but I don't understand your argument. To me it is desirable to be able to have an open, JavaScript-hackable platform for use on mobile devices, consistent in approach with the desktop. Thank you for your candor on AYW. It makes sense. I would indeed not expect any add-on to become standard practice. I do hope it provides something useful in the interim though (not only for file access, but for any privileged API access), including I hope more web developers leveraging it when packaging files for other developers that need to create files. Also, I'm not sure that the standardization process will ever be fully robust... Will one be able to create a cross-browser desktop browser with the finalized file API, for example? I am all in support of using standard means where present (I wish there wasn't any need for AsYouWish at all). That is encouraging to hear of your apparent interest to help implement the file API. I really wish I could assist (my biggest interest is to see https://bugzilla.mozilla.org/show_bug.cgi?id=618354 implemented). |
Per your question on https://bugzilla.mozilla.org/show_bug.cgi?id=797443 . I've opened a GoToMeeting now as I am free to answer questions and I figure it should be less frustrating to have a chance to ask follow-up questions, etc. I'll hang around for a while so we can do a screen sharing audio session if you like. (If not, there are the docs or demos.)
Dial +1 (773) 897-3000 Meeting ID: 412-783-505 GoToMeeting® Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app. |
I closed the meeting, but let me know if you'd like to schedule a time. Or on Skype (brettz9). |
Tomorrow same time would be fine. I'll make note. |
I guess you mean 9am China time +8 UTC when I sent the last invite? In case you're free now, I'll hang around a little while again at:
Dial +1 (773) 897-3015 Meeting ID: 383-380-185 GoToMeeting® Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app. |
I'll close the issue for now, but feel free to add further comments here. |
Does this work on Firefox Mobile? |
I was able to reuse the XPCOM API after obtaining chrome privileges. Thanks. :) Gamestar works now. 💃 I'd love to see Gamestar run in Firefox Mobile. I realize maybe you don't have a dog in that fight, but I'll perform the adaptation myself if necessary. |
As far as the XPCOM API, that is great--glad to hear it! If you haven't seen it already, there is a FAQ entry on XPCOM API usage: https://github.com/brettz9/asyouwish/wiki/Developer-FAQ As far as Mobile, it appears that addons (as opposed to web apps) can currently only be made for Android and Maemo. However, I suppose at least theoretically, AYW-like functionality could be added into the source code for the "Web browser" app of Firefox OS (if Mozilla isn't already planning some kind of addon system--from the current code, it doesn't appear so, though I've added a bug for it, along with requesting other related features, at https://bugzilla.mozilla.org/show_bug.cgi?id=848647 ), since everything is still built on top of Gecko (not sure if all XPCOM interfaces are available though). Source code of the browser is at https://github.com/mozilla-b2g/gaia/blob/master/apps/browser/js/browser.js (for the sake of interest (but not relevant to AsYouWish unless it was to allow APIs to overlay it), the source of the code showing the list of apps themselves is at https://github.com/mozilla-b2g/gaia/tree/master/apps/system ). So I'm certainly interested to know what might be doable for mobile, yes, but it's not at the top of my current priority list--unless I might discover it will not be difficult/time-consuming to adapt. If you decide to investigate, an overview of architecture is documented at https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Platform/Architecture and there are some browser-specific docs at https://wiki.mozilla.org/Gaia/Browser and a proposed API for browsers at https://wiki.mozilla.org/WebAPI/BrowserAPI which Firefox OS' browser apparently already implements. Mention is made at https://developer.mozilla.org/en-US/docs/Apps/Manifest for "privileged" and "certified" type of apps which is what I believe the add-ons of "Web Browser" ought to run under (which perhaps they would automatically given that "Web Browser" is packaged as a "certified" app). 
Generic info on Firefox OS is at https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS and the WebBrowser APIs are listed at https://wiki.mozilla.org/WebAPI/ . Also, if in the unlikely event you happen to discover in the course of any investigation into the mobile browser, any way in which browser code might be applied to the desktop to allow independent browsing navigation controls on iframes (per my request at https://bugzilla.mozilla.org/show_bug.cgi?id=618354 ), I would be most grateful. |
If you like and it is ready for the public, you are welcome to send me a URL to Gamestar so I can add it to the list at https://github.com/brettz9/asyouwish/wiki/Published-apps-using-AsYouWish |
It doesn't work on Firefox Mobile. I got an error: "This add-on is incompatible with Firefox 19". I got this error for both the current version and the one on AMO. I'm honestly not sure why it doesn't work. Probably because it didn't have the mobile id in the install.manifest. May give that a try and see what happens. As for Firefox OS, File API will probably be done by the time it ships.. |
Which Firefox Mobile? There is no add-on capability in the new Firefox OS yet. Did you try in Firefox for Android? Also, are you using the add-on XPI from Github instead of AMO? |
I downloaded FF for Android. That's what I got the error on. I tried both. |
Hmm, sorry, don't know about it. |
Why not create an issue for Firefox for Android, and I'll ask someone from Moz to look at it? They may also know something about the Firefox OS plans. |
Or if you have time, we can go over to Moz chat right now together and see if we can get attention. |
Sorry, busy these my day-times until Sunday. |
I built AYW for mobile with the SDK ("cfx xpi --force -mobile"). It installed fine but even after setting things up on the options panel it didn't work. The permission dialog itself doesn't show and neither does the widget nor the HTML panel. |
Although this was a year ago, I see per I'm afraid this is not high on my priority list at the moment, but Brett On 3/9/2013 7:41 AM, tcaudilllg wrote:
|
I've been investigating all the alternatives, and it seems like the best On Sun, Mar 10, 2013 at 8:18 AM, Brett Zamir [email protected]:
|
Nice to hear you found something that works. That does sound like a good solution, though I will try to keep my eyes open if chances permit on usage within Firefox for Android. |
Having gotten fed up (and aware enough that I need authority from on high to get anywhere with official builds) I've done the standards people's work for them: https://hacks.mozilla.org/2012/07/why-no-filesystem-api-in-firefox/comment-page-1/#comment-2041377 Your support is suggested and would be appreciated. |
So it seems Moz has left us on our own with respect to the addons issue. |
Why not a fully client-side solution? Would be faster... If you don't want to have your users install AsYouWish, you could still build an add-on Builder in AsYouWish. :) Mozilla has the zip facilities to do this... |
Well if it's got zip, that's all that's needed. I didn't think zip was I have nothing against AsYouWish... simply an issue that most people trust On Wed, Jan 15, 2014 at 12:22 AM, Brett Zamir [email protected]:
|
As far as zip and Mozilla, I mean within an addon (or within AsYouWish), you could get access to: https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIZipWriter . However, it seems there are facilities now even in vanilla JavaScript to do zipping: http://stackoverflow.com/questions/2095697/unzip-files-using-javascript and http://stuk.github.io/jszip/ , for example, though I haven't used them. Yeah, well, first of all, maybe I should remove some (though not all) of the scary warnings at the AsYouWish repo page. Are the issues you faced getting users to install because they are deterred by the concept or because they have difficulty figuring out how to use it? |
Both. Most people won't bother with something that implies risk in the On Thu, Jan 16, 2014 at 8:24 AM, Brett Zamir [email protected]:
|
Would be enough to modify the helper, I'd think. Of course, if you think As regards modifying the helper, it would be easy to port my file access On Thu, Jan 16, 2014 at 11:58 AM, Anthony Caudill [email protected]:
|
Good point about the relative safety of cards. What are you referencing by "modify the helper"? The readme or the zip libraries I mentioned? |
Have you joined INTP group on Facebook? I think you'd find it useful. I mean the addon builder helper addon that flightdeck used. On Thu, Jan 30, 2014 at 1:52 AM, Brett Zamir [email protected]:
|
well we'd access the zip libs from within the helper via chrome. We could On Thu, Jan 30, 2014 at 8:44 PM, Anthony Caudill [email protected]:
|
Brett, I investigated some of my suspicions about mozilla recently. Particularly 16:14 *** tcaud2 joined #amo-editors As I see it, there are two ways forward. Addons as we know them are In general, it seems like there are just a few dominant personalities Mozilla is a paper tiger... they say they despise the NSA, but are no In the US, anyway. In developing markets it aims to be a leader, and Google On Thu, Jan 30, 2014 at 8:46 PM, Anthony Caudill [email protected]:
|
I'd like to stop the slide, but it's hard given the concerted undercover Regardless, I am firmly convinced that something must change in the browser On Fri, Jan 31, 2014 at 7:04 PM, Anthony Caudill [email protected]:
|
One that will happen if AYW gets approved: all the download sites will I'm really thinking that the thing to do would be to simply offer a version On Fri, Jan 31, 2014 at 7:11 PM, Anthony Caudill [email protected]:
|
The problem, as I see it, isn't Firefox. The problem is that people are On Fri, Jan 31, 2014 at 8:10 PM, Anthony Caudill [email protected]:
|
Busy at the moment, but plan to get back to you with more on this soon... That was some helpful information to have about the review status, as I hadn't been fully clear on that myself... |
There may be an alternative. I had a discussion with DougT, the former Anyway, he explained that there are two instances of Javascript running at On Sat, Feb 1, 2014 at 8:45 PM, Brett Zamir [email protected]:
|
Never mind. Tried fooling with those and Firefox crashed. Had to reinstall A new tool is available which does your XPI building for you! On Sun, Feb 2, 2014 at 12:53 AM, Anthony Caudill [email protected]:
|
Regarding full approval vs. preliminary approval, again thank you very much for getting this clarification. Mozilla documents this, but I hadn't been clear because my impression was that they weren't going to accept it which I had interpreted as meaning they wouldn't give even preliminary approval. I thought they had disapproved it but had just neglected to take it off AMO, but it appears the reason is just because they are still supposed to do a preliminary approval check which would be great (for reasons such as you aptly stated of people wanting to know that the add-on would not by itself steal their credit card info). Why do you say "Addons as we know them are untenable..." and "Jetpack is an irredeemable mess"? As far as security principal, FYI, in #4 , I am hopeful that we may have a way now to allow the DOM to become privileged as well (if approved by the user of course). For WebAppFind as well as AsYouWish, I'd be interested in seeing the security principal be used, if it is possible, to optionally cause networking to be prevented or maybe preventing everything except a whitelist of sites where networking was allowed (I need to take a closer look at the suggestion at http://stackoverflow.com/questions/18369052/firefox-add-on-to-load-webpage-without-network-access ). Users would thus be able to get the benefits people with Mozilla have cited as existing for installed apps which would not exist otherwise for AsYouWish web apps: namely, that one could review the source code of just one version of a web app source code and trust that it wasn't going to be able to change into something insecure (or not need to review it at all if they were ok knowing there was no networking and the AYW privilege they had granted for the web app was not a risk). 
Such a feature is also described at http://en.wikipedia.org/wiki/Site-specific_browser , and it states that Chrome already has this capability via application shortcuts (but without having looked at this, my guess would be that this wouldn't allow integration with other browser add-ons, not to mention not being privileged). As far as Facebook, thank you for the suggestion, but with my fatigue, I really have to prioritize the groups I join. All the best, |
? Somebody take over your account? |
When? On Tue, Jun 24, 2014 at 2:03 AM, Brett Zamir [email protected]
|
Come to the Github site and look at the advertisement above... |
sigh maybe so. I use an easy password... I'll change it. On Tue, Jun 24, 2014 at 2:58 AM, Brett Zamir [email protected]
|
You might also check whether you have any third party services associated with your account--I doubt they'd be causing trouble, but in case you wish to be certain... |
I am quite convinced at this point that the only real answer to this is to make a fork of Firefox that combines 19 and 14. This isn't as hard as it sounds... Firefox's code is pretty well documented and contrary to what Moz may imply, it doesn't change that often. The core is still held over from Netscape. The changes between the versions are so minor it would not be hard to restore the functionality of enablePrivilege. Mozilla as we know it is gone. The noble vision of Blake Ross.... corrupted beyond restoration. Like you said, this is a feudal fief governed by group-think. It's like Netscape all over again, and it will invariably suffer a similar fate. But in these times, people are afraid. Unless we wage the revolt... no one will. Only INTPs like us are so obsessed with abstracted responsibility that we'd go this far, am I right? ;)
I do think people inside Moz will help us if we ask. There are still a lot of rebels there, and even some arrogant enough to give us what we want if it'll shut us up. It might seem scary to not have Moz's security fixers at your back but these people really don't test their stuff to any meaningful extent. The security flaws are a result of their carelessness, and besides, it takes time to capitalize on them. There are other builds that aren't updated as often, and you don't hear complaints about them. It's not the end of the world.
But if we fight them here, it'll be a major coup for freedom. It'll change the whole web.