Wladimir Palant: More Last Pass security vulnerabilities |
With Easy Passwords I develop a product which could be considered a Last Pass competitor. In this particular case however, my interest was sparked by the reports of two Last Pass security vulnerabilities (1, 2) which were published recently. It’s a fascinating case study given that Last Pass is considered security software and as such should be hardened against attacks.
I decided to dig into Last Pass 4.1.21 (latest version for Firefox at that point) in order to see what their developer team did wrong. The reported issues sounded like there might be structural problems behind them. The first surprise was the way Last Pass is made available to users however: on Addons.Mozilla.Org you only get the outdated Last Pass 3 as the stable version, the current Last Pass 4 is offered on the development channel and Last Pass actively encourages users to switch to the development channel.
My starting point were already reported vulnerabilities and the approach that Last Pass developers took in order to address those. In the process I discovered two similar vulnerabilities and a third one which had even more disastrous consequences. All issues have been reported to Last Pass and resolved as of Last Pass 4.1.26.
Having your password manager fill in passwords automatically is very convenient but not exactly secure. The awareness for the issues goes back to at least year 2006 when a report sparked a heavy discussion about the Firefox password manager. The typical attack scenario involves an (unfortunately very common) Cross-site scripting (XSS) vulnerability on the targeted website, this one allows an attacker to inject JavaScript code into the website which will create a login form and then read out the password filled in by the password manager — all that in the background and almost invisible to the user. So when the Firefox password manager requires user interaction these days (entering the first letter of the password) before filling in your password — that’s why.
Last Pass on the other hand supports filling in passwords without any user interaction whatsoever, even though that feature doesn’t seem to be enabled by default. But that’s not even the main issue, as Mathias Karlsson realized the code recognizing which website you are on is deeply flawed. So you don’t need to control a website to steal passwords for it, you can make Last Pass think that your website malicious.com is actually twitter.com and then fill in your Twitter password. This is possible because Last Pass uses a huge regular expression to parse URLs and this part of it is particularly problematic:
(?:(([^:@]*):?([^:@]*))?@)?
This is meant to match the username/password part before the hostname, but it will actually skip anything until a @ character in the URL. So if that @ character is in the path part of the URL then the regular expression will happily consider the real hostname part of the username and interpret anything following the @ character the hostname — oops. Luckily, Last Pass already recognized that issue even before Karlsson’s findings. Their solution? Add one more regular expression and replace all @ characters following the hostname by %40. Why not change the regular expressions so that it won’t match slashes? Beats me.
The bug that Karlsson found was then this band-aid code only replacing the last @ character but not any previous ones (greedy regular expression). As a response, Last Pass added more hack-foo to ensure that other @ characters are replaced as well, not by fixing the bug (using a non-greedy regular expression) but by making the code run multiple times. My bug report then pointed out that this code still wasn’t working correctly for data: URLs or URLs like http://foo@twitter.com:123@example.com/. While it’s not obvious whether the issues are still exploitable, this piece of code is just too important to have such bugs.
Of course, improving regular expressions isn’t really the solution here. Last Pass just shouldn’t do their own thing when parsing URLs, it should instead let the browser do it. This would completely eliminate the potential for Last Pass and the browser disagreeing on the hostname of the current page. Modern browsers offer the URL object for that, old ones still allow achieving the same effect by creating a link element. And guess what? In their fix Last Pass is finally doing the right thing. But rather than just sticking with the result returned by the URL object they compare it to the output of their regular expression. Guess they are really attached to that one…
I didn’t know the details of the other report when I looked at the source code, I only knew that it somehow managed to interfere with extension’s internal communication. But how is that even possible? All browsers provide secure APIs that allow different extension parts to communicate with each other, without any websites listening in or interfering. To my surprise, Last Pass doesn’t limit itself to these communication channels and relies on window.postMessage() quite heavily in addition. The trouble with this API is: anybody could be sending messages, so receivers should always verify the origin of the message. As Tavis Ormandy discovered, this is exactly what Last Pass failed to do.
In the code that I saw origin checks have been already added to most message receivers. However, I discovered another communication mechanisms: any website could add a form with id="lpwebsiteeventform" attribute. Submitting this form triggered special actions in Last Pass and could even produce a response, e.g. the getversion action would retrieve details about the Last Pass version. There are also plenty of actions which sound less harmless, such as those related to setting up and verifying multifactor authentication.
For my proof-of-concept I went with actions that were easier to call however. There was get_browser_history_tlds action for example which would retrieve a list of websites from your browsing history. And there were setuuid and getuuid actions which allowed saving an identifier in the Last Pass preferences which could not be removed by regular means (unlike cookies).
Last Pass resolved this issue by restricting this communication channel to lastpass.com and lastpass.eu domains. So now these are the only websites that can read out your browsing history. What they need it for? Beats me.
When looking into other interactions with websites, I noticed this piece of code (reduced to the relevant parts):
var src = window.frameElement.getAttribute("lpsrc");
if (src && 0 < src.indexOf("lpblankiframeoverlay.local"))
window.location.href = g_url_prefix + "overlay.html" + src.substring(src.indexOf("?"));
This is how Last Pass injects its user interface into websites on Firefox: since content scripts don’t have the necessary privileges to load extension pages into frames, they create a frame with an attribute like lpsrc="http://lpblankiframeoverlay.local/?parameters". Later, the code above (which has the necessary privileges) looks at the frame and loads the extension page with the correct parameters.
Of course, a website can create this frame as well. And it can use a value for lpsrc that doesn’t contain question marks, which will make the code above add the entire attribute value to the URL. This allows the website to load any Last Pass page, not just overlay.html. Doesn’t seem to be a big deal but there is a reason why websites aren’t allowed to load extension pages: these pages often won’t expect this situation and might do something stupid.
And tabDialog.html indeed does something stupid. This page still has a message handler reacting to messages sent via window.postMessage() without checking the origin. And not only that, the command it is expecting is “call” — it would call an arbitrary function with the parameters supplied in the message. Which function did I choose? Why, eval() of course! Game over, we have arbitrary websites inject JavaScript code into the extension context, they can now do anything that the Last Pass user interface is capable of.
The security issues discovered in Last Pass are not an isolated incident. The base concept of the extension seems sound, for example the approach they use to derive the encryption key and to encrypt your data before sending it to the server is secure as far as I can tell. The weak point is the Last Pass browser extension however which is necessarily dealing with decrypted data. This extension is currently violating best practices which opens up unnecessary attack surfaces, the reported security vulnerabilities are a consequence of that. Then again, if Tavis Ormandy is right then Last Pass is in good company.
https://palant.de/2016/09/16/more-last-pass-security-vulnerabilities
|
|
About:Community: Firefox 49 new contributors |
With the release of Firefox 49, we are pleased to welcome the 48 developers who contributed their first code change to Firefox in this release, 39 of whom were brand new volunteers! Please join us in thanking each of these diligent and enthusiastic individuals, and take a look at their contributions:
https://blog.mozilla.org/community/2016/09/16/firefox-49-new-contributors/
|
|
Kat Braybrooke: PhD Fieldwork, Day 1: A Researcher in Residence at the Tate (^.^) |
Today is a big day in the web-wolf glitter land that is my PhD. After a crazy and wonderful year of reading, discussing, traveling and (over!)thinking everything there is to think about spaces for digital making, cultural institutions, methodologies and open creative practices, I start the pilot stage of my doctoral fieldwork at the Tate Britain, situated within the ever-colourful Taylor Digital Studio as its new Researcher-in-Residence. I have consent forms ready from the University of Sussex, about a thousand web broswer windows open on the Tate’s computers, a T4 file full of community photos and about 20 pages of to-do’s - and yet, it feels no small task to get started.
As a part of the study I’m undertaking with the Tate and other cultural institutions in the UK, my aim in hanging out, messing around and geeking out at these spaces, in addition to implementing more formal qualitative methods like participant observation and interviews, is to engage with the situated knowledges and actor-network theories of Donna Haraway, Bruno Latour, Doreen Massey and other great thinkers as a user myself - not as an “objective” researcher, seemingly removed from the environments I am actually an active part of. This is because when we make things in a space like the Tate’s Digital Studio together, we all become connected - whether we happen to be a computer, a workshop participant, a gallery curator or an observer. We all help make these sites what they are. Without these interactions, a makerspace is just a conglomeration of infrastructures, plaster and walls alone, without meaning or identity.
This project’s data collection starts, perhaps fittingly, with making. From September to December, I’ll be spending my Fridays in the Studio, collaborating with other PhD and researcher groups and with the Tate’s excellent Digital Learning team members, while playing the role of both researcher and designer through a few different hands-on projects. The first intervention I’ll be working on is SPACEHACKER, an evolving artwork that I’ll be launching as part of MozEx, an exhibit curated by the Tate and the V&A as part of this year’s Mozilla Festival in London. SPACEHACKER implements critical and speculative design models by asking participants to sketch out their imaginaries of a digital space that members of their community would feel welcome at. For those interested in getting involved (I’d love collaborators on this project!), I’ll be presenting it along with a few other (mega talented!) MozEx artists in this public pop-up at the Tate on October 10th-11th.
Community making at a workshop entitled “Wandering Ruins” in 2014.
While learning about speculative user imaginations of digital spatiality through this artwork, I’ll also be working with Tate teams as a design practitioner, building a digital mosaic website on the ever-excellent Tumblr platform that highlights the many workshops and community happenings that have occurred at the Digital Studio since it opened in November 2013. Through these hands-on methods and more traditional qualitative observation and interviews, I hope to help build a public-minded narrative of the myriad experiences of users at this site, and the groups who have helped bring them to life - while building an understanding of the politics and institutional apparatuses of access, ownership and power that may also weave themselves around these interactions. My goal with this multi-level approach is to keep the research process as open, iterative and participatory as possible - which makes blog posts like this (and the discussions they bring about) just as important to me as formal academic journal articles and conference presentations. It just wouldn’t feel right to not share this work openly with the communities of makers, thinkers, curators and users who are actually involved in it!
As you can probably tell from my e-tone, I’m massively excited to be getting started on fieldwork this autumn with the Tate and other institutions who are quickly becoming pioneers of digital participation by mixing spaces for making with cultural spaces. I will keep sharing work here as it evolves, and in the meantime I’ll be heading to Johannesburg for a few days to see whether there are similar-minded initiatives that merge culture with digital learning and making in their communities (have any ideas? Please let me know!), and I’ll also be talking about these ideas and others on a panel entitled “Who is the digital revolution for?” in Brighton at the end of this month for those who are in town. Summer may be winding down and the days of sun getting shorter, but it’s shaping up to be an exciting autumn - and I’m already looking forward to meeting, making and thinking these ideas over with many of you throughout it!
|
|
Daniel Stenberg: A sea of curl stickers |
To spread the word, to show off the logo, to share the love, to boost the brand, to allow us to fill up our own and our friend’s laptop covers I ordered a set of curl stickers to hand out to friends and fans whenever I meet any going forward. They arrived today, and I thought I’d give you a look. (You can still purchase your own set of curl stickers from unixstickers.com)
The sticker is 74 x 26 mm at its max.
https://daniel.haxx.se/blog/2016/09/16/a-sea-of-curl-stickers/
|
|
Wil Clouser: Getting Firefox Nightly to stick to Ubuntu's Unity Dock |
I installed Ubuntu 16.04.1 this week and decided to try out Unity, the default window manager. After I installed Nightly I assumed it would be simple to get the icon to stay in the dock, but Unity seemed confused about Nightly vs the built-in Firefox (I assume because the executables have the same name).
It took some doing to get Nightly to stick to the Dock with its own icon. I retraced my steps and wrote them down below.
My goal was to be able to run a couple versions of Firefox with several profiles. I thought the easiest way to accomplish that would be to add a new icon for each version+profile combination and a single left click on the icon would run the profile I want.
After some research, I think the Unity way is to have a single icon for each
version of Firefox, and then add Actions to it so you can right click on the
icon and launch a specific profile from there.
If you don't have Nighly yet, download Nightly (these steps should work fine with Aurora or Beta also). Open a terminal:
$ mkdir /opt/firefox
$ tar -xvjf ~/Downloads/firefox-51.0a1.en-US.linux-x86_64.tar.bz2 /opt
You may need to chown some directories to get that in /opt which is fine.
At the end of the day, make sure your regular user can write to the directory or
else you won't be able to install Nightly's updates.
Then create a file in your home directory named nightly.desktop and paste this
into it:
[Desktop Entry]
Version=1.0
Name=Nightly
Comment=Browse the World Wide Web
Icon=/opt/firefox/browser/icons/mozicon128.png
Exec=/opt/firefox/firefox %u
Terminal=false
Type=Application
Categories=Network;WebBrowser;
Actions=Default;Mozilla;ProfileManager;
[Desktop Action Default]
Name=Default Profile
Exec=/opt/firefox/firefox --no-remote -P minefield-default
[Desktop Action Mozilla]
Name=Mozilla Profile
Exec=/opt/firefox/firefox --no-remote -P minefield-mozilla
[Desktop Action ProfileManager]
Name=Profile Manager
Exec=/opt/firefox/firefox --no-remote --profile-manager
Adjust anything that looks like it should change, the main callout being the
Exec line should have the names of the profiles you want to use (in the above
file mine are called minefield-default and minefield-mozilla). If you have
more profiles just make more copies of that section and name them appropriately.
If you think you've got it, run this command:
$ desktop-file-validate nightly.desktop
No output? Great -- it passed the validator. Now install it:
$ desktop-file-install --dir=.local/share/applications nightly.desktop
Two notes on this command:
/usr/share/applications/ and
affect all users of the computer. You'll probably need to sudo the
command if you want that.--dir=~/.local/... and it literally made a directory named ~ in my home
directory, so, if the menu isn't updating, double check the file is getting
copied to the right spot.Some people report having to run unity again to get the change to appear, but
it showed up for me. Now left-clicking runs Nightly and right-clicking opens a
menu asking me which profile I want to use.
I also wanted to launch profiles off the regular Firefox icon in the same way.
The easiest way to do that is to copy the built-in one from
/usr/share/applications/firefox.desktop and modify it to suit you.
Conveniently, Unity will override a system-wide .desktop file if you have one
with the same name in your local directory so installing it with the same
commands as you did for Nightly will work fine.
I should probably add a disclaimer that I've used Unity for all of two days and there may be a smoother way to do this. I saw a couple of 3rd-party programs that will generate .desktop files but I didn't want to install more things I'd rarely use. Please leave a comment if I'm way off on these instructions! :)
http://micropipes.com/blog//2016/09/16/getting-firefox-nightly-to-stick-to-ubuntus-unity-dock/
|
|
Mozilla Open Design Blog: Progress in the making |
If you’re just joining this process, you can get oriented here and here. We’re grateful that this process has sparked such interest among Mozillians, those who care about Mozilla, and the global design community—dozens of articles, hundreds of tweets, thousands of comments, and perhaps tens of thousands of words of feedback. As believers in transparency at Mozilla, we consider this a success.
Thanks to all of you who have added your voice to the conversation. Your many constructive comments and suggestions have helped us chart a path forward. Some of you will find that your favored design directions have been let go in the pursuit of something better. We hope you’ll find a design here that you feel best represents Mozilla today and tomorrow.
For many, The Impossible M was an early favorite, but we discovered that it was just too close to other design treatments already in the public domain. The Connector stayed in the running for some time, but was eventually overtaken by new ideas (and always slightly suffered from being a bit too complex).
What we resolved to do next.
Working in tandem with our London agency partner johnson banks and making the most of our time zone difference nearly around the clock, we agreed to redirect efforts toward these design goals:
The Pioneers: This is still a strong and resonant territory, and one that works well with at least one of the final four.
Taking a stand: This positioning emerged directly from our earliest discussions and is still very strong.
The maker spirit: We’ve seen from the first round, the community of Mozillians is vocal and engaged and is key to the organization going forward.
The Health of the Internet: This is a new idea that posits Mozilla is a guardian and promoter of the Internet’s overall well-being.
So there you have it: four final directions. Let us know what you think!|
|
Mozilla Open Design Blog: Route Four: Dino 2.0 |
Comments from the first round on ‘The Eye’ route confirmed a suspicion that the typography might suggest something we didn’t intend, so first we looked at ways to make this creature more approachable.
The, we took a step back and looked again for ways to hint at a ‘zilla (whilst not being too specific), and create the basis of a wide-ranging design scheme. After weeks of experiments and simplification, Dino 2.0 emerged.
Essentially this Dino is just a red chevron and some white type – but somehow that one raised eye can watch and blink in a very unique way. And those jaws can merrily chomp when needs be.
We see this Dino as someone who can straddle two narratives – one that can stand up, be counted, shout, bark and bite when needed – yet act as a figurehead for Mozilla’s maker community across the globe. We’re developing a kind of ‘agit’ toolkit for this route, with crude hand-drawn industrial typefaces, and a suitably red, white and black colour scheme.
We’ve discovered Dino 2.0 successfully change its spots for communities and countries too.
|
|
Mozilla Open Design Blog: Route Three: Burst |
This route has stemmed from two trains of thought – firstly a new narrative direction where we have been actively considering Mozilla’s role in recording and advancing the health of the Internet. Visually we’ve been investigating data-led ideas and classic internet imagery, whilst not forgetting some of the thinking of ‘Wireframe World’ from the first round.
As we looked harder at data sources we realised that five was a key number: Mozilla is collecting data around five key measurements of Internet health as we type (and you read), and there are five nodes in a capital ‘M’. So we combined the two thoughts.
This creates a very beautiful, almost fragile idea that we know has great potential in online and animated forms. It also lends itself well to a set of interlinked images for Mozilla’s many initiatives.
|
|
Mozilla Open Design Blog: Route Two: Flame |
This is a completely new direction. Whilst rooted in the ethos of the ‘Pioneer’ thinking it also crosses over into the ‘Taking a stand’ narratives. We started to think that a flame could be a powerful symbol of Mozilla’s determination to remain the beacon for an open, accessible and equal internet for all, and something that a community gathers around for warmth.
As we started to experiment with flame symbolism, one simple design won through which simply merges an ‘M’ and a flame. After some experimentation, we think a dot/pixellated form for this idea work nicely. It animates nicely, and might even be dynamically generated with lightweight code.
Here are some key slides showing applications out to sub-brands, community designs and merchandise.
Save
|
|
Mozilla Open Design Blog: Route One: Protocol 2.0 |
Protocol is a strong contender from the first round of ideas that we’ve continued to work on and improve. By putting the internet http:// protocol directly into the word – Moz://a – it creates a type-able word mark, and by doing so alludes to Mozilla’s role at the core of the Internet (and hence the ‘Pioneers’ positioning).
We’ve been strengthening the typography from the first round and looking at ways to expand the graphic language out across a typographic and pictogram language. We’ve also enhanced the blue to reflect the palette of the early Web. Here’s an early exploration:
We’re also experimenting with a thought that some of the characters in the mark could swap in and out, randomly, pulling fonts characters or emoticons from a local computer or the web itself. A freaky thought, but could be great.
|
|
Support.Mozilla.Org: What’s Up with SUMO – 15th September |
Hello, SUMO Nation!
We had a bit of a delay with the release of the 49th version of Firefox this week… but for good reasons! The release is coming next week – but our latest news are coming right here, right now. Dig in!
If you just joined us, don’t hesitate – come over and say “hi” in the forums!
We salute you!
OK, I admit it, I’m not very good at making hardware jokes. I’m sorry! I guess you’ll have to find better jokes somewhere on the internet – do you have any interesting places that provide you with fun online? Tell us in the comments – and see you all next week!
https://blog.mozilla.org/sumo/2016/09/15/whats-up-with-sumo-15th-september/
|
|
Mozilla Localization (L10N): Localization Hackathon in Kuala Lumpur |
The last weekend of August saw the largest localization hackathon event the l10n-drivers ever organized. Thirty-four community contributors representing 12 languages from 13 East and Southeast Asian countries journeyed to Kuala Lumpur, Malaysia on Friday, August 26. Jeff, Flod, Gary Kwong and I arrived in time for the welcome dinner with most of the community members. The restaurant, LOKL Coffee, was ready for a menu makeover and took the opportunity to use this Mozilla event to do just that. A professional photographer spent much of the evening with us snapping photos.
We started off Saturday morning with Spectrogram, where l10n contributors moved from one side of the room to another to illustrate whether they agreed or disagreed with a statement. Statements help us understand each community’s preferences to address localization requests. An example: There are too many translation/localization tasks for me to keep up; I want to work on 2000 strings sliced up in 1 year, twice, 6 weeks, 4 weeks, weekly, every other day, daily.
Jeff, the newly appointed localization manager, updated everyone on l10n organization change; the coming attraction of the l20n development; Pontoon as one of the centralized l10n tools; and the ultimate goal of having a single source of l10n dashboard for the communities and l10n project managers.
Flod briefed on the end of Firefox OS and the new initiatives with Connected Device. He focused on Firefox primarily. He discussed the 6-week rapid release cycles or cadence. He also covered the five versions of Firefox: Aurora, nightly, beta, release, and ERS. He described the change to a single source of repository, allowing strings move to production sooner. Firefox for iOS and Android were also presented. It was welcome news that the localized product can be shipped through automatic signoff, without community’s involvement.
I talked about the importance of developing a style guide for each of the languages represented. This helps with onboarding new comers, consistency among all contributors and sets the style and tone for each of the Mozilla products. I also briefly touched upon the difference between brand names and product names. I suggested to take this gathering as an opportunity to work on these.
For the rest of the weekend, our communities worked through the goals they set for ourselves. Many requested to move their locales to Pontoon, causing a temporarily stall in sync. Others completed quite a few projects, making significant advances on the dashboard charts. Even more decided to tackle the style guides, referencing the template and leveraging information from established outlets. When the weekend was over, nine communities reported to have some kind of draft versions, or modified and updated an existing one. Other accomplishments included identifying roles and responsibilities; making plans for meetup for the rest of the year; tool training; improving translation quality by finding critical errors; updating glossaries; completing some high priority projects.
The weekend was not just all work, but filled with cultural activities. Our Saturday dinner at Songket Restaurant was followed by almost an hour of Malaysian cultural dances from across the country, showcasing the diverse cultures that made up Malaysia. Many community members were invited to the stage to participate. It was a fun evening filled with laughter. Our Sunday dinner was arranged inside Pasar Seni, or the Central Market, a market dating back to 1888. It is now filled with shops and restaurants, giving all visitors a chance to take home some souvenirs and fond memories. Many of us visited the near by Pedaling Street, sampling tropical fruits, including Durian, made in all shapes and forms.
Putting together the largest l10n hackathon ever is a big achievement and lots of credit goes to our local support. 
A big thanks to our Malaysian community, led by Syafiq, who was our eyes and ears on the ground from day one, planning, selecting the venue location, advising us on restaurants, lodging, transportation and cultural events. Not only we accomplished what we set out to do, we did it safely, we all had fun and we made more friends. Also a shout-out to Nasrun, our residence photographer for documenting the weekend through his lens. And a thank you to everyone for sharing a very special and productive weekend with fellow Mozillians! See you next time at another hackathon!
https://blog.mozilla.org/l10n/2016/09/15/localization-hackathon-in-kuala-lumpur/
|
|
Air Mozilla: Reps weekly, 15 Sep 2016 |
This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.
|
|
Firefox Nightly: Get a Nightly that speaks your language! |
Over the last months, Kohei Yoshino and myself worked on improving the discoverability of Firefox Nightly desktop builds and in particular localized builds.
Until recently, the only way to get Firefox Nightly for desktop was to download it in English from nightly.mozilla.org or, if you wanted a build in say Japanese, Arabic or French, look for the right FTP sub-folder in ftp.mozilla.org. Nightly.mozilla.org is itself a static HTML page based on a script that scraps the FTP site for builds periodically.
Of course, as a result, about 90% of our Nightly users use an en-US build. The few thousand users using a localized build are Mozilla localizers and long term contributors that knew where to search for them. We were clearly limiting ourselves to a subset of the population that could be using Firefox Nightly which is not a good thing when you want to actually grow the number of nightly users so as to get more feedback (direct and anonymous). The situation was so frustrating to some of our community members that they created their own download pages for Nightly in their language over time.
Then why didn’t we have a proper download page on www.mozilla.org as we do for all Firefox channels (release, beta, dev edition) ? Why are nightly builds available only from a separate sub-domain? One of the reasons was technical, www.mozilla.org uses data provided by the Release Management team through a public JSON API called product-details and that API didn’t provide any information about Nightly. Actually, this API was a typical legacy piece of code that had been doing the job well for a decade but was meant to be rewritten and replaced by another tool year after year. Until the switch to a new compatible API and the addition of Nightly data there, mozilla.org just didn’t know anything about Nightly.
So first we had to actually end the work on the migration from the old to the new API and mozilla.org switched to this new API in August.
Now that the data about Desktop Nightly was available to mozilla.org (and to any django-based Mozilla site that includes the django-product-details library), the front-end work could be started by Kohei so as to create a page that would list all platforms and localized builds and that would reuse as much code and existing assets as possible. And here is the result at mozilla.org/en-US/firefox/nightly/all:
We are working on making that page linked from the nightly site in bug 1302728. That’s only a start of course, we still have a lot of work to make it easier for advanced testers to find our pre-release builds, but now when somebody will ask you for a comprehensive list of Desktop Nightly builds, you’ll know what address to share!
Many thanks to Kohei and the mozilla.org Webdev team for their help on making that happen!
https://blog.nightly.mozilla.org/2016/09/15/get-a-nightly-that-speaks-your-language/
|
|
Jared Wein: <select> dropdown update 2 |
Mike and I met with the “select dropdown” team today and discussed where they’re at and the work that they can focus on for the next week. We are discussing a possible “hack-weekend” October 1st and 2nd at Michigan State.
Freddy got XCode up and running and can debug processes at the single-process/multi-process fork. Jared and Miguel are having issues getting their debugger to work. Freddy will be helping Jared and Miguel with their setup to compare what is different, with the fallback being Jared and Miguel using LLDB as their debugger.
In the past week, the team has also been spending time working on presentations and project plans.
For C++ code, their initial plan was to fake the single-process to run through the multi-process code path by removing the checks for if the code is running in a content process and if a special e10s desktop preference is enabled.
As a quick technical dive: When a select dropdown is clicked, we determine that we’re running in a content process, and we fire an event (“mozshowdropdown”). A content script running in the content process listens for the “mozshowdropdown” event and opens the popup.
The plan to fake the single-process to run through the multi-process won’t work though, because the content script mentioned above won’t be loaded and thus there won’t be an event listener. The content-script is only loaded right now through the remote-browser.xml binding. The content-script would have to be loaded through the non-remote-browser binding (browser.xml) as well as the various message listeners and event listeners.
While working on this, it would be a good idea to move the code from select-child.js to browser-content.js, since we don’t really need a separate file for select items and browser-content.js is loaded in single-process Firefox.
As for styling changes, the students were able to use the Browser Toolbox to change web content through forms.css and see how things like input textboxes could get different default colors. To change the styling of a select dropdown, the students will play around in browser.css to tweak the styling. In the end they’ll want to make sure that the styling exists under the /themes directory, and likely within /themes/shared/.
One of the students asked if we had ideas about specific algorithms or design-patterns that the search-within-the-dropdown implementation should use. We pointed them at the Browser Console’s filtering ability and asked that the students follow the implementation there.
That wraps up our notes from this week’s meeting. We’ll be meeting regularly for the next 10-ish weeks as the students make progress on their work.
https://msujaws.wordpress.com/2016/09/14/select-dropdown-update-2/
|
|
Mozilla Addons Blog: Add-ons Update – 2016/09 |
Here’s what’s going on in the add-ons world this month. I’m changing the cadence (down from every 3 weeks) to better align with other work and spend less time writing these.
In the past month, 1,891 listed add-on submissions were reviewed:
There are 159 listed add-ons awaiting review.
You can read about the improvements we’ve made in the review queues here.
If you’re an add-on developer and are looking for contribution opportunities, please consider joining us. Add-on reviewers are critical for our success, and can earn cool gear for their work. Visit our wiki page for more information.
As we announced before, we simplified the review process by removing preliminary review, making an add-on review a more straightforward pass/fail decision.
All add-ons on AMO have been migrated to the new system, so add-ons that were preliminarily reviewed before are now fully reviewed, but with the experimental flag on by default. We will send a notification email after we iron out some minor bugs that came up after the migration.
The compatibility blog post for Firefox 50 is up, and the bulk validation will be run in a couple of weeks.
Multiprocess Firefox is now enabled for users without add-ons, and add-ons will be gradually phased in, so make sure you’ve tested your add-on and either use WebExtensions or set the multiprocess compatible flag in your add-on manifest.
As always, we recommend that you test your add-ons on Beta and Firefox Developer Edition to make sure that they continue to work correctly. End users can install the Add-on Compatibility Reporter to identify and report any add-ons that aren’t working anymore.
We would like to thank Atique Ahmed Ziad, Surya Prashanth, weaksauce, zombie, jorgk, and Trishul Goel for their recent contributions to the add-ons world. You can read more about their work in our recognition page.
https://blog.mozilla.org/addons/2016/09/14/add-ons-update-87/
|
|
Mozilla Localization (L10N): This is what the power of the open Web looks like |
One of the main goals of Pontoon is lowering barriers to entry. Especially for end users (mainly localizers), but also for contributors to the codebase, since many of our localizers have a developer background.
I’m happy to acknowledge that in the last 30 days there has been more activity from volunteer contributors in Pontoon development than ever before! Let’s have a closer look at what have they been working on:
Last month’s Pontoon contributors
Michal Vas'icek
Michal came up with the idea to highlight matches in original and translated strings when searching in the sidebar. He created a patch, but couldn’t finish it due to his school duties. It was taken over by Jarek, who earlier played a great role in reviewing the original patch by Michal.
Being only 14 years old, Michal is the youngest Pontoon contributor!
Jarek 'Smiejczak (jotes)
Since he became an active Pontoon contributor over a year ago, Jarek has evolved from being not just a great developer but also a fantastic mentor; helping onboard new contributors and review their work. One way or another, he’s been involved with all bugs and features listed in this blog post.
Of course that doesn’t mean he stopped contributing code. On the contrary, he just completed a Firefox Accounts based authentication support which will soon replace Persona. And, he’s already busy working on bringing terminology support to Pontoon too.
Victor Bychek
A lot of our users have been complaining about their email addresses being exposed publicly in Pontoon UI and URLs, even if it complies with Commit Access Requirements. Thanks to Victor, these days are over: we no longer reveal email addresses in top contributor pages and filter by user selector, as long as you set a display name.
Victor is a pleasure to work with and is already busy with his next task, which will allow you to apply multiple filters at the same time.
Stoyan Dimitrov
As the new leader of the Bulgarian localization team, Stoyan takes his duties very professionally. He started by creating a vector version of Pontoon logo and changing the copy.
Later on he created a Firefox Add-On called Pontoon Enhanced, which can add new features to Pontoon before they are deployed or even implemented in the application. It’s basically a Test Pilot for Pontoon.
Michal Stanke
As an agile bug reporter, Michal has been one of the most valuable early adopters of Pontoon. Now he has decided to take a step further.
He set up his local Pontoon instance, fixed a few developer documentation bugs along the way and provided a patch that fixes one of the bugs he reported. It allows us to properly detect placeables of form %(thisIsVariable)s.
Get involved!
I consider myself lucky to be working with this great team. It is particularly valuable to see contributions coming from people who actually use the product. This is what the power of the open Web looks like!
You too can shape the future of Pontoon by filing a bug or starting to work on one of the mentored ones. The barriers to entry are low!
https://blog.mozilla.org/l10n/2016/09/14/this-is-what-the-power-of-the-open-web-looks-like/
|
|
Ben Hearsum: What's New with Balrog - September 14th, 2016 |
The pace of Balrog development has been increasing since the beginning of 2016. We're now at a point where we push new code to production nearly every week, and I'd like to start highlighting all the great work that's being done. The past week was particularly busy, so let's get into it!
The most exciting thing to me is Meet Mangukiya's work on adding support for substituting some runtime information when showing deprecation notices. This is Meet's first contribution to Balrog, and he's done a great job! This work will allow us to send users to better pages when we've deprecated support for their platform or OS.
Njira has continued to chip away at some UI papercuts, fixing some display issues with history pages, addressing some bad word wrapping on some pages, and reworking some dialogs to make better use of space and minimize scrolling.
A few weeks ago Johan suggested that it might be time to get rid of the submodule we use for UI and integrate it with the primary repository. This week he's done so, and it's already improved the workflow for developers.
For my part, I got the final parts to my Scheduled Changes work landed - a project that has been in the works since January. With it, we can pre-schedule changes to Rules, which will help minimize the potential for human error when we ship, and make it unnecessary for RelEng to be around just to hit a button. I also fixed a regression (that I introduced) that made it impossible to grant full admin access, oops!
I also want to give a big thank you to Benson Wong for his help and expertise in getting the Balrog Agent deployed - it was a key piece in the Scheduled Changes work, and went pretty smoothly!
http://hearsum.ca/blog/whats-new-with-balrog-september-14th-2016.html
|
|
Air Mozilla: The Joy of Coding - Episode 71 |
mconley livehacks on real Firefox bugs while thinking aloud.
|
|
Air Mozilla: Weekly SUMO Community Meeting Sept14, 2016 |
This is the sumo weekly call
https://air.mozilla.org/weekly-sumo-community-meeting-sept14-2016/
|
|