The Java Debacle

In case you weren't aware, last week, on Friday October 18, all versions of Java were marked as unsafe in Firefox 24. You can see the details in bug 914690.

When Monday rolled around reports of problems started coming in. Companies unable to use their software. People unable to do their banking. Citizens unable to access government sites. Hundreds of millions of users affected.

It took three days for the decision to be made to remove the block, and since the blocklist is cached, even more for users to see the results.

Looking back, I'm surprised out how lightly this change was taken. Marking Java as unsafe is a major change that affects millions of users; it should have been handled much better. Here are some of the things that were wrong with this decision:

  • The decision was made without involving the major stakeholder (Oracle). The change took them completely by surprise.
  • The decision was made out of band. There had just been an upgrade to Firefox 24 with no problems. Then all of a sudden Java stopped working.
  • The decision was made with no communication. There were some articles a few months ago (none official from Mozilla), but there was no discussion or notification of this specific change. (And please don't call the platform newsgroup communication.)
  • The change was made without proper testing. After it was rolled out, it became pretty clear that there were quite a few cases where users were not being notified about the block. People were also having trouble navigating the UI when it appeared.
    • The saddest part about this entire change is that the latest version of Java IS click to play! Oracle already has warnings that are better than what Firefox displays.

      I understand the need to protect users, but when major decisions like this are made, developers need to think about ALL of the implications. Otherwise, the fallout can be disastrous.

All versions of Java blocked by default in Firefox

UPDATE: This change has been reverted for now. It will take a couple days for the blocklist to be updated on everyone's machine.

A while back, Mozilla had announced a plan to block all versions of Java by default. While that didn't happen when Firefox 24 shipped, it has been done via an update to the blocklist. See bug 914690.

It's unfortunate that this happened on the ESR, since Java is still essential for some enterprise applications (and apparently the entire country of Denmark).

I don't have any information yet if you can use the permissions API to enable Java for necessary sites. For now, you might just have to turn off the blocklist by setting extensions.blocklist.enabled to false.

UPDATE: You can also use the Click-To-Play Manager add-on to update the domain whitelist. I'll be adding support for this into CCK2.

Mozilla Summit - Reframing the Enterprise Discussion

Recently, hundreds of Mozillians from all over the world gathered in three different locations for the Mozilla Summit. I had the opportunity to attend the summit in Toronto.

While I was there, I attended a couple sessions where the Firefox UX team talked about Firefox User Types in North America. The UX team did an incredible job framing the various types of Firefox users. It made me realize that the same thing is important to do for the types of people that need an "enterprise Firefox."

When I say "enterprise Firefox," the only use case that most people think about is big companies limiting what end-users can do. But there are very valid reasons why someone would need to configure Firefox in a very specific way.

Sometimes the reason is physical safety. Think about a browser on medical equipment or a factory floor.

Sometimes the reason is online safety. Think about a browser at an elementary school or shared by members of a family with different ages.

Sometimes the reason is legal or regulatory. Think about a browser at a bank or a securities firm.

Sometimes the reason is simply that the computer is shared by a lot of people. Think about a browser at a library or a nursing home or a web cafe or a homeless shelter.

I think for a lot of us, we tend to see other computer users exactly like ourselves. We need to realize that people (and organizations) use computers in completely different ways, ways that most of us don't even know about. As long as we build software primarily for ourselves, we're going to completely miss out on opportunities for Firefox.

Sometimes the user of Firefox is not the end-user. It's the administrator or company that wants to deploy Firefox to their end-users. We need to make sure that Firefox is a great browser for them as well.

We need to balance end-user desires with administrator constraints.

Maybe what we need here is a new word? Enterprise doesn't really capture the spirit of what I'm trying to do. Anyone have any ideas?

Getting ready for CCK2

The first version of the CCK Wizard was released on AMO on May 11, 2006. It was designed for Firefox 1.5 and copied the original Netscape CCK. Back then, I was just getting my feet wet in writing Firefox extensions and the CCK Wizard shows it. The core CCK Wizard hasn't even changed much over the past seven years. It's time for a change.

I'm excited to announce today that I'm working on a brand new CCK that is completely rewritten from the ground up. I'm calling it CCK2. It incorporates many requested features and most importantly, it allows just about everything that previously could only be configured via an extension to be configured via autoconfig (assuming the core CCK2 management extension is loaded into the Firefox distribution directory.)

As part of this move, I'll be creating a CCK support mechanism which I'll be detailing in the next few weeks.

I'm also setting up a newsletter for CCK2 as well as for Firefox enterprise news in general. This newsletter will be the only place I announce betas for CCK2. I will also be asking for feedback on various aspects of development. I strongly recommend you sign up if you have any interest in the future of the CCK or Firefox in the enterprise.

So please sign up and stay tuned for some great stuff.



Extension Update UI

If you're upgrading your users and you don't want the extension update dialog to show, just set the preference extensions.showmismatchUI to false.

The Return of Operator (sort of) and other Mobile Add-ons

I did a few add-ons for the Amp Your Firefox Contest. I was waiting to publicize them just in case I needed to beg for votes. Sadly, I don't.

The first one is Total Title. It allows you to easily see the full title text for images. It's primarily for comic sites like xkcd that hide additional jokes in the title attribute.

The second one is Site Shaker. If you go to a web site, you can shake your phone and it will take you to a random link on that site. It's a fun way to navigate through Wikipedia.

The third one is Operator Mobile. Using Glenn Jones' awesome microformat-shiv, I was able to implement microformat support on Firefox Mobile. It allows the export of contacts and calendar events to your mobile device, as well as the opening of addresses into whatever mapping app you are using. I'm investigating a new desktop version of Operator as well, but it's taken a back seat to other efforts. Hopefully I'll be able to put something together soon.

Enjoy.

Keyword Search Updated


Version 1.0.5 of Keyword Search is up.

It adds:

  • Setting the search engine for about:home
  • I'm Feeling Lucky support for Google
  • Browse by Name support for Google
  • I'm Feeling Ducky support for DuckDuckGo

I'm really trying to avoid adding support for custom URLs (like keyword.URL). I'd rather try to address the reasons why people need to use custom URLs. If there is some other reason you prefer to use a URL, please let me know.

I've also fixed a few bugs:

  • When you disabled the add-on it was still functional.
  • Using search engines with non English names didn't work.
  • Sometimes searches would go to the wrong window/tab.

I've had some reports of searches in other languages not working, but I haven't been able to recreate it. Honestly, this shouldn't happen because the method I'm using to invoke the search is the exact same method that Firefox uses when it does a keyword search. If you are able to recreate this consistently, I'd love to hear from you.

Keyword Search and Firefox 23

UPDATED: 1.0.2 adds support for POST search engines. You'll have to install it manually if you have 1.0, since non approved add-ons don't get updated automatically.

If you've been keeping up with the development of Firefox 23, you know that one of the big complaints is the change to keyword search. Starting with Firefox 23, searches in the URL bar will always use the search engine that is set in the search bar. So if you change your search bar to Wikipedia, and then do a search in the URL bar, it will use Wikipedia.

I've built an add-on that allows you to set the keyword search engine separately from the search bar. It can be any search engine you have installed. It's called Keyword Search and it's available from AMO.

Also note that this add-on includes DuckDuckGo as a recommended search engine. If you like the work I do, please consider trying it out and seeing if you like it.

Shameless Plug for TrackIF

This is a shameless plug for an add-on I worked on. It's called TrackIF. The way it works is that when you see a product you want to track the price of, you click the add-on button and add it to your tracker list. It will then notify you when the price drops or reaches a specific threshold. And it's not just about stores, you can track craiglist, eBay or even real estate.

The Firefox extension is available here.