A few months ago, you might have seen me on Twitter or Facebook promoting a movie called Blue Like Jazz. If you don't know the story, you should read it. The movie wasn't going to be made, but through an incredible Kickstarter campaign, they raised almost $350,000 and were able to complete and release the movie.
As part of the promotion for the movie, they hid 28 boxes in 28 cities where the movie was opening. I haven't seen many people talk about the box, so I thought I would do a quick post about the box I found.
Another question that comes up a lot is how to prevent users from installing add-ons. There's a preference, xpinstall.enabled, but it's useless because it does nothing to prevent access to the Add-ons Manager. This is a problem because you can install add-ons from AMO there, from the Get Add-ons tab. In addition, when you try to install an add-on with the pref set to false, Firefox lets you enable it with one click. So we need to make that preference more effective and we need to hide the Add-ons Manager.
In Firefox 13 (actually, Firefox 12), Firefox introduced the ability to override the new tab page with the preference browser.newtab.url. For extension developers, this is great because it allows us to remove all of the different hacks we were using to add content to the new tab page. Unfortunately, it can also create problems as various extensions stomp on each other trying to take over the new tab page.
I've added support for overriding the new tab page to three different extensions, so I've learned a great deal about using this new preference in a way that coexists with other extensions and does the right thing for the user. My goal with this post is to give some best practices for overriding the new tab page in your extension. The code samples in this post assume a basic knowledge of how Firefox extensions work, including preference observers. You probably won't be able to just cut and paste them into your extension.
I was reminded that there is one more way to get to private browsing - typing about:privatebrowsing in the URL bar. This gives us a chance to talk about another thing you can do in chrome.manifest - override.
So in case anybody cares, what happened was that I apparently have a theme that got hacked. It appears that a theme called super blogger had a helper.php file in its images directory, which allowed files to be posted into that directory.
Using that uploaded file, extra code was added to my functions.php file in my standard theme, which opened a backdoor and gave free rein.
Many thanks to Alex McKee who helped me track things down.
I recommend reading this post from Dave Meehan for more detail.
FYI, a couple things that should have clued me in (which I'll look for in the future). First, I started getting an error on my admin console about extra data sent before the headers. I stupidly went into functions.php and fixed it (even working with 8Bit support) without noticing the added code. Second, in the source to my pages, there was a misspelled "Wordpres Counter." That should have clued me in as well.
My WordPress site was hacked and apparently over the past couple days there was an embedded iframe that was causing a virus to be sent down. I did not totally determine what happened, but I'm continuing to investigate. I removed some bad code I saw.
Please make sure you use antivirus and your definitions are current. If you do get a warning on any page, please let me know so I can investigate.
Update: I was reminded that using visibility: collapse for menu items leaves them in the key navigation. Instead, you should use hidden="true" or, in places where that doesn't work (context menus), display: none.
In my previous post, I showed how to set up a basic extension in Firefox. Having this extension will allow us to do some Firefox customization. Before I get into this post, though, I wanted to clarify one thing. I had you put your XUL overlay in the root directory and point your content directory to ./. I did that to make things simpler, but in practice you'll want to separate your files. The structure most commonly used is a chrome directory with a content subdirectory underneath. In that case, the directory in the chrome manifest would be chrome/content/.
With that out of the way, let's customize Firefox. We're going to prevent a user from accessing private browsing. We need a disclaimer here, though. We are not removing private browsing, we are just removing access. So if the user has an add-on that invokes private browsing, or if they have access to about:config, they can still turn on private browsing. For any of these customizations, there's an expectation that the right things have been done to prevent the user from accessing functionality via other means.
I've decided I'm going to expand on my earlier post about customizing Firefox with extensions. A lot of the things people have asked for recently can only be accomplished with extensions, so I want to try to give people a very basic handle on creating extensions so I can then give sample code of the specific things people are trying to do.
My goal here is NOT to teach people how to build extensions. You can find that information on AMO or MDN. My goal is to give people a very basic understanding of how one particular type of extension works so I can produce simple code snippets you can drop in and use for your Firefox distribution. If you need anything more complex, you're going to have to hire me.
Recently I had to modify a page to work with Pinterest. The problem was that all the images on the page were either CSS background images or had a height or width of less than 80 pixels. In those cases, the Pin It bookmarklet simply ignores the images. So the question I had was how to make a page Pinterest friendly without impacting the design.
This article on Ars Technica seemed to fly under the radar, so I wanted to make sure people saw it.
Ars browser shootout: which Web browser is best for business?
I was interviewed for the article. You can see my comments on page 4.