Yulia Startsev from Mozilla’s SpiderMonkey team joins Jerod & Feross to talk compilers, going back to get your Master’s, making decisions as a group, process of shepherding a feature through TC39, how Firefox actually works, and LavaMoats. Yes, LavaMoats.
If you updated your Firefox to version 89 and were not-so-pleasantly surprised by the brand new Proton interface, this Lepton project may be of interest to you. Lepton doesn’t throw Proton out with the bath water, but aims to improve some key aspects the author didn’t appreciate.
ClearURLs is an add-on based on the new WebExtensions technology and is optimized for Firefox and Chrome based browsers.
This extension will automatically remove tracking elements from URLs to help protect your privacy when you browse through the Internet, which is regularly updated by us and can be found here.
Remember Xmarks? It was great. Floccus does the same thing and even allows you to sync with whatever server you want: any Google Drive, any Nextcloud, any WebDAV server. With more backends in the works.
Today we are pleased to announce Total Cookie Protection, a major privacy advance in Firefox built into ETP Strict Mode. Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site.
You gotta love to see it. 👏
Supercookies can be used in place of ordinary cookies to store user identifiers, but they are much more difficult to delete and block. This makes it nearly impossible for users to protect their privacy as they browse the web. Over the years, trackers have been found storing user identifiers as supercookies in increasingly obscure parts of the browser, including in Flash storage, ETags, and HSTS flags.
To hell with these trackers and the tech they rode in on.
In Firefox 85, we’re introducing a fundamental change in the browser’s network architecture to make all of our users safer: we now partition network connections and caches by the website being visited. Trackers can abuse caches to create supercookies and can use connection identifiers to track users. But by isolating caches and network connections to the website they were created on, we make them useless for cross-site tracking.
You gotta love it 🍻
A Chrome and Firefox extension that mounts your browser tabs as a filesystem on your computer.
This gives you a ton of power, because now you can apply all the existing tools on your computer that already know how to deal with files – terminal commands, scripting languages, point-and-click explorers, etc – and use them to control and communicate with your browser.
Now you don’t need to code up a browser extension from scratch every time you want to do anything. You can write a script that talks to your browser in, like, a melange of Python and bash, and you can save it as a single ordinary file that you can run whenever, and it’s no different from scripting any other part of your computer.
Command line tool to extract the main content from a webpage, as done by the “Reader View” feature of most modern browsers. It’s intended to be used with terminal RSS readers, to make the articles more readable on web browsers such as lynx. The code is closely adapted from the Firefox version and the output is expected to be mostly equivalent.
I could see this fitting in nicely in a pipeline between curl and, well, lots of other commands.
The fallout from Mozilla’s August shake-up is beginning to land and Firefox Send has been officially shuttered. The free file sharing service was already taken offline over the summer to fend off some spear phishing attacks, but any hopes of it coming back online are now dashed.
The project’s GitHub repo continues to trend in Changelog Nightly despite its now-archived status. Why all the posthumous starring? Maybe people are quietly paying their respects for the deceased… 🤔
Coil is a web monetization effort where you subscribe for $5 a month and get access to various exclusive content things on participating websites. I think of it like Brave meets Patreon.
Firefox Reality is “mixed reality” (AR/VR) games and experiences from around the web.
The news here is that Mozilla is adopting Coil to experiment with monetization on Firefox Reality. Coil is for-profit, which adds a wrinkle to things. It uses Interledger to move money, which means creators can work in whichever currency they like. Lots of details and explanations in the linked post from Mozilla’s blog.
Firefox is mostly written in C and C++. These languages are notoriously difficult to use safely, since any mistake can lead to complete compromise of the program.
The team has thus far had 2 strategies for securing the codebase: breaking code into multiple sandboxed processes with reduced privileges, and rewriting code in a safe language like Rust.
Today, we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of California, San Diego, the University of Texas, Austin, and Stanford University, allows us to quickly and efficiently convert existing Firefox components to run inside a WebAssembly sandbox.
This strikes me as a bonkers idea and kinda brilliant.
The core implementation idea behind wasm sandboxing is that you can compile C/C++ into wasm code, and then you can compile that wasm code into native code for the machine your program actually runs on.
Click through to read more about how they’re pulling this off.
The main differences with existing extensions are: multiple selections, keyboard layout agnostic, SOV (subject–object–verb) constructs and simple interaction with external programs. It is also quite usable with the mouse.
A fully private memory-boosting extension to eliminate time spent bookmarking, retracing steps to recall an old webpage, or copy-pasting notes into scattered documents. Its name and functionalities are heavily inspired by Vannevar Bush’s vision of a Memex.
“Memex” is thought by some to be a portmanteau of “memory” and “index”. Makes sense to me.
The WebSocket Inspector is part of the existing Network panel UI in DevTools. It’s already possible to filter the content for opened WS connections in this panel, but till now there was no chance to see the actual data transferred through WS frames.
This is rad. It’ll ship to all Firefox users in version 71, but it’s available in Firefox Developer Edition today.
This in-beta feature should be stolen by all browser DevTools teams. Such a great idea!
A collective effort by browser makers (Microsoft, Mozilla, and Google) to understand where the dev community would like them to invest their energy.
We started this project to collect your feedback about the current state of the web and to give you a voice to help shape the future of the web.
They’re taking this effort on the road to various conferences, but there’s also a non-geographically-constrained way of sounding off: you can fill out the form on the website. 😄
Those sneaky Mozillians are up to no good with their new tool to confound advertisers:
Let us open 100 tabs of pure madness to fool trackers into thinking you’re someone else.
Mozilla has officially released Firefox Monitor, which gives us a glossy front-end to review the many breaches out there.
I signed into my Firefox account, registered a few emails, and got the news (see image). Give it a try while I go delete some old accounts…
This is a fully-featured Firefox Send client. Max file size is 2GB and recipients can download the file via the same tool or their web browser.
Called “letterboxing,” this new technique adds “gray spaces” to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished.
This appears to be a major win for privacy advocates. It also seems like a chink in the armor of Chrome’s dominance, given that many people have lost trust in its privacy model.
Gervasio Marchand lays out all the ways in which Slack’s threads feature is lacking. Then he goes on to describe why his browser extension, Refined, makes threads better.
Should I read this 22-minute read on the state of web browsers? Sure. Count me in!
Microsoft has confirmed the rumor to be true. We now have one less browser engine, and a last man standing (Firefox) in deep trouble (reasons below).
The web now runs on a single engine. There is not a single browser with a non-Chromium engine on mobile of any significance other than Safari. Which runs WebKit, kind of the same engine as Chromium, which is based on WebKit.
Several major browsers you and I use every day are capable of leaking our browsing history, and they all know about it. Caroline Haskins at Motherboard writes:
Most modern browsers—such as Chrome, Firefox, and Edge … have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego.
In a statement provided to Motherboard via email, senior engineering manager of Firefox security Wennie Leung said that Firefox will “prioritize our review of these bugs based on the threat assessment.” Google spokesperson Ivy Choi told Motherboard in an email that they are aware of the issue and are “evaluating possible solutions.”
Ben Adida shared this on Twitter:
When the first web history sniffing attacks came out, I suggested we had to change the notion of a visited link: a link would be marked visited by origin (edges, not nodes.) That was considered too dramatic a change. Maybe it’s necessary after all.
Who’s ready to dig into this research and share how vulnerable we really are and what types of malicious websites could/would extract our browsing history? If you do, let us know so we can link it up.
Specifically, they are considering making Cloudflare the default nameserver. A new feature called “Trusted Recursive Resolver” (TRR) could be turned on by default, and therefore override the DNS changes you’ve configured in your network.
Cloudflare says it takes your privacy more seriously than telecommunication service providers do because this DNS query will be encrypted, unlike regular DNS. They also promise not to sell your data or engage in user profiling.
This is a deep subject with many, many layers. Dig deep on this one. So, the question is — under what circumstances would it be OK for Cloudflare (or any other third party) to take over our DNS by default?