Thread: The Technology Vent and Rant Thread
View Single Post
Old 10-07-2018, 01:40 PM   #453
DMcCunney
New York Editor
DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.DMcCunney ought to be getting tired of karma fortunes by now.
 
DMcCunney's Avatar
 
Posts: 6,384
Karma: 16540415
Join Date: Aug 2007
Device: PalmTX, Pocket eDGe, Alcatel Fierce 4, RCA Viking Pro 10, Nexus 7
Quote:
Originally Posted by Toxaris View Post
If I recall correctly, there were serious security flaws with the XUL extension. The flaws were due to the design of the extension framework, not necessarily the extensions themselves. To fix those designs a complete redesign of the framework was required, as the issues were in the base of the framework.
XUL is an XML language intended for creating user interfaces. The Gecko rendering engine underlying all Mozilla products understood and rendered HTML and CSS, and the IonMonkey JavaScript engine embedded in Gecko ran JavaScript. Gecko also understood and rendered XUL, and the "look and feel" of Mozilla products was provided by XUL, CSS and widget sets, with JavaScript performing the actions when you clicked an icon or select4ed a menu choice. If you were fluent in XUL, you could totally revamp what the products looked like, and people did.

The browser was simply an instance of something Gecko rendered, and it didn't have to be a browser. There was work back when to break out Gecko as a stand alone runtime that could be installed once and used by any Mozilla product, instead of embedding a copy in each program. It would have been possible to craft a complete, cross platform UI for the host machine using Gecko.

Mozilla worries about XUL running at a higher privilege level than JavaScript as an attack vector. I'd take that more seriously if I'd ever heard of an actual verified attack using it. (I keep up on that stuff and likely would have.)

Since XUL couldn't make the leap to mobile the point is moot, and one goal these days is pure JavaScript extensions written using the WebEx API that will install and work in mobile devices as well as the desktop.

Quote:
Not to sure though, I abandoned Firefox many years ago.
In favor of what?

I began using Mozilla code when Mozilla was still the internal name for Netscape Communications internal effort to create the next generation follow on for Netscape Communicator 4. The result was more secure than then dominant Internet Explorer, but that wasn't hard to accomplish. Netscape 7/Mozilla Suite/Firefox simply didn't support IE Active-X controls. (There was an extension that would add that support, but it was a "Not recommended and you better know what you're doing!" exercise. I could have but didn't.)

I used Mozilla products because they were more powerful than anything else, and the extension capability was the reason. I still use them because of that.

I have current versions of other things, like MS Edge, Google Chrome, Opera and Falken to keep track of development, but FF is still my browser of choice.
______
Dennis
DMcCunney is offline   Reply With Quote