Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Thursday November 16 2017, @09:42AM   Printer-friendly
from the my-extensions-dont-work dept.

From Firefox's faster, slicker, slimmer Quantum edition now out

[...] Collectively, the performance work being done to modernize Firefox is called Project Quantum. We took a closer look at Quantum back when Firefox 57 hit the developer channel in September, but the short version is, Mozilla is rebuilding core parts of the browser, such as how it handles CSS stylesheets, how it draws pages on-screen, and how it uses the GPU.

This work is being motivated by a few things. First, the Web has changed since many parts of Firefox were initially designed and developed; pages are more dynamic in structure and applications are richer and more graphically intensive. JavaScript is also more complex and difficult to debug. Second, computers now have many cores and simultaneous threads, giving them much greater scope to work in parallel. And security remains a pressing concern, prompting the use of new techniques to protect against exploitation. Some of the rebuilt portions are even using Mozilla's new Rust programming language, which is designed to offer improved security compared to C++.

Also at: Firefox aims to win back Chrome users with its souped up Quantum browser

The fastest version of Firefox yet is now live


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by FakeBeldin on Thursday November 16 2017, @09:45AM (20 children)

    by FakeBeldin (3360) on Thursday November 16 2017, @09:45AM (#597628) Journal

    Though a few have updated. I believe no-script, mublock origin, and https everywhere exist now in usable form for the new firefox.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=1, Informative=2, Total=3
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 5, Informative) by KritonK on Thursday November 16 2017, @10:59AM (9 children)

    by KritonK (465) on Thursday November 16 2017, @10:59AM (#597637)

    Noscript is still being worked on. It should become available any day now, but it is not ready yet. Ublock origin is already available, but with some minor problems regarding <noscript> tags, which is unknown if they will be fixed: from what I understand, uBlock origin's developer has requested additional functionality from the WebExtensions API, but according to noscript's developer, equivalent functionality is already present and is being used by noscript.

    The photon UI is a step away from the ugliness of Australis, while the modern ugliness of Photon, with its monochromatic black icons can be overriden using CSS (check here [github.com] for a nice set of presets from which to chose from, created by the author of Classic Theme Restorer), so when the above two addons become ready for prime time, it might not be as inconceivable to keep using Firefox, as we originally thought, even if many of the other plugins have stopped working. Until these two are ready, however, I won't even consider switching from Waterfox.

    • (Score: 2) by Nerdfest on Thursday November 16 2017, @01:42PM (8 children)

      by Nerdfest (80) on Thursday November 16 2017, @01:42PM (#597676)

      If uBlock has migrated, odds are that uMatrix has as well, and in my opinion, it's superior to NoScript.

      • (Score: 2) by takyon on Thursday November 16 2017, @01:58PM (6 children)

        by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Thursday November 16 2017, @01:58PM (#597687) Journal

        uBlock is for scrubs, uMatrix is for PROs.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 2) by RS3 on Thursday November 16 2017, @04:16PM (3 children)

          by RS3 (6367) on Thursday November 16 2017, @04:16PM (#597748)

          uBlock is for scrubs, uMatrix is for PROs.

          I guess I'm somewhere in between. uBlock0 is usually on; uMatrix when I'm in the mood to do a ton of clicking. Unlike so many control panels / options / settings menus these days, you have to be sure to save after teaching uMatrix, or all that clicking was for naught. Not sure if they have a way to export that info, it would be great to be able to copy it to other computers.

          • (Score: 1, Informative) by Anonymous Coward on Thursday November 16 2017, @08:03PM (2 children)

            by Anonymous Coward on Thursday November 16 2017, @08:03PM (#597862)

            1. You can use the sync feature to sync setting between computers or just export the rules in the dashboard for bot uMatrix and uBlock.

            2. You can set uBlock to "I am an advanced user" and then it adds a clickable field like uMatrix, but not quite as detailed. See: https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode [github.com] although I use "hard mode" myself.

            • (Score: 2) by RS3 on Thursday November 16 2017, @09:14PM (1 child)

              by RS3 (6367) on Thursday November 16 2017, @09:14PM (#597903)

              Awesome, very informative, thank you!

              My typical brute-force mode is to just copy the extension's whole sub-directory.

              • (Score: 0) by Anonymous Coward on Friday November 17 2017, @02:28AM

                by Anonymous Coward on Friday November 17 2017, @02:28AM (#598039)

                I forgot to mention, Firefox and Chrome both have limits on how much data you can sync, so if you have too many, you may have to roll your own. Luckily, that is stupidly easy if you know what you are doing, but can be frustratingly difficult if you don't.

        • (Score: 0) by Anonymous Coward on Thursday November 16 2017, @08:57PM

          by Anonymous Coward on Thursday November 16 2017, @08:57PM (#597892)

          Fine, scrubs whatever. Do I have the TIME to clickify everything? That is where NoScript operates so easily. With FF57, what add-ons should I add. Is uMatrix a superset of uOrigin, so no need for the latter, or totally different? What else should I add in? Not trying to be funny here, but there are thousands of add-ons and most of them are nonsense, but a few can enhance security and improve the surfing experience.

        • (Score: 1) by Crash on Friday November 17 2017, @09:03AM

          by Crash (1335) on Friday November 17 2017, @09:03AM (#598113)
          uMatrix is pretty awesome (and works for 95%+ of my usage), but it does not allow you to blacklist-or-whitelist specific resources. So you pretty much need to use both of Gorhill's extensions (uMatrix & uBlock) if you need finer than domain-level contol.
      • (Score: 2) by KritonK on Thursday November 16 2017, @02:12PM

        by KritonK (465) on Thursday November 16 2017, @02:12PM (#597698)

        Indeed, it has migrated. Not much of a surprise, as it was already working in chrome. It probably needed few, if any, changes, to run in firefox.

        As to which is better, that is a matter of preference. With noscript, I have enabled "Temporarily allow top-level sites by default / Base 2nd level Domains", and most sites work as intended, with the possible exceptions of embedded multimedia, if they are served from another host, e.g., youtube, in which case I only need to allow that host. With uMatrix, I have to micromanage every single site, specifying not only the hosts from which it is allowed to use resources, but the kind of resources it is allowed to use as well. Theoretically, one can come up with the minimum amount of permissions that one needs to enable, in order for a site to work. In practice, this is way too much work, not to mention that one needs to actually understand what all these kinds of resources are. With uMatrix, I find myself enabling all the resources of host after host (example.com, cdn.example.com, images.example.com, whydotheyusesomanyhostnamesat.example.com, etc.), then doing it again, as some resources need to be enabled individually, with the process often getting out of hand, as the list of hosts keeps increasing, each time one is enabled. Thus, I prefer using noscript.

  • (Score: 3, Insightful) by TheRaven on Thursday November 16 2017, @11:04AM (7 children)

    by TheRaven (270) on Thursday November 16 2017, @11:04AM (#597638) Journal

    The problem is not that Firefox is breaking compatibility with addons, it's that they waited so long to do it. Chrome was release 9 years ago with per-tab sandboxing. Safari had it shortly after. Edge has had it since its creation. It's something that is now considered such a basic feature of web browsers that no one bothers to mention it in their marketing. Firefox 57 finally starts to introduce this. Adding per-tab sandboxing was always going to mean changes to the add-on model, because the classic add-on model had no thought to security and gave every add-on complete access to every browsing context. You don't want to go to the trouble of compartmentalising your web browser and then allow every add-on that people use to be an exploit vector for bypassing it.

    The writing has been on the wall for almost a decade. I think I last actively used Firefox on the desktop[1] in 2012, because even then running a web browser with no sandboxing seemed irresponsible.

    [1] I actually like Firefox on Android, and don't mind so much the lack of compartmentalisation there because I don't log into any web sites with my phone and the OS provides sandboxing to isolate the browser from the rest of the system. Unfortunately, they screwed up distribution to the point where it was pulled from F-Droid. I'd use it again if Mozilla would publish an F-Droid repo.

    --
    sudo mod me up
    • (Score: 1, Interesting) by Anonymous Coward on Thursday November 16 2017, @04:31PM

      by Anonymous Coward on Thursday November 16 2017, @04:31PM (#597755)

      The real problem, of course, is that browsers have tabs at all. Window managing should be left to the window manager, and any decent window manager will provide options for the user to group them (likewise we have finally moved away from the MDI [wikipedia.org] abomination). Process spawning should again be left to user preference or system settings, as should worrying about "sandboxing" to prevent leakage (of which there are a varity of ready-made [wordpress.com] tools [sandboxie.com]).
      Or put another way, the whole "the browser is the system" mentality is the cancer that is has killinged internet browsers.

    • (Score: 0) by Anonymous Coward on Friday November 17 2017, @08:54AM (5 children)

      by Anonymous Coward on Friday November 17 2017, @08:54AM (#598108)

      That makes no sense to me.

      The browser has full access to every tab, not matter what you do. I don't see the browser as more trusted than add-ons, I more see the add-ons (such as Classic Theme Restorer) as the browser, and the actual browser as the rendering engine. But then, most of the add-ons I have installed were originally Firefox features that became add-ons when the features were removed from Firefox.

      • (Score: 2) by TheRaven on Friday November 17 2017, @10:08AM (4 children)

        by TheRaven (270) on Friday November 17 2017, @10:08AM (#598126) Journal

        The browser has full access to every tab, not matter what you do

        I don't know how far Firefox has gone, but that's certainly not true for Chrome or Safari. The browser is split into multiple compartments, which are isolated by putting them in different processes. Network processing is isolated from the UI and each tab has a separate renderer process that receives the data for that tab, runs the scripts, and renders into a texture in shared memory. The 'browser' (parent) process transfers this texture to the screen and sends messages to the renderer process in response to user input (e.g. click here, scroll down, zoom out). The parent process has no visibility into the DOM for any page, nor access to JavaScript state. It validates URL requests, but that's about it. For security, the interface between the renderer process is as narrow as possible so that a compromise in the renderer has a narrow attack surface.

        If you want to support add-ons in this model, you have to make them run either in the renderer process (in which case they can do arbitrary things to the DOM, but can't be allowed access to any global state without compromising the security model), or in the parent process (in which case they can do arbitrary things to the UI, can block network connections, but can't access the DOM). The old Firefox extension model had no separation there and most extensions used interfaces that touched both the DOM and the exterior UI (it didn't help that XUL effectively made the rest of the UI a DOM, so these APIs were the same in many cases). There is no way to make that work with a compartmentalised model.

        --
        sudo mod me up
        • (Score: 1, Interesting) by Anonymous Coward on Friday November 17 2017, @10:48AM (3 children)

          by Anonymous Coward on Friday November 17 2017, @10:48AM (#598132)

          The browser (code that you downloaded from either mozilla.org or google.com) has access to everything.

          Sure it's compartmentalized, but there is still communication between compartments, otherwise the UI wouldn't work. That communication can be done for add-ons also.

          Compartmentalizing these things are not to defend the page against the browser, but to prevent bugs in the parts of the browser in contact with one page to take down every page open in the browser. A good idea, especially considering the stability of browsers at the time this was introduced, but not something that add-ons should need to care about.

          • (Score: 2) by TheRaven on Sunday November 19 2017, @09:00PM (2 children)

            by TheRaven (270) on Sunday November 19 2017, @09:00PM (#599034) Journal
            So you're saying that add-ons should be allowed to communicate between the unprivileged and privileged parts of the application, across security boundaries within the application, and shouldn't have to think about security? I have no words for how terrible an idea that is.
            --
            sudo mod me up
            • (Score: 2) by FakeBeldin on Tuesday November 21 2017, @08:50AM (1 child)

              by FakeBeldin (3360) on Tuesday November 21 2017, @08:50AM (#599586) Journal

              Naah, GP is saying that browsers should be secure no matter what the plugins are doing.
              I have no words for how wonderful an idea that is ;-)

              • (Score: 2) by TheRaven on Tuesday November 21 2017, @09:48AM

                by TheRaven (270) on Tuesday November 21 2017, @09:48AM (#599595) Journal
                That's precisely what Chrome and Firefox are doing (or, at least, trying to do), by forcing the plugins to respect the compartmentalisation policy and not communicate across security boundaries.
                --
                sudo mod me up
  • (Score: 2) by bart9h on Thursday November 16 2017, @11:44AM (1 child)

    by bart9h (767) on Thursday November 16 2017, @11:44AM (#597644)

    I can switch back to Firefox when there's a working Vimperator-style addon.

    Meanwhile I'll stick with cVim [github.com].

    • (Score: 3, Interesting) by bart9h on Thursday November 16 2017, @12:01PM

      by bart9h (767) on Thursday November 16 2017, @12:01PM (#597646)

      I just downloaded FF57 to give it a try anyway, and to my surprise (apart from it loading really fast) there *were* some results for "Vim" on the addons search.

      I'll try and see if any of them is good enough.