Category Archives: Mozilla

Mozilla products, services and marketing including Firefox, Thunderbird, Sunbird, etc.

File Upload Security

Recently, from a post sent by Peter-Paul Koch to css-discuss, I discovered a security flaw using <input type="file"> controls, CSS and JavaScript. Peter explained a technique that allows authors to have more control over the style of file upload controls. For those of you who don’t know, browser vendors limit the amount of styling and DOM access to file upload controls for security reasons. This technique can be used to make the user think they are simply entering text into an ordinary text box, when in fact they are entering it into a file upload control.

It works by positioning an ordinary text box underneath a file upload control and then setting opacity for the file upload control to 0:

input.file {
    /* Assumes the file upload control has a
     * class="file" attribute
     */
    -moz-opacity: 0; /* For Mozilla */
    opacity: 0;      /* For CSS3 compliant UAs including
                      * recent Mozilla builds */
    filter: alpha(opacity=0); /* For IE (proprietary filter syntax) */
}

JavaScript is used to copy the text from the file upload control to the text box behind, as it’s entered by the user. This security hole applies to Mozilla, Firefox and Internet Explorer.
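As an added example (not code from the original post), here is a heuristic check a site owner, auditor or extension author could run over a page's form controls to flag exactly this trick: a file control made fully transparent and laid over a text box. The descriptor format and the collectInputs() helper are my own assumptions, and the sample data is constructed.

```javascript
// Added example: heuristic detector for the disguised file-upload trick.
// Flags any type="file" input that is fully transparent and overlaps a text
// box. Works on plain descriptor objects (an assumption, so it runs outside
// a browser); collectInputs() shows how to build them in a real page.
function parseOpacity(style) {
  // Honour the three spellings used in the post's CSS.
  if (style.opacity !== undefined && style.opacity !== "") {
    return Number(style.opacity);
  }
  if (style["-moz-opacity"] !== undefined) {
    return Number(style["-moz-opacity"]);
  }
  const m = /alpha\(\s*opacity\s*[=:]\s*(\d+)\s*\)/i.exec(style.filter || "");
  return m ? Number(m[1]) / 100 : 1;
}

function overlaps(a, b) {
  return a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
}

// inputs: [{ type, style: { opacity, "-moz-opacity", filter }, rect: { left, top, right, bottom } }]
function findDisguisedFileInputs(inputs) {
  const textBoxes = inputs.filter((i) => i.type === "text");
  return inputs.filter((i) =>
    i.type === "file" &&
    parseOpacity(i.style) === 0 &&
    textBoxes.some((t) => overlaps(i.rect, t.rect)));
}

// Browser-side helper (assumed usage in a page; not exercised in this file).
function collectInputs(doc) {
  const win = doc.defaultView;
  return Array.from(doc.querySelectorAll("input")).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { type: el.type,
             style: { opacity: cs.opacity, filter: cs.filter },
             rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom } };
  });
}

// Constructed sample: a text box with two invisible file inputs laid over it
// (one via opacity, one via the IE filter) and one honest file input elsewhere.
const SAMPLE_INPUTS = [
  { type: "text", style: { opacity: "1" }, rect: { left: 10, top: 10, right: 210, bottom: 30 } },
  { type: "file", style: { opacity: "0" }, rect: { left: 10, top: 10, right: 210, bottom: 30 } },
  { type: "file", style: { filter: "alpha(opacity=0)" }, rect: { left: 10, top: 10, right: 210, bottom: 30 } },
  { type: "file", style: { opacity: "1" }, rect: { left: 10, top: 100, right: 210, bottom: 120 } },
];
```

In a page, findDisguisedFileInputs(collectInputs(document)) returns the suspicious controls; on the constructed sample it flags the two transparent ones and leaves the honest file input alone.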

I created some demonstrations to show how this could potentially be used. Combine that with the security holes discussed in bug 57770, and that’s quite a serious exploit. I reported it on Bugzilla, and to Microsoft. Although Microsoft’s feedback mechanism was not very easy to find, I eventually found an e-mail address and actually received a prompt reply thanking me for taking the time to contact them with my constructive feedback (it was not just an automated response). I’m yet to hear anything from Bugzilla, nor a reply to my post to the WHAT-WG mailing list. Let me know how serious you think this is, or if you feel like putting it to some practical use.

PS. I still have 2 GMail invites available. E-mail me if you want one.

The Great Browser Switch

The day we, as web developers, have been looking forward to for years may finally be upon us sooner than we think. Many of us have known for years about the many flaws in Internet Explorer with regard to standards, security and even usability features compared with other alternatives such as Mozilla, Firefox, Opera, Safari, OmniWeb, Konqueror, Camino, iCab and many more. We’ve dreamed of the day when we can cease supporting Internet Explorer with the many CSS hacks required for a standards compliant layout to render correctly; and the day we can finally fully adopt XHTML, although IE isn’t the only user agent holding us back on that point.

The campaigns have started with the momentum of a freight train. There have been many positive news reports that favourably mention alternative browsers, and recommend switching from IE. The Mozilla Foundation have started a 10 week marketing campaign to coincide with the release of Firefox 1.0 due on September 14th. WaSP are sponsoring the Browse Happy campaign incorporating the four major browsers. Some individuals are taking action, such as Jakob Perry who has started switch2firefox.com. Although the site would qualify as a pirated site for copying the Apple Switch campaign, let’s not discredit someone who’s doing something really positive. Thousands of websites have joined in the action by adding Get Firefox and Browse Happy buttons — it just goes to show how much we, as a community, can do to Lead the Web to its Full Potential. I urge you to get on board and help out.

So what more can be done? How can you get involved? Well, if you haven’t already, choose from one of those browsers I listed above and switch to it. Then, visit some of those campaign websites and see what they’re asking for — help them out in any way you can, but don’t stop there. There’s no reason the campaign has to be kept on the Internet…

Let your friends and family know there are alternatives, buy a t-shirt, or a Firefox plush-toy for your child. Join the marketing public mailing list. Approach your school and let them know why all students should be using a better browser in classes. Approach your work place and let your system administrator know how switching can seriously improve security. Let them know about Thunderbird while you’re at it — the vast majority of e-mail viruses, worms and trojan horses only propagate through Microsoft Outlook’s many security holes. If you’re really keen, you could even suggest they switch from Windows to Mac or Linux; however, simply switching browser and e-mail clients can close many security holes. Take part in this week’s College Campaign — design a poster, join the steering team, become a college rep or simply share your ideas with the community.

If you have any access to publications in newspapers, magazines or even television, get in contact with Blake Ross and see what you can do. If you’re an e-mail spammer, we don’t want to hear from you — it will only serve to alienate people. However, even advertising on your blog, or your corporate website will help. Approach your boss, and see if they’ll allow you to add a Firefox or Browse Happy button to the site. If they’re technically inclined, I’m sure they’ll see the benefit straight away. The problem is getting the idea past the marketing minds of the business people that actually run the business. I know this is a problem — the boss where I work is, AFAIK, still using IE 5.5; and our system administrator won’t do a thing about it! However, I think he’s a twit anyway — he didn’t want me using Mozilla, Firefox or Thunderbird for security reasons!

Even if you only get one person to switch, it’s still worth it — every little bit counts. Of course we’d appreciate a lot more, but if it’s all you can do then that’s OK. We’ve come a long way, and we’ve got a lot longer to go. So, do what you can, and just help out!