Private FireFox plugin - firefox

I'm looking at getting a FireFox plugin developed - but is it possible to create a plugin that is for private use only, so only those I share it with have it and not open to the masses? Need this for 2 reasons; 1) while in BETA and 2) for my clients use only to start with.

Of course: just distribute the plugin install package (XPI if I am not mistaking) to the target users.
Note that won't prevent leaks, if any.
You could also be more fancy and "lock" the plugin to a set of computers: you have access to the whole machine when you design a plugin (e.g. NPAPI based). Then again, a determined hacker can always find a way.

Yes, of course this is possible.
Extensions (mentioning these because the term "plugin" is often misused to mean "extension") can be packed in a .xpi file that can be opened and installed by Firefox; see also this tutorial.
Proper plugins are a bit more work, see the Mozilla developer wiki.

While this works mostly on a psychological level, prominently displaying identifying information such as the user's name/email address or a company name/logo, may also help prevent users from distributing your work because it is obviously personalized/tailored software, and they may not want this information to be distributed along with your software.
Also, once you do distribute your extension to your target users, you can digitally sign the XPI files for each individual user (i.e. fingerprinting individual files within the XPI package), so that you can track back any leaks.
In addition, you as the author of the extension are of course free to implement a simple "talkback" mechanism so that you can track use of your extension, along with all sorts of other information that may be relevant to you (i.e. usage stats).
Similarly, XPI files are conventional ZIP files, so you can also password-protect them to make it more complicated to install them without proper instructions.

Related

FIrefox add-ons and running executable binaries

I would like to run my own executable binary file (generated from C code) bundled along with other regular files in my Firefox add-on. Since, it needs to create a new process for that, I think I should use either sdk/system/child_process or a native OS API by using js-ctypes.
My question is that does creating a new process have any negative impact on the add-on publishing process? Does it violate any Mozilla's rule?
Creating a new process has a severe impact on the add-on publishing process but it does not violate the rules.
By interacting with the system in such a low-level way, your add-on will be flagged for administrative review which can result in even trivial updates taking up to 3 months to be approved. It certainly won't always take that long (and the reviewers are very good at rushing through reviews which fix critical or security impacting bugs if you explain the mitigating circumstances to them) but for a typical new version it can be months between submitting the XPI file for review and it actually being delivered to users.
At the moment you can avoid that delay by hosting your add-on outside of the AMO ecosystem but that will change in the next 1-2 months when the add-on signing requirements come into play. They say that the reviews for non-hosted add-ons will be faster and I hope that this will be the case but even so, the need for a manual review might be a serious problem if you're looking to get a regular automated test and deployment process in place for your add-on.
I wouldn't be surprised if Mozilla make further changes in this area later in the year in order to stem the loss of their add-on developer community. In particular, it seems crazy that even unchanged code will trigger the need for a review for every minor update.
As for how you go about implementing it, I've not used the SDK before so your suggestions are probably best but a third option to consider is the use of the XPCOM nsIProcess interface. I don't use ctypes in my add-on any more but I would expect that to be flagged for admin review in the same way as any other approach that could feasibly launch an executable.
As far as the bundling is concerned, that shouldn't be a problem but you will need to supply the source code to Mozilla so they can ensure it is safe.

How to get your site trusted by AV?

I want to make an exe file available to download from my website, but when I do a test download, Norton deletes the file without any option to keep it. Presumably most AV does the same thing, so nobody is ever going to be able to download it.
Wrapping the exe in a zip seems to make the exe completely invisible to Norton, so that is one approach, but it just adds an extra step for users to go through. And I have downloaded exe files from other sites, so it is certainly possible.
Would signing the exe help? What other factors affect my site's apparent lack of trustworthiness?
Signing your EXE is probably the best way to go... As far as "trusting" a website goes, I can't speak for Norton but I know that McAfee has user feedback mechanisms for rating sites, and that's what their products use to filter bad actors on the web.
Putting the executable in a zip file is indeed the way to go. Norton is extreme pain, but most browsers and/or anti-virus applications will at least warn the user when he attempts to download an executable. It is more important to instil confidence in your users than to make life easy for them, and if they see any kind of warning message they are likely to pull the plug.

How does Firefox Version 3 invoke the anti-virus feature on Windows to scan a download?

Another question on StackOverflow is asking how this is done, but the general question of how Firefox manages this is even more useful, and would answer that question also.
Without reading all the source code to firefox (I haven't time) - is anyone familiar enough with Firefox V3's ability to invoke a scan on any downloaded EXE file to know how it works?
I would think any anti-virus program with active protection would hook into windows and be run automatically. Does firefox detect these hooks and bring them up by creating a windows folder and moving the file after it is downloaded from a temporary filename, to a new file name with .exe in the name, thus triggering the automatic protection? Or do they do something else?
(This is a programming question in that I want to know how to write this in general, and this would answer the above question, but also be a good piece of knowledge to add to the knowledgebase-that-is-stackoverflow.)
Also, any programmatic SDKs and APIs that commercial anti-virus programs provide for end-user application integration, I would like to know about. Especially MS Forefront, MS Security Essentials, Norton, or any other major players.
OESIS from opswat appears to provide this as a commercial SDK/application, which is a surprise when it probably should be a Windows API, given that what we're doing here is in the public good of all humans who have to use windows.] - actually it is - it is built into the windows shell. See the first link in this question for more resources.
I did a quick search through the Mozilla code base and found these source files:
./toolkit/components/downloads/src/nsDownloadScanner.cpp
./toolkit/components/downloads/src/nsDownloadScanner.h
A comment close to the top may have your answer:
Download scanner attempts to make use
of one of two different virus scanning
interfaces available on Windows -
IOfficeAntiVirus (Windows 95/NT 4 and
IE 5) and IAttachmentExecute (XPSP2
and up). The latter interface
supports calling IOfficeAntiVirus
internally, while also adding support
for XPSP2+ ADS forks which define
security related prompting on
downloaded content.

Winlibre - An Aptitude-Synaptic for Windows. Would that be useful?

Last year, in 2009 GSoC, I participated with an organization called Winlibre. The basic idea is having a project similar to Aptitude (or Apt-get) and a GUI like Synaptic but for Windows and just to hold (initially), only open source software. The project was just ok, we finished what we considered was a good starting point but unfortunately, due to different occupations of the developers, the project has been idle almost since GSoC finished. Now, I have some energy, time and interest to try to continue this development. The project was divided in 3 parts: A repository server (which i worked on, and which was going to store and serve packages and files), a package creator for developers, and the main app, which is apt-get and its GUI.
I have been thinking about the project, and the first question that came to my mind is.. actually is this project useful for developers and Windows users? Keep in mind that the idea is to solve dependencies problems, and install packages "cleanly". I'm not a Windows developer and just a casual user, so i really don't have a lot of experience on how things are handled there, but as far as I have seen, all installers handle those dependencies. Will windows developers be willing to switch from installers to a packages way of handling installations of Open source Software? Or it's just ok to create packages for already existing installers?
The packages concept is basically the same as .deb or .rpm files.
I still have some other questions, but basically i would like to make sure that it's useful in someway to users and Windows developers, and if developers would find this project interesting. If you have any questions, feedback, suggestions or criticisms, please don't hesitate posting them.
Thanks!!
be sure to research previous efforts on this. Google turns up several similar/relevant efforts.
http://en.wikipedia.org/wiki/Package_management_system#Microsoft_Windows
http://windows-get.sourceforge.net
http://pina.plasmite.com
IIRC there was an rpm for windows at some point
Also I think there was some guy (who used to work at MS) in the news recently that basically is starting up a very similar project. I can't find a link to this now.
But anyway, yeah, it would be awesome if there was such a standard tool and repository.
I can only speak for myself, but obviously I could definitely make use of such a tool as I found your post through googling! ;)
My two use cases for this tool would the following ones:
1. I generally avoid to re-install my system as long as possible (in fact I manage to do so only for switching to a reasonable (not each an every) new version of Windows every few years or to setup new computers). But still I'd like my software to be up-to-date. Neither do I want to have to go to all the web pages and check manually if there are compatibility issues with the new version of Doxygen, Graphviz and the latest version of MikTeX for example, nor do I want to have to navigate to the download pages and run the setups all by myself. I just want to schedule ONE SINGLE (!) tool, which checks whether there are new updates or not and updates those applications which are not in conflict with any other application version.
If it unavoidably happens to me that I have to re-install my system, I don't want to get the new setups neither (and check compatibility). I even don't want to wait for one setup to finish in order to start the next one, I just want to check the tools I need, or even better, I want to simply load my "WinApt XML" batch installation file, which gets the installers and handles the setups sequentially all by itself.
I don't know enough about the architecture of .deb or .rpm but IMHO the most reasonable would be to maintain a DB with only the names, versions, dependencies and the location of the different versions' download locations. I mean, most of the tools available for Windows provide .msi packages anyways, which (I guess) is the application itself and some custom installation properties (really not sure how scripting is handled, but I know that creating a MSI in Visual Studio has very limited abilities to create custom installation steps and I can only imagine this is due to limitations of MSI protocol).
I guess a GUI will be mandatory for Windows users ;) but I personally would prefer the additional ability to handle the setups with the console.
Well, I like the idea and would love to hear from that (or such a) tool in the future.
Cheers
Check out NSIS. It's an open source MSI creator. You might be able to use it as part of your package creation software.
http://nsis.sourceforge.net/Main_Page
For the ALT-.Net tool/lib stack there have been some affords in this direction: Horn Get
However, the usability in a real world project has been subject in this SO question.

Windows Help files - what are the options?

Back in the old days, Help was not trivial but possible: generate some funky .rtf file with special tags, run it through a compiler, and you got a WinHelp file (.hlp) that actually works really well.
Then, Microsoft decided that WinHelp was not hip and cool anymore and switched to CHM, up to the point they actually axed WinHelp from Vista.
Now, CHM maybe nice, but everyone that tried to open a .chm file on the Network will know the nice "Navigation to the webpage was canceled" screen that is caused by security restrictions.
While there are ways to make CHM work off the network, this is hardly a good choice, because when a user presses the Help Button he wants help and not have to make some funky settings.
Bottom Line: I find CHM absolutely unusable. But with WinHelp not being an option anymore either, I wonder what the alternatives are, especially when it comes to integrate with my Application (i.e. for WinHelp and CHM there are functions that allow you to directly jump to a topic)?
PDF has the disadvantage of requiring the Adobe Reader (or one of the more lightweight ones that not many people use). I could live with that seeing as this is kind of standard nowadays, but can you tell it reliably to jump to a given page/anchor?
HTML files seem to be the best choice, you then just have to deal with different browsers (CSS and stuff).
Edit: I am looking to create my own Help Files. As I am a fan of the "No Setup, Just Extract and Run" Philosophy, i had that problem many times in the past because many of my users will run it off the network, which causes exactly this problem.
So i am looking for a more robust and future-proof way to provide help to my users without having to code a different help system for each application i make.
CHM is a really nice format, but that Security Stuff makes it unusable, as a Help system is supposed to provide help to the user, not to generate even more problems.
HTML would be the next best choice, ONLY IF you would serve them from a public web server. If you tried to bundle it with your app, all the files (and images (and stylesheets (and ...) ) ) would make CHM look like a gift from gods.
That said, when actually bundled in the installation package, (instead of being served over the network), I found the CHM files to work nicely.
OTOH, another pitfall about CHM files: Even if you try to open a CHM file on a local disk, you may bump into the security block if you initially downloaded it from somewhere, because the file could be marked as "came from external source" when it was obtained.
I don't like the html option, and actually moved from plain HTML to CHM by compressing and indexing them. Even use them on a handful of non-Windows customers even.
It simply solved the constant little breakage of people putting it on the network (nesting depth limited, strange locking effects), antivirus that died in directories with 30000 html files, and 20 minutes decompression time while installing on an older system, browser safety zones and features, miscalculations of needed space in the installer etc.
And then I don't even include the people that start "correcting" them, 3rd party product with faulty "integration" attempts etc, complaints about slowliness (browser start-up)
We all had waited years for the problems to go away as OSes and hardware improved, but the problems kept recurring in a bedazzling number of varieties and enough was enough. We found chmlib, and decided we could forever use something based on this as escape with a simple external reader, if the OS provided ones stopped working and switched.
Meanwhile we also have an own compiler, so we are MS free future-proof. That doesn't mean we never will change (solutions with local web-servers seem favourite nowadays), but at least we have a choice.
Our software is both distributed locally to the clients and served from a network share. We opted for generating both a CHM file and a set of HTML files for serving from the network. Users starting the program locally use the CHM file, and users getting their program served from a network share has to use the HTML files.
We use Help and Manual and can thus easily produce both types of output from the same source project. The HTML files also contain searching capabilities and doesn't require a web server, so though it isn't an optimal solution, works fine.
So far all the single-file types for Windows seems broken in one way or another:
WinHelp - obsoleted
HtmlHelp (CHM) - obsoleted on Vista, doesn't work from network share, other than that works really nice
Microsoft Help 2 (HXS) - this seems to work right up until the point when it doesn't, corrupted indexes or similar, this is used by Visual Studio 2005 and above, as an example
If you don't want to use an installer and you don't want the user to perform any extra steps to allow CHM files over the network, why not fall back to WinHelp? Vista does not include WinHlp32.exe out of the box, but it is freely available as a download for both Vista and Server 2008.
It depends on how import the online documentation is to your product, a good documentation infrastructure can be complex to establish but once done it pays off. Here is how we do it -
Help source DITA compilant XML, stored in SCC (ClearCase).
Help editing XMetal
Help compilation, customized Open DITA Toolkit, with custom Perl/Java preprocessing
Help source cross references applications resources at compile time, .RC files etc
Help deliverables from single source, PDF, CHM, Eclipse Help, HTML.
Single source repository produces help for multiple products 10+ with thousands of shared topics.
From what you describe I would look at Eclipse Help, its not simple to integrate into .NET or MFC applications, you basically have to do the help mapping to resolve the request to a URL then fire the URL to Eclipse Help wrapper or a browser.
Is the question how to generate your own help files, or what is the best help file format?
Personally, I find CHM to be excellent. One of the first things I do when setting up a machine is to download the PHP Manual in CHM format (http://www.php.net/download-docs.php) and add a hotkey to it in Crimson Editor. So when I press F1 it loads the CHM and performs a search for the word my cursor is on (great for quick function reference).
If you are doing "just extract and run", you are going to run in security issues. This is especially true if you are users are running Vista (or later). is there a reason why you wanted to avoid packaging your applications inside an installer? Using an installer would alleviate the "external source" problem. You would be able to use .chm files without any problems.
We use InstallAware to create our install packages. It's not cheap, but is very good. If cost is your concern, WIX is open source and pretty robust. WIX does have a learning curve, but it's easy to work with.
PDF has the disadvantage of requiring the Adobe Reader
I use Foxit Reader on Windows at home and at work. A lot smaller and very quick to open. Very handy when you are wondering what exactly a80000326.pdf is and why it is clogging up your documents folder.
I think the solution we're going to end up going with for our application is hosting the help files ourselves. This gives us immediate access to the files and the ability to keep them up to date.
What I plan is to have the content loaded into a huge series of XML files, each one containing help for a specific item. This XML would contain links to other XML files. We would use XSLT to display the contents as necessary.
Depending on the licensing, we may build a client-specific XSLT file in order to tailor the look and feel to what they need. We may need to be able to only show help for particular versions of our product as well and that can be done by filtering out stuff in the XSLT.
I use a commercial package called AuthorIT that can generate a number of different formats, such as chm, html, pdf, word, windows help, xml, xhtml, and some others I have never heard of (does dita ring a bell?).
It is a content management system oriented towards the needs of technical documentation writers.
The advantage is that you can use and re-use the same content to build a set of guides, and then generate them in different formats.
So the bottom line relative to the question of choosing chm or html or whatever is that if you are using this you are not locked into a given format, but you can provide several among which the user can choose, and you can even add more formats as you go along, at no extra cost.
If you just have one guide to create it won't be worth your while, but if you have a documentation set to manage then it is the best to my knowledge. Their support is very helpful also.

Resources