Helping fix Firefox and adapting to it at the same time

Hank Williams over at Why does everything suck? wonders how to best report an obscure and weird browser bug.  He’s got the right idea: save a static copy of the HTML, JavaScript, and CSS, and then strip out everything unrelated until you have the minimal chunk of code required to duplicate the bug. You can speed this up by making an educated guess at which code is related, and doing a binary search from there. Include the minimal test case with the bug report, and the Firefox (or WebKit) team will love you for finding a test case for such a wacky, rare bug.

I’ve done this a few times for Mosuki, and each time, I discovered a workaround before I got to reporting the bug. Each time, the bug was either the result of an interaction between components I thought were unrelated, or I found some other method of achieving the same result that didn’t trigger the bug. (Of course, it was usually an Internet Explorer bug that I was fixing, so there was no way to report the bugs.)

HttpOnly cookies in Python & Pylons

Thanks to Jeff Atwood for posting about the benefits of the HttpOnly flag on cookies. Support for HttpOnly cookies has now been added to Python 2.6’s Cookie module, and Paste’s WSGIResponse. Pylons applications can now use the HttpOnly flag to protect cookies, significantly raising the bar against XSS attacks on users of those applications.
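As an added example (not code from the post, Pylons, or Paste), this shows what the flag looks like on the wire using only the standard library: Python 2.6’s Cookie module became http.cookies in Python 3, and both expose the attribute under the name `httponly`. The cookie name `session` and its value are constructed; `header_has_httponly` is a small audit helper for checking Set-Cookie values a server actually emits.

```python
"""Emit a session cookie with and without the HttpOnly flag, then check the
resulting Set-Cookie value. Added example, not part of the original post."""
from http.cookies import SimpleCookie


def session_cookie_header(value, httponly=True, secure=False):
    """Return the Set-Cookie value for a session cookie.

    With HttpOnly set, the browser still sends the cookie on every request
    to the site, but script running in the page (including script injected
    through an XSS bug) cannot read it via document.cookie.
    """
    cookie = SimpleCookie()
    cookie["session"] = value          # constructed cookie name for the example
    morsel = cookie["session"]
    morsel["path"] = "/"
    if httponly:
        morsel["httponly"] = True      # rendered as the bare "HttpOnly" attribute
    if secure:
        morsel["secure"] = True        # only sent over HTTPS
    # OutputString() returns "session=...; HttpOnly; Path=/" without the
    # "Set-Cookie: " header name.
    return morsel.OutputString()


def header_has_httponly(header_value):
    """Defender-side check: does a Set-Cookie value carry HttpOnly?

    Attribute names are case-insensitive (RFC 6265), so compare lowercased.
    The first segment is the name=value pair and is skipped.
    """
    attrs = [part.strip().lower() for part in header_value.split(";")[1:]]
    return "httponly" in attrs


if __name__ == "__main__":
    for flag in (True, False):
        line = session_cookie_header("abc123", httponly=flag)
        print("Set-Cookie: %s  -> HttpOnly present: %s"
              % (line, header_has_httponly(line)))
```

Running the block prints both variants; the one without the flag is the kind of header a quick scan of a framework’s responses should flag for review.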

The latest versions of Firefox, Opera, and Internet Explorer already support HttpOnly. Now all that’s left is for Apple to fix CFNetwork to support HttpOnly, and then WebKit/Safari will be able to support it too.

Rebuild mail-notification to support SSL under Ubuntu/Debian

Because of a four-year-old disagreement on the legal interpretation of the GPL and OpenSSL licenses, Debian is shipping a neutered and useless version of mail-notification without SSL support. Ubuntu hasn’t resolved the issue, so they’re shipping the same broken package too. People arguing about why they can’t fix bugs bores me. So here is a script to download the source packages, and rebuild them with SSL enabled. It even bumps the version number so that the package manager doesn’t try to overwrite your working package with the broken one in the repository. It also keeps track of the (on my system) thirty-seven megabytes of build dependency packages that it installs and removes them once the package is installed.


Google Chrome

Google makes it really difficult for me to keep thinking of them as the new evil empire when they release things like Google Chrome, and say things like “we need the internet to be a fair, smart, safe place.”

A browser with a “privacy mode” where “nothing that ever occurs in that window is ever logged onto your computer?” Where do I sign up? I’m ready to throw away my separate Firefox profile just for guests and browsing XSS-vulnerable sites like MySpace.

One question: do Firefox employees still get to ride the Google bus to work for free? I hope so.