I dunno what audience this article is aimed at, but it could do with trying to use fewer abbreviations - I've never seen the new tab page be abbreviated to NTP (that's the time server thing after all).
Big companies tend to do this sort of thing, they are large enough to ignore convention 'outside' and it tends to give the insiders the feeling that they are special, it's another form of gatekeeping. You see the same in the military with endless acronyms.
On a smaller scale, tech people do the same thing by using more complex terms for simple things to appear to have some kind of special knowledge. It's all about who is on the inside and who is on the outside. Highly annoying.
Such DSLs can serve to increase the speed of communication but more often than not they are simply used for obfuscation purposes.
> Such domain specific languages can serve to increase the speed of communication but more often than not they are simply used for obfuscation purposes.
> You see the same in the military with endless acronyms.
The military take the abbr.hl. to the next level. But at least the abbreviations are properly documented there. I guess the root is keeping telegraphy short?
On my last job it was so bad that it took like a year before you could follow conversations properly. Also old deprecated abbreviations were used for extra flavor. E.g. calling projects or departments by their former former name.
My current employer is similarly terrible in this area. It took a year before I felt like I fully understood people’s day-to-day conversations.
On top of the usual acronym madness, nearly everything is always referenced by code name, versioned according to arcane and strange conventions, and the mapping to released product names and real version numbers is not always documented or obvious.
> Just kidding, trick question, the answer is NEVER.
What? The answer is ALWAYS. Set your start page to be `about:blank` and you see a blank page. I've had this as my starting page in every single browser since the 90s.
You can have about:blank be the on start up page and the home button, but not for new tabs. You used to be able to do that. Won't be surprised when start page will need to be an https link, you know for security reasons.
As a side note, only yesterday (on a Windows 7, so not an issue related to the latest Windows) I couldn't initially connect with Chrome to a (of course local) oldish router (actually an access point) to change a setting (Wi-Fi channel) because it "talked http" while Chrome wanted a "https" (for security reasons).
Chrome has that setting too, but it's not that simple. It's only available as an enterprise policy. If anyone doesn't know about this, Chrome has tons of hidden settings configurable through Group Policy on Windows and through /etc/opt/chrome/policies/managed/policies.json on Linux.
I have a personal new tab chrome / firefox extension that does exactly this. A black screen, a button, that's it. Don't install someone else's extension -- make your own off a minimal example on github. It's... well it's about the simplest bit of code I've written that I rely on daily.
The first thing that I do is turn off these fancy new tab pages. Very often, there is no option to have a blank page instead, and fewer and fewer people know about pages like about:blank.
Correct. I feel Mozilla is starving Firefox and using the money somewhat frivolously.
Mozilla have many interesting projects and several of them may be good, but none of them have had such impact or have such potential for the future as Firefox.
Edit: and I'm willing to pay $10 - $50 a month to someone who will create and maintain a patched version of the latest Firefox that fixes the worst problems like not being able to hide the standard tabs (in addition to any sponsored search deals they may get).
I suspect I'm not alone: for many (most?) of us our browser is one of our most important tools, the other being an IDE, an editor or some graphics tool.
Edit 2: Paid Chromium based doesn't count for me. A major point is to counter the Chrome monoculture.
Well, that's a really bad reason to use chrome or some other chromium based browser.
But if you are willing to fork Firefox, that's a very good reason. I just don't think any fork will be as long as the majority of users are on a chromium based browser, those are toxic to the ecosystem.
> Well, that's a really bad reason to use chrome or some other chromium based browser.
Who said I do? I often have multiple months between every time I use a Chrome or Chrome based browser.
Edit, I use a multipronged approach:
- I use only Firefox - except once in a blue moon to verify if something is an actual Firefox bug or a general bug.
- and develop in Firefox. Bonus: Without testing in any other browsers most weeks I can count on one finger the times I have introduced cross browser defects
- I raise awareness that Mozilla is extracting money from Firefox, not funding it.
- I raise awareness about how Google is pushing to kill competition in the browser markets (besides here on HN and contacting authorities myself I have also urged a grumpy colleague today to contact relevant competition authorities)
- I raise awareness about the likely outcome of a Chrome monoculture: mostly that ad blocking will disappear, the web as a platform will stagnate and we will have to live with more nasty restrictions.
Firefox opens new tabs saying “We care about your privacy, look, LOOK!” every time you start, sometimes two of those tabs (release notes + privacy). I wish I could just deactivate those built-in ads.
Recently, they had this annoying modal ad (with no "close when clicking outside" feature) telling me that I can make my browser colorful. I care about web-health and containers is far too much of a must-have feature to make me switch, but I’m finally starting to get annoyed.
Without containers, I’d probably bite the bullet and start using some chrome fork that doesn’t show me useless ads.
Recently they also changed the urlbar to do a search when you type anything... even localhost. INFURIATING. To stay polite.
Messed with about:config but did not find a way to disable that crap.
So Chrome and FF are in the same boat: "UX" "designer" taking nonsensical decisions for the whimsical greater good.
The Settings have several checkboxes to switch off (or on):
* Tips and News from Mozilla and Firefox
* Recommendations while surfing
* Recommend addons while surfing
I'm not entirely sure what you saw that made you angry, but I'm pretty sure you can switch them off rather than abandon the entire browser.
That goes for a lot of Firefox hate, I find: quite often people are ranting online about some new or removed feature, which they can dis- or enable easily in the settings. Or -a tad harder- in about:config. Or even a tad harder, with an addon.
That makes me think those ranters don't really want their problem solved, but just want to vent some anger about X changing something that they are emotionally not ready to see changed.
All the others (according to the linked information) are irrelevant for intrusive pop-up ads. By all means, please explain to me which of those settings do something different from what they are supposed to do, or tell me about an about:config setting that tells Firefox to never show me pop-up ads.
What made me angry: https://i.imgur.com/s9hC23U.png which blocks the interaction with any part of Firefox until I click "Not Now"
How much does all iOS browsers being built on top of Safari actually limit what one can do?
Obviously the actual page rendering and JavaScript executing would be Safari. But 99% of the time when I hear people advocating for browser X over browser Y it is not because X has better rendering or a better JS engine. It is because of higher level things, like containers (Firefox over Chrome) or better profile handling (Chrome over Firefox) or better spell checking (everything over Firefox).
Does having to build on top of Safari on iOS also constrain those higher level things?
No, Chrome does not support this feature on iOS (https://support.google.com/chrome/answer/2364824?hl=en&co=GE...). iOS' WebKit limits this to only one permanent profile and one ephemeral profile. You can technically have multiple profiles on the iPad - that is, if you're a school, and that's really more of an OS-wide user account thing. (G did a hack over this by rewriting that profile when switching profiles - but it's not truly a multitask thing, and violates Apple Developer Guidelines).
> better spell checking (everything over Firefox)
No, and for more sensible reasons. Users do expect consistent spell checking because they use the keyboard to do that. Regardless, if you want to implement spell checking in-browser, that's impossible. If you want to do it outside of Safari, go ahead - it's just not integrated to those Apple things (more of a dedicated Grammarly interface rather than desktop spell checking).
I found the colored browser cool, but the infuriating part is that Firefox is deliberately only offering features for a limited time. And if I didn't want to pick a color, not being able to click outside to close would be annoying.
Unlike many here, I don’t mind FF giving their browser more mass-appeal (here in Germany it’s still a major browser), so adding that color feature is fine. I just don’t need intrusive advertisement about it. It’s even worse for me, because I use FF on multiple machines and with several profiles, so I saw the ad over 10 times in total.
Can I easily disable the post-update splash page telling me how great the latest Firefox is (or something like that)? I use developer edition to test Firefox compatibility of my webapps, I seem to get that a lot, and I really don’t care about that marketing.
On the contrary, there is no option that says “Stop bugging the user with ads for Mozilla.” They keep coming back with another form of showing up (button in the top bar, label on the new tab experience, new tab experience itself, Mozilla login…) and you have to disable it again. It’s like spam when they use several Mailchimp accounts, reupload your email and tell you “but it’s easy to unsubscribe!”
Does Firefox actually get hate? I don't think I've seen people actually make digs at FF.
For me it would be Edge that gets the most laughs but I find it is a better performing browser, at least in terms of UI, than FF or Chrome. Side-bar tasks, grouping, integrated screen-shot, etc.
Mozilla management gets hate. They have had a string of controversies, policy upheavals that have bad optics and layoffs etc. They are often on HN for all the bad reasons.
Maybe not Firefox itself but Mozilla’s “We need more than deplatforming” blog post burnt a lot of good will towards them. I think that kind of censorial ethos is at odds with the majority of people who would specifically choose firefox over chrome.
Interesting article but the issue is that it's mashing together the Chromium Browser and Google Chrome. I'm sure that Chromium itself is safe but the privacy concerns arise from the "Google bits" rather than the browser engine itself.
Some of the statements in this article are just not true. The post seems to get frequent edits and always looks new/recent when I visit it, though I’ve seen and rebutted it several times over the last years. Yet, apparently nobody made the effort to verify the claims with more recent analyses.
It wasn't a particularly likely exploitation route... The user had to already be double-clicking files they'd downloaded from a malicious webpage. At that point, it might as well have been an .exe file.
And after all that, all it can do is run a search query. It can't leak all your Gmail emails or exploit the local machine.
> And after all that, all it can do is run a search query. It can't leak all your Gmail emails or exploit the local machine.
Doesn't that contradict the following?
> “However, because the IPC channel was exposed to JS directly in New Tab page, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”
I also hate not having the option to make my new tab page empty, but thinking about the time I have spent for people I know to make their browser homepage cleared ... I won't object to it being managed by the browser companies... if you know what I mean... mendokusai...
Google VRP is giving the wrong incentives here, as such a small (insulting?) reward will surely orient some researchers to exploit market rather than responsible disclosure.
Q: Do you have enough domain knowledge to be judging the incentives?
Well... I don't know. Does anyone have to be a domain expert to say that security reporting that affects tens or hundreds of millions of people should be compensated better than 1k USD?
I dislike a bit the "justified" argument, as very often it dismisses important weak signal warnings. Our work in Security is often about being sensitive and not dismissive. But here you go:
I've been in infosec since 1987 (34 years) and never left it, so I'll let you decide ;-) even if I'm a dinosaur in Internet times ;-)
Q: What do you think would be a fair amount?
IMHO, the fair amount is definitely in the tens of thousands.
But we could attempt a quantified approach, always debatable (Risk = Likelihood * Consequence), e.g. Likelihood based on phishing campaign success per country or global, and then mean / average cost of theft when leveraging the full exploit chain (IPC included), i.e. cookies -> auth -> leveraged identity theft impact. And then give a percentage of the cost as a bounty-based "insurance" mechanism. Not easy, but an attempt could be made. Surely that would result in way higher compensation.
The Likelihood of this bug being exploited is damn low. It requires the download of an html file, and then the target would have to double click it. On top of that, the Consequences of it are not that serious. So you provided your answer as to why the bug only got $1000.
I'd be interested to know what the market would have paid for this bug. I don't really see why it would be useful to anyone but I am far from an expert.