Comments on: Refractor, aka prism-ext, aka Prism for Firefox, aka… http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/ White and creamy wtf Wed, 07 Oct 2009 09:32:38 +0000 http://wordpress.com/ hourly 1 By: tonikitoo http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-520 tonikitoo Thu, 13 Mar 2008 16:17:59 +0000 http://cesarmoco.wordpress.com/?p=29#comment-520 cesar, I cant see "install this webapp in your desktop using prism" banner if I am on to gmail with refractor installed. Should I ? cesar, I cant see “install this webapp in your desktop using prism” banner if I am on to gmail with refractor installed. Should I ?

]]> By: -dis http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-519 -dis Thu, 13 Mar 2008 12:03:30 +0000 http://cesarmoco.wordpress.com/?p=29#comment-519 Cesar: OK but maybe us users should be able to distinguish between "possibly dangerous" webapps and plain webpage apps (no webapp.js). A simple webapp bundle that only includes a customized icon, title etc but no .js should be safe and should be treated like a bookmark or a feed. Cesar: OK but maybe us users should be able to distinguish between “possibly dangerous” webapps and plain webpage apps (no webapp.js). A simple webapp bundle that only includes a customized icon, title etc but no .js should be safe and should be treated like a bookmark or a feed.

]]> By: Cesar Oliveira http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-518 Cesar Oliveira Wed, 12 Mar 2008 18:11:28 +0000 http://cesarmoco.wordpress.com/?p=29#comment-518 -dis: Correct, webapp.js runs with full chrome privileges (this was always a concern). It was never a closely held secret either, it's on devmo. I don't think the security threat is as big a problem as people are claiming it to be. It does not install a webapp by itself without first prompting the user if they want to install it. This is not a whole lot different from installing an extension on a non-AMO webpage (the very fact that it is on AMO would suggest a more peer-reviewed, quality extension. But that's <a href="http://ted.mielczarek.org/code/mozilla/index.html" rel="nofollow">not always</a> <a href="http://www.oxymoronical.com/" rel="nofollow">the case</a>). I suppose the real concern must be that we should have a large modal dialog box warning people of malicious content. That can always be a future enhancement. -dis: Correct, webapp.js runs with full chrome privileges (this was always a concern). It was never a closely held secret either, it’s on devmo.

I don’t think the security threat is as big a problem as people are claiming it to be. It does not install a webapp by itself without first prompting the user if they want to install it. This is not a whole lot different from installing an extension on a non-AMO webpage (the very fact that it is on AMO would suggest a more peer-reviewed, quality extension. But that’s not always the case). I suppose the real concern must be that we should have a large modal dialog box warning people of malicious content. That can always be a future enhancement.

]]> By: -dis http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-517 -dis Wed, 12 Mar 2008 11:53:14 +0000 http://cesarmoco.wordpress.com/?p=29#comment-517 Great! Correct me if I'm wrong but doesn't code in webapp.js run with chrome privileges? Webapps can become a lot more if they are able to access the filesystem, do xss or use drawWindow with no restrictions and I'm in favor of them being able to but there has to be a way to restrict them. Ideally they'd run with web privileges and only be able to use specific and sandboxed (i.e. only files in the webapp's folder) features. Great! Correct me if I’m wrong but doesn’t code in webapp.js run with chrome privileges?
Webapps can become a lot more if they are able to access the filesystem, do xss or use drawWindow with no restrictions and I’m in favor of them being able to but there has to be a way to restrict them. Ideally they’d run with web privileges and only be able to use specific and sandboxed (i.e. only files in the webapp’s folder) features.

]]> By: Ted Mielczarek http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-516 Ted Mielczarek Wed, 12 Mar 2008 11:16:04 +0000 http://cesarmoco.wordpress.com/?p=29#comment-516 anonymous: except there's no real installation here at all. Prism just runs your webapps in a separate window, still on the web. No less secure than running them in your web browser. anonymous: except there’s no real installation here at all. Prism just runs your webapps in a separate window, still on the web. No less secure than running them in your web browser.

]]> By: an0n1 m0us http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-515 an0n1 m0us Wed, 12 Mar 2008 09:17:19 +0000 http://cesarmoco.wordpress.com/?p=29#comment-515 let me get this straight. After so many years of trying to get people aware that "installing" software off the web is a very dangerous habit and that simply using Explorer is a security risk in itself because of - as much as any other reason - that ActiveX beast, we are now encouraging people to download applications even easier (there appears no UI to really distinguish between downloading a webapp and bookmarking RSS) than ever before. Brilliant! Instead of developing an easy method for web site developers (like CMS authors such as myself) to bundle up a single-site (more secure) environment as an alternative to Exploder, which users can install through a proper installer (with all appropriate security warnings and license agreement sign-offs) procedure that many are familiar with, we are encouraging people to one-click install potentially harmful applications. Yay! Can't wait to see all the fishing sites add a 50 pixel high grey div at the top of their sites prompting users to "install this on your desktop in one easy click" and before you know it, the average joe's machine is the next node on a botnet. let me get this straight. After so many years of trying to get people aware that “installing” software off the web is a very dangerous habit and that simply using Explorer is a security risk in itself because of – as much as any other reason – that ActiveX beast, we are now encouraging people to download applications even easier (there appears no UI to really distinguish between downloading a webapp and bookmarking RSS) than ever before.

Brilliant!

Instead of developing an easy method for web site developers (like CMS authors such as myself) to bundle up a single-site (more secure) environment as an alternative to Exploder, which users can install through a proper installer (with all appropriate security warnings and license agreement sign-offs) procedure that many are familiar with, we are encouraging people to one-click install potentially harmful applications. Yay!

Can’t wait to see all the fishing sites add a 50 pixel high grey div at the top of their sites prompting users to “install this on your desktop in one easy click” and before you know it, the average joe’s machine is the next node on a botnet.

]]> By: Dan http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-514 Dan Wed, 12 Mar 2008 03:30:15 +0000 http://cesarmoco.wordpress.com/?p=29#comment-514 Psst... Google Gears crashes Firefox 3 betas (including Prism I assume... it crashes the Firefox Add-on version at least!). Also Google Gears is a bit hard to get working in Prism to even see it crash. Basically you have to copy C:\Program Files\Google\Google Gears\Firefox to %APPDATA%\Mozilla\Firefox\Profiles\.\extensions\refractor@*\extensions\{000a9d1c-beef-4f90-9363-039d445309b8} {000a9d1c-beef-4f90-9363-039d445309b8} being Google Gear's extension GUID thing. There's some blog post about doing it differently keeping the original folder but it only applies to the old Prism... the extension version seems to ignore the Firefox extensions registry key Google Gears uses to tell Firefox where it is, and I couldn't see how to add arbitrary folders as extensions into Refractor through the registry. Psst… Google Gears crashes Firefox 3 betas (including Prism I assume… it crashes the Firefox Add-on version at least!).

Also Google Gears is a bit hard to get working in Prism to even see it crash. Basically you have to copy C:\Program Files\Google\Google Gears\Firefox to %APPDATA%\Mozilla\Firefox\Profiles\.\extensions\refractor@*\extensions\{000a9d1c-beef-4f90-9363-039d445309b8}

{000a9d1c-beef-4f90-9363-039d445309b8} being Google Gear’s extension GUID thing.

There’s some blog post about doing it differently keeping the original folder but it only applies to the old Prism… the extension version seems to ignore the Firefox extensions registry key Google Gears uses to tell Firefox where it is, and I couldn’t see how to add arbitrary folders as extensions into Refractor through the registry.

]]> By: Percy Cabello http://cesarmoco.wordpress.com/2008/03/12/refractor-aka-prism-ext-aka-prism-for-firefox-aka/#comment-513 Percy Cabello Wed, 12 Mar 2008 03:24:05 +0000 http://cesarmoco.wordpress.com/?p=29#comment-513 That's a great feature. Just tried it but found it must be rel="webapp" to work. That’s a great feature. Just tried it but found it must be rel=”webapp” to work.

]]>