Archive for the 'firefox' Category

FoXRI Updated for Firefox 3

Saturday, October 18th, 2008

Prompted by Emanuel in a comment to my post on i-names, I’ve finally tended to the long-overdue item in my TODO queue, i.e. update FoXRI to work with Firefox 3.

The request from Emanuel came almost serendipitously 2 days after =les nonchalantly asked me if I had plans to update it to FF3, to which I answered “one of these days.”

New in this version are 2 patches from Michael Krelin which adds detection of URIs for more OpenID versions, and the handling of append attribute values. Changelog for the patches are available at his git repository.
Thanks, Michael!

Due to what seems like a new security restriction that protocol handlers are not allowed to link to chrome URIs, I can’t seem to get it to load the CSS and icons from the chrome any more. Therefore, those files are now hosted remotely at so if you see requests to that host, please don’t be alarmed.

Security Restricted Domains Database

Monday, January 22nd, 2007

This was going to be a “Dear LazyWeb” request, but after some research I found what I wanted.

Recent discussions about security and phishing on the OpenID list got me thinking about the problem space.

DNS plays a critical role in the security of OpenID because

  1. URL is the identifier type used
  2. User should only trust the OP with which he/she has an account with.

The “Phishing and OpenID” discussions on the OpenID list actually hinges on point #2 above. Ben Laurie wrote about it here. In short, OpenID opens the door for a malicious RP to send a user to a spoofed OP-lookalike and collect his/her password.

Back to DNS. I have, on numerous occasions in the past, tried to look for a list of domains where registrations are open for public. This varies from TLD to TLD, e.g. .biz accepts registration directly on the second level, .us also does but delegates two-letter subdomains to US states, and .uk only accepts registrations on the third level after,, etc.

Well, it turns out that the Mozilla folks needed this list in order to disallow web sites setting cookies for the entire or similar domains. Currently, they block just the TLDs so cannot set a cookie for .com, but 2nd level onwards domain cookies are allowed. This could easily cause cookies to be stolen by any site rooted in the same domain.

So, this advisory started this bugzilla entry at Mozilla and it eventually led to the creation of this API and this list (see attachment). They call it the “Effective TLD” list, which is really a misnomer because they are not necessary just TLDs. It was decided in the bug discussions that the term “effective TLD” is easier to digest that anything else, though I’d prefer to call it “Security Restricted Domains”. Whatever, as long as it gives me the content I want.

Many will probably criticize Mozilla for creating yet another list that gets stale the moment it is created. Indeed, TLDs get created and 2LDs within TLDs are introduced and deprecated so often that such a list will be hard to maintain. Moreover, many organizations assign names to registrants at a level that doesn’t involve the TLD registry. Examples include CentralNIC’s .<country-code>.com and *, and countless others. Add to it the introduction of IDN TLD may well be in less than 2 years. Keeping a definitive list is not feasible. Nevertheless, I would argue that depending on your needs, this list could still be very valuable, as is the case with the cookie problem that they are trying to solve.

So, what has this got to do with OpenID? I shall leave that to a different post.

FoXRI updated for Firefox 2.0

Saturday, November 4th, 2006

Just a quick mention that I’ve updated FoXRI to be compatible to Firefox 2.0. I haven’t had time to implement URI construction (which explains why some URI links don’t work in the FoXRI explorer).

Thanks to Gabe and Ken Walsh for the reminder.

New FoXRI Out Now

Monday, August 21st, 2006

I’ve just released version 1.1 of FoXRI – XRI extension for Firefox (and Flock!).

This version features an XRDS explorer that renders an XRI (I-name or I-number) in a nice user interface (see screenshot below).

Go install it at xri://=wil (oh you’re not XRI-enabled yet? No problem, go here instead).

Under the hood

The extension installs an XUL overlay that autocorrects an I-name / I-number in shorthand notation (e.g. =wil or @neustar) to the full version with “xri://” prefix. This is only for XRIs entered on the URL bar. Everything else is left untouched and functions as per normal.

At the same time, it installs an XRI protocol handler (XPCOM component implemented in Javascript) that takes care of resolving the XRI. For “bare” XRI – no path or query e.g. xri://=wil , it fetches the XRDS document from the proxy and renders it in HTML. Otherwise, the XRI is simply prefixed with and hands it off to the normal HTTP handler.

technorati tags:, , ,

Blogged with Flock

I’m Flocked

Monday, August 21st, 2006

Flock: The web browser for you and your friends.

Just downloaded flock and am totally lovin’ it. Being able to manage my flickr and photobucket account with drag-n-drop and a feed reader that rocks plus all host of goodies tucked in unobtrusive corners are just the beginning. Buit on the Firefox engine, Flock supports all the extensions that are built for Firefox.

This post was created using Flock’s built-in blog composer – what can I say?

I’m totally flocked!

technorati tags:,

Blogged with Flock