Planet Mozilla

With Firefox, getting around the internet is fast, straight-forward and easy. Now you can go beyond the basics with these secret and not-so-secret tricks that make your internetting experience even more fun. Read on for some of our favorite Firefox features that you may not know about… yet.

1. Send tabs across the room

If you’ve ever been reading an article, recipe or website on your phone and thought it would look better and bigger on your computer, what do you do? Email or text yourself the link, right? Friends, there is a better way to do this with Firefox. Send that tab (or several tabs) to any device where you’re logged into your Firefox account, and it’ll be waiting for you when you get there. It also works in reverse, so you can send a tab from your computer to your phone as well. Pick up where you left off with send tabs in Firefox.

How to do it:

From Firefox on your computer: Right-click (PC) or two-finger tap (Mac) on a tab and select Send Tab to Device.
From Firefox on your phone: Tap the share icon, which will open up the Send to Device option.
Don’t see these options? Sign into your Firefox account on both devices, then they’ll appear.

2. Search for a needle in a tabstack

Tab hoarders, we see you. Heck, we are you. Don’t ever let anyone shame you for having dozens (and dozens³) of open tabs, implying you don’t have it together and can’t find the right one. Instead, dazzle them with this trick. Add a % sign to your URL search to search specifically through all your open tabs, including tabs in different windows. Then you can click over to the already open tab instead of creating a duplicate, not that anyone has ever done that.

Bonus tip: If you love that tab search trick, try searching through your Bookmarks with * or your History with ^.

3. Screenshots made simple

Ever need a screenshot, but don’t remember how to do it? Or you snapped one successfully but lost it in the bowels of your hard drive? The built-in Firefox screenshot feature takes all the stress away. Right-click (PC) or two-finger tap (Mac) to call up the Firefox action menu (see above tip) and scroll to Take Screenshot. Bam, you’re screenshotting!

Bonus tip: Here’s how to add a screenshot button to your Firefox toolbar so it’s at your fingertips.

4. Reopen a closed tab

Tabs are life, and life is in tabs. Closing the wrong one leads to that sinking oh no feeling we know all too well. So we made a fix for that.

How to do it: Type Ctrl + shift + T for PC. Command + shift + T for Mac. Boom, tab instantly resurrected. You can even do that multiple times to reopen multiple closed tabs.

5. Pocket the best for later

There is so much good stuff to read and watch online that you’re not going to finish the internet in your lifetime. But, you can save the best for later. Click the Pocket icon to save any article, video or page straight from Firefox. Then, when you’ve got some extra time on your hands, it’ll be waiting in the Pocket app (available for Android and iOS) on your phone. How brilliant is that?

Where to get it: Look for the Pocket symbol to the right of your toolbar to get started saving any article, video or page from Firefox.

6. Video multitasking with picture-in-picture

Got things to do and games to watch? One of our most popular features, picture-in-picture, lets you pop out a video from Firefox so that it plays over the other windows on your screen. It’s perfect for watching things on the side — sports, hearings, live news, soothing scenes and, even cute animals. Plus, it has multi-mode.

Where to get it: Hover over any playing video and look for the picture-in-picture icon. Try it:

7. Sample any color with the built-in eyedropper

This one is for the creators out there. The web is a colorful place, and every color has a code called a HEX value assigned to it. With the eyedropper tool built into Firefox, you can go around the web quickly sampling colors and copying the HEX value to use elsewhere.

How to use it: Click the main menu in the upper right corner, scroll to More Tools and then to the eyedropper. Have fun sampling!

8. Fuggedaboutit!

There might be times when you want to erase your recent browsing history super fast, and when that time comes, Firefox is here for you with the forget feature. Instead of asking a lot of complex technical questions, forget asks you only one: how much do you want to forget? Once you tell Firefox you want to forget the last 5 minutes, or 2 hours or 24 hours, it takes care of the rest. This is extra handy if you share a computer with friends or family. Or if you forgot to open a private browsing window. Or if you just don’t want your recent browsing history (~~royal family gossip~~) reappearing.

Where to get it:

Click the main menu in the upper right corner and select More Tools.
Next, select Customize Toolbar.
Locate the Forget shortcut
Grab it with your mouse and drag it up to the Toolbar.
Then click the Done button.
Now the Forget button is at your fingertips everywhere you go in Firefox.

9. Password headache fixer

If you’ve heard it once, you’ve heard it a million times — use strong unique passwords. You might complain that it’s easier said than done, but in Firefox it’s actually so easy to do. With the built-in password generator, you can create and save strong unique passwords without ever leaving Firefox. No extra downloads, software or sketchy websites needed. Bonus tip: Sync your Firefox account between multiple devices to get your logins and passwords on your mobile.

How to use it:

Right-click in the Password field and select Suggest Strong Password.

To find saved passwords on your computer: Click the main menu in the upper right corner and select Passwords.
To find saved passwords on your phone, go to your Firefox settings and select Logins and Passwords.

Bonus tip: Set up a Primary Password to guard all those strong, unique passwords.

10. Restore session

Everyone has been through the struggle of restarting their computer or just the browser and losing tabs. It’s soul draining. By default, Firefox starts with a single open window. If you want to get back to where you left off, use the session restore feature that revives everything you had open last time. Tap the main menu in the upper right. Click History, then select Restore Previous Session. Soul restored.

Make it permanent: You can set Firefox to always show the windows and tabs from your previous session each time you start Firefox. Here’s how.

11. The hidden menu

Maybe you know about this one, but for those who do not, it’s essential. You need to know about the hidden Firefox action menu that appears and changes depending on where you open it. When you open the menu on a website, an image or the menu bar, the actions are contextual to what you’re doing at the moment. Smart! Fun fact: The top 25 context menu entries cover 97% of the things people want to do.

How to use it: Right-click (PC) or two-finger tap (Mac) throughout Firefox.

Now that you’re practically a pro, pass this article onto your friends to share the secret tips of Firefox.

The post 11 secret tips for Firefox that will make you an internet pro appeared first on The Mozilla Blog.
by M.J. Kelly at June 08, 2021 09:40 PM
Dennis Schubert — WebCompat Tale: CSS Flexbox and the order of things
Have you thought about the order of things recently? Purely from a web development perspective, I mean.

The chances are that you, just like me, usually don’t spend too much time thinking about the drawing order of elements on your site when writing HTML and CSS. And that’s generally fine because things usually just feel right. Consider the following little example:

Source:

<style> #order-demo-one { position: relative; height: 100px; width: 100px; } #order-demo-one .box { position: absolute; bottom: 0; left: 0; right: 0; top: 0; } #order-demo-one .first { background-color: blue; } #order-demo-one .second { background-color: red; } </style> <section id="order-demo-one"> <div class="box first"></div> <div class="box second"></div> </section>

Result:

You could probably tell, without even looking at the result, that the second box - the red one - should be “on top”, completely covering up the blue box. After all, both boxes have the same size and the same position, but since the second box is placed after the first box, it’s drawn on top of the first one. To me, this feels pretty intuitive.

Let’s add some Flex to it

Now, let’s make things a bit more complicated. If you’re reading this article, I hope you’re at least slightly familiar with CSS Flexbox. And as you might know, flex-items have an order property, which you can use to reorder the items inside a flex container. Here’s the same example as before, but this time inside a flexbox container, with the items reordered. Note that this demo uses the same source as above, but I’m only showing relevant changes here.

Source:

<style> #order-demo-two { display: flex; } #order-demo-two .first { order: 2; } #order-demo-two .second { order: 1; } </style> <section id="order-demo-two"> <div class="box first"></div> <div class="box second"></div> </section>

Result:

Okay, now we used order to swap positions of the first and second boxes. And as you can see in the demo … nothing changed. What? This is where things start becoming a bit counter-intuitive because this test case is actually a bit of a trick question.

Here is what the CSS Flexbox spec says about the order property:

A flex container lays out its content in order-modified document order, starting from the lowest numbered ordinal group and going up. Items with the same ordinal group are laid out in the order they appear in the source document.

This also affects the painting order, exactly as if the flex items were reordered in the source document.

Absolutely-positioned children of a flex container are treated as having order: 0 for the purpose of determining their painting order relative to flex items.

(List points added by me; the original is a single block of text.)

Point 1 is what we intuitively know. An element with order: 2 is shown after order: 1. So far, so good. Point 2, however, says that if you specify order, the elements should behave as if they have been reordered in the HTML. For our example above, this should mean that both of these HTML snippets should behave the same:

<section id="order-demo-two"> <div class="box first"></div> <div class="box second"></div> </section>

<section id="order-demo-two"> <div class="box second"></div> <div class="box first"></div> </section>

But we can clearly see that that’s not how it works. That is because in the spec text above, point 3 says that if a flex item is absolutely-positioned, it is always treated as having order: 0, so what we define in our CSS doesn’t actually matter.

Flex order, for real this time.

So instead of having the absolutely positioned element as the flex item, let’s build another demo that has the absolute element inside the flex item.

Source:

<style> #order-demo-three { display: flex; position: relative; height: 100px; width: 100px; } #order-demo-three .first { order: 2; } #order-demo-three .second { order: 1; } #order-demo-three .inner { position: absolute; bottom: 0; left: 0; right: 0; top: 0; } #order-demo-three .first .inner { background-color: blue; } #order-demo-three .second .inner { background-color: red; } </style> <section id="order-demo-three"> <div class="box first"> <div class="inner"></div> </div> <div class="box second"> <div class="inner"></div> </div> </section>

Result:

And now, I might have lost you. Because, as of the time of writing this, what you see as the result depends on which browser you read this blog post in. In Firefox, you’ll see the blue box on top; but pretty much everywhere else, the red box will still be on top.

The question now is: who is right? And instead of just telling you the answer, let’s work it out together. Rule 3 from above does not apply here: The flex items are not absolutely positioned, so the order should be taken into consideration. To check if that’s the case, we can look at rule 2: the code should behave the same if we reorder the elements in the HTML. We can build a test for that:

Source:

<section id="order-demo-four"> <div class="box second"> <div class="inner"></div> </div> <div class="box first"> <div class="inner"></div> </div> </section>

Result:

(again, the code is the same as the one in #order-demo-three, but I’m just showing the HTML to keep it easier to read)

If you’re reading this in Firefox, then the last two test cases behave the same: they’ll show the blue box. However, if you’re in Chrome, Safari, or Edge, there will be a difference: the first case will show the red box, the second case shows the blue box. If you now think that this is a bug in Blink and WebKit: you are right, and that bug has been known for a while.

Uh, what now?

This might sound like a super weird edge-case, and that’s probably right. It is a weird edge case. But unfortunately, as with pretty much all things that end up on my desk, we discovered this edge-case by investigating real-world breakage. Here, we received a report about the flight date picker on flydubai.com being broken, where in Firefox, there is an advertising banner on top of the picker. That’s caused by what I described here.

The Blink issue I linked earlier was opened in 2016, and there hasn’t been much progress on there since. I’m not saying this to blame Google folks; that’s just highlighting that changing things like this is a bit tricky sometimes. While there appears to be a consensus that Firefox is right, changing Chrome to match Firefox could result in an undefined number of broken sites. So you have to be careful when pushing such a change.

For now, I decided to go ahead and add a web-platform-test for this, because there is none yet. Currently, there’s also a cross-browser compat effort, “Compat2021”, going on, and CSS Flexbox is one of the key areas everyone wants to work on to make it a bit less of a pain for web developers. Maybe we can get some progress done on this issue as well. I will certainly try!

And with that, I have to end this post. There is no happy end, there isn’t even a certainty on what - if anything - will happen next. Sometimes, that’s the nature of our work. And I think that’s worth sharing, too.
by Dennis Schubert at June 08, 2021 06:40 PM
Hacks.Mozilla.Org — Implementing Private Fields for JavaScript
This post is cross-posted from Matthew Gaudet’s blog

When implementing a language feature for JavaScript, an implementer must make decisions about how the language in the specification maps to the implementation. Sometimes this is fairly simple, where the specification and implementation can share much of the same terminology and algorithms. Other times, pressures in the implementation make it more challenging, requiring or pressuring the implementation strategy diverge to diverge from the language specification.

Private fields is an example of where the specification language and implementation reality diverge, at least in SpiderMonkey– the JavaScript engine which powers Firefox. To understand more, I’ll explain what private fields are, a couple of models for thinking about them, and explain why our implementation diverges from the specification language.

Private Fields

Private fields are a language feature being added to the JavaScript language through the TC39 proposal process, as part of the class fields proposal, which is at Stage 4 in the TC39 process. We will ship private fields and private methods in Firefox 90.

The private fields proposal adds a strict notion of ‘private state’ to the language. In the following example, #x may only be accessed by instances of class A:

class A { #x = 10; }

This means that outside of the class, it is impossible to access that field. Unlike public fields for example, as the following example shows:

class A { #x = 10; // Private field y = 12; // Public Field } var a = new A(); a.y; // Accessing public field y: OK a.#x; // Syntax error: reference to undeclared private field

Even various other tools that JavaScript gives you for interrogating objects are prevented from accessing private fields (e.g. Object.getOwnProperty{Symbols,Names} don’t list private fields; there’s no way to use Reflect.get to access them).

A Feature Three Ways

When talking about a feature in JavaScript, there are often three different aspects in play: the mental model, the specification, and the implementation.

The mental model provides the high-level thinking that we expect programmers to use mostly. The specification in turn provides the detail of the semantics required by the feature. The implementation can look wildly different from the specification text, so long as the specification semantics are maintained.

These three aspects shouldn’t produce different results for people reasoning through things (though, sometimes a ‘mental model’ is shorthand, and doesn’t accurately capture semantics in edge case scenarios).

We can look at private fields using these three aspects:

Mental Model

The most basic mental model one can have for private fields is what it says on the tin: fields, but private. Now, JS fields become properties on objects, so the mental model is perhaps ‘properties that can’t be accessed from outside the class’.

However, when we encounter proxies, this mental model breaks down a bit; trying to specify the semantics for ‘hidden properties’ and proxies is challenging (what happens when a Proxy is trying to provide access control to properties, if you aren’t supposed to be able see private fields with Proxies? Can subclasses access private fields? Do private fields participate in prototype inheritance?) . In order to preserve the desired privacy properties an alternative mental model became the way the committee thinks about private fields.

This alternative model is called the ‘WeakMap’ model. In this mental model you imagine that each class has a hidden weak map associated with each private field, such that you could hypothetically ‘desugar’

class A { #x = 15; g() { return this.#x; } }

into something like

class A_desugared { static InaccessibleWeakMap_x = new WeakMap(); constructor() { A_desugared.InaccessibleWeakMap_x.set(this, 15); } g() { return A_desugared.InaccessibleWeakMap_x.get(this); } }

The WeakMap model is, surprisingly, not how the feature is written in the specification, but is an important part of the design intention is behind them. I will cover a bit later how this mental model shows up in places later.

Specification

The actual specification changes are provided by the class fields proposal, specifically the changes to the specification text. I won’t cover every piece of this specification text, but I’ll call out specific aspects to help elucidate the differences between specification text and implementation.

First, the specification adds the notion of [[PrivateName]], which is a globally unique field identifier. This global uniqueness is to ensure that two classes cannot access each other’s fields merely by having the same name.

function createClass() { return class { #x = 1; static getX(o) { return o.#x; } }; } let [A, B] = [0, 1].map(createClass); let a = new A(); let b = new B(); A.getX(a); // Allowed: Same class A.getX(b); // Type Error, because different class.

The specification also adds a new ‘internal slot’, which is a specification level piece of internal state associated with an object in the spec, called [[PrivateFieldValues]] to all objects. [[PrivateFieldValues]] is a list of records of the form:

{ [[PrivateName]]: Private Name, [[PrivateFieldValue]]: ECMAScript value }

To manipulate this list, the specification adds four new algorithms:

PrivateFieldFind

PrivateFieldAdd

PrivateFieldGet

PrivateFieldSet

These algorithms largely work as you would expect: PrivateFieldAdd appends an entry to the list (though, in the interest of trying to provide errors eagerly, if a matching Private Name already exists in the list, it will throw a TypeError. I’ll show how that can happen later). PrivateFieldGet retrieves a value stored in the list, keyed by a given Private name, etc.

The Constructor Override Trick

When I first started to read the specification, I was surprised to see that PrivateFieldAdd could throw. Given that it was only called from a constructor on the object being constructed, I had fully expected that the object would be freshly created, and therefore you’d not need to worry about a field already being there.

This turns out to be possible, a side effect of some of the specification’s handling of constructor return values. To be more concrete, the following is an example provided to me by André Bargull, which shows this in action.

class Base { constructor(o) { return o; // Note: We are returning the argument! } } class Stamper extends Base { #x = "stamped"; static getX(o) { return o.#x; } }

Stamper is a class which can ‘stamp’ its private field onto any object:

let obj = {}; new Stamper(obj); // obj now has private field #x Stamper.getX(obj); // => "stamped"

This means that when we add private fields to an object we cannot assume it doesn’t have them already. This is where the pre-existence check in PrivateFieldAdd comes into play:

let obj2 = {}; new Stamper(obj2); new Stamper(obj2); // Throws 'TypeError' due to pre-existence of private field

This ability to stamp private fields into arbitrary objects interacts with the WeakMap model a bit here as well. For example, given that you can stamp private fields onto any object, that means you could also stamp a private field onto a sealed object:

var obj3 = {}; Object.seal(obj3); new Stamper(obj3); Stamper.getX(obj3); // => "stamped"

If you imagine private fields as properties, this is uncomfortable, because it means you’re modifying an object that was sealed by a programmer to future modification. However, using the weak map model, it is totally acceptable, as you’re only using the sealed object as a key in the weak map.

PS: Just because you can stamp private fields into arbitrary objects, doesn’t mean you should: Please don’t do this.

Implementing the Specification

When faced with implementing the specification, there is a tension between following the letter of the specification, and doing something different to improve the implementation on some dimension.

Where it is possible to implement the steps of the specification directly, we prefer to do that, as it makes maintenance of features easier as specification changes are made. SpiderMonkey does this in many places. You will see sections of code that are transcriptions of specification algorithms, with step numbers for comments. Following the exact letter of the specification can also be helpful where the specification is highly complex and small divergences can lead to compatibility risks.

Sometimes however, there are good reasons to diverge from the specification language. JavaScript implementations have been honed for high performance for years, and there are many implementation tricks that have been applied to make that happen. Sometimes recasting a part of the specification in terms of code already written is the right thing to do, because that means the new code is also able to have the performance characteristics of the already written code.

Implementing Private Names

The specification language for Private Names already almost matches the semantics around Symbols, which already exist in SpiderMonkey. So adding PrivateNames as a special kind of Symbol is a fairly easy choice.

Implementing Private Fields

Looking at the specification for private fields, the specification implementation would be to add an extra hidden slot to every object in SpiderMonkey, which contains a reference to a list of {PrivateName, Value} pairs. However, implementing this directly has a number of clear downsides:

It adds memory usage to objects without private fields

It requires invasive addition of either new bytecodes or complexity to performance sensitive property access paths.

An alternative option is to diverge from the specification language, and implement only the semantics, not the actual specification algorithms. In the majority of cases, you really can think of private fields as special properties on objects that are hidden from reflection or introspection outside a class.

If we model private fields as properties, rather than a special side-list that is maintained with an object, we are able to take advantage of the fact that property manipulation is already extremely optimized in a JavaScript engine.

However, properties are subject to reflection. So if we model private fields as object properties, we need to ensure that reflection APIs don’t reveal them, and that you can’t get access to them via Proxies.

In SpiderMonkey, we elected to implement private fields as hidden properties in order to take advantage of all the optimized machinery that already exists for properties in the engine. When I started implementing this feature André Bargull – a SpiderMonkey contributor for many years – actually handed me a series of patches that had a good chunk of the private fields implementation already done, for which I was hugely grateful.

Using our special PrivateName symbols, we effectively desuagar

class A { #x = 10; x() { return this.#x; } }

to something that looks closer to

class A_desugared { constructor() { this[PrivateSymbol(#x)] = 10; } x() { return this[PrivateSymbol(#x)]; } }

Private fields have slightly different semantics than properties however. They are designed to issue errors on patterns expected to be programming mistakes, rather than silently accepting it. For example:

Accessing an a property on an object that doesn’t have it returns undefined. Private fields are specified to throw a TypeError, as a result of the PrivateFieldGet algorithm.

Setting a property on an object that doesn’t have it simply adds the property. Private fields will throw a TypeError in PrivateFieldSet.

Adding a private field to an object that already has that field also throws a TypeError in PrivateFieldAdd. See “The Constructor Override Trick” above for how this can happen.

To handle the different semantics, we modified the bytecode emission for private field accesses. We added a new bytecode op, CheckPrivateField which verifies an object has the correct state for a given private field. This means throwing an exception if the property is missing or present, as appropriate for Get/Set or Add. CheckPrivateField is emitted just before using the regular ‘computed property name’ path (the one used for A[someKey]).

CheckPrivateField is designed such that we can easily implement an inline cache using CacheIR. Since we are storing private fields as properties, we can use the Shape of an object as a guard, and simply return the appropriate boolean value. The Shape of an object in SpiderMonkey determines what properties it has, and where they are located in the storage for that object. Objects that have the same shape are guaranteed to have the same properties, and it’s a perfect check for an IC for CheckPrivateField.

Other modifications we made to make to the engine include omitting private fields from the property enumeration protocol, and allowing the extension of sealed objects if we are adding private field.

Proxies

Proxies presented us a bit of a new challenge. Concretely, using the Stamper class above, you can add a private field directly to a Proxy:

let obj3 = {}; let proxy = new Proxy(obj3, handler); new Stamper(proxy) Stamper.getX(proxy) // => "stamped" Stamper.getX(obj3) // TypeError, private field is stamped // onto the Proxy Not the target!

I definitely found this surprising initially. The reason I found this surprising was I had expected that, like other operations, the addition of a private field would tunnel through the proxy to the target. However, once I was able to internalize the WeakMap mental model, I was able to understand this example much better. The trick is that in the WeakMap model, it is the Proxy, not the target object, used as the key in the #x WeakMap.

These semantics presented a challenge to our implementation choice to model private fields as hidden properties however, as SpiderMonkey’s Proxies are highly specialized objects that do not have room for arbitrary properties. In order to support this case, we added a new reserved slot for an ‘expando’ object. The expando is an object allocated lazily that acts as the holder for dynamically added properties on the proxy. This pattern is used already for DOM objects, which are typically implemented as C++ objects with no room for extra properties. So if you write document.foo = "hi", this allocates an expando object for document, and puts the foo property and value in there instead. Returning to private fields, when #x is accessed on a Proxy, the proxy code knows to go and look in the expando object for that property.

In Conclusion

Private Fields is an instance of implementing a JavaScript language feature where directly implementing the specification as written would be less performant than re-casting the specification in terms of already optimized engine primitives. Yet, that recasting itself can require some problem solving not present in the specification.

At the end, I am fairly happy with the choices made for our implementation of Private Fields, and am excited to see it finally enter the world!

Acknowledgements

I have to thank, again, André Bargull, who provided the first set of patches and laid down an excellent trail for me to follow. His work made finishing private fields much easier, as he’d already put a lot of thought into decision making.

Jason Orendorff has been an excellent and patient mentor as I have worked through this implementation, including two separate implementations of the private field bytecode, as well as two separate implementations of proxy support.

Thanks to Caroline Cullen, and Iain Ireland for helping to read drafts of this post, and to Steve Fink for fixing many typos.

The post Implementing Private Fields for JavaScript appeared first on Mozilla Hacks - the Web developer blog.
by Matthew Gaudet at June 08, 2021 03:26 PM
The Talospace Project — Firefox 89 on POWER
Firefox 89 was released last week with much fanfare over its new interface, though being the curmudgeon I am I'm less enamoured of it. I like the improvements to menus and doorhangers but I'm a big user of compact tabs, which were deprecated, and even with compact mode surreptitously enabled the tab bar is still about a third or so bigger than Firefox 88 (see screenshot). There do seem to be some other performance improvements, though, plus the usual more lower-level changes and WebRender is now on by default for all Linux configurations, including for you fools out there trying to run Nvidia GPUs.
The chief problem is that Fx89 may not compile correctly with certain versions of gcc 11 (see bugs 1710235 and 1713968). For Fedora users if you aren't on 11.1.1-3 (the current version as of this writing) you won't be able to compile the browser at all, and you may not be able to compile it fully even then without putting a # pragma GCC diagnostic ignored "-Wnonnull" at the top of js/src/builtin/streams/PipeToState.cpp (I still can't; see bug 1713968). gcc 10 is unaffected. I used the same .mozconfigs and PGO-LTO optimization patches as we used for Firefox 88. With those changes the browser runs well.
While waiting for the updated gcc I decided to see if clang/clang++ could now build the browser completely on ppc64le (it couldn't before), even though gcc remains my preferred compiler as it generates higher performance objects. The answer is now it can and this time it did, merely by substituting clang for gcc in the .mozconfig, but even using the bfd linker it makes a defective Firefox that freezes or crashes outright on startup; it could not proceed to the second phase of PGO-LTO and the build system aborted with an opaque error -139. So much for that. For the time being I think I'd rather spend my free cycles on the OpenPOWER JavaScript JIT than figuring out why clang still sucks at this.
Some of you will also have noticed the Mac-style pulldown menus in the screenshot, even though this Talos II is running Fedora 34. This comes from firefox-appmenu, which since I build from source is trivial to patch in, and the Fildem global menu GNOME extension (additional tips) paired with my own custom gnome-shell theme. I don't relish adding another GNOME extension that Fedora 35 is certain to break, but it's kind of nice to engage my Mac mouse-le memory and it also gives me a little extra vertical room. You'll notice the window also lacks client-side decorations since I can just close the window with key combinations; this gives me a little extra horizontal tab room too. If you want that, don't apply this particular patch from the firefox-appmenu series and just use the other two .patches.
by ClassicHasClass at June 08, 2021 01:37 AM
The Rust Programming Language Blog — Announcing Rustup 1.24.3
The rustup working group is happy to announce the release of rustup version 1.24.3. Rustup is the recommended tool to install Rust, a programming language that is empowering everyone to build reliable and efficient software.

If you have a previous version of rustup installed, getting rustup 1.24.3 is as easy as closing your IDE and running:

rustup self update

Rustup will also automatically update itself at the end of a normal toolchain update:

rustup update

If you don't have it already, you can get rustup from the appropriate page on our website.

What's new in rustup 1.24.3

This patch release focusses around resolving some regressions in behaviour in the 1.24.x series, in either low tier platforms, or unusual situations around very old toolchains.

Full details are available in the changelog!

Rustup's documentation is also available in the rustup book.

Thanks

Thanks again to all the contributors who made rustup 1.24.3 possible!

Alexander (asv7c2)

Ian Jackson

pierwill

二手掉包工程师 (hi-rustin)

Robert Collins

Daniel Silverstone

by The Rustup Working Group at June 08, 2021 12:00 AM
June 07, 2021
The Mozilla Blog — Feel at home on your iPhone and iPad with Firefox
When we set out earlier this year to reimagine Firefox for desktop to be simpler, more modern and faster to use, we didn’t forget about your Apple mobile devices. We use our laptops and computers for work and play, but our tablets and phones sit a lot closer. They’re the first screens we see in the morning, and the last we see before we go to bed.

Firefox is only one of the many apps you use throughout the day, so our browser can’t just look good. It also needs to feel at home. The newest Firefox for iOS and iPadOS represents what we think online life should be: fast, beautiful and private – presented in a package that looks and feels intuitive and natural.

It’s fast

You can already one-tap to go to your top sites, and we’ve brought the same speed to search. Every time Firefox or a new tab opens, the keyboard will now come up, ready for you to start searching right away.

When typing takes too long, you can build search suggestions word by word.

Firefox syncs your bookmarks, history, passwords and more between devices. But when you have many tabs open on your iPhone, iPad and computer, they’re often hard to find. Now you can simply start typing the tab’s name, and Firefox will show the tabs you have opened, no matter where they’re located.

And if you don’t quite know what something is called, you can browse for it easily. Open the main application menu, and all your bookmarks, history, downloads and reading list are there.

It’s beautiful

We’ve rebuilt parts of Firefox in native components, making it feel more iPhone and iPad-like than ever before. You’ll notice design elements that look and work identically to those found in many other apps, so our browser feels instantly familiar. We’ve also taken a major step up in accessibility. Firefox now supports more text sizes and integrates better with screen readers.

Our menus take up less space and work like all other menus you’re used to.

Before After

All your tabs, including ones synced from other devices, now appear side by side. And your bookmarks, history, downloads and reading list are browsed just like tabs do. Switching between them is a breeze.

Before After

And we’ve given Firefox for iPadOS the same productivity-inspired new tab design, simplified navigation and streamlined menus. Your favourite browser now looks and feels consistent, no matter where you are.

It’s private

The App Store now includes app privacy labels that help you understand our data collection practices.

Here’s what we collect and why:

When you sign into your Firefox account with your email, you’ll receive updates about all the awesome things happening at Mozilla in your inbox. You can manage your Newsletter subscriptions here.

You may choose to share information about feature usage, crashes and other technical data with us. We collect them, but we do not link them to your Firefox account identity! This information helps us improve Firefox performance and stability, and to support our marketing. You can read more about it here.

What’s next for Firefox

We’re excited to share a fast, beautiful and private Firefox experience across all your devices. No matter what device you choose to tackle the web in the future, Firefox will be there for you. Download the latest version of Firefox for your iOS and Mac and to experience the latest fresh clean look and feel.

The post Feel at home on your iPhone and iPad with Firefox appeared first on The Mozilla Blog.
by Bram Pitoyo at June 07, 2021 04:00 PM
Daniel Stenberg — Bye bye metalink in curl
In 2012 I wrote a blog post titled curling the metalink, describing how we added support for metalink to curl.

Today, we remove that support again. This is a very drastic move, and I feel obliged to explain it so here it goes! curl 7.78.0 will ship without metalink support.

Metalink problems

There were several issues found that combined led us to this move.

Security problems

We’ve found several security problems and issues involving the metalink support in curl. The issues are not detailed here because they’ve not been made public yet.

When working on these issues, it become apparent to the curl security team that several of the problems are due to the system design, metalink library API and what the metalink RFC says. They are very hard to fix on the curl side only.

Unusual use pattern

Metalink usage with curl was only very briefly documented and was not following the “normal” curl usage pattern in several ways, making it surprising and non-intuitive which could lead to further security issues.

libmetalink is abandoned

The metalink library libmetalink was last updated 6 years ago and wasn’t very actively maintained the years before that either. An unmaintained library means there’s a security problem waiting to happen. This is probably reason enough.

XML is heavy

Metalink requires an XML parsing library, which is complex code (even the smaller alternatives) and to this day often gets security updates.

Not used much

Metalink is not a widely used curl feature. In the 2020 curl user survey, only 1.4% of the responders said that they’d are using it. In the just closed 2021 survey that number shrunk to 1.2%. Searching the web also show very few traces of it being used, even with other tools.

The torrent format and associated technology clearly won for downloading large files from multiple sources in parallel.

Violating a basic principle

This change unfortunately breaks command lines that uses --metalink. This move goes directly against one of our basic principles as it doesn’t maintain behavior with previous versions. We’re very sorry about this but we don’t see a way out of this pickle that also takes care of user’s security – which is another basic principle of ours. We think the security concern trumps the other concerns.

Possible to bring back?

The list above contains reasons for the removal. At least some of them can be addressed given enough efforts and work put into it. If someone is willing to do the necessary investment, I think we could entertain the possibility that support can be brought back in a future. I just don’t think it is very probable.

Credits

Image by Ron Porter from Pixabay
by Daniel Stenberg at June 07, 2021 07:06 AM
June 05, 2021
The Talospace Project — Progress on the OpenPOWER SpiderMonkey JIT
Progress!
% gdb --args obj/dist/bin/js --no-baseline --no-ion --no-native-regexp --blinterp-eager -e 'print("hello world")' GNU gdb (GDB) Fedora 10.1-14.fc34 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "ppc64le-redhat-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <https://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at:     <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from obj/dist/bin/js... (gdb) run Starting program: obj/dist/bin/js --no-baseline --no-ion --no-native-regexp --blinterp-eager -e print\(\"hello\ world\"\) warning: Expected absolute pathname for libpthread in the inferior, but got .gnu_debugdata for /lib64/libpthread.so.0. warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available. [New LWP 2797069] [LWP 2797069 exited] [New LWP 2797070] [New LWP 2797071] [New LWP 2797072] [New LWP 2797073] [New LWP 2797074] [New LWP 2797075] [New LWP 2797076] [New LWP 2797077] hello world [LWP 2797072 exited] [LWP 2797070 exited] [LWP 2797074 exited] [LWP 2797077 exited] [LWP 2797073 exited] [LWP 2797071 exited] [LWP 2797076 exited] [LWP 2797075 exited] [Inferior 1 (process 2797041) exited normally]
This may not look like much, but it demonstrates that the current version of the OpenPOWER JavaScript JIT for Firefox can emit machine language instructions correctly (mostly — still more codegen bugs to shake out), handles the instruction cache correctly, handles ABI-compliant calls into the SpiderMonkey VM correctly (the IonMonkey JIT is not ABI-compliant except at those edges), and enters and exits routines without making a mess of the stack. Much of the code originates from TenFourFox's "IonPower" 32-bit PowerPC JIT, though obviously greatly expanded, and there is still ongoing work to make sure it is properly 64-bit aware and takes advantage of instructions available in later versions of the Power ISA. (No more spills to the stack to convert floating point, for example. Yay for VSX!)
Although it is only the lowest level of the JIT, what Mozilla calls the Baseline Interpreter, there is substantial code in common between the Baseline Interpreter and the second-stage Baseline Compiler. Because it has much less overhead compared to Baseline Compiler and to the full-fledged Ion JIT, the Baseline Interpreter can significantly improve page loads all by itself. In fact, my next step might be to get regular expressions and the OpenPOWER Baseline Interpreter to pass the test suite and then drag that into a current version of Firefox for continued work so that it can get banged on for reliability and improve performance for those people who want to build it (analogous to how we got PPCBC running first before full-fledged IonPower in TenFourFox). Eventually full Ion JIT and Wasm support should follow, though those both use rather different codepaths apart from the fundamental portions of the backend which still need to be shaped.
A big shout-out goes to Justin Hibbits, who took TenFourFox's code and merged it with the work I had initially done on JitPower way back in the Firefox 62 days but was never able to finish. With him having done most of the grunt work, I was able to get it to compile and then started attacking the various bugs in it.
Want to contribute? It's on Github. Tracing down bugs is labour-intensive, and involves a lot of emitting trap instructions and single-stepping in the debugger, but when you see those small steps add up into meaningful fixes (man, it was great to see those two words appear) it's really rewarding. I'm happy to give tips to anyone who wants to participate. Once it can pass the test suite at some JIT level, it will be time to forward-port it and if we can get our skates on it might even be possible to upstream it into the next Firefox ESR.
For better or worse, the Web is a runtime. Let's get OpenPOWER workstations running it better.
by ClassicHasClass at June 05, 2021 11:53 PM
June 04, 2021
Mozilla Open Policy & Advocacy Blog — The Van Buren decision is a strong step forward for public interest research online
In a victory for security research and other public interest work, yesterday the U.S Supreme Court held that the Computer Fraud and Abuse Act’s (CFAA) “exceeding authorized access” provision should be narrowly interpreted and cannot be used to criminalize every single violation of a computer-use policy. This is encouraging news for journalists, bug bounty hunters, social science researchers, and many other practitioners who could legitimately access information in a myriad of ways but were at the risk of being prosecuted as criminals.

As we stated in our joint amicus brief to the Court in July 2020, over the years some federal circuit courts had interpreted the CFAA so broadly as to threaten important practices to protect the public, including research and disclosure of software vulnerabilities by those in the security community. The scope of such broad interpretation went beyond security management and has also been used to stifle legitimate public interest research, such as looking into the advertising practices of online platforms, something Mozilla has pushed back against in the past.

In its ruling, the Supreme Court held that authorized access under the CFAA is not exceeded when information is accessed on a computer for a purpose that the system owner considers improper. For example, the ruling clarifies that employees would not violate the CFAA simply by using a work computer to check personal email if that is contrary to the company’s computer use policies. The decision overrules some of the most expansive interpretations of the CFAA and makes it less likely that the law will be used to chill legitimate research and disclosures. The decision does, however, leave some open questions on the role of contractual limits in the CFAA that will likely have to be settled via litigation over the coming years.

However, the net impact of the decision leaves the “exceeding authorized access” debate under the CFAA in a much better place than when it began and should be celebrated as a clear endorsement of the years of efforts by various digital rights organizations to limit its chilling effects with the goal of protecting public interest research, including in cybersecurity.

The post The Van Buren decision is a strong step forward for public interest research online appeared first on Open Policy & Advocacy.
by Udbhav Tiwari at June 04, 2021 09:30 PM
Firefox Nightly — These Weeks in Firefox: Issue 95
Headlines

Firefox 89 released this week! This version includes a major UI redesign and thoughtful touches throughout. See the release notes here.

We launched ideas.mozilla.org, a new platform for the Mozilla community to share their feedback and ideas. While technical feedback and bug reports should still go to Bugzilla, please post product feedback and new feature recommendations to ideas.mozilla.org. Product managers, engineers, and designers will be engaging with the community there to refine and prioritize the suggestions!

Fission is now rolled out to ~50% of Nightly users. For those who don’t yet have it, you can opt-in to using Fission on Nightly, Beta or Release channels by setting `fission.autostart` to `true` followed by a Firefox restart. You will start to see a [F] in the tab hover that confirms that Fission is turned on.

We released Total Cookie Protection in private browsing mode in Firefox 89.

Friends of the Firefox team

For contributions from May 19 to June 1 2021, inclusive.

Introductions/Shout-Outs

Resolved bugs (excluding employees)

Geoff Lankow extracted uses of gBrowser in PrintUtils in a way that can be easily overridden

Sarah Ukoha fixed a bug with opening PDF files when set to save automatically

Danilo B removed obsolete checks and references related to wyciwyg protocol

Andreu Botella updated the WebExtensions’ multipart/form-data parser to match Chrome

Petr Sumbera added missing ScopeExit header

kaira fixed alignment of numbers on Import Summary Page in about:logins

Fixed more than one bug

🌟 Ava Katushka moved recording new download to telemetry from DownloadsCommon to DownloadsList for more accurate download count and created pref for downloads panel improvements

Michelle Goossens removed browser.proton.enabled checks/setters from tests, removed checks for protonAppMenuEnabled or protonToolbarEnabled smart pref getters from tests, removed gProtonDoorhangers, gProtonDoorhangersEnabled, gProtonAppMenuEnabled from various jsms and other frontend (non-test) code, removed -proton from pageActions-proton and browser-proton directory names, removed checks for gProton and gProtonDoorhangers smart pref getters from tests, and disabled browser_accessibility_context_menu_inspector.js on OS X 10.15

New contributors (🌟 = first patch)

🌟 Calum Smith changed Reader Mode so we don’t override <ol>s’ list-style-type in reader mode

🌟 jha.ashray12 fixed size of links in CSV import dialog and report

🌟 siddhant disabled saving to file when screenshot to clipboard is enabled. Updated inspector and developer tools toolbar

Project Updates

Add-ons / Web Extensions

Addon Manager & about:addons

Fixed a small bug in about:addons that was mistakenly allowing a user to remove an extension locked by an enterprise policy – Bug 1658768

WebExtensions Framework

Bug 1709687 – NotFoundError: Could not open the file webext.sc.lz4

Barret landed a fix to avoid some log spam introduced by the changes originally landed as part of Bug 1649593

The id of the extension that is redirecting an intercepted webRequest is now being stored into the channel properties bag (as we are already doing for the extension id that is blocking an intercepted webRequest) – Bug 1711924

The devtools are not currently using this new property set on the channel, and so it is not going to be visible anywhere in the UI at the moment, we will be filing a follow up to track it as a possible addition to the DevTools network panel.

Gijs fixed a bug that was making Firefox to show the “external protocol permission prompt” when an url for an WebExtension-controlled protocol handler was passed on the command line – Bug 1700976 (originally regressed in Firefox 88 from Bug 1678255)

WebExtension APIs

In Firefox 89, the webRequest multipart/form-data parser has been updated to better match the spec (as well as how this API behaves in Chrome) – Bug 1697292

Developer Tools

Font preview for HTTP font requests (bug, contributed by Sebastian Zartner, :sebo)

Supporting private fields in DevTools (bug)

Fission

Targeting Fission M8 – reaching feature parity with pre-Fision state. Also focusing on issues related to BFCache changes (changes behind a pref now, but will be enabled in Nightly soon – check: fission.bfcacheInParent)

Fission

Fission team is fixing the last couple of test failures with the new BFCache in parent process architecture. It is now ready for your testing and experience. Users can set `fission.bfcacheInParent` pref to `true` followed by a Firefox restart to enable this.

Please file any Fission bugs you encounter using this template.

macOS Spotlight

Work continues on supporting native fullscreen. See bug 1631735. Try the behaviour early by enabling full-screen-api.macos-native-full-screen.

Work continues on improved dark mode support. See bug 1623686. Try the behaviour early by enabling widget.macos.respect-system-appearance.

Fixed a bug where context menus would sometimes not appear on a two-finger click: bug 1710474.

Preliminary work to improve high contrast mode on Mac: Bug 1711261 – Address bar and Search bar lack contrast in OSX High Contrast mode.

Preliminary work on reducing power consumption when watching videos.

Messaging System

Updated both about:welcome and upgrade dialog for macOS pinning and from pinning experiment learnings to ask pin then default

Better support local dynamic about:welcome behaviors, e.g., app is pinned or has return-to-AMO attribution, already default, with remote experiment configuration

More polishing of onboarding, e.g., updated noodle colors to match marketing, hover effect for Arabic “sign in,” better font-size scaling for narrow windows

New Tab Page

Work continues on remaining proton redesign work. Meta: Bug 1707989.

Continuing to file bugs about this work that include some front-end good first bugs. (:amy is happy to mentor bugs)

Bug 1712297 Pinned topsites search shortcuts left hanging when @search_engine gets removed. Fix landed including tests. Thank you :standard8, :aflorinescu & :dao!

Password Manager

:dimi updated the heuristics model for determining if there’s a new password field on a page so that the password manager more accurately offers password generation on register pages.

Tim :tgiles is finishing up improving the password generation experience for many sites.

Thanks to the following two contributors for their help!

Kaira (anshukaira) fixed an alignment issue in the Login CSV import report page.

Ashray (jha.ashray12) fixed some links being too large in the Login CSV import report page.

Performance

Doug and Florian have worked on improving our BHR (Background Hang Reporter) data and visualizing that data

Dashboard link

Doug’s been working on recording JS stacks for late write reports to help stop us writing to disk during shutdown, removing jank caused by session restore, and improving mouse event IPC

Florian has fixed a number of issues with about:processes.

Emma has made a number of fixes to IO during the startup path to stop relying on OS.File

Performance Tools

You can now filter markers by their category in the marker chart and marker table.

No periodic sampling mode now collects thread CPU usage as well. Previously this section was blank. Example profile.

When importing a Linux perf profile into Firefox Profiler, the timeline will look better with less wasted empty space. Example profile.

Before

After

Made various improvements on the activity graph in the timeline. It’s more accurate now.

Privacy/Security

Updating site data clearing to also clear storage partitioned by Total Cookie Protection – Bug 1646215

Rather than clearing per host, we will clear by “Cookie Jar” (by eTLD+1)

We’re teaching all the storage cleaner implementations how to do that – Bug 1705032, Bug 1705033, Bug 1705035, Bug 1709621

Search and Navigation

Drew added new nontechnical address bar overview to source tree documentation, also explaining results composition

Drew continues to work on the next Firefox Suggest experiment

Daisuke fixed deduplication of search suggestions with the experimental unit conversion address bar provider (browser.urlbar.unitConversion.enabled) – Bug 1711156

Daisuke fixed spacing of search shortcut buttons – Bug 1710651

Harry fixed the reader view button tooltip – Bug 1712569

Screenshots

Kajal Sah started her outreachy internship last week!

Kajal is working on a patch to add the screenshot button to the context menu for iframes

Downloads Panel

Outreachy intern, Ava Katushka, started with us last week! She’ll be helping us implement fixes and features in the Downloads Panel to make the downloading experience smoother:

See meta bug to follow along

Work will be behind a pref: browser.download.improvements_to_download_panel (bug 1710929)

Ava fixed an issue where downloads telemetry was inflated (bug 1706355).

Ava is working on a change where if a user chooses to open a file with a computer application, it’s saved to the Downloads folder (bug 1710933).

by Harry Twyford at June 04, 2021 03:26 PM
June 03, 2021
Ryan Harter — Getting Credit for Invisible Work
Last month I gave a talk at csv,conf on "Getting Credit for Invisible Work". The (amazing) csv,conf organizers just published a recording of the talk. (slides here). Give it a watch! It's only 20m long (including the Q&A).

Invisible work is a concept I've been trying to …
by Ryan T. Harter at June 03, 2021 07:00 AM
June 02, 2021
About:Community — Firefox 89: The New Contributors To MR1
Firefox 89 would not have been possible without our community, and it is a great privilege for us to thank all the developers who contributed their first code change to MR1, 44 of whom were brand new volunteers!

rai.ankur0007: 1695253

rashadmad: 1702452

ryedu.09: 1633416, 1703119

theodorasabalou: 1703126

toby.she: 1703697

tom: 1695466

Aditi Singh: 1703128

Anshul Sahai: 1700195, 1702013

Ashita: 1697644, 1698105, 1699276

Ashwini Wankhede: 1702601, 1703597, 1703599

Bukola Felicia Akinnadeju: 1703596, 1704060, 1704976

Cameron: 1687318

Claudia Batista: 1625651, 1651012, 1701903

Darryl Pogue: 1350237

Dawit: 1701250

Dhanesh: 1679985, 1685806

Dylan Franken: 1680751

Evgenia Kotovich: 1703598, 1705198

Filipa Rocha: 1703131

Garima Mazumdar: 1687586, 1698595

George A. Michel: 1703408

Hamza Mahfooz: 1701460

Justus Winter: 1698510

Kajal Sah: 1664259, 1673269, 1701461, 1702538, 1702539, 1702542, 1702543, 1702557, 1702558, 1702559, 1702565, 1702567, 1702568, 1702570, 1702572, 1702573, 1702574, 1702575, 1702576, 1702578

Leslie: 1702451

Lia: 1699277

Luz De La Rosa: 1703579, 1703586, 1703626

Manuel Carretero: 1575105, 1667943

Michelle: 1704006

Osagie: 1702371

RJ Johnson: 1697721

Ramya Praneetha ramya: 1676067

Robert Bryer: 1698401

Sarah Ukoha: 1663143, 1700412, 1703813

Swapnik Katkoori: 1697616

TheEvilSkeleton: 1648029

Thomas Kluyver: 1705130

Tilda Udufo: 1631570

Umar: 1703155

Victor Alvarez: 1704425

akshita gupta: 1622676

disha: 1702372

mehaboob shariff: 1699273

pavel: 1699275, 1699279

by mhoye at June 02, 2021 07:29 PM
Data@Mozilla — This week in Glean: Glean Dictionary updates
(“This Week in Glean” is a series of blog posts that the Glean Team at Mozilla is using to try to communicate better about our work. They could be release notes, documentation, hopes, dreams, or whatever: so long as it is inspired by Glean.) All “This Week in Glean” blog posts are listed in the TWiG index (and on the Mozilla Data blog).

Lots of progress on the Glean Dictionary since I made the initial release announcement a couple of months ago. For those coming in late, the Glean Dictionary is intended to be a data dictionary for applications built using the Glean SDK and Glean.js. This currently includes Firefox for Android and Firefox iOS, as well as newer initiatives like Rally. Desktop Firefox will use Glean in the future, see Firefox on Glean (FoG).

Production URL

We’re in production! You can now access the Glean Dictionary at dictionary.telemetry.mozilla.org. The old protosaur-based URL will redirect.

Glean Dictionary + Looker = ❤️

At the end of last year, Mozilla chose Looker as our internal business intelligence tool. Frank Bertsch, Daniel Thorn, Anthony Miyaguchi and others have been building out first class support for Glean applications inside this platform, and we’re starting to see these efforts bear fruit. Looker’s explores are far easier to use for basic data questions, opening up data based inquiry to a much larger cross section of Mozilla.

I recorded a quick example of this integration here:

Note that Looker access is restricted to Mozilla employees and NDA’d volunteers. Stay tuned for more public data to be indexed inside the Glean Dictionary in the future.

Glean annotations!

I did up the first cut of a GitHub-based system for adding annotations to metrics – acting as a knowledge base for things data scientists and others have discovered about Glean Telemetry in the field. This can be invaluable when doing new analysis. A good example of this is the annotation added for the opened as default browser metric for Firefox for iOS, which has several gotchas:

Many thanks to Krupa Raj and Leif Oines for producing the requirements which led up to this implementation, as well as their evangelism of this work more generally inside Mozilla. Last month, Leif and I did a presentation about this at Data Club, which has been syndicated onto YouTube:

Since then, we’ve had a very successful working session with some people Data Science and have started to fill out an initial set of annotations. You can see the progress in the glean-annotations repository.

Other Improvements

Lots more miscellaneous improvements and fixes have gone into the Glean Dictionary in the last several months: see our releases for a full list. One thing that irrationally pleases me are the new labels Linh Nguyen added last week: colorful and lively, they make it easy to see when a Glean Metric is coming from a library:

Future work

The Glean Dictionary is just getting started! In the next couple of weeks, we’re hoping to:

Expand the Looker integration outlined above, as our deploy takes more shape.

Work on adding “feature” classification to the Glean Dictionary, to make it easier for product managers and other non-engineering types to quickly find the metrics and other information they need without needing to fully understand what’s in the source tree.

Continue to refine the user interface of the Glean Dictionary as we get more feedback from people using it across Mozilla.

If you’re interested in getting involved, join us! The Glean Dictionary is developed in the open using cutting edge front-end technologies like Svelte. Our conviction is that being transparent about the data Mozilla collects helps us build trust with our users and the community. We’re a friendly group and hang out on the #glean-dictionary channel on Matrix.

by Will Lachance at June 02, 2021 04:16 PM
William Lachance — Glean Dictionary updates
(this is a cross-post from the data blog)

Lots of progress on the Glean Dictionary since I made the initial release announcement a couple of months ago. For those coming in late, the Glean Dictionary is intended to be a data dictionary for applications built using the Glean SDK and Glean.js. This currently includes Firefox for Android and Firefox iOS, as well as newer initiatives like Rally. Desktop Firefox will use Glean in the future, see Firefox on Glean (FoG).

Production URL

We’re in production! You can now access the Glean Dictionary at dictionary.telemetry.mozilla.org. The old protosaur-based URL will redirect.

Glean Dictionary + Looker = ❤️

At the end of last year, Mozilla chose Looker as our internal business intelligence tool. Frank Bertsch, Daniel Thorn, Anthony Miyaguchi and others have been building out first class support for Glean applications inside this platform, and we’re starting to see these efforts bear fruit. Looker’s explores are far easier to use for basic data questions, opening up data based inquiry to a much larger cross section of Mozilla.

I recorded a quick example of this integration here:

Note that Looker access is restricted to Mozilla employees and NDA’d volunteers. Stay tuned for more public data to be indexed inside the Glean Dictionary in the future.

Glean annotations!

I did up the first cut of a GitHub-based system for adding annotations to metrics — acting as a knowledge base for things data scientists and others have discovered about Glean Telemetry in the field. This can be invaluable when doing new analysis. A good example of this is the annotation added for the opened as default browser metric for Firefox for iOS, which has several gotchas:

Many thanks to Krupa Raj and Leif Oines for producing the requirements which led up to this implementation, as well as their evangelism of this work more generally inside Mozilla. Last month, Leif and I did a presentation about this at Data Club, which has been syndicated onto YouTube:

Since then, we’ve had a very successful working session with some people Data Science and have started to fill out an initial set of annotations. You can see the progress in the glean-annotations repository.

Other Improvements

Lots more miscellaneous improvements and fixes have gone into the Glean Dictionary in the last several months: see our releases for a full list. One thing that irrationally pleases me are the new labels Linh Nguyen added last week: colorful and lively, they make it easy to see when a Glean Metric is coming from a library:

Future work

The Glean Dictionary is just getting started! In the next couple of weeks, we’re hoping to:

Expand the Looker integration outlined above, as our deploy takes more shape.

Work on adding “feature” classification to the Glean Dictionary, to make it easier for product managers and other non-engineering types to quickly find the metrics and other information they need without needing to fully understand what’s in the source tree.

Continue to refine the user interface of the Glean Dictionary as we get more feedback from people using it across Mozilla.

If you’re interested in getting involved, join us! The Glean Dictionary is developed in the open using cutting edge front-end technologies like Svelte. Our conviction is that being transparent about the data Mozilla collects helps us build trust with our users and the community. We’re a friendly group and hang out on the #glean-dictionary channel on Matrix.
by William Lachance at June 02, 2021 04:01 PM
Mozilla Security Blog — Updating GPG key for signing Firefox Releases
Mozilla offers GPG signing to let you verify the integrity of our Firefox builds. GPG signatures for Linux based builds are particularly important, because it allows Linux distributions and other repackagers to verify that the source code they use to build Firefox actually comes from Mozilla.

We regularly rotate our GPG signing subkey — usually every two years — to guard against the unlikely possibility that the key has been leaked without our knowledge. Last week, such a rotation happened, and we switched over to the new signing subkey.

The new GPG subkey’s fingerprint is 14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353, and will expire on 2023-05-17.

If you are interested in performing a verification of your copy of Firefox, you can fetch the public key directly from our KEY files from the Firefox 89 release, or alternatively directly from below.

-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFWpQAQBEAC+9wVlwGLy8ILCybLesuB3KkHHK+Yt1F1PJaI30X448ttGzxCz PQpH6BoA73uzcTReVjfCFGvM4ij6qVV2SNaTxmNBrL1uVeEUsCuGduDUQMQYRGxR tWq5rCH48LnltKPamPiEBzrgFL3i5bYEUHO7M0lATEknG7Iaz697K/ssHREZfuuc B4GNxXMgswZ7GTZO3VBDVEw5GwU3sUvww93TwMC29lIPCux445AxZPKr5sOVEsEn dUB2oDMsSAoS/dZcl8F4otqfR1pXg618cU06omvq5yguWLDRV327BLmezYK0prD3 P+7qwEp8MTVmxlbkrClS5j5pR47FrJGdyupNKqLzK+7hok5kBxhsdMsdTZLd4tVR jXf04isVO3iFFf/GKuwscOi1+ZYeB3l3sAqgFUWnjbpbHxfslTmo7BgvmjZvAH5Z asaewF3wA06biCDJdcSkC9GmFPmN5DS5/Dkjwfj8+dZAttuSKfmQQnypUPaJ2sBu blnJ6INpvYgsEZjV6CFG1EiDJDPu2Zxap8ep0iRMbBBZnpfZTn7SKAcurDJptxin CRclTcdOdi1iSZ35LZW0R2FKNnGL33u1IhxU9HRLw3XuljXCOZ84RLn6M+PBc1eZ suv1TA+Mn111yD3uDv/u/edZ/xeJccF6bYcMvUgRRZh0sgZ0ZT4b0Q6YcQARAQAB tC9Nb3ppbGxhIFNvZnR3YXJlIFJlbGVhc2VzIDxyZWxlYXNlQG1vemlsbGEuY29t PokCOAQTAQIAIgUCValABAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ Ybe1JtmPA1NQqg//Rr6/V7uLqrIwx0UFknyNJasRJZhUkYxdGsLD18zO0Na8Ve3Q sYpOC3ojpqaFUzpqm6KNv8eXfd/Ku7j3WGr9kPkbjZNghvy6V5Lva4JkxO6LMxKk JYqiqF2o1Gfda8NfcK08GFy4C0L8zNwlADvmdMo4382tmHNGbTTft7BeVaRrE9xW 9eGmGQ2jYOsjxb5MsadAdZUuK8IC95ZHlUDR3gH9KqhfbQWp5Bo924Kiv+f2JUzN rrG98eOm1Qb8F9rePzZ2DOYRJyOe4p8Gpl+kojCXNntkJgcwJ1a1yRE6wy9RzpeB lCeoQuLS92MNne+deQZUskTZFoYXUadf6vbdfqL0nuPCKdl9lhef1QNwE30IRymt 6fhJCFffFQjGdeMfSiCHgcI8ichQbrzhBCGGR3bAHan9c2EbQ+puqG3Aa0YjX6Db GJjWOI6A61bqSPepLCMVaXqV2mZEIaZWdZkOHjnRrU6CJdXG/+D4m1YBZwYM60eJ kNu4eMMwMFnRsHiWf7bhqKptwuk8HyIGp2o4j8iqrFRVJEbK/ctdhA3H1AlKug9f NrfwCfqhNCSBju97V03U26j04JMn9nrZ2UEGbpty+8ONTb38WX5/oC61BgwV8Ki4 6Lwyb7fImUzz8jE83pjh7s3+NCKvvbH+VfT12f+V/fsphN3EwGwJPTC3fX2IRgQQ EQIABgUCVaz/SwAKCRB2JUA9fw0VsVNkAKDjhUW5GyFNcyj9ot48v+lSh5GBIACf Ten/Rpo5tf77Uq7445cVs80EK5CIRgQQEQIABgUCVa064wAKCRDDTldH4j3WdwW5 AKCVDRxKjb/XYqGhjBCKYhbQ4xJuOACfVIpzE3wGLC/cm9eUnSVnv+elQnKIXgQQ EQgABgUCVgZXYwAKCRACWrAQaxfqHqzWAP9dzEHoZNwH5JYxotudv3FOotVThaQr jnk+5StnObpxnAD9FmYyAyYGh4o7axeDCgmW1J89+1cZtDnFPKnBpGFMB4uIXgQQ EQoABgUCVa0s/gAKCRDwqefc055FLpQGAP99Z2ISKW+7FYoKJ3vDrxTtfcbZEff7 8ufoinmAlZb2bQD/a2fOcprjWDal9Orfq7g6htkX3VISemg+SDQ/ig+b3uyJARwE EAECAAYFAlWs/X4ACgkQs8WpWFCKQ/JrjAf7B+fGzEs8xfc010a6KZXcO1W4/Va0 Q+zcqF+DpQwK7b3S6oD5tCVKD9oFyDXkrlT6Tnwuu+slZwRDIyH6hI6tPb3G8Gsk vjXMeL0IdgZsw1DSxN0pZ0Z9mxFq/UkC/6TmFA1IJmOWtFCH/1irQWqbDxPmWp+d Xs2EhH8QzX1KQOE9v/YlsCdmTstMiHy3R8r7prsonpCa36zGheC/UNDpycKdT8JL zeCFcIWXmA7SCTeJ0XCSuS68FOwfe7nn9oagQZZe/6gh5ecuCoW9HLBWpyIPqUCz 1CXSImLc6BbZYMpAetacarVPa6hiltNicxFE/A3T1F8ZjAcugPKBngUR/4kBHAQQ AQIABgUCVa0XXAAKCRBlc4Lb/yURCkCYB/95w/9/0rpi+5xtoO2NR0KlqYVG5+NF 1r42XB6t7gVJ9UGF3meV+ekgDSzNrfroqxpzWmV1t3MRJeSMmVS25nC1hAZVQHKd gX9xVxW3SSufX/jPstvo2U/X3k8q8PhLS6Ihk8YJC3ScjMiNMRpkITMeVdXsdQsY WStiT48wlWK4gSNMCG5iovdGDTEKErHTIWJl/Wx5el1kvUwg1rKo9uRS2CS/lnlV 6YztDY0cBBOqXP6pXXiWBuVW39LJxsSHq13vpeQ/GHeDxAJ6Y+fPuaV3qBmGZ91o 1/HkxTABFPkISylkPo/2PCoo4Hu31MZ0jQWdihJ7gzf+B7/w6whS79eAiQEcBBAB AgAGBQJVrWVaAAoJEOQyfGw+ApnAc7AH/0TKg3VR4IEB3NP2C7dX/72PWO0EOh8J w67XDccRK0lXDILg/CujsYq9EzEofv2LmQFvCuCkoBFEcGas+J2vP3jsY/G5bjZp XALHkAx7MKlOgsgfeVqMtwaHIoR+y9Hg12TjM7Gt970UBwTIqC8SG6Z1bVWxUdc+ 7Zsn43Dq8z99saOUKD6HMyl9upbjAYwL28NRQtIrNiDZ5lEmDOLh+4hWblxjxWMX AKjg6sucrNzKD2uKGe9XdB6IkYpdfrNGPtgcnXWdfaRNk16eGVzWDVI/9mkY/G+L E40eK6oRyMf736CvlQjcv7JBVGTsj3W28phNLLU0UidYK/QmS3AVmBeJARwEEAEC AAYFAlXBWXAACgkQiRc/lXxV+V6gKQf/d/KfgiYg0Z4dqO3g1p40sgLuxVplhpDk J4yP5K2isdb6I7GJykVw+po6tUCfB7KeLWiZy0I3KJDU1Ikk+Jv3uGSRMT1riSpM Ja2pVhh+jaamHIFj2o0mG9HmEAuGKktJH8s6Jax3SiPGODRhFO8suc7B8FpB7f5q TUDK2J18MlnSK3NN1/zl6OdXScrISQ0cNyJ0RMgW5RSXC7wKzR89tfcDK1wInD8r cOMHz6Va5g8ehq2XCPKvBAlgo8El17+4UaRLhS0suVz4THPsGASYzZVKIhQQBf+8 xDXd6zJ/UgkC4iBWHtLm5jvm6Xhsu04s28TmgiH4FKLsstAUFzbiQYkBHAQQAQIA BgUCVdIa6gAKCRCtfLmfgki6D8xCB/9Q+rCTDQCbWQkRoSV77+kmIb+KVFTcgxfR Z1L0bKL5YqI6HuCJLgU1ioTxq8W4g+SDv4s69/LIajYYZvSRNv0kGRzm2D4vpcnw ymyYCJkzcZkuBeyR50S69+1cStbFb7jZMpyZ6rwnKdYOccDSMdaynJGt4rqiY+ra DPF0H4LExx9a1JFh21Fd0MDc15vsoRZtrOkM8QaKD85hZ/AGOwlw+Kb3DEfjNGcv nuNp54HfJc0Z5kwVYoOKUatBgjLpRRvl43lUGRaaCCMaNpNZXM20ZhrbTjXRlko8 QVMUXqE20sDNwv+dDa6G8nBkIGNIHeixrVrVPP7hH5JRMtjZbsWFiQEcBBABCAAG BQJVrQFGAAoJEFbucY3ODhVLNDgH/izNHcsr1BRnV3yQ6T9sTJJ187BwF1hRLR+Y 3op+fJr+nQ9301XAqLqNbzEB91hRUi2Gb8LTZxxq0gahWzSqmdAE0ObXGGlrEmfj FSSTFyQ1xRvzooYNZzTjN91XX1dERjyj9SOHBETsZrN01BZB1t3EgoDM7PCNTsX0 qC65unWvBDftnLdiJ6s3UC9sorMk8q3Zl6DacFw8QKSmJL1R0OPvXiSOZtGQK9Jg YyHiXQE3MOP5SFSk61e1IawocYn32CXM+EkgtXK5q/thc8OdwsgLAJmGpVB3qd2K 9OaEOKCUV/V91a2P8hCx8MMV2sQgHcMB221wDIWbD5PTHNtCegaJARwEEAEIAAYF AlWtIrEACgkQo9ZSFzt2Po+mXgf/dUPf6q+aDFoDjLIsfJH5QS8Nn/7frUUdElg8 PdGxtZ6SQep6uR5fgc+PwOElhUxa665WYtRJ459RWAYmbh2kkP/paGBf9nW0A2wS koXyJNydJcanyjwHyqKUbBLsXJAvGFtbYRsbeXkEPM5CaKgRUwc8Ilzo9/53CZF/ avZK4FJX00lZq0/Z8dIY8jUEF64IbJgbaUe1gkuxu7zURgjVKK4bb4lLy/s3tRe0 00hrKVbFcaNoIZs+Vk/3A/TFdYHFY6I2JpLIeSSJd/Ywh6/YZfGkSHfzn87Dfkyr gXKQMQ5JvQQgKbO6GPBZSygxWU7R2tNNAJKHSh0/PJ8J7yrqj4kBHAQQAQgABgUC Va05AwAKCRD20Pdh3MzspCvWB/9DAEaNx5WF3ktmw6jP5cCv60HDwgsmJHusGyAo 53Gwjo4Fx6hv5QYQpTbO4af+4KpFGkex+bZniOJWpT+NJkhx55xbzA903MoZ9+dI oCtG4K41kA2mMYSpR097yF3fwtuP70UgMZqiCmz/iKFzsrdhjE0KvBjptnYGEWk5 MMh5xlpzGom3LV/A+KAmEdPw+GCaj5H6qG3/PtWXz+RmjG0sRPycHaNJCWuLz4xM xV28oAG53Gqc3cDes4Hpds4fPOa8+we7yKTK/2O3lfOUOvKncsoS3vHC/GNfGD86 RX/vz2TW4GMaLmn75xcAYT0MINIFBf/tXjN1BNrmvrGkkxnbiQEcBBABCgAGBQJV rQlbAAoJEDNC4bZno4hjKL8H/An2CRzW8IsEjFKD+J+xa5hJYQbcb5W5wjGSs9PL /pRbH0t8FNS1DevRqoq3xdL5EEUpUgae54gix0An0qKhzC4MRdD9sYFy42mDP7f6 8Vw2sCZltfBtOHaha7Qj2U28DE9j7Dx04lkHWjdHudJV5PVaPpelW8EDIOMx+4nG WnXiYEKKMRWpR2BVV1FXnsfbfP2HWpxVaxxWt7WqOmswU0lJCb2bSLteEn8YoA1i CMLMdMaVXyX92v8Quh2N0NWtzXgc94ug8GiucGKoo2SpdFlXVCysqlPfKBestJlL 93dqP6dOwqoHqOscTJB6rvNzi2tmtAu7WDy4C+BBXNhbYpGJAhwEEAECAAYFAlWs +ygACgkQljt4MQo3sXysaw/+J6Ztawe/qT5aLW6it+zLq+3oD21UgM1TVP81CjwL hlHj9wuuGDe+xE8dZA7kvpngKjAxxXPQX/B4rz27Y+kHCvelOSrLW5kodTsPWIkL cSYMRo4Pws0RIGQBXI8tDIaJJcj7BYb9O7OjCziTEjP5KxDeZ6o4n0NFnZk5NNhS 6B1VnC3Y34DIj4koxm1N5O5br4z8kTc5PN9bMxOZn2u+KxGIeEwZJbHvtrgeAxUP 96B2dUo+jgSuro5jSkIyD+wpfo5o6+/kCtDiXEWo//AHJAwOal02QAodUtrMggwz J19FfnU8RgiKFjivrbfZi6ITM6RHg+DSF+KnaW2wkc3mGTB0qJsgSLGwOgfv37Qx O1tTdPxbSfWnZJAspylC74dgh+XOYYDji9tjPtrKZ8sEaHiUVFlO4QTOTlB9yYwO E7uI/3MKe3Q+0M2a85gvX+S0CdznpXo71aMFj0Hd/7ZMuKNausJZhagHAILbve1M IATkkfbCTxg5bdYgvdVGAIgUEAAO8mvLl1EvOJgkME5a/I/mK6MLxByuCMaT0RMr U9S881f+AJuJ3Qxbbo8vN0Iy9KmiCIptcSMKBKLHeMonYaXM8O392/XUKbgSBXkL oTOybMT+LZhO0upOhpRJqmtyDT1Wjxp7FBku/sUjJXCVy7YpjwkkLxZmvWIhleb7 S8uJAhwEEAECAAYFAlWs/LgACgkQEstOl+B+Z9HYNA//UKMSIfS0bdY6K+zhxuMS lIyol8Z/ynkDZSZ8SOeXZViLyRCRoXhY2g6JsygWLsZpthI8fnleQhwy1GLCxWMF n/PiRjj++VHoJYK/ANP23bC+tyl+jT9gwoPF0eGdWnnot1jGO6f6jFqam0KAL/XN 6ePUrNo0jbrYVrEUer20PYsM3tqGlGgOOFikMoYWwsAVOEh2I5Sgi6iAYfx12RYW eKw37loDwSr2FNZ5zjxdIyUQnKN1YMd0/Rfi2d86OVD7dV2qa94TFUvYmicpdcOM 9pogKVGmbhz7lirjuAidRhdZkuU+rxvIAd07Oc3bQRdsUCJAs/kjO71v9ov/NqKu j/BLixxIa0D0eKE41yL13RCfZIG46nI/F5PvLXhDp7sIeohIWsvYv239A9yXfq6B TeXZ1j8YTlY86yN38JStf8pbGWKlGARM7e1o9DHYY3irLCOWCAnKmF14wbbTMOAe w2VzxV8895Bweeo2fyCOGFI6SzvOSaOQPUlfmiKmtJrwreg71Vsv64X8X6FHajZY V9dYJFS2gO8cYJ/zajzn/oeYVTtpsFpJmq7fWByjGd7pAnZHuuSEy/57GEptmYRu zmI2gn7vYz1rZAbLThFsk/auCU3VYke8Dd3jHnxBuq2+Pa8TmLxibvnE1ZKd0gqZ dMNY/rT4+LZI+xDczzF3Z7mJAhwEEAECAAYFAlWtLOIACgkQirEyljoGU3rjMhAA ijskigHf8Q3D3B4Oz673cLNOGfAyEdHWNqlJW0Vcdo05iF8q8utwqmziRWw4PbpO cdPpUqLb61rWfjSkq4PVTOr8leHHNj/a4aiAYt8DtnpcwJqTmktiijo0Ptn0v8ao fdRJSVLtPcV0FydLzK6oLovszdWAQ4iVdFjppvdDJtjT4ooXFmZgZg6KzqjEGm8G 4wS4tMlFR4AJZIpWN5gAeLZhCg3jfuKWEgAIVwJZfVPp8qFTIMDCbHGcmszqeDKj G5hY8q+KeQBs7/jjibY7QjSk+qFvWPlES2NGCnjrD5NL+T5W0AlQZS3kgbDWbnSm r/xr6OzL8+bi03J3gRW/oWmCIlzvxUJuLgR5M3TRS4GqYfNVs4etgIW7QZXwTo/5 W8zd5P8UcKOuEFPtmfRjoRZYY30TqrmO9BQkHLKcDbqgnWcm55HaRdkK6+j4tKik f12/VXez1tP4CkHcMJWE4g3poANtZmHia2MPO9/+1P/pCxUb5jwBF+CDiDhDel1Y 8b7u/ERIugpl8TqGJx+GkUlw0cotZ7BoweNwLXwDDDQlIoA4BT+LFLGQBtUQKMQY TrDv4PUucMfB96yiEwlw40IdkmHgcBxXFNNxDHMsxEIW2TYoITfmkShiIm7XkcSE oilPpHFmh6JXpnqOsBhfO0FxKSWkNjsCKCMUGLww5kKJAhwEEAEIAAYFAlWs//EA CgkQP/MbrxBL+eLdOg//Z9Tcp9kElDdZl3e6aJqGpGviNqIA20KbvYrham5Kn3B9 1LhvMkypT6fZWAwbNCBHxvOSbOolcSSLpbaHK3A5jsg5MhLJ2G3Xpf7Z91+Mqg/H iOiJkaAhPoJ0Ny6BCB7jg3yaKLDP4wBwDbOH7JWuP7uQmQ12mqu6WFxok7e53bH5 i4gmu3QIO21RXyWoLJy/1Y5X3ljPZ1tNawy/Sz8UjeLau2Sl1mQ6JxWWCeLp7Cvw p+j6nKOFm/hVDlgnFrfIp9aYHjR2fVpwIFxvfff94gm20EywerlcGOAMeT+1QKZy 1V1ekBVX+2zdQ8RPJGZPqXyxnLg9SyUhdLJBPNDNe5ALfolfn2pvBGM3hnRunGOs PrK53WjGqvXXYhyIkJEd+UoyQBp6zUY/KKFK/7yjgZxX7sCSwNjDlFT2fB1gfll1 vKoYocPQl2t/B3beKOZJzBkSMk1hBdE0A7URkOoYrFQTdzsSUVwY+/0IAhvxqGKc HhinLDFON6ee082511VVMrSbCxcnsThjc61CMYA1TxL01Jzb3QIoTWT3W1t2HRZD /aXcDsg6UMHm1xC1MdZKeKpdJWrnnseC9b/tGuqw2EHitYDquVBmPkx0UoAdsbB5 ec3q8n4J45VJFJcSrrps/vRSNn0bUqcZlpZSZERdqBTBkbizxgFnvJx734JLhlaJ AhwEEAEIAAYFAlWtG6MACgkQlWNH9vvzpBVikRAAmfUzps72Opq31lRHZXXGD4/H FP9SyYRnWzaOWGDMfgO9p3IcRl3qRwOuThCvn+qxTHmRT8KUD8uko9zIU+ttx/zx An3hvO1nCzsiW33N4vU+Y78Uvs7Rumm2CNif+dKDL41FnVpA191b3T3NGWfigvqB 78fWv/WJIuPJuAhCoJYFbK0Vv2/QF2UAo9O2wdBo0ELZKmP5tWfJuLbc8XzuzgaP 4xzRdgJ+P+IFA4q1zQ49FHQeRWBSWkxFAp3iI9sdH5Na+Lup2vLSDYYmdDOyII5w 5QQ+Y8M78Bvt5GBOk52KfTH3oNjDwtd7ae46yWrSy7razs75klSxi125IfcPr/r8 e6jt08WVDZRak5mLPryNlf/Y+ymFe07aIp3eiKO1/SJp2K73fCTslXDt/OuzKZSp 656hybxUrRPiXBxHMOWkcPllZqBXf6GxnN+Fdyutk/e+0EBjpK02AxHY3igA3411 2ZGTGXNCL8ywTidVweOfjyqiWAnCSUvF6+efjRgg2mlD1g6ZDRiKpl9p/ZGETjCh urlpGSKhtCZWZIGt0x0iSLy4surqDrwwuBqEPSZ08KRr+q9R8HIPuAwjq2CjqDyj DFNuLx8dhbUUVIAl7a9nJotsph5VK7c/BF0uLW5YnPJYsXG7z1KixL2ydoH1kL41 zXdcIWBP8H7yPVgUxCKJAhwEEAEIAAYFAlWtG98ACgkQvBcwG0kbPyEIVxAA4imw p7Df/j5ZZcZ+kkBwAhFO+WnJMfkNNl4g/7vsFKbWFBpiYuGmlvX+poM3nTsWCuEv v3QohbZHGJS/hY2kdAuxurTI6w4FvvJ0Akz1DUANIF9gfJ9Omu2Znb9xG1fzyCSc EzUgaf3aim7zyp0arjjqR/msmd2sCjqvy5VgRK21tYAfhWmzdJQntIlCEExfTh9x guELDLSK3j7ngZla1T3BwE1dlcPVD6l9bl/7ZV5uXmotOqFU+1dBcFG4NKNXmnG5 TV7x3Ih6Xt982SCpBgVsEow1XFPf0jflPBn6DGJsgpmuIjdymgpJacwZCYkGbTSj wAeSibYvCw1MRYtrCXd7KlmmQxhYTvvzyoQSqaiIQM8daaXddcy4IdHoOoEJVzfA /BCyEkb0KhhjTWXQoRBXcxhJYOUjH5nhHd+zml+MHHiy1dL+xANHaBzFaNHpxYUs FN2MLcMW4rpCnOx/8pRu/o757Y2Ps+ypLUbGPxZJJa26zYXXTAUDDEgEFFM9Rifu jVCps146sRbrodzgIajc4ScgAWVkHDTKYfq6IBLJZHp8KB1fYFkVrUtwjMmyZCpG 7FqWITGTWOoRbYAsInWuzT7PN+vb/sk0xOk1PzSJV1CmCH9izKrTqRAU42jd4yqV IuQ3hN8wXoeolSlK3wl27fDtK2EDzVhklvjGdreJAhwEEAEIAAYFAlbwOBsACgkQ RPRuFG0COV30vQ//Vzyu44NJZrDWdrAyMngMOZ+qIUkeRdtKHEzAFXl6je1ZLyXT aSKhyWtdxD+NPA4E8vQbEqbcpvzkBhOgfNgVOxWUxC+njB5xhg4PuZLcffm+98S3 ncyu+bYuhA/kLgOJA2HL1vIQEobdM0XJhVM8G7bhKKSdS5NUd6BS8AgKL5YXbguO ZwDVq0yuVPg9VNqG5eTwL8fvZhH4L6I5Rh/wv1g++FvnEGRR+7ePprkc2pnJC8j3 7Z08YzRf5aWCJu89EDsL8wWI/jydPcGLnitNEROfovRX/A647VUl7M4kL0oyblJb 9JFbzPK97YeMwQTUYQOHIp8KsYYKjuBvq9q/Rr9DNpyijp1pshfjEiEZ4YDjTkGX uWu5EMSlVpC4nEtiBlKT3kMk1mqmc2F7A/g5ug1w+e72E1EbVJMDtAgzjc0+V4kt RxtTGa8PlfyWouBwL6ReVpEyVz3NS7++QcSY98DgMODMxFggna/zf3bef/lC6RGk kHyIOC+IhI+q72m0MjdCmzsSA8fqT0PNYs349+sCKw6ocgjSHZlR/8gEZbZC+Fwx Jf6be2N7eo6hYctOe5XpLaMApVnD3qtw6C9CxWJ4zT6WLyI0SAF3YWmIgLtlYhfF nRs0ObRXiO7tz0FBuTXD3vljjzq7t8DDK1IS4Cx5AnTZI4rz+/aiD0k5AhmJAhwE EAEIAAYFAlbwOPIACgkQt4bvJaijiaC0TBAAppcnj7MhOQh+yQCzljw403/hEW5/ iVEyhfkEtF8lnJQPwSCvKphln4B9/E/Z6HBZ5MNew9xj/JrL/JZfk+E81vSs/fhg lCXB83bFo/fZ6cnqhubcPlXyXLSAY7J195n+DdInbza5ABuaJW6UeVHbGGM+th7L S6sYmzoOM1oU8mLzugo57M2a0SZNE2GTjeHFzdeFmKtjk6zGhJcdDMvKNalQZyuf KSEc7+9j5r0KlJOWY4VMqfYMY6qgiQ89IVSutWbhj+oiivCgi030sXmrdOSwG8/G gufKpYOQ1ZLXrxzowYJ02vAewYCe20PTyzGt5ReB9XkokffvHnKcxHxhyC6HiAyG B+8+yf0tJk4Fd7uW6zjGDvphPQhH6bPObVVaMiayEfJhhHbRNmJnUKXRc2CGL0X6 vbZ12Y1bAALAttEpsNC544WMwLfUCcGfaRTF1E4OpQucU/uizaxGPiUd8Ateqt+m 3GwjY9HAb9QN8ejiOTkH6XsYSzw4KA4iPqqMySHY/DMyfFuilNWd8m93agApO+8r 9+6xjurnbkh50rYtunP3FCMul2QW1wXaGxPTt7a/IcL00NRVwZmJwa3Ys1OrYMRA OXM0QvRzpHZOsuqHG45jjaRejMZKSQL0zJOyKgtv4YrG1fceLrZWvu7ZjWVNd+0B nGitgBkGm5VQMuGJAhwEEAEIAAYFAlbwjIoACgkQpIWg7VG4t8QFOw//YFD2UifK W2VfUy2ig+ewXOwe/BzVfweN/Im+HSN94ooTEwR5wgdYIjxPV+eEKFfAEsazv8b3 ktZJI+/IxEalHBA+mR4TC2/UlrOgsVCnTHYKL5yJRVHPrdOQ+Zm+kk4vszYocDtC SPp+/aoRE8u91i6Qu0UdGjMe82HG6qdzVj6bXH9ZFRiWRsfkGxB31cnvfE+aZB+V qfuy0pbqegJXUE/6In8XRsS12xAk58KM0b8jKQGqYaBB6xE9WDpip5sPycougy6U 29170n+U57c6+x5JQhHC/Rb2AqB8Yl1msC4bj4UsqxWHmLRdcqZs04GiVsrk2fLD fSfsu023IZPyOhaV/t2KE4DwnAu4b9Sq7PNNzf9yrsgRL4c4OzWEYpMzt38V5QRt ETJvuuthOypREVNuIs21oRomMJd+PjGsayDuKA7xe/SxDe8tPkoy+FdAfevPXfhy NWX0vTtcZDpVustEMmoDs7EzlBddrNplsnRZoqW2JyMLErLujc5N8juDPqmAASVy d7SBUD03e8apjzZSfJhbZsxw4W9z7+rETRSy7o2DPXCabjTGwB1naIc9W4wU/aWU N81qZZecKLVLxpiXeoUwF3VIJme5Ye1KumsQpTJoi3tVmJ7XDaW9OD8shJtvhlOc ddt1E4kl9iximuLfhzUjPJyS/ASYhpPNMVSJAhwEEAEKAAYFAlWtDgMACgkQw701 5G3UXaVUfg/+P9+3vFqijhzT7XkLuNrI9GTn3KslTAPU0Oe/BdLPTMKELqn1YVxk lnrznLbjL9qkwYwXxY5HT6ykeS+CzQIDLLtXqR1NAz3EWVAm4dT+xqaJZmfCoJ40 +VqZdQHLjgmj9PFTK7f3vyZ3Ux6em7Z+h7C1ba8jYZS+6GnmGw6+v6LxzRh1SFUm YBj/X+GPBYg6cnymr+9b2CwTMbczO5XN3hU9UtdF4UlupPvEuV5XWFpCw64kVwxP OQvvUJ3aTqEGiCAqd8ntyVZ1MWtaob7GI/bj7dTOoSogUqF3aZawfoUHPp6izTd4 8aRnZhpsK47Y6jIaHDCILhKoAESTnpN1yjqaRIbviHJyYFOHnQESTS7AWrolQVmP +pmThZWauh+PLVcs4ktp/6CKYvmgnP30HhrPczE7RVKIT32LU3MvT3nFzDmKUruK eLUNO6LnJ8XwZEVIE3TOVcF+2ME3EcKfV4RwAlBBgYa8DB/CM/rCtoyxdxYSRpHn 9bxbNL6kn+CPAwRZGAChfOPGMhHBh3iDUJaIt79Cq9j6QcZUYfhj1sIvvkDyl0Bc 5U4slbTM6KP5aZgFlCcI9HWwGx/5qIbb1rQNVjxwtiUWediS04YaQ6yt7f/yXbdl hxPdXDMe/9gdDyuDvP4+1FZbDiV6VT7Bl+UhQnkwf4kuCbSMFjdu+cyJAjMEEAEI AB0WIQRZyp4tKjMd4lGqJCdfA8dnwkek1QUCWQ72QgAKCRBfA8dnwkek1aBpEACI 6mkO7aXYQyejkTbSyLdE7FoNI4Nq6aKvvQLt+vlGATLgSdz8v7QLGd3KkJYoO5SY kKjrkGZG4Nb3GOCnWnewBmvCqt7C5/Idl1JTVPdF9CgMHQkwP2F8Tg5X1Ag9oZeL yRKB/xWbX1LGizRy5s9G6yhq1rwoatNI+Wz36fdCmCqmphm92uPyxuAxy+JZhAbT /vmANGKlEN5Wjryrp3tmMEhnuJykWq2ZxYiJ9jpx/cNLyjf8fSDBhLXOTG0FYBrZ k+ZJtw1LlzA36K7IbnunO2qOJzDgvemo5FmGYcm6hyYCzqxBj1VJDmhHu7NZMeMn vT4d8Py1xBPGPFRYmaK5AP/D07cdDPYawlZA6dMPGE8xSfQxbrayJrj0+vpjSJPt DUHrg7L+PdpvyVxi8Py0Zfe05h6SjBPrw3eTQS6ODkoZQyh8D7M2HKUiUxvfufvn LEfeWpd7Vp7hl/VdP3TtbOzL9H/89O5ywf7S/oRKaqgOWkYhs3cfyjqz2boQk8nw N29sLzm5cH+APxNcju7sz07klp8dRNeImbmgj8mT1xId10mAixJ0NOY8udLhlwg1 UfsYhP+Yvy9yMcoSZOs5+RjluW/E2qubP3RUt81ohUupdM0NVUJiR/I3Ri6ARb3V S2aAGtW4oS6PpyVT0dkWrlp8VqFpNTUKE95dNi5Og7kCDQRgos3VARAAtSRABroy kqOO+3Zq3pehRGM2aft2djiigKhhVg+eJr+YffIU2Q73l9zniYSzVMkFVuJPd7Wk BnlEMIn8BUGh04op6MV+kzX0guu3v/9i/0agNS31xAdXzmf1i5sbQU1eRylyZRSi sM2iuF7BYrfSsOBHv71cf+iM94KxrzXiB1bDNL4DN0T5+vCoDjgHaXbten4Qdm6O djBCUv9Ix8dhT4OzHwHOUK7gomTrQM6Hyb0vgQsDXKV2Ps/pWOSk/J2cCrQUrafF qkVAAC3m6kaGU8te6YlAU7GFcf4MOPw15WTM2iaKWwPkwK9b/Ro/5RfZbqnde8EB AoFkg0X8mshGVDBtYCaW+1qUA3ZBcQzUvosYUsNQC9Nx8Y9/tkqCwIBUzsxuIrSY HxeqPThxSMvCmg2qHXmmbAxsbOz3DTOwKpWSRGOCTGFpsLBqWigjG+L+9iIx+7kr 2gH8tYck1RPyQm04k9udD8wwXCvylTUzNVd876sN3o1xySaO5nz8JtM//xPPctFF MZmC01bBn+jRuapDqY+qTFL+eKherOUZgs3nHt7cEBz3m8neGg0/JhyBwS6sQF7h 0ETBapVDlKCRuvAgJHIrjejL5v+kVRrH9L6ey5CAdRG9SbffsNwZoo5o8SrdGcX6 hpFiqg1jZWvZv5x7/PPSW7fPuNNHsoxVRn8AEQEAAYkEcgQYAQoAJhYhBBTyZoLQ kWzdgeN7bWG3tSbZjwNTBQJgos3VAhsCBQkDwmcAAkAJEGG3tSbZjwNTwXQgBBkB CgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmCizdUACgkQ6+QekPbxL22N6w/+ ObmFWpCr0dmV1tm+1tuCL05sJ031KFl3EkH389FmrMMoVk49e7H5Urn77ezQXO9M e8R0nZgVUavJdKcJzgf1IZtLq5Vq5q563I8gglr8rJaaefGYuv9jitx/Ca2s+uvJ MUHgMeBPmFFOKoIF8QgOJdkSht2lIkd6bd89ayLLoIXlGi8d6K4tEWeMigtds9FY cyX7o8xXmt9XqCIaMbkJtiUzjz63dN0O81UCj0TvK17KXAvclhzrriZuo2rOeDTB cQmKKy2UKZaJjUqiezuOg1t513ZIzhy1oXzg5CJb5jgsmZmjtJjr161fv5d8Yock j73z2/z47wry6ThESfYSkIxJIiIP5SwZyNMeeHSZUnaMTqzd5kDL5qnNrhJHCBBy xcIBcGppv3VjZ1QNU1k0Tx+MzpfZtbE//idw+Q7Iz9T/3zjN79JhYi1tzzaaQR6J oEiNMpHHkdkOGRwfdipM7oKl7HKl+zJCzaLTE4mbInCxSgn+1RhI+rGzTXVxqIKo nYrWra4EVBAgguMrxNMjuEtbsF54Q27x2+H/Mew+et6K/suqyh63Szfd14LWEj4N aR89tEz76nJyJFuFtDeGSmu68/Pi5S8Ls9MxKJJiIJmc3lQqDUTHEiLc7RtZAsgA WlLc6UnFsaCqXKJxuaMs7qFD7pqSGfHxYboBxax7Sqrttw//eC7rghiFzfcnEZQn 6+GPW3FJc5P1diSLto99six3uaWKjvSnZScvPOe8ogJt1JQpQAABoHfd7HzzlGzJ tU/yDL931WD6nETp6b/dk7t3aUpk8WFMG19L+L9QbEpjxDi2wozO7CGg6FhC7mu+ KsSsorLqd3QYKoBLG0Pb2K3Zz3PN7y17kf1Aixa2//prFNfpEGwP9flz2TUvSdtd 9JvcnDz+/3yB63tmuCsUPZaR3lhTkNiXZG7WTALA1AqIUKFpxI+cOQxaO2+H6XXi ON3x8A2Pzd1mZyuUMPk2c6I/c1ZfzJXxF/WJVfuztZXNCGocYF4kB3X07uOuiKrI DMXDT3Op3wJ0RInpjyyPlwwov3zIVQcG3mfWPclXNcIRSAdadLq6yhTBUVbhMd2j 2qga1vtaVlH/m0zFhib88RLf1/FiVX76D1q+anG+gT+SsMPd7hSGQQ2+6ngBAvx4 T1IHtFgPqfNaA49m8b3aAorGo6Bbzmwh4Xr+7DM2fSskBskGdIPZgA4Vyu4/PC5a CTyd0NqlBgj/g7XRQMGvFRkdnEIcVZbvxdzn4j16dS+43dUzFMLKThRbkUaunaYo ZPIYuiqbwCoFX7vJdgBMaTxYfkClc5LJSVr+X+9RYNwlOn4kiQzKstVtl/qfpDow 6QsGmA9J7v8Vt9JEg052REcZZmC5Ag0EValA9AEQAK/z677fpoVUj4zQz0g60wVW f+1y2lGb8iFYICmvrJyaEra5SRkyihYA1WmEzhN4T//tHw3UIfe646+GkY3eIQW2 jY9DM2XaElmMN8k/v54nbn5oD7rNEyCTFTvCOq5d74HH1vw96Lzay1vy45E7jPWv qfg9Se8KAnzElohTJjizyhU+0QbmPHnQlY8gOkT/SvRo9bFEUnqjWh0fRq+K1tdL PhcFB1scc25iFqh9IAKUGDur8jQ+SDHCjgQlkFOg3rbqtaUOnVHPohfrBM90ZNwu neFgQY7ZFSUidCimp/EN4CXnzgjDYXUUA42S8G86+G4KAJC22gRQo4mcVmehwHTH 0glfLmUK7TEu29A1KWNL3R/R7ZdyajjpCvUaK2A0Abj3ZE2BSDbJrVlbBVfy5kfP dZjhd3wUWqFaDHiVcImcjZRWPncllhcy6fhqEy3ELZrkezpJjnARsVkij3GXz6oX +HVULne2w0dkTXydR6muZI/GeNtrLHmA8B3/0/TllmLy8ChmYZVIKZ8zt1ghq3f+ hFTXgtZil7eBewZgA6L+EXXK6dZj14lbe6CMS2kungTX9stU1s42I+WRbiqiLpAx CX6qcLBOWrJwsOep2nvu5bhrPHptSfRhF4Vs1xteVFckCWhcLgdYi/Je1XBEM+AA Va0k1FiywCg7MqlG6toLABEBAAGJBEQEGAECAA8FAlWpQPQCGwIFCQPCZwACKQkQ Ybe1JtmPA1PBXSAEGQECAAYFAlWpQPQACgkQHGnE5V6ZBdsvxQ/6A62ZteN0b/TV fSJ51SdG66amwe2rpRX4UdSw7ifxo3qhgEICQmXR5c09qXwl17MFJWM3FhGrbxnA 5KGgeWGtqrPup4QZPKU+l2Ea2QLSJSiBq5QqqEgZvR14Lhr/hCGhBAq9s/xbp8fb KNJj/uWiZ+uTPbt5T5rgKJ4+g3B6DNO1rH7F70OLrd32mxZs4pSxngHRAyiMPB59 yQVDsVMha0JTqC+P96itUzvnInc/9mwE0EMiBtpDTkoBwbJVPnuv+7FjkOLn5s5u 3RLH9fe8z1xnV0fPC0/ndrlNiuBpAn3zVCsWasvW18Vz8K+CQY8Sw0Jw75edBgFo z2QMFxHfDpMJefvMadB7mdte1lKk/Im9KFFH8Idh9b6zD0a/+Ooujukx6QpFfAVh e2sT2CIm2nmMAuAZI2cCt7SC+REn9n9MSuIWxN8YTE3qgAUB6F3ea0O0hGlLl+z5 UOfX0bNAs+ebx/P6PczJtDzeqpmRb0QXqo55JWXLvmXT/fgjF7fNTTLsyCtV+xH6 ZFKGpvGJGJMHApEbz2a0hy12RZH58eI1ueN3Tzn8nI57+oYSsqFw/QgcdGXDonLG JsPVzIpQRg92/GXSukWF+MsCjVOilHRSY1wfPPmJ7+kMQ4rdXpjAhwNYJc1ff5N+ omCxCKoFgYsCXlFCHFKs4JwRbTdd3MkuqBAAlBlIjym8NyJIBltfWckuhQTX4BiB ltGPNga9CpQsml519EePuLtoe5H0fTUp4UYbL0ZzyJImQE2uw/hMNZ36bA057YtH OoP4FcPUwv6wsl5JC87UR1XFhAXb5xSU0qdi3hWh0hm772X6CBlM8lM6GtT/fDZk SGNXMQaIs1X/O9vf8wGg+HwLJcaCvybI4w7w1K0R7WjWZlJXutCZf8hRc0d88W/q SZYooKD9q2S7foqaJhySIaF11sH5ETvVP3oCfGVIVhKWb0Tp2jXPXlXLeRAQA8S+ 4B1o5XHiM+J3SNXhPQHRGQ3VGcDn45itg3F4xQX2Qvo4SV42NMYd6TykM/dIfQyJ DOVg3CT3+nqfjCknf94SNvyZprHEPmpcDeseoPMw8kjKNwDwPXFLxBRntPgnqVXD cNN41OH2kqx4jF7FLlRmwNpB2mFVH8xeVuRm7h2WZRsaEoqvivhzRtESVA2um5Eg 763CVTcNYlK6MD/iy8JzbMuZBrlOHr58HKDdcOy1W0z2quESGoqrwA995IgPav/1 DSpyuJPNc/oUTWlhpYshqYKoflezAyKj30+UzC3R/mY03ri6zUvCgXHNgZlKUsM3 VEXk6h5oDuaXniHLLzuxjTBVrILnGYgHSFRP80L/knz+o4Uvq4wj7NHnruc5fP1f oFxRNsMt40yRJfW5Ag0EWUvZtQEQAL4dTYeBoI6UxWcu7kERc+Tz13WUwSPmOIU6 RdoXqBc2QyOki8s+uDqIJbpt2YJUPWnPgoU0rDt+msOG9tpAjPVg5pHJe8H9tXxv aPICQ1YxYw1m8E1kRGio4EurP2G/H/YI3vwRskqI8cp04t88k1DfeKvXYVY34kO/ VM12XTfRcsiMdmDubTqNPYU1kmYNeqMT+OzI9QE2kulCK0DHDJzqdJLnOkrn1z0l rFAPoNpVtHZh4D7yB8FH3I1qk9npRdNXvSjhXu4ptvRuszktjEcfHK+ikYP3jVqR 4eWiOKrkVIWJOCsOKIUE27PXndGLbUuDzCvrKusR6W9vF+mYK1p3pT2PYX8HEeJu zrd1UFBvCWPf2k5RQqHk4JIaKfjAlCPnSXmPHXqSGtD083RJhFkbz4U07/glHWer +M+Sw+hYT/v+XOhQm3CG/PUaeX2ud6GFefymX/tA1FYJqVxVOye2axoA3lO7yM5s K/JHMdL7bFZtXVcGCwAqU2mkD2yEkFAzPLBHKigKg+4VimsTbG9jPOS+qtv65x6u IOOsic3Ud2/BB/lfbvplIvQyJYw8HKb8O0XkUPcD3Q1i8p54JSHhiJm42H699uMm iJeLzTkQJG7KApEv6nOb+jLyr2DZXuX82/UvZAmzWZg/XOf2xz44/RDXkL865dqR YenXNaOXABEBAAGJBHIEGAEIACYWIQQU8maC0JFs3YHje21ht7Um2Y8DUwUCWUvZ tQIbAgUJA8JnAAJACRBht7Um2Y8DU8F0IAQZAQgAHRYhBNzqxdlhNbkcTqZyq7u+ vbskxvNVBQJZS9m1AAoJELu+vbskxvNVBVMP/21uU+8NpPLpBn6SHJtIAffFYMSn p0gplOjfiItA8HDbc1vqZlVpdk2xyFw6b7g+vTg1gQzF7uoAZK1czRLCt7ocxntL VgPuSO1ZHt4hJG5Ze1UUJSDq8Pp+TTL43rg6irDLdYDBBHYESnXWAKRAIuPb1e15 6pAdpSynwJ3+qPyqj5vDLkPrtMWGp7qWQpXcHaXMea8m4+/RLNIjvRof/t6jrUer mzs91Z+/C3N8ugD/aZrXTiNkF/H6BiuITZoB0j+rjy4fxEQvTYq9C3NoaBIRxJEP ApxGnHKe9K9N1ZBELjCUCT1MkbBmf4CJtEgJvSScVh1yZNv+TVDfN6RwF9CwOM8b VrOH1VuX/L/XiIRRT02eGrvv3EvQ+BhceJpWN+GsHKQM658trZ7RhHo2PR0ib+D7 hWQprcktqutTfRFPMrgcFTPXKeR57cxvjk+B2LoLSOom3oTNEtUaMuBE8E/jbONX 34QsHWDKfLc3XpLEN+bO65AfTiR4/qtnZBmldBUG9xbrW0qcWz+M5P3S6ssbor3V DxxrX+Fv6pJccwlgYNFQxQOz8GrZhF0cU48e+0XpU2NFeyueHQ8lb9yYdvhc7mkG c87iIb+ILah57Wqi52Jd4f0DS2zkxN6ab5/UVEkffNwXfjN0IW28Ga4BtZvoXVGV Jo4vsGytMFdMRzRB/uAQAI21c3TTrO4TL42NcFQ0RY7yAlaKzXTXVNxC8v/QQKIs DrNvs4w15rF/t2LXc8Cr3aUNuDtE7x+FaNwZLypCe+RFOy66AG2ENuNt5tTGN3mg bJZl+01Cd1xPpOzmRfAJnH7YD+J4QuCEEgraAXPfp3MhjeHWtQaWDu29fbTtPx0k /Bh0qxHFPWxhnYpktnjZEoMmwPMBeitCvcr66UzUmezgVZc0HxJ/LO9Bss7P3egv 60wPnXn579wDGnIriDUhHRcn2KuMI7eT4pL4HHjAAJB/8+vcUzYPuqtxULf5ciu8 V+ajzHtqBcgwNR/gm/7i+4qKPo14fYBftH5PDj9iD88WIQX7paVbYHJZjrmnpM2i niL/DRVuxqAPToIc4hMXj8YPeTqS/1ckOzyYgFI9aRaLxZOR0uno1WTRBifwOcy3 NTwSHK/6YbtJbqoVwISJrGUuvOfBlkJZVlCzVsPG1+QZaPAL3HxVXavYgCu2hze4 OOWUe2Xuqihw8hb+F1rhP64/QtpjPxgLLb1NIBpm6OgdZjRjCbl9xnd3RvH6hYxO +zgdn3icn2fFHhdZ7xtYcZZrg9QOXuv6LDvVe5I4VyszNs0jtdcx0P+T5VIrKFAY yf0CCuL/UQTRrW0SrKOV/RZHuvdpVYK3YIAyd49kKjLk6O9awFQy7cXq3PhjatBi uQINBFzwOeoBEACt8eaLW7jX3n5tQQ+ICeGOBIVbzAnXlH9bjdTqollM+iiwkdlB NNEGku7+uQ9dTofem6cbSUXuh5kJNLy5tUIG4oGZLvpAjLdHP8zslgTglQymoWSb v2ss4pq8xoDbp6E51dkowkyFSuELZKMFHgPiJbfYXxQmbwEiFhGs4+21lwtI4tVO 9zs1XbzJD9XtomxkcYaePeBxpI9JnrWIUKt70JPZi/QcxPMG2si/YitnCVamcVw8 Wri+W7MAJW3SyNjJUqx/cIOib8vdZVxvdWRIZmdkWkFO6vv4IotEBCflt6cD0EIy 3Ijn3nDDf59v7wpdWXidjzVjKF0F8jUiX6S/ZuEz4lvdotpCgJGhDmdi4pVCYbmS hKbffgcSJ/BWn4wCOHKPA+XB75zzPj17dcWR8D9GM/sgusJy2fbHDcOdADPynKW3 Ok1CENJDx7DTDwm2fPRMut4utSL1FMSl7zBDRabcPr1nw+zERjmSjm3R91ayrQ9U KlP/4P8Xkhjc3FFWrRQ1Q7/SlkUmrTqSouQcOolGMa2ENNgqNeOY7oE5xnPs64TL AzQ9z66u0dHTMODAS1A6C0l66LrPVYGoQLDkM7WQn7zznFdnKR2nsPOUi0mMdyrG /62iARtNvuF4xdsUAoCKti3wOsXRuUhiXei4N4qdr8IaIEIFgYEKKtaqzwARAQAB iQRyBBgBCgAmFiEEFPJmgtCRbN2B43ttYbe1JtmPA1MFAlzwOeoCGwIFCQPCZwAC QAkQYbe1JtmPA1PBdCAEGQEKAB0WIQQJezEwd65ioC+E2k3xpmaPu31XLgUCXPA5 6gAKCRDxpmaPu31XLopQEACKv8mYt4aMc0oA25UJXMRig2lXJDqOZBUSvFFm8t6X gdG0zFdzFo4gqpje68kNyt9duhvOMsVwkzUr+5Di7FccvgwceU3X5ngWpnV/GcXg 79m5viipWUdBRoyZ90oi4D5K6fhlmszmWyiD7KDrjdtIdGnjAuprztkc/JBlIwlm u/40JyDR5Dfxp256DlzsJ/HH8LbdjJG/F0XvtZUwcHefa7mDXtIWszsMoJnEoLzO kZvJ13rhJcTHVQImClyS3o9+Pk6DTfy4Ad0w+9nF0rZp+8/GXZGilfn/NXMj0elY u5WiyCBqargRkrHpebNKW9jxRca02aDS2Yrf8dlseO1d9FXZPOBWIxDRG++TqRhB K8FUW00DikRDrrV5RsIiXtgtRqH+hwknE33i8m8/KKC5/pUl3Af5f+vMKsT3s1mM X2zA+NmLUxJCXLz70WqLoShI8QEj+RLk9yuk97bo7KoNSv6xNwXotJKzp08VAnVN X/QddmV6Z7SnocEs+S6Z0L69sEffMgUaCkH09mIt1yu0DaeOl7fM2iD3VcO6jJ94 Dg8olkhBgrZERe3sXR2fciFtsqHxYc9zP7YyL7vPbUQ8BogxEfIQZPGdpnG5pTM0 NSX/mgkOWI2VJFDe/rOFTdTk+8mKVnFdaUfHA48qIeS0V0zMLd4OZkrYlW3iKvZp s6IAEACauiivWdvKvJgKMyi3fvicXn4qL8nV1X6lmOBqDn4bb0N0mtpiqXfvG950 +29rcCJSj6qSMVj8ZHuwVktrEoWX6lpJbWwEdUh+35DnjfGOYN8gW8bx0CfyqEx5 0W++DK5Wj+L+DL7jgJ/l7dMKxLdjijkg+v4yI516nzRbrx3x77U8n+H1V9bHrDfS cESnr3PtWS4ze4yDrr9Xp+YK8A7RkIctH2ToyEixin8utvfa56dGpUai7gIRZ+0b tWY0FX6g/VRHwwhLIzTsaFveQGuzFbXaGkOhRASitKtbQo2fD39qAMixkKOctN9A /nA3dZU8BlJj7258+P36jQDOilr2Y7RlTSTZS5aXeAPbwILwKCNcDjV0keerGSqi V2zkiH0vAJcxVokn+iMj6VOaM1RyxskgFara0Vt3IuAjnirES/OVuIkhgpebmGXB PcHqLWpFDtEdLv6YtOwScE0eYb5/SA3XsmK3qgzEAzBfchwl4PqAhiQAf/tbx5Eg AUbFmwhEcgd9xMY5w6+8/5FjoXwHYmdfjKT9iD7QxF3LnymskoKQQGWBHiwJjaA8 LYPpopUg9we00zNdSGNXv1Lau9AM//ATiusH8iLJj33ofQh6FviQG6W3TlLPqx/o IxxNj5bPAQy6dRKB1TxlWr4X0pUWxuqBeObPoHS9j0ysxKPruw== =81zK -----END PGP PUBLIC KEY BLOCK-----

The post Updating GPG key for signing Firefox Releases appeared first on Mozilla Security Blog.
by Christoph Kerschbaumer at June 02, 2021 08:29 AM
This Week In Rust — This Week in Rust 393
Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR.

Updates from Rust Community

No official blog posts or research papers this week.

Newsletters

RiB Newsletter #24 - Bridges

Project/Tooling Updates

rust-analyzer Changelog #79

GCC Rust Monthly Report #6 May 2021

This Week In TensorBase 5

Announcing tower-http

Turning rusty tech into Rust ~ When you need to FTP but don’t want to

Observations/Thoughts

Object Oriented Programming Concepts in Rust

My first cup of Rust

Demystifying Mutability and References in Rust

The simpler alternative to GCC-RS

Why I support GCC-rs

Taking Rust for a Test Drive

A Polkadot Postmortem - 24.05.2021

The Most Annoying Bug I've Had To Track Down

[video] There and back again - Our Rust adoption journey [Open Source North 2021 / Luca Palmieri]

Rust Walkthroughs

RESTful API in Sync & Async Rust

Rust Closures will make your life easy.

Idiomatic Rust Binary Search Extended

The Relation between “Rust and Safe Programming” !!

Tightness Driven Development in Rust

Writing a "hello world" Riscv Kernel with Nix in Rust

Rust for Fsharpers and F# for Rustaceans

Creating a Deno plugin with Rust

How to use the Firebird database with Rust language

Reactive UI components in Rust

Redis Streams in Action - Part 2 (Rust app to consume from the Twitter Streaming API)

How to make plugins system with Rust and WebAssembly

Getting started with ECS using Planck ECS

Designing Rust bindings for REST APIs

WebRTC Video chat tutorial using Rust+WASM

[ZH] Take Web Screenshot & Make Watermark in Rust (Rust 中，对网址进行异步快照，并添加水印效果的实践)

[video] A Firehose of Rust, for busy people who know some C++

Miscellaneous

New Rust book: Rust for Rustaceans by Jon Gjengset

Just to say, thank you

Crate of the Week

This week's crate is rust-codegen-gcc, a drop-in replacement for the LLVM-based rust compiler backend targetting GCC.

Thanks to Josh Triplett for the nomination

Submit your suggestions and votes for next week!

Call for Participation

Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

If you are a Rust project owner and are looking for contributors, please submit tasks here.

Backroll-rs is looking for contributors

Updates from Rust Core

255 pull requests were merged in the last week

post-monomorphization errors traces MVP

make closures inherit their parent's "safety context"

fix low-memory issue and lower tier platforms with no sysinfo

fix bootstrap using host exe suffix for cargo

const-eval: disallow unwinding across functions that !fn_can_unwind()

deal with const_evaluatable_checked in ConstEquate

disallow shadowing const parameters

optimize proc macro bridge

fix incorrect suggestions for E0605

stabilize member constraints

E0599 suggestions and elision of generic argument if no canditate is found

a bit more polish on const eval errors

merge CrateDisambiguator into StableCrateId

do not try to build LLVM with Zlib on Windows

use u64 for the GroupWord on WebAssembly

don't hash thir_body

emit a hard error when a panic occurs during const-eval

don't sort a Vec before computing its DepTrackingHash

demote ControlFlow::{from, into}_try to pub(crate)

remove Ipv6Addr::is_unicast_link_local_strict

make Step trait safe to implement

fix unsoundness of Debug implementation for linked_list::IterMut

Weak's type parameter may dangle on drop

add TrustedRandomAccess specialization for Vec::extend()

enable Vec's calloc optimization for Option<NonZero>

prevent double drop in Vec::dedup_by if a destructor panics

fix pointer provenance in <[T]>::copy_within

add String::extend_from_within

add inline attr to CString::into_inner so it can optimize out NonNull checks

hashbrown: guard against allocations exceeding isize::MAX

futures: allow no limit for buffered stream combinators

cargo: cargo tree -e no-proc-macro to hide procedural macro dependencies

rustup: bring back x86_64-sun-solaris target to rustup

clippy: add avoid_breaking_exported_api config option

clippy: add lint suspicious_splitn

clippy: move semicolon_if_nothing_returned to pedantic

clippy: improve message for not_unsafe_ptr_arg_deref lint

clippy: fix ICE in too_many_lines

clippy: fix allow on some statement lints

clippy: fix missing_docs_in_private_items false negative

clippy: add the ability to invalidate caches to force metadata collection

Rust Compiler Performance Triage

Busy week, with several reverted PRs due to performance regressions, but overall a positive week.

Triage done by @simulacrum. Revision range: cdbe288..1160cf8

3 Regressions, 3 Improvements, 5 Mixed

Full report here.

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:

RFC: 2021 Edition

Final Comment Period

Every week the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

RFCs

[disposition: merge] RFC: Supertrait item shadowing

[disposition: merge] Type-changing struct update syntax

[disposition: merge] RFC: Introduce concat_bytes!() to join [u8] and byte str analogous to concat! for str

[disposition: merge] RFC: Overconstraining and omitting unsafe in impls of unsafe trait methods

Tracking Issues & PRs

[disposition: merge] Re-add support for parsing (and pretty-printing) inner-attributes in match body

New RFCs

No new RFCs were proposed this week.

Upcoming Events

Online

June 8, 2021, Seattle, WA, US - Monthly meetup - Seattle Rust Meetup

June 10, 2021, Berlin, DE - Rust Hack and Learn - Berline.rs

June 16, 2021, Vancouver, BC, CA - Rust in Mozilla's Data Platform - Vancouver Rust

June 17, 2021, Denver, CO, US - Learning Rust as a Python/Javascript developer by Juhis - Rust Denver

North America

June 9, 2021, Atlanta, GA, US - Grab a beer with fellow Rustaceans - Rust Atlanta

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Rust Jobs

TrueLayer

Rust Backend Engineer (London, UK)

Ockam

Architect - Rust Library Design (Remote)

Applied Cryptographer - Rust (Remote)

Tweede golf

Lead Developer Embedded Rust (Nijmegen, NL)

Dedalus Healthcare

Medical Visualization Software Engineer (Remote, EU timezone)

Yat Labs

Senior Rust Developer (Remote, EU timezone)

Ubisoft

Software Engineer - Machine Learning (Remote)

NZXT

Senior Software Engineer for CAM (Remote)

Senior Software Engineer for Streaming Software (Remote)

Parity

Junior/Senior Rust Solution Engineer - Substrate (Remote)

Multiple Rust / Blockchain Engineering Positions Available

Kraken

Several Rust Engineering Positions Available

Tweet us at @ThisWeekInRust to get your job offers listed here!

Quote of the Week

I recently graduated with my Ph.D., after having worked on 5 different versions of my simulator, written in 4 different languages. The last version, written in pure, safe rust, worked correctly in part because of rust's strong guarantees about what 'safety' means, which I was able to leverage to turn what would normally be runtime errors into compile time errors. That let me catch errors that would normally be days or weeks of debugging into relatively simple corrections. [...] So, once again, thank you to everyone!

– Cem Karan on rust-internals

Thanks to Josh Triplett for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by: nellshamrell, llogiq, and cdmistman.

Discuss on r/rust
by TWiR Contributors at June 02, 2021 04:00 AM
June 01, 2021
The Mozilla Blog — Sharing your deepest emotions online: Did 2020 change the future of therapy?
COVID-19 forced the U.S. into a new era of telehealth. Therapists hope it’s here to stay.

———

2020 was the worst year of Kali’s life.

“Going through something like the pandemic and not having family around, feeling out of control—I was on edge all year,” says the 30-year-old Colorado resident. And she wasn’t alone.

Amid the COVID-19 lockdowns of early 2020, millions of Americans found themselves trapped at home with a backlog of unaddressed mental-health issues. As with so many other things, computer screens and video calls became the only portals out of lockdown—for work, entertainment and, ultimately, real psychological help.

By spring 2020, nearly all therapy was forced online, a shift that initially worried therapists and patients alike.

“You do all these years of school to become a psychologist and all the training is in-person,” says Dr. Justin Puder, a therapist and licensed psychologist based in Boca Raton, Florida. “So when you transition to online, you have these doubts—will the connection be as genuine? Will it be as effective?”

But by summer, many therapists, including Puder, were experiencing an unprecedented surge in new-patient inquiries.

“About six months into the pandemic, I was over capacity, and that was the first time that my private practice had filled up like that,” Puder says.

Many of Puder’s clients were teens or young adults struggling with the transition to online school and the loss of important milestones like prom or graduation. Other therapists, like Dr. Jeff Rocker in Miami, Florida, saw an influx of Black men seeking therapy after a summer of highly publicized shootings of unarmed Black males at the hands of police. Others still, like K. Michelle Johnson, a sex and relationship coach and therapist based in Denver, Colorado, saw their practices flooded with struggling couples.

“I think the pandemic created a bit of a pressure cooker for people who were suddenly unable to avoid or escape the issues they’d been having,” Johnson says.

For Johnson’s clients, the shift to virtual therapy had both pros and cons. One issue was privacy. Virtual therapy nearly always takes place on specialized HIPAA-compliant platforms that ensure a secure connection, but interruptions from nosy roommates, curious children and needy pets are facts of life at home.

Still, Jennifer Dunkle, a Certified Gottman Couples Therapist who specializes in financial coaching and is based in Fort Collins, Colorado, says many of the parents she works with still prefer online therapy—it freed them to get the help they needed without having to find or pay for childcare, she says.

That new therapy-from-anywhere paradigm has also helped improve access for people in more rural settings. Angela, 31, raises pigs and vegetables with her partner on a farm in southern Colorado. They live about 60 miles from the nearest mental health center.

With that commute, “Going into therapy could be a three-hour ordeal,” Angela says. “So virtual—I’m all about it.”

The Pocket Joy List Project
The stories, podcasts, poems and songs we always come back to

Virtual therapy also just feels more accessible for some patients.

Haley, a 26-year-old in Atlanta, Georgia, says the idea of having to meet a therapist face-to-face had always intimidated her. That was compounded by anxiety around having to locate a new office, find parking and be somewhere on time. Conversely, just opening up a laptop from the comfort of her kitchen or bedroom? “That felt so much easier,” she says.

Puder suspects that there’s another phenomenon at play in the public’s newfound openness to virtual therapy: social media.

Puder currently has 335,000 followers on his TikTok. Rocker, better known in Miami as the “Celebrity Therapist” for his work with elite athletes and entertainers, has over 62,000 followers on Instagram. Both are part of a new wave of influencer-therapists who build their followings through bite-size mental health tips, often infused with humor and a lot of personality.

The trend has been enormously effective, Rocker says.

“People are seeing that there are so many different approaches and ethnicities and cultures within the mental health space,” Rocker says. “People are seeing that they can receive mental health services from people who look like them and talk like them and who they can relate to.”

Puder also suspects that TikTok’s rise in popularity during the pandemic has helped cultivate a new light-hearted, open, stigma-free approach to mental health, which has in turn encouraged more people to give therapy a try. After all, the difference between watching weekly videos from your favorite therapist and signing up for weekly video chats is an easy leap to make.

Better yet: According to a 2018 analysis of 64 different trials, internet-delivered therapy is just as effective as face-to-face therapy. And for some patients, it could be even more effective. Johnson reports that when clients can talk to her from a serene setting like a park, they’re able to open up and be more vulnerable than they may have been in person.

“With virtual therapy, there’s that little bit of separation between me and the client,” she says. “Sometimes that helps them let their guard down a little more.”

Kali had been going to therapy for years to help her manage her anxiety and depression. Pre-pandemic, she says she never would have considered virtual therapy. But between the political and social unrest and general pandemic anxiety, she found herself making the switch from weekly in-person sessions to weekly online sessions — something she said was “absolutely” critical to her surviving 2020.

“I genuinely have no idea what I would have done without it,” she says. “I don’t know that I would have made it through this year.”

While she looks forward to going back to in-person sessions, Kali says her opinions of virtual therapy have changed.

“I do feel like that deep connection can still be felt,” she says, “Now when I’m away on a trip, I’m more inclined to keep therapy on the schedule.”

Johnson doesn’t expect virtual therapy to ever completely replace in-person therapy. After all, in-person sessions are still a better fit for some clients, like those who may be starting deep trauma work, she says. Rocker adds that kids and teens often have trouble focusing on a screen.

But one thing is certain: Virtual therapy is here to stay, and the events of 2020 have pushed the mental health conversation in America into a new era—one Puder expects to snowball as more people continue to try therapy and talk about it online.

“When you have the opportunity to be vulnerable and talk about a low you’re in, it’s freeing,” he says. “And I think when people get a taste of that, they’ll continue the conversation.”

The post Sharing your deepest emotions online: Did 2020 change the future of therapy? appeared first on The Mozilla Blog.
by Mozilla at June 01, 2021 03:59 PM
Hacks.Mozilla.Org — Looking fine with Firefox 89
While we’re sitting here feeling a bit frumpy after a year with reduced activity, Firefox 89 has smartened up and brings with it a slimmed down, slightly more minimalist interface.

Along with this new look, we get some great styling features including a force-colors feature for media queries and better control over how fonts are displayed. The long awaited top-level await keyword for JavaScript modules is now enabled, as well as the PerformanceEventTiming interface, which is another addition to the performance suite of APIs: 89 really has been working out!

This blog post provides merely a set of highlights; for all the details, check out the following:

Firefox 89 for developers on MDN

Firefox 89 end-user release notes

forced-colors media feature

The forced-colors CSS media feature detects if a user agent restricts the color palette used on a web page. For instance Windows has a High Contrast mode. If it’s turned on, using forced-colors: active within a CSS media query would apply the styles nested inside.

In this example we have a .button class that declares a box-shadow property, giving any HTML element using that class a nice drop-shadow.

If forced-colors mode is active, this shadow would not be rendered, so instead we’re declaring a border to make up for the shadow loss:

.button { border: 0; padding: 10px; box-shadow: -2px -2px 5px gray, 2px 2px 5px gray; } @media (forced-colors: active) { .button { /* Use a border instead, since box-shadow is forced to 'none' in forced-colors mode */ border: 2px ButtonText solid; } }

Better control for displayed fonts

Firefox 89 brings with it the line-gap-override, ascent-override and descent-override CSS properties. These allow developers more control over how fonts are displayed. The following snippet shows just how useful these properties are when using a local fallback font:

@font-face { font-family: web-font; src: url("<https://example.com/font.woff>"); } @font-face { font-family: local-font; src: local(Local Font); ascent-override: 90%; descent-override: 110%; line-gap-override: 120%; }

These new properties help to reduce layout shift when fonts are loading, as developers can better match the intricacies of a local font with a web font. They work alongside the size-adjust property which is currently behind a preference in Firefox 89.

Top-level await

If you’ve been writing JavaScript over the past few years you’ve more than likely become familiar with async functions. Now the await keyword, usually confined to use within an async function, has been given independence and allowed to go it alone. As long as it stays within modules that is.

In short, this means JavaScript modules that have child modules using top level await wait for that child to execute before they themselves run. All while not blocking other child modules from loading.

Here is a very small example of a module using the >a href=”https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API”>Fetch API and specifying await within the export statement. Any modules that include this will wait for the fetch to resolve before running any code.

// fetch request const colors = fetch('../data/colors.json') .then(response => response.json()); export default await colors;

PerformanceEventTiming

A new look can’t go unnoticed without mentioning performance. There’s a plethora of Performance APIs, which give developers granular power over their own bespoke performance tests. The PerformanceEventTiming interface is now available in Firefox 89 and provides timing information for a whole array of events. It adds yet another extremely useful feature for developers by cleverly giving information about when a user-triggered event starts and when it ends. A very welcome addition to the new release.

The post Looking fine with Firefox 89 appeared first on Mozilla Hacks - the Web developer blog.
by Chris Mills at June 01, 2021 03:19 PM
Henri Sivonen — Bogo-XML Declaration Returns to Gecko
Firefox 89 was released today. This release (again!) honors a character encoding declaration made via syntax that looks like an XML declaration used in text/html (if there are no other character encoding declarations).

Before HTML parsing was specified, Internet Explorer did not support declaring the encoding of a text/html document using the XML declaration syntax. However, Gecko, WebKit, and Presto did. Unfortunately, I didn’t realize that they did.

When Hixie specified HTML parsing, consistent with IE, he didn’t make the spec sensitive to the XML declaration syntax in a particular way. I am unable to locate any discussion in the WHATWG mailing list archives about whether an encoding declaration made using the XML declaration syntax in text/html should be honored when processing text/html.

When I implemented the specified HTML parsing algorithm in Gecko, I also implemented the internal encoding declaration handling per specification. As a side effect, in Firefox 4, I removed Gecko’s support for the XML declaration syntax for declaring the character encoding in text/html. I don’t recall this having been a knowingly-made decision: The rewrite just did strictly what the spec said.

When WebKit and Presto implemented the specified HTML parsing algorithm, they only implemented the tokenization and tree building parts and kept their old ways for handling character encoding declarations. That is, they continued to honor the XML declaration syntax for declaring the character encoding text/html. I don’t recall the developers of the either engine raising this as a spec issue back then.

The closest to the issue getting raised as a spec issue was for the wrong reason, which made people push back instead of fixing the spec.

When Blink forked, it inherited WebKit’s behavior. When Microsoft switched from EdgeHTML to Blink, Gecko became the only actively-developed major engine not to support the XML declaration syntax for declaring the character encoding text/html. Since unlabeled UTF-8 is not automatically detected, this became a Web compatibility issue with pages that declare UTF-8 but only using the XML declaration syntax (i.e. without a BOM, a meta, or HTTP-layer declaration as well).

And that’s why support for declaring the character encoding via the XML declaration syntax came to the HTML spec and back to Gecko.

What Can We learn?

When the majority of engines has a behavior, we should assume that content is authored with the expectation that that behavior exists, and we can’t rely on assuming that all content is tested with the engine that doesn’t have the behavior even if that engine has the majority market share.
(In general, the HTML parsing algorithm upheld IE behaviors a bit too much. I regret that I didn’t push for non-IE behavior in tokenization when a less-than sign is encountered inside a tag token.)

Instead of just trusting the spec, also check with other engines do.

If you aren’t willing to implement what the spec says, you should raise the issue of the standardization forum.

If an issue is raised for a bad reason, pay attention to if there is an adjacent issue that needs fixing for a good reason.

“We comply with the spec” is unlikely to be a winning response to a long-standing Web compatibilty bug.

by Henri Sivonen at June 01, 2021 02:02 PM
The Mozilla Blog — How to capture screenshots instantly with Firefox
Sometimes you need to take a screenshot of something online to save it or share it with someone. Firefox has a built-in feature that makes grabbing a screenshot quick and easy. Here’s how to use the Firefox screenshot feature in your desktop browser:

Use the menu

Right-click for Windows or two-finger tap on Mac to call up the Firefox main action menu.
Scroll to the Take Screenshot action.

Drag your mouse around the area of your screen that you want to capture.
Or, you can select one of the pre-set options:
Save visible captures only what you see in your browser window without scrolling.
Save full page captures everything on the page, which is handy for screenshotting a full webpage without awkwardly dragging your mouse the whole way down the screen.
Once you’ve selected the area to screenshot, you have two options.
Click the copy button to add it to your clipboard. Then paste it somewhere (control-v), like in a chat, email, document or presentation — and even other software other than Firefox.
Or you can download the screenshot image, which is handy for saving and reusing later.

Changed your mind about taking a screenshot? Hit the ESC key to back out.

Add the Firefox screenshot feature to your toolbar

If you love the screenshot feature and want it front and center, you can add it as a button in the space next to the Firefox toolbar. Here’s how:

Click the main menu in the upper right corner and select More Tools.
Next, select Customize Toolbar.
Locate the Screenshot shortcut:

Grab it with your mouse and drag it up to the Toolbar.
Then click the Done button.
Now the Screenshot shortcut is at your fingertips everywhere you go in Firefox.

Using the Firefox screenshot feature is so easy anyone can use it. You don’t need to remember any shortcuts or download additional software. It’s all built-in and ready to roll with Firefox.

The post How to capture screenshots instantly with Firefox appeared first on The Mozilla Blog.
by M.J. Kelly at June 01, 2021 01:00 PM
The Mozilla Blog — A fresh new Firefox is here
Even though we’re in the web browser business, we know you don’t go online to look at Firefox, it’s more that you look through Firefox to get to everything on the open web. In today’s major release, Firefox sports a fresh new design that gets you where you’re going online, fast and distraction-free. And since we’re all about privacy, we’re also expanding integrated privacy protections in Firefox, so you feel safe and free to be yourself online thanks to fewer eyes following you across the web.

It’s all happening starting today in Firefox.

A sleek, clean Firefox design backed by research

Going into the Firefox redesign, our team studied how people interact with the browser, observing their patterns and behaviors. We listened to feedback and gathered ideas from regular people who just want to have an easier experience on the web. We obsessed over distractions, extra clicks and wasted time. The resulting new design is simple, modern and fast and delivers a beautiful experience to support what people do most in Firefox.

Bright and buoyant throughout

The fresh new Firefox is easy on the eyes, bright and buoyant on screens of all sizes — computers, phones and tablets. A new icon set, crisp typography and thoughtful spacing throughout all reflect a modern aesthetic for 2021.

Streamlined toolbar and menus

The toolbar is naturally where you start every web visit. It’s the place where you type a URL to go somewhere online. After web page content, it’s what you look at most in Firefox. The new toolbar is simplified and clutter-free so you get to the good stuff effortlessly.

Menus are where key Firefox actions and commands live. We’ve consolidated extra menus to reduce clutter and be more intuitive through the three bars menu in the upper right or by right-clicking to activate it on your computer screen. The new look reorganized and streamlined our menus to put the best actions quickly at your fingertips.

When privacy protections are engaged in Firefox, the shield icon in the toolbar glows subtly indicating that we’re working behind the scenes to protect you from nosy trackers. Fun fact: Firefox has blocked more than 6 trillion — that’s trillion with a T — trackers since we rolled out enhanced tracking protection, stopping thousands of companies from viewing your online activity.. We’re talking about tracking cookies, social media trackers, fingerprinters, cryptominers and more. Go ahead and click on the shield to see who and what Firefox is blocking… you might be surprised by what you find out.

A new look for tabs

Based on our research, we found out that more than half of you have 4+ tabs open all the time, and some of you have more, a lot more. And we feel that! Tab as much as you like, friends. Tabs got a makeover so they are now gently curved and float above the toolbar. It’s an exciting change that also serves as a reminder that tabs aren’t stationary. So grab those tabs, move them around and organize them as you like. Tabs also got a glow-up to be a touch brighter when active.

Shhhhhh…. notifications

No one likes to be interrupted when they’re in the flow, but if you must be alerted to something, at least it can look good. We’ve updated notifications and alerts of all kinds in Firefox to take up less space for less jarring interruptions. Plus, non-essential alerts and messages have been removed altogether. Media autoplay is turned off by default, so you won’t be interrupted by a random video blasting unexpectedly. Spotting a noisy tab is easy, and unmuting/muting takes just a quick click on the tab itself.

Expanded privacy protections

Mozilla makes it our mission to put your privacy and security first in the technology we develop. Our goal is for you to worry less every time you go online. The latest Firefox release comes to you with next-level security and privacy that you’ve come to expect from us.

The best private browsing mode out there

All browsers have a private browsing mode, but none match Firefox. The popular Total Cookie Protection moves from the optional strict setting to always-on in private browsing. This feature maintains a separate “cookie jar” for each website you visit while browsing privately. Any time a site deposits a cookie, Firefox locks it up in its own cookie jar so that it can’t be shared with any other website.

An even better Firefox for iOS and Android

The fresh new look covers Firefox everywhere, from desktop browsers to Android and iOS mobile devices. The iOS experience is optimized for iPhone and iPad, with key actions now taking fewer steps for quicker searches, navigation and tab viewing. With refinements in iconography and menu names, the whole browsing experience is more cohesive and harmonious across every platform.

“What inspires us the most are the people that love and use Firefox.”
Firefox design team

Backed by Mozilla, the non-profit that puts people first

Firefox was created by Mozilla as a faster, more private alternative to browsers like Internet Explorer, and now Chrome. Today, our mission-driven company and volunteer community continue to put your privacy above all else. Even as the internet grows and changes, Firefox continues to focus on your right to privacy — we call it the Personal Data Promise: Take less. Keep it safe. No secrets. Your data, your web activity, your life online is protected with Firefox, on your computer, your phone and anywhere you use it.

Things are looking different in 2021

We’re always excited when a new Firefox launches, and when it comes to this major redesign, we’re even more stoked for you to experience it. If you left Firefox behind at some point, this modern approach — inside and out — is designed to win you back and make it your go-to browser.

Keep an eye out for the new look in Firefox for desktop and mobile, rolling out starting today. Download and install for desktop, Android and iOS so you have all the best of Firefox everywhere you browse.

The post A fresh new Firefox is here appeared first on The Mozilla Blog.
by M.J. Kelly at June 01, 2021 01:00 PM
The Mozilla Blog — Modern, clean new Firefox clears the way to all you need online
We set out in 2021 to reimagine Firefox’s design to be fast, modern and inviting the first time you run it and every day after. We’ve always had your back on privacy, and still do. Now with today’s new Firefox release we’re also bringing you a modern new look designed to streamline and calm things down so you have a fresh new web experience every time you use Firefox.

We’re living in a frenetic time, where people are dealing with tough changes in our daily lives and hard to solve problems are popping up everywhere. We think the browser should be a piece of software you can rely on to have your back, pleasant to look at and working seamlessly with the web.

We’re also on a mission to save you time, whether that’s by making pages load faster, using less memory, or by streamlining everyday use of the browser. Good design is invisible. So if things just work, you don’t really think about it. But a ton of thought has been put into the flow. Our users who have tried the new Firefox have said, “the fact that I was using a new web browser slipped into the background of my consciousness.” And that’s just what we were going for.

Today’s desktop and mobile releases represent the intentional and thoughtful touches we made to give you a safe, calm, and useful experience online. We made these changes with you and your online habits in mind. Check it out for yourself:

Today’s Firefox gets you where you want to go online

Here’s a quick and easy breakdown of what you’ll find:

For starters we’ve cleaned up the amount of things that demand your attention from prompts and notifications to actions in the menu bar.

Simplified unencumbered navigation: The first step to going anywhere online is the toolbar, just type in the URL and press return/enter, and you’re off. In some ways this area serves as your car’s dashboard that you look at every time you get behind the wheel. We kept it simple and focused on these three key areas of the toolbar: 1) Navigation – back, forward and refresh 2) Address Bar – privacy shield (so you know your ambient information is always protected), security lock and where to type in your URL. 3) Frequently Used Settings – reader mode, zoom level and bookmark. Our intent was to make it easier for people to focus on the frequently used items in this area and easily get to where they needed to go.

Streamlined clutter-free menus: There are many ways to get to your preferences and settings, and we found that the two most popular ways were: 1) the hamburger menu – button on the far right with three equal horizontal lines – and 2) the right-click menu. So, we prioritized the content based on what people clicked on when they visited the menu. We made the labels less cryptic and clear and easier to understand, and we removed some icons so that it was easier for people to see at a glance where they wanted to go.

Productivity-inspired new tab design: Tabs. We use them every day. They signal where you are, but we need them to do more work. Everything from conveying information about what video is playing to where your next Zoom meeting is. It’s no surprise that more than 50% of people have 4 tabs or more open. We redesigned these tabs so that they floated neatly, and we added the visual indicators, like blocking autoplay videos until you’re ready to visit that tab. We detached the tab from the browser to invite you to move, rearrange and pull out tabs into a new window to suit your flow, and organize them so they’re easier for you to find.

We shushed notifications: Your web experience shouldn’t be bogged down by a bunch of notifications, and if you have to be given a heads-up on something, it should look good and not be a distraction. You’ll see consolidated the panels so you can respond more quickly and get back to why you were online in the first place faster. We specifically reduced some of the frustration and re-prompting associated with getting in and out of Google Meet meetings. Thanks to this pared down interface, you can get to all your web calls and meetings with fewer clicks.

Fresh, new Firefox for iOS: And we took care to pay attention to the key touches particularly on Apple devices. The improved iPhone and iPad experience includes a modernized, optimized and differentiated Firefox user interface. We reduced the steps to search in a new tab by automatically popping up the keyboard, emphasizing the ability to do quick searches with the search engine logo, and adding the append feature. You’ll see improved navigation around the app with new tab views and moved the synced tabs into the tab tray for better discoverability on any device. We refreshed design elements such as iconography and menu items naming to be consistent across our desktop and Firefox for Android platforms.

17 billion clicks drove us to create a new Firefox

As you can see for the past couple of months we’ve obsessed over everything from the icons you click to the address bar to the navigation buttons and menus you use. When we embarked on this journey to redesign the browser, we started by taking a closer look at where people were spending their time in the Firefox browser. We needed to know what clicks led to an action and if people accomplished what they set out to do when they clicked. For a month, we looked closely at the parts of the browser that were “sparking joy” for people, and the parts that weren’t:

We learned there was an opportunity to create a more streamlined environment to get people where they needed to go with less clicks and distractions. Our goal was to get people to their destination faster, with the least amount of clicks. Based on our user data, we observed how people used Firefox to get to their online destinations:

In one month, there are 17 billion clicks in the Firefox browser. Out of those 17 billion clicks, there were three major areas within the browser they visited:

Tab Bar – About 43% of the clicks go to the top portion of the browser where they can open as many tabs as they want
Navigation Bar – About 33% of the clicks go to the area below the tab bar where people can move forward, backward or refresh; and add the URL in the address bar, as well as other functions on the navigation bar
Bookmark bar – About 5% of the clicks go to the section where people bookmark their frequently visited place

Another area we observed was the menu area. Previously, we had three menus: right-click menu, the meatball menu (it appears as three dots at the end of the address bar), and the hamburger menu (it appears as three parallel lines at the far right of the address bar). The two popular menus were the right-click menu and the three parallel lines menu. People love or intuitively believe what they need is in the right click menu. We also saw differences around the world like:

Canada – Gets the crown for efficiency with an average of 12+ keyboard shortcuts per user and about 19 right clicks per user.
France – At an average of about 93 clicks pers user, France users click around the most within the browser.
Great Britain – We always wondered which country had the most tab hoarders? In the UK, users have the most tabs opened at about 7% of users who have 16 or more tabs opened.
India – Are the tidiest in terms of how they use browsers with over 60% of the users having 3 or less tabs opened.
United States: We found they topped the list of countries who like to go to their settings and personalize their browser.

With these insights we wanted to create a place that felt fresh and modern, and kept things like icons and menus flowing in a cohesive way. This meant using simple design and easy-to-understand language to lessen people’s cognitive load, essentially getting them faster to the places they wanted to go. It also meant retiring intrusive alerts and messages to avoid a jarring experience and provide a more calming environment. Throughout this process, our extraordinary team of designers really thought about the colors and iconography and wanted to make them more refined and consistent.

We’ve taken Private Browsing mode to the next level

We’ve designed the new Firefox to ensure that using a browser with industry-leading privacy is always an inviting experience. For those who browse exclusively or occasionally in Private Browsing mode, we take privacy to another level with today’s privacy protections. In February, we rolled out Total Cookie Protection in ETP (Enhanced Tracking Protection) strict mode. This privacy protection stops cookies from tracking you around the web by creating a separate cookie jar for every website. Today, Total Cookie Protection is now available in Private Browsing mode.

What’s next for Firefox

We’re excited to share this new Firefox experience across your devices. We’re planning exciting new features to roll out this year that will build on the modern web redesign this new Firefox delivers. No matter what device you choose to tackle the web in the future, Firefox will be there for you. We’ll share more details once we have them.

You can download the latest version of Firefox for your desktop and mobile devices and get ready for a new look and feel.

The post Modern, clean new Firefox clears the way to all you need online appeared first on The Mozilla Blog.
by Selena Deckelmann at June 01, 2021 01:00 PM
Mozilla Security Blog — Firefox 89 blocks cross-site cookie tracking by default in private browsing
At Mozilla, we believe that your right to privacy is fundamental. Unfortunately, for too long cookies have been used by tracking companies to gather data about you as you browse the web. Today, with the launch of Firefox 89, we are happy to announce that Firefox Private Browsing windows now include our innovative Total Cookie Protection by default. That means: when you open a Private Browsing window, each website you visit is given a separate cookie jar that keeps cookies confined to that site. Cookies can no longer be used to follow you from site to site and gather your browsing history.

What is Total Cookie Protection?

In February of this year we introduced Total Cookie Protection, a new, extra-strong protection against cross-site tracking cookies. Since Firefox 86, Total Cookie Protection has been available for users who have ETP Strict Mode enabled. Now, with Firefox 89, we are extending this same protection to Private Browsing windows.

To recap: a cookie is a small piece of data that websites can ask your browser to store on your computer. Traditionally, browsers have allowed websites to share cookies in what is effectively a single cookie jar. Firefox’s Total Cookie Protection is a sophisticated set of privacy improvements that enforce a simple, revolutionary principle: your browser should not allow the sharing of cookies between websites. This principle is now enforced in Firefox Private Browsing windows by creating a separate cookie jar for every website you visit, as illustrated here:

Previously, third-party cookies were shared between websites. Now, every website gets its own cookie jar so that cookies can’t be used to share data between them. (Illustration: Meghan Newell)

As we described in February, Total Cookie Protection covers not just cookies but a variety of browser technologies that previously were able to be used for cross-site tracking. To ensure a smooth browsing experience, Total Cookie Protection makes occasional exceptions to share cookies between websites when they are needed for cross-site logins or similar cross-site functionality.

Firefox Private Browsing Windows, now with even more privacy

With the addition of Total Cookie Protection, Firefox’s Private Browsing windows have the most advanced privacy protections of any major browser’s private browsing mode. The following protections are included in Private Browsing windows by default:

Total Cookie Protection isolates cookies to the site where they were created

Supercookie protections stop supercookies from following you from site to site

Cookies and caches are cleared at the end of every Private Browsing session, and aren’t shared with normal windows

Trackers are blocked, including cookies, scripts, tracking pixels and other resources from domains on Disconnect’s list of known trackers

Many fingerprinting scripts are blocked, according to Disconnect’s list of invasive fingerprinting domains.

SmartBlock intelligently fixes up web pages that were previously broken when tracking scripts were blocked

If you have Firefox installed, you don’t need to do anything special to benefit from this upgrade to Private Browsing windows. To open a Private Browsing window, click on the Application Menu button (☰) and choose “New Private Window”:

Or, if you like keyboard shortcuts, just press Ctrl + Shift + P (Cmd + Shift + P on Mac). When you are done with that private browsing session, you can simply close all your Private Browsing windows. All the cookies and other stored data from the websites you visited will be immediately deleted!

As we continue to strengthen Firefox’s privacy protections, Mozilla is committed to maintaining state-of-the-art performance and a first-class browsing experience. Stay tuned for more privacy advances in the coming months!

Thank you

We are grateful to the many Mozillians who have contributed to or supported this new enhancement to Firefox, including Steven Englehardt, Andrea Marchesini, Tim Huang, Johann Hofmann, Gary Chen, Nihanth Subramanya, Paul Zühlcke, Tanvi Vyas, Anne van Kesteren, Ethan Tseng, Prangya Basu, Wennie Leung, Ehsan Akhgari, Dimi Lee, Selena Deckelmann, Mikal Lewis, Tom Ritter, Eric Rescorla, Olli Pettay, Philip Luk, Kim Moir, Gregory Mierzwinski, Doug Thayer, and Vicky Chin.

The post Firefox 89 blocks cross-site cookie tracking by default in private browsing appeared first on Mozilla Security Blog.
by Arthur Edelstein at June 01, 2021 12:55 PM
May 31, 2021
Daniel Stenberg — curl localhost as a local host
When you use the name localhost in a URL, what does it mean? Where does the network traffic go when you ask curl to download http://localhost ?

Is “localhost” just a name like any other or do you think it infers speaking to your local host on a loopback address?

Previously

curl http://localhost

The name was “resolved” using the standard resolver mechanism into one or more IP addresses and then curl connected to the first one that works and gets the data from there.

The (default) resolving phase there involves asking the getaddrinfo() function about the name. In many systems, it will return the IP address(es) specified in /etc/hosts for the name. In some systems things are a bit more unusually setup and causes a DNS query get sent out over the network to answer the question.

In other words: localhost was not really special and using this name in a URL worked just like any other name in curl. In most cases in most systems it would resolve to 127.0.0.1 and ::1 just fine, but in some cases it would mean something completely different. Often as a complete surprise to the user…

Starting now

curl http://localhost

Starting in commit 1a0ebf6632f8, to be released in curl 7.78.0, curl now treats the host name “localhost” specially and will use an internal “hard-coded” set of addresses for it – the ones we typically use for the loopback device: 127.0.0.1 and ::1. It cannot be modified by /etc/hosts and it cannot be accidentally or deliberately tricked by DNS resolves. localhost will now always resolve to a local address!

Does that kind of mistakes or modifications really happen? Yes they do. We’ve seen it and you can find other projects report it as well.

Who knows, it might even be a few microseconds faster than doing the “full” resolve call.

(You can still build curl without IPv6 support at will and on systems without support, for which the ::1 address of course will not be provided for localhost.)

Specs say we can

The RFC 6761 is titled Special-Use Domain Names and in its section 6.3 it especially allows or even encourages this:

Users are free to use localhost names as they would any other domain names. Users may assume that IPv4 and IPv6 address queries for localhost names will always resolve to the respective IP loopback address.

Followed by

Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s).

Mike West at Google also once filed an I-D with even stronger wording suggesting we should always let localhost be local. That wasn’t ever turned into an RFC though but shows a mindset.

(Some) Browsers do it

Chrome has been special-casing localhost this way since 2017, as can be seen in this commit and I think we can safely assume that the other browsers built on their foundation also do this.

Firefox landed their corresponding change during the fall of 2020, as recorded in this bugzilla entry.

Safari (on macOS at least) does however not do this. It rather follows what /etc/hosts says (and presumably DNS of not present in there). I’ve not found any official position on the matter, but I found this source code comment indicating that localhost resolving might change at some point:

// FIXME: Ensure that localhost resolves to the loopback address.

Windows (kind of) does it

Since some time back, Windows already resolves “localhost” internally and it is not present in their /etc/hosts alternative. I believe it is more of a hybrid solution though as I believe you can put localhost into that file and then have that custom address get used for the name.

Secure over http://localhost

When we know for sure that http://localhost is indeed a secure context (that’s a browser term I’m borrowing, sorry), we can follow the example of the browsers and for example curl should be able to start considering cookies with the “secure” property to be dealt with over this host even when done over plain HTTP. Previously, secure in that regard has always just meant HTTPS.

This change in cookie handling has not happened in curl yet, but with localhost being truly local, it seems like an improvement we can proceed with.

Can you still trick curl?

When I mentioned this change proposal on twitter two of the most common questions in response were

can’t you still trick curl by routing 127.0.0.1 somewhere else
can you still use --resolve to “move” localhost?

The answers to both questions are yes.

You can of course commit the most hideous hacks to your system and reroute traffic to 127.0.0.1 somewhere else if you really wanted to. But I’ve never seen or heard of anyone doing it, and it certainly will not be done by mistake. But then you can also just rebuild your curl/libcurl and insert another address than the default as “hardcoded” and it’ll behave even weirder. It’s all just software, we can make it do anything.

The --resolve option is this magic thing to redirect curl operations from the given host to another custom address. It also works for localhost, since curl will check the cache before the internal resolve and --resolve populates the DNS cache with the given entries. (Provided to applications via the CURLOPT_RESOLVE option.)

What will break?

With enough number of users, every single little modification or even improvement is likely to trigger something unexpected and undesired on at least one system somewhere. I don’t think this change is an exception. I fully expect this to cause someone to shake their fist in the sky.

However, I believe there are fairly good ways to make to restore even the most complicated use cases even after this change, even if it might take some hands on to update the script or application. I still believe this change is a general improvement for the vast majority of use cases and users. That’s also why I haven’t provided any knob or option to toggle off this behavior.

Credits

The top photo was taken by me (the symbolism being that there’s a path to take somewhere but we don’t really know where it leads or which one is the right to take…). This curl change was written by me. Mike West provided me the Chrome localhost change URL. Valentin Gosu gave me the Firefox bugzilla link.
by Daniel Stenberg at May 31, 2021 01:39 PM
Karl Dubost — Get Ready For Three Digits User Agent Strings
In 2022, Firefox and Chrome will reach a version number with three digits: 100. It's time to get ready and extensively test your code, so your code doesn't return null or worse 10 instead of 100.

Some contexts

The browser user agent string is used in many circumstances, on the server side with the User-Agent HTTP header and on the client side with navigator.userAgent. Browsers lie about it. Web apps and websites detection do not cover all cases. So browsers have to modify the user agent string on a site by site case.

Browsers Release Calendar

According to the Firefox release calendar, during the first quarter of 2022 (probably March), Firefox Nightly will reach version 100. It will set Firefox stable release version around May 2022 (if it doesn't change until then).

And Chrome release calendar sets a current date of March 29, 2022.

What Mozilla Webcompat Team is doing?

Dennis Schubert started to test JavaScript Libraries, but this tests only the libraries which are up to date. And we know it, the Web is a legacy machine full of history.

The webcompat team will probably automatically test the top 1000 websites. But this is very rudimentary. It will not cover everything. Sites always break in strange ways.

What Can You Do To Help?

Browse the Web with a 100 UA string

Change the user agent string of your favorite browser. For example, if the string is Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0, change it to be Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0

If you notice something that is breaking because of the UA string, file a report on webcompat. Do not forget to check that it is working with the normal UA string.

Automatic tests for your code

If your web app has a JavaScript Test suite, add a profile with a browser having 100 for its version number and check if it breaks. Test both Firefox and Chrome (mobile and desktop) because the libraries have different code paths depending on the user agent. Watch out for code like:

const ua_string = "Firefox/100.0"; ua_string.match(/Firefox\/(\d\d)/); // ["Firefox/10", "10"] ua_string.match(/Firefox\/(\d{2})/); // ["Firefox/10", "10"] ua_string.match(/Firefox\/(\d\d)\./); // null

Compare version numbers as integer not string

Compare integer, not string when you have decided to have a minimum version for supporting a browser, because

"80" < "99" // true "80" < "100" // false parseInt("80", 10) < parseInt("99", 10) // true parseInt("80", 10) < parseInt("100", 10) // true

Comments

If you have more questions, things I may have missed, different take on them. Feel free to comment…. Be mindful.

Otsukare!
by Karl Dubost at May 31, 2021 02:43 AM
May 29, 2021
Cameron Kaiser — TenFourFox FPR32 SPR1 available
TenFourFox Feature Parity Release 32 Security Parity Release 1 "32.1" is available for testing (downloads, hashes). There are no changes to the release notes except that Mozilla has lengthened 78ESR by a couple more weeks, so the end of official builds is now extended to October 5, 2021. Assuming no major problems, FPR32.1 will go live Monday evening Pacific time as usual.
by ClassicHasClass at May 29, 2021 04:15 AM
The Mozilla Blog — Building a more privacy preserving ads-based ecosystem
Advertising is central to the internet economy. It funds many free products and services. But it is also very intrusive. It is powered by ubiquitous surveillance and it is used in ways that harm individuals and society. The advertising ecosystem is fundamentally broken in its current form.

Advertising does not need to harm consumer privacy. As a browser maker and as an ethical company driven by a clear mission, we want to ensure that the interests of users are represented and that privacy is a priority. We also benefit from the advertising ecosystem which gives us a unique perspective on these issues.

Every part of the ecosystem has a role to play in strengthening and improving it. That is why we see potential in the debate happening today about the merits of privacy preserving advertising.

As this debate moves forward, there are two principles that should anchor work on this topic to ensure we deliver a better web to consumers.

Consumer Privacy First

Improving privacy for everyone must remain the north star for review of proposals, such as Google’s FLoC and Microsoft’s PARAKEET, and parallel proposals from the ad tech industry. At Mozilla, we will be looking at proposals through this lens, which is always a key factor for any decision about what we implement in Firefox. Parties that aren’t interested in protecting user privacy or in advancing a practical vision for a more private web will slow down the innovation that is possible to achieve and necessary for consumers.

Development in the Open

It is important that proposals are transparently debated and collaboratively developed by all stakeholders through formal processes and oversight at open standards development organizations (“SDOs”). Critical elements of online infrastructure should be developed at SDOs to ensure an interoperable and decentralized open internet. Stakeholder commitment to final specifications and timelines is just as important, because without this, the anticipated privacy benefits to consumers cannot materialize.

At its core, the current proposals being debated and their testing plans have important potential to improve how advertising can be delivered but also may raise privacy and centralization issues that need to be addressed. This is why it’s so critical this process plays out in the open at SDOs.

We hope that all stakeholders can commit to these two principles. We have a real opportunity now to improve the privacy properties of online advertising—an industry that hasn’t seen privacy improvement in years. We should not squander this opportunity. We should instead draw on the internet’s founding principles of transparency, public participation and innovation to make progress.

For more on this:

How online advertising works today and Privacy-Preserving Advertising

Privacy analysis of FLoC

The post Building a more privacy preserving ads-based ecosystem appeared first on The Mozilla Blog.
by Mozilla at May 29, 2021 02:46 AM
The Mozilla Blog — The future of ads and privacy
The modern web is funded by advertisements. Advertisements pay for all those “free” services you love, as well as many of the products you use on a daily basis — including Firefox. There’s nothing inherently wrong with advertising: Mozilla’s Principle #9 states that “Commercial involvement in the development of the internet brings many benefits.” However, that principle goes on to say that “a balance between commercial profit and public benefit is critical” and that’s where things have gone wrong: advertising on the web in many situations is powered by ubiquitous tracking of people’s activity on the web in a way that is deeply harmful to users and to the web as a whole.

Some Background

The ad tech ecosystem is incredibly complicated, but at its heart, the way that web advertising works is fairly simple. As you browse the web, trackers (mostly, but not exclusively advertisers), follow you around and build up a profile of your browsing history. Then, when you go to a site which wants to show you an ad, that browsing history is used to decide which of the potential ads you might see you actually get shown.

The visible part of web tracking is creepy enough — why are those pants I looked at last week following me around the Internet? — but the invisible part is even worse: hundreds of companies you’ve never heard of follow you around as you browse and then use your data for their own purposes or sell it to other companies you’ve also never heard of.

The primary technical mechanism used by trackers is what’s called “third party cookies”. A good description of third party cookies can be found here, a cookie is a piece of data that a website stores on your browser and can retrieve later. A third party cookie is a cookie which is set by someone other than the page you’re visiting (typically a tracker). The tracker works with the web site to embed some code from the tracker on their page (often this code is also responsible for showing ads) and that code sets a cookie for the tracker. Every time you go to a page the tracker is embedded on, it sees the same cookie and can use that to link up all the sites you go to.

Cookies themselves are an important part of the web — they’re what let you log into sites, maintain your shopping carts, etc. However, third party cookies are used in a way that the designers of the web didn’t really intend and unfortunately, they’re now ubiquitous. While they have some legitimate uses, like federated login, they are mostly used for tracking user behavior.

Obviously, this is bad and it shouldn’t be a surprise to anybody who has followed our work in Firefox that we believe this needs to change. We’ve been working for years to drive the industry in a better direction. In 2015 we launched Tracking Protection, our first major step towards blocking tracking in the browser. In 2019 we turned on a newer version of our anti-tracking technology by default for all of our users. And we’re not the only ones doing this.

We believe all browsers should protect their users from tracking, particularly cookie-based tracking, and should be moving expeditiously to do so.

Privacy Preserving Advertising

Although third-party cookies are bad news, now that they are so baked into the web, it won’t be easy to get rid of them. Because they’re a dual-use technology with some legitimate applications, just turning them off (or doing something more sophisticated like Firefox Total Cookie Protection) can cause some web sites to break for users. Moreover, we have to be constantly on guard against new tracking techniques.

One idea that has gotten a lot of attention recently is what’s called “Privacy Preserving Advertising” (PPA) . The basic idea has a long history with systems such as Adnostic, PrivAd, and AdScale but has lately been reborn with proposals from Google, Microsoft, Apple, and Criteo, among others. The details are of course fairly complicated, but the general idea is straightforward: identify the legitimate (i.e., non-harmful) applications for tracking techniques and build alternative technical mechanisms for those applications without threatening user privacy. Once we have done that, it becomes much more practical to strictly limit the use of third party cookies.

This is a generally good paradigm: technology has advanced a lot since cookies were invented in the 1990s and it’s now possible to do many things privately that used to require just collecting user data. But, of course, it’s also possible to use technology to do things that aren’t so good (which is how we got into this hole in the first place). When looking at a set of technologies like PPA, we need to ask:

Are the use cases for the technology actually good for users and for the web?
Do these technologies improve user privacy and security? Are they collecting the minimal amount of data that is necessary to accomplish the task?
Are these technologies being developed in an open standards process with input from all stakeholders?

Because this isn’t just one technology but rather a set of them, we should expect some pieces to be better than others. In particular, ad measurement is a use case that is important to the ecosystem, and we think that getting this one component right can drive value for consumers and engage advertising stakeholders. There’s overlap here with technologies like Prio which we already use in Firefox. On the other hand, we’re less certain about a number of the proposed technologies for user targeting, which have privacy properties that seem hard to analyze. This is a whole new area of technology, so we should expect it to be hard, but that’s also a reason to make sure we get it right.

What’s next?

Obviously, this is just the barest overview. In upcoming posts we’ll provide a more detailed survey of the space, covering the existing situation in more detail, some of the proposals on offer, and where we think the big opportunities are to improve things in both the technical and policy domains.

For more on this:

Building a more privacy preserving ads-based ecosystem

Privacy analysis of FLoC

The post The future of ads and privacy appeared first on The Mozilla Blog.
by Eric Rescorla at May 29, 2021 02:45 AM
Sam Foster — Ideas on a lower-carbon internet through scheduled downloads and Quality of Service requests
Other titles:

The impact of internet use and what we might do about it?

Opportunities for powering more internet use with renewables

I want this thing, but not until later

A story of demand-side prioritization, scheduling and negotiation to take advantage of a fluxuating energy supply.

I recently got interested in how renewable power generation plays into the carbon footprint of internet usage. We need power to run and charge the devices we use to consume internet content, to run the networks that deliver that content to us, and to power the servers and data centers that house those servers.

Powering the internet eats up energy. The power necessary to serve up the files, do the computation, encode and package it all up to send it down the wire to each of the billions of devices making those requests consumes energy on an enormous scale. The process of hosting and delivering content is so power hungry, the industry is driven to large extent by the cost and availability of electricity. Data centers are even described in terms of the power they consume - as a reasonable proxy for the capacity they can supply.

One of the problems we hear about constantly is that the intermittent and relatively unpredicatable nature of wind and solar energy means it can only ever make up a portion of a region’s electricity generation capacity. There’s an expectation of always-on power availability; regardles of the weather or time of day, a factory must run, a building must be lit, and if a device requests some internet resource the request must be met immediately. So, we need reliable base load generation to meet most energy demands. Today, that means coal, natural gas, nuclear and hydro generation plants - which can be depended on to supply energy day and night, all year round. Nuclear and hydro are low-carbon, but they can also be expensive and problematic to develop. Wind and solar are much less so, but as long as their output is intermittent they can only form part of the solution for de-carbonizing electricity grids across the world - as long as demand not supply is king.

There are lots of approaches to tackling this. Better storage options (PDF) smooth out the intermittency of wind and solar - day to day if not seasonally. Carbon capture and sequestration lower the carbon footprint of fossil fuel power generation - but raise the cost. What if that on-demand, constant availability of those data centers’ capacity was itself a variable? Suppose the client device issuing the request had a way to indicate priority and expected delivery time, would that change the dynamic?

Wind power tends to peak early in the morning, solar in the afternoon. Internet traffic is at its highest during the day and evening, and some - most - is necessarily real-time. But if I’m watching a series on Netflix, the next episode could be downloaded at anytime, as long as its available by the next evening when I sit down to watch it. And for computational tasks - like compiling some code, running an automated test suite, or encoding video - sometimes you need it as soon as possible, other times its less urgent. Communicating priority and scheduling requirements (a.k.a Quality of Service) from the client through to the infrastructure used to fullfill a request would allow smarter balancing of demand and resources. It would open up the door to better use of less constant (non-baseload) energy sources. The server could defer on some tasks when power is least available or most expensive, and process them later when for example the sun comes up, or the wind blows. Smoothing out spikes in demand would also reduce the need for so-called “peaker” plants - typically natural gas power plants that are spun up to meet excess energy demand.

“Kestler: While intermittent power is a challenge for data center operations, the development of sensors, software tools and network capabilities will be at the forefront of advancing the deployment of renewables across the globe. The modernization of the grid will be dependent on large power consumers being capable of operating in a less stable flow of electrons.

What’s Ahead for Data Centers in 2021

Google already experimented with some of this, and its a fascinating and encouraging read.

“Results from our pilot suggest that by shifting compute jobs we can increase the amount of lower-carbon energy we consume”

Our data centers now work harder when the sun shines and wind blows

There are clearly going to be hurdles for wide-scale adoption of this kind of strategy, and its never going to work for all cases. But with a problem at this scale, a solution that shaves off 1%, or a fraction of 1% can still translate into huge monetary and carbon savings. So, what would it take? Are there practical steps that us non-data-center-operators can take to facilitate this kind of negotiation betweeen the client and the massive and indifferent upstream infrastructure that supports it?

The low hanging fruit in this scenario is video streaming. It represents an outsized percentage of all internet traffic - and data center load. Netflix alone generates 15% of all global internet traffic. What if even 1% of that could be shifted to be powered entirely by renewable energy, by virtue of the deferred-processing at the supply-side, or scheduled download at the client-side? Often its the case that when I click to watch video, I need it right there and then - perhaps it is a live event, or I didn’t know I needed it until that minute. Sometimes not though. If it was possible to schedule the download ensuring it was there on my device when I did need it, the benefits would ripple through the whole system - content delivery providers would save money and maybe the grid itself would be able to absorb more intermittent renewable generation.

There are other opportunities and I don’t want to get too hung up on specifics. But the notion of attaching Quality of Service in some way to some requests to facilitate smarter utilization of seasonal, regional and weather-dependent energy generation fluxuations seems promising to me. Fundamentally, power demand from worldwide internet traffic is extremely dynamic. We can better meet that demand with equally dynamic low and zero carbon sources if we can introduce patterns and signals at all levels of the system to allow it to plan and adapt.

…

When I get to the end of a piece like this I’m always left wondering “what is the point?”. Is this just a rant into the void, hoping someone listens? Its certainly not an actionable plan for change. Writing it down helps me process some of these ideas, and I hope it starts conversations and prompts you to spot these kind of indirect opportunities to tackle climate change. And if you are in a position to nudge any of this towards really existing in the world, that would be great. I work at Mozilla, we make a web browser and have our own substantial data-center and compute-time bill. I’ll be looking into what change I can help create there.

Some References
I collected a large list of papers and articles as I looked into this. Here’s a smaller list:

Netflix Environmental Social Governance Report (2019) (PDF)

“In 2019, Netflix’s direct energy use was about 94,000 megawatt hours” (Direct energy usage, not including cloud services)

Content delivery network includes “We partner with over a thousand ISPs to localize substantial amounts of traffic” so its partly local

“indirect energy use was about 357,000 megawatt hours in 2019”

167 million subscribers in 2019. Hours downloaded? (we have that 2011 study which claims 3.2billion hrs)

Estimating a Data Center’s Electrical Carbon Footprint

“Avoided emissions reflect the average activity of peaker plants in the local utility’s network”

Sandvine: Global Internet Phenomena Report 2018

Video is 58% of internet downstream traffic volume.

Netflix is 15% of all internet downstream traffic

Factcheck: What is the carbon footprint of streaming video on Netflix?

Carbon-aware Load Balancing for Geo-distributedCloud Services (PDF)

by Sam Foster at May 29, 2021 12:32 AM
May 28, 2021
Daniel Stenberg — Taking hyper-curl further
Thanks to funding by ISRG (via Google), we merged the hyper powered HTTP back-end into curl earlier this year as an alternative HTTP/1 and HTTP/2 implementation. Previously, there was only one way to do HTTP/1 and 2 in curl.

Backends

Core libcurl functionality can be powered by optional and alternative backends in a way that doesn’t change the API or directly affect the application. This is done by featuring internal APIs that can be implemented by independent components. See the illustration below (click for higher resolution).

This is a slide from Daniel’s libcurl under the hood presentation.

curl 7.75.0 became the first curl release that could be built with hyper. The support for it was labeled “experimental” as while most of all common and basic use cases were supported, we still couldn’t run the full test suite when built with it and some edge cases even crashed.

We’ve subsequently fixed a few of the worst flaws so the Hyper powered curl has gradually and slowly improved since then.

Going further

Our best friends at ISRG has now once again put up funding and I’ll spend more work hours on making sure that more (preferably all) tests can run with hyper.

I’ve already started. Right now I’m sitting and staring at test case 154 which is doing a HTTP PUT using Digest authentication and an Expect: 100-continue header and this test case currently doesn’t work correctly when built to use Hyper. I’ll report back in a few weeks and let you know how it goes – and then I don’t mean with just test 154!

Consider yourself invited to join the #curl IRC channel and chat if you want live reports or want to help out!

Fund

You too can fund me to do curl work. Get in touch!
by Daniel Stenberg at May 28, 2021 04:04 PM
Raphael Pierzina — Enable Fission tt(c) on more platforms
Last week my coworker Andrew Halberstadt talked me through the process of configuring Firefox CI to run a given test suite with Fission enabled on additional platforms. I am working on a patch to do this for our telemetry integration tests which are set up with mozharness and use treeherder symbol tt(c). Since the process should be close to identical for similar test suites, I decided to summarize what I’ve learned in this post, so next time someone on my team wants to do this, we don’t need to bug Andrew again.
by Raphael Pierzina at May 28, 2021 08:20 AM
Daniel Stenberg — Giving away an insane amount of curl stickers
Part 1. The beginning. (There will be at least one more part later on following up the progress.)

On May 18, 2021 I posted a tweet that I was giving away curl stickers for free to anyone who’d submit their address to me. It looked like this:

Everyone once in a while when I post a photo that involves curl stickers, a few people ask me where they can get hold of such. I figured it was about time I properly offered “the world” some. I expected maybe 50 or a 100 people would take me up on this offer.

The response was totally overwhelming and immediate. Within the first hour 270 persons had already requested stickers. After 24 hours when I closed the form again, 1003 addresses had been submitted. To countries all around the globe. Quite the avalanche.

Assessing the damage

This level of interest put up some challenges I hadn’t planned for. Do I have stickers enough? Now suddenly doing 3 or 5 stickers per parcel will have a major impact. Getting envelops and addresses onto them for a thousand deliveries is quite a job! Not to mention the cost. A “standard mail” to outside Sweden using the regular postal service is 24 SEK. That’s ~2.9 USD. Per parcel. Add the extra expenses and we’re at an adventure north of 3,000 USD.

For this kind of volume, I can get a better rate by registering as a “company customer”. It adds some extra work for me though but I haven’t worked out the details around this yet.

Let me be clear: I already from the beginning planned to ask for reimbursement from the curl fund for my expenses for this stunt. I would mostly add my work on this for free. Maybe “hire” my daughter for an extra set of hands.

Donations

During the time the form was up, we also received 51 donations to Open Collective (as the form mentioned that, and I also mentioned it on Twitter several times). The donated total was 943 USD. The average donation was 18 USD, the largest ones (2) were at 100 USD and the smallest was 2 USD.

Of course some donations might not be related to this and some donations may very well arrive after this form was closed again.

Cleaning up

If I had thought this through better at the beginning, I would not have asked for the address using a free text field like this. People clearly don’t have the same idea of how to do this as I do.

I had to manually go through the addresses to insert newlines, add country names and remove obviously broken addresses. For example, a common pattern was addresses added with only a 6-8 digit number? I think over 20 addresses were specified like that!

Clearly there’s a lesson to be had there.

After removing obviously bad and broken addresses there were 978 addresses left.

Countries

I got postal addresses to 65 different countries. A surprisingly diverse collection I think. The top 10 countries were:

USA 174
Sweden 103
Germany 93
India 92
UK 64
France 56
Spain 31
Brazil 31
The Netherlands 24
Switzerland 20

Countries that were only entered once: Dubai, Iran, Japan, Latvia, Morocco, Nicaragua, Philippines, Romania, Serbia, Thailand, Tunisia, UAE, Ukraine, Uruguay, Zimbabwe

Figuring out the process

While I explicitly said I wouldn’t guarantee that everyone gets stickers, I want to do my best in delivering a few to every single one who asked for them.

Volunteers

I have the best community. Without me saying a word or asking for it, several people raised their hands and volunteered to offload the sending to their countries. I could send one big batch to them and they redistribute within their countries. They would handle US, Czechia, Denmark and Switzerland for me.

But why stop at those four? In my next step I put up a public plea for more volunteers on Twitter and man, I got myself a busy evening and after a few hours I had friends signed up from over 20 countries offering to redistributed stickers within the respective countries. This way, we share the expenses and the work load, and mailing out many smaller parcels within countries is also a lot cheaper than me sending them all individually from Sweden.

After a lot of communications I had an army of helpers lined up.

28 distributors will help me do 724 sticker deliveries to 24 countries. Leaving me to do just the remaining 282 packages to the other 41 countries.

Stickers inventory

I’ve offered “a few” stickers and I decided that means 4.

978 * 4 = 3912

Plus I want to add 10 extra stickers to each distributor, and there are 28 distributors.

3912 + 28 * 10 = 4192

Do I have 4200 curl stickers? I emptied my sticker drawer and put them all on the table and took this photo. All of these curl stickers you see on the photo have been donated to us/me by sponsors. Most of the from Sticker Mule, some of them from XXXX.

I think I might be a little “thin”. Luckily, I have friends that can help me stock up…

(There are some Haxx and wolfSSL stickers on the photo as well, because I figured I should spice up some packages with some of those as well.)

Schedule

The stickers still haven’t shipped from my place but the plan is to get the bulk of them shipped from me within days. Stay tuned. There will of course be more delays on the route to their destinations, but rest assured that we intend to deliver to all who asked for them!

Will I give away more curl stickers?

Not now, and I don’t have any plans on doing this stunt again very soon. It was already way more than I expected. More attention, more desire and definitely a lot more work!

But at the first opportunity where you meet me physically I will of course give away stickers.

Buy curl stickers?

I’ve started looking into offering stickers for purchase but I’m not ready to make anything public or official yet. Stay tuned and I promise you’ll learn and be told when the sticker shop opens.

If it happens, the stickers will not be very cheap but you should rather see each such sticker as a mini-sponsorship.

Follow up

Stay tuned. I will be back with updates.
by Daniel Stenberg at May 28, 2021 06:28 AM
Mike Taylor — The hidden meaning of 537.36 in the Chromium User-Agent string
If you’re like me, first of all, very sorry to hear that, but you are probably spending your Friday morning wondering what the meaning of 537.36 is in the Chromium User-Agent string. It appears in two places: AppleWebKit/537.36 and Safari/537.36.

As any serious researcher does, the first place I went to for answers was numeroscop.net, to check out the “Angel Number Spiritual Meaning”.

(I enjoy a good data-collection-scheme-disguised-as-fortune-telling site as much as anyone else, don’t judge me.)

537 means:

“Positive changes in the material aspect will be an extra confirmation that you have made the right choice of a life partner”

And 36 means:

“[Y]es, you are doing everything right, but you are not doing everything that you could do”.

Angels probably use PHP, so let’s assume “.” is the string concatenation operator. Mashing those together, a meaning emerges: “537.36” represents the last shipping version of WebKit before the Blink fork.

Back in 2013 (right after the fork announcement), Ojan Vafai wrote,

“In the short-term we have no plans of changing the UA string. The only thing that will change is the Chrome version number.”

Darin Fisher (former engineering lead for the Chrome Web Platform Team) said the same in the recorded Q&A video (linked from the Developer FAQ).

Assuming Wikipedia is as trustworthy as that “why did I give the Angel Numerology site my email, birthdate, relationship status, and name, and why am I getting so many ads on other sites about healing crystals and clearance specials on hydroxychloroquine??” site, Chrome 27.0.1453 was the last version of Chrome shipping WebKit, which was at 537.36, and Chrome 28.0.1500 was the first version of stable channel release shipping the Blink engine.

So that’s why those numbers are in the User-Agent string. For obvious compatibility reasons, you can’t just remove strings like AppleWebKit/537.36 and Safari/537.36. And that’s why we’ll keep them there, likely frozen forever.
© Mike Taylor at May 28, 2021 05:00 AM
May 27, 2021
Daniel Stenberg — QUIC is RFC 9000
The official publication date of the relevant QUIC specifications is: May 27, 2021.

I’ve done many presentations about HTTP and related technologies over the years. HTTP/2 had only just shipped when the QUIC working group had been formed in the IETF and I started to mention and describe what was being done there.

I’ve explained HTTP/3

I started writing the document HTTP/3 explained in February 2018 before the protocol was even called HTTP/3 (and yeah the document itself was also called something else at first). The HTTP protocol for QUIC was just called “HTTP over QUIC” in the beginning and it took until November 2018 before it got the name HTTP/3. I did my first presentation using HTTP/3 in the title and on slides in early December 2018, My first recorded HTTP/3 presentation was in January 2019 (in Stockholm, Sweden).

In that talk I mentioned that the protocol would be “live” by the summer of 2019, which was an optimistic estimate based on the then current milestones set out by the IETF working group.

I think my optimism regarding the release schedule has kept up but as time progressed I’ve updated that estimation many times…

HTTP/3 – not yet

The first four RFC documentations to be ratified and published only concern QUIC, the transport protocol, and not the HTTP/3 parts. The two HTTP/3 documents are also in queue but are slightly delayed as they await some other prerequisite (“generic” HTTP update) documents to ship first, then the HTTP/3 ones can ship and refer to those other documents.

QUIC

QUIC is a new transport protocol. It is done over UDP and can be described as being something of a TCP + TLS replacement, merged into a single protocol.

Okay, the title of this blog is misleading. QUIC is actually documented in four different RFCs:

RFC 8999 – Version-Independent Properties of QUIC

RFC 9000 – QUIC: A UDP-Based Multiplexed and Secure Transport

RFC 9001 – Using TLS to Secure QUIC

RFC 9002 – QUIC Loss Detection and Congestion Control

My role: I’m just a bystander

I initially wanted to keep up closely with the working group and follow what happened and participate on the meetings and interims etc. It turned out to be too difficult for me to do that so I had to lower my ambitions and I’ve mostly had a casual observing role. I just couldn’t muster the energy and spend the time necessary to do it properly.

I’ve participated in many of the meetings, I’ve been present in the QUIC implementers slack, I’ve followed lots of design and architectural discussions on the mailing list and in GitHub issues. I’ve worked on implementing support for QUIC and h3 in curl and thanks to that helped out iron issues and glitches in various implementations, but the now published RFCs have virtually no traces of me or my feedback in them.
by Daniel Stenberg at May 27, 2021 09:56 PM
Mozilla Open Policy & Advocacy Blog — Advancing system-level change with ad transparency in the EU DSA
At Mozilla we believe that greater transparency in the online advertising ecosystem can empower individuals, safeguard advertisers’ interests, and address systemic harms. It’s something we care passionately about, and it’s an ethos that runs through our own marketing work. Indeed, our recent decision to resume advertising on Instagram is underpinned by a commitment to transparency. Yet we also recognise that this issue is a structural one, and that regulation and public policy has an important role to play in improving the health of the ecosystem. In this post, we give an update on our efforts to advance system-level change, focusing on the ongoing discussions on this topic in the EU.

In December 2020 the European Commission unveiled the Digital Services Act, a draft law that seeks to usher in a new regulatory standard for content responsibility by platforms. A focus on systemic transparency is at the core of the DSA, including in the context of online advertising. The DSA’s approach to ad transparency mandates disclosure well above the voluntary standard that we see today (and mirrors the ethos of our new Instagram advertising strategy).

Under the DSA’s approach, so-called ‘Very Large Online Platforms’ must:

Disclose the content of all advertisements that run on their services;

Disclose the key targeting parameters that are associated with each advertisement; and,

Make this disclosure through publicly-available ad archives (our recommendations on how these ad archives should operate can be found here).

The DSA’s ad transparency approach will give researchers, regulators, and advertisers greater insight into the platform-mediated advertising ecosystem, providing a crucial means of understanding and detecting hidden harms. Harms fester when they happen in the dark, and so meaningful transparency in and of the ecosystem can help mitigate them.

Yet at the same time, transparency is rarely an end in itself. And we’re humble enough to know that we don’t have all the answers to the challenges holding back the internet from what it should be. Fortunately, another crucial benefit of advertising transparency frameworks is that they can provide us with the prerequisite insight and evidence-base that is essential for effective policy solutions, in the EU and beyond.

Although the EU DSA is trending in a positive direction, we’re not resting on our laurels. The draft law still has some way to go in the legislative mark-up phase. We’ll continue to advocate for thoughtful and effective policy approaches for advertising transparency, and prototype these approaches in our own marketing work.

The post Advancing system-level change with ad transparency in the EU DSA appeared first on Open Policy & Advocacy.
by Owen Bennett at May 27, 2021 04:57 PM
Mozilla Addons Blog — Manifest v3 update
Two years ago, Google proposed Manifest v3, a number of foundational changes to the Chrome extension framework. Many of these changes introduce new incompatibilities between Firefox and Chrome. As we previously wrote, we want to maintain a high degree of compatibility to support cross-browser development. We will introduce Manifest v3 support for Firefox extensions. However, we will diverge from Chrome’s implementation where we think it matters and our values point to a different solution.

For the last few months, we have consulted with extension developers and Firefox’s engineering leadership about our approach to Manifest v3. The following is an overview of our plan to move forward, which is based on those conversations.

High level changes

In our initial response to the Manifest v3 proposal, we committed to implementing cross-origin protections. Some of this work is underway as part of Site Isolation, a larger reworking of Firefox’s architecture to isolate sites from each other. You can test how your extension performs in site isolation on the Nightly pre-release channel by going to about:preferences#experimental and enabling Fission (Site Isolation). This feature will be gradually enabled by default on Firefox Beta in the upcoming months and will start rolling out a small percentage of release users in Q3 2021.

Cross-origin requests in content scripts already encounter restrictions by advances of the web platform (e.g. SameSite cookies, CORP) and privacy features of Firefox (e.g. state partitioning). To support extensions, we are allowing extension scripts with sufficient host permissions to be exempted from these policies. Content scripts won’t benefit from these improvements, and will eventually have the same kind of permissions as regular web pages (bug 1578405). We will continue to develop APIs to enable extensions to perform cross-origin requests that respect the user’s privacy choices (e.g. bug 1670278, bug 1698863).

Background pages will be replaced by background service workers (bug 1578286). This is a substantial change and will continue to be developed over the next few months. We will make a new announcement once we have something that can be tested in Nightly.

Promise-based APIs: Our APIs have been Promise-based since their inception using the browser.* namespace and we published a polyfill to offer consistent behavior across browsers that only support the chrome.* namespace. For Manifest v3, we will enable Promise-based APIs in the chrome.* namespace as well.

Host permission controls (bug 1711787): Chrome has shipped a feature that gives users control over which sites extensions are allowed to run on. We’re working on our own design that puts users in control, including early work by our Outreachy intern Richa Sharma on a project to give users the ability to decide if extensions will run in different container tabs (bug 1683056). Stay tuned for more information about that project!

Code execution: Dynamic code execution in privileged extension contexts will be restricted by default (bug 1687763). A content security policy for content scripts will be introduced (bug 1581608). The existing userScripts and contentScripts APIs will be reworked to support service worker-based extensions (bug 1687761).

declarativeNetRequest

Google has introduced declarativeNetRequest (DNR) to replace the blocking webRequest API. This impacts the capabilities of extensions that process network requests (including but not limited to content blockers) by limiting the number of rules an extension can use, as well as available filters and actions.

After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest. Our initial goal for implementing DNR is to provide compatibility with Chrome so developers do not have to support multiple code bases if they do not want to. With both APIs supported in Firefox, developers can choose the approach that works best for them and their users.

We will support blocking webRequest until there’s a better solution which covers all use cases we consider important, since DNR as currently implemented by Chrome does not yet meet the needs of extension developers.

You can follow our progress on implementing DNR in bug 1687755.

Implementation timeline

Manifest v3 is a large platform project, and some parts of it will take longer than others to implement. As of this writing, we are hoping to complete enough work on this project to support developer testing in Q4 2021 and start accepting v3 submissions in early 2022. This schedule may be pushed back or delayed due to unforeseeable circumstances.

We’d like to note that it’s still very early to be talking about migrating extensions to Manifest v3. We have not yet set a deprecation date for Manifest v2 but expect it to be supported for at least one year after Manifest v3 becomes stable in the release channel.

Get involved

We understand that extension developers will need to adapt their extensions to be compatible with Manifest v3, and we would like to make this process as smooth as possible. Please let us know about any pain points you might have encountered when migrating Chrome extensions to Manifest v3, and any suggested mitigations, on our community forum or in relevant issues on Bugzilla.

We are also interested in hearing about specific use cases we should keep in mind so that your extension will be compatible with Chrome for Manifest V3.

The post Manifest v3 update appeared first on Mozilla Add-ons Blog.
by Rob Wu at May 27, 2021 03:02 PM
May 26, 2021
Dennis Schubert — WebCompat PSA: Please don't use negative `text-indent`s for hidden labels.
During my work on Web Compatibility at Mozilla, I see many things that break in exciting ways. Sometimes, it’s obvious stuff like flexbox compat issues¹, but sometimes, the breakages are a bit surprising. Today, the star of the show is a single CSS instruction:

text-indent: -9999px

When we talk about web compatibility issues, most people think about an elite subset of “well-known” breakages or massive layout issues. They rarely think about innocent-looking things like text-indent. And to be fair, most of the time, neither do we browser people.

This large negative text-indent appears to be a hack, frequently used to “move away” labels next to icons, probably to hide them from view but keep them in the markup for screen readers and similar user agents. Please don’t do that, there are better alternatives for screenreaders. Even though having a negative indentation seems like a good solution, the unfortunate reality is that text-indent has some weird cross-browser quirks. Two examples that I stumbled across in the last month:

Some disagreement between browsers around using relative units in text-indent inside form elements.

A weird issue in Blink where it ignored text-indent on anonymous flex items.

… and there are a lot more.

text-indent does extend the size of an element, but not in a fixed direction, but depending on the direction of text flow. Here’s a quick example:

Source:

<style> #text-indent-demo p { text-indent: 100px; } </style> <section id="text-indent-demo"> <p style="direction: ltr;">one</p> <p style="direction: rtl;">two</p> <p style="direction: ltr; writing-mode: vertical-lr;">three</p> <p style="direction: rtl; writing-mode: vertical-lr;">five</p> </section>

Result:

one

two

three

five

As you can see, we have the same text-indent: 100px;, but in four different directions depending on the text direction and writing mode. This makes perfect sense if you think about it, but developers can get caught off-guard here, especially if working on a site that later gets translated. Or, well, if browsers misbehave.

On an Israeli site I recently looked at, a large negative text-indent caused the site to be extended to the right, which caused some viewport issues in Firefox for Android because we try to fit everything into your view. Another example is a report about a Romanian news site, where clicking on the social links left a dotted border all across the screen because they extended their buttons 9999px to the left without overflow: hidden‘ing it. In Chrome, this particular case is not noticeable because Chrome does not show focus borders the same way Firefox does, but the issue is still there. There are more examples of things going wrong in unexpected ways, but you get the gist.

While I am only talking about text-indent here, mainly because the text direction dependency adds an interesting twist, note that all methods of “moving something out of the screen to make it invisible” have similar issues. Even if you move things really far away, they still exist inside the document, and they can have unexpected side effects.

So… please don’t. The web is broken enough already. :)

Spoiler: there soon will be another blog post, about a flexbox issue! Wohoo! ↩

by Dennis Schubert at May 26, 2021 06:03 PM
Mozilla Open Policy & Advocacy Blog — Mozilla reacts to the European Commission’s guidance on the revision of the EU Code of Practice on Disinformation
Today the European Commission published its guidance for the upcoming revision of the EU Code of Practice on Disinformation. Mozilla was a founding signatory of the Code of Practice in 2018, and we’re happy to see plans materialise for its evolution.

Reacting to the guidance, Raegan MacDonald, Director of Global Policy, Mozilla Corporation said:

“We welcome the Commission’s guidance for the next iteration of the Code of Practice. We’re happy that the revised Code will provide a greater role for organisations with technical and research expertise, and we look forward to harnessing that opportunity to support the various stakeholders.

This guidance outlines a clear vision for how the fight against disinformation can sit within a future-focused and thoughtful policy framework for platform accountability. While we still need to ensure the DSA provides the fundamentals, we see the revised Code as playing an important role in giving practical meaning to transparency and accountability.”

The post Mozilla reacts to the European Commission’s guidance on the revision of the EU Code of Practice on Disinformation appeared first on Open Policy & Advocacy.
by Owen Bennett at May 26, 2021 04:05 PM
Mozilla Performance Blog — Performance Sheriff Newsletter (April 2021)
In April there were 187 alerts generated, resulting in 34 regression bugs being filed on average 6 days after the regressing change landed.

Welcome to the April 2021 edition of the performance sheriffing newsletter. Here you’ll find the usual summary of our sheriffing efficiency metrics, followed by some analysis on our invalid regression alerts and bugs. If you’re interested (and if you have access) you can view the full dashboard.

Sheriffing efficiency

All alerts were triaged in an average of 1.3 days

85% of alerts were triaged within 3 days

Valid regressions were associated with bugs in an average of 3.3 days

85% of valid regressions were associated with bugs within 5 days

Invalid Alerts

Sometimes we have alerts that turn out to be invalid. This usually means there were outliers in the results that triggered an alert, the results are multi-modal, or that the data is too noisy and the magnitude of the change is to small to confidently identify a culprit revision. Here’s an example of where outliers have caused invalid regression alerts:

Perfherder graph showing invalid alerts due to outliers

These invalid alerts are usually identified by the performance sheriffs. They can be an indicator for the quality of our data and our change detection algorithm. If the percentage of invalid alerts increases we’ll be spending more time sheriffing these alerts, and we may want to investigate.

Regression Alerts by Status (April 2021)

In April we saw 5 invalid alerts, which equates for 3% of all regression alerts. Over the last 6 months we’ve seen 93 invalid alerts out 1,371 total alerts, just under 7%.

Invalid Regression Bugs

Occaisionally we detect a performance regression, identify the suspected culprit, and open a regression bug only for it to be closed as invalid. There can be a number of reasons for this, but the most likely is that the suspected culprit was incorrect. As our performance sheriffs are not expected to be familiar with all of our performance tests or what might impact them, we rely on the authors of suspected culprits to point out when the performance impact doesn’t make sense. When queried, our sheriffs will trigger additional tests around the regression range and either confirm the original culprit or close the bug as invalid and open a new one. Note that until recently, sheriffs may have used the same bug and simply modified the “regressed by” field. We have changed this to allow us to track the number of invalid bugs over time.

Regression Bugs by Status (April 2021)

Note that bugs may have many alerts, and are often resolved some time before the alerts, which explains why there are more open alerts than bugs. Our sheriffs periodically run a query to identify alerts linked to bugs that have been resolved and use this to sanity check and update the alerts as necessary.

Summary of alerts

Each month I’ll highlight the regressions and improvements found.

😍 9 bugs were associated with improvements

🤐 11 regressions were accepted

🤩 10 regressions were fixed (or backed out)

🤥 0 regressions were invalid

🤗 1 regression is assigned

😨 9 regressions are still open

😵 0 regressions were reopened

Note that whilst I usually allow one week to pass before generating the report, there are still alerts under investigation for the period covered in this article. This means that whilst I believe these metrics to be accurate at the time of writing, some of them may change over time.

I would love to hear your feedback on this article, the queries, the dashboard, or anything else related to performance sheriffing or performance testing. You can comment here, or find the team on Matrix in #perftest or #perfsheriffs.

The dashboard for April can be found here (for those with access).
by Dave Hunt at May 26, 2021 09:02 AM
Daniel Stenberg — curl 7.77.0 – 200 OK
Welcome to the 200th curl release. We call it 200 OK. It coincides with us counting more than 900 commit authors and surpassing 2,400 credited contributors in the project. This is also the first release ever in which we thank more than 80 persons in the RELEASE-NOTES for having helped out making it and we’ve set two new record in the bug-bounty program: the largest single payout ever for a single bug (2,000 USD) and the largest total payout during a single release cycle: 3,800 USD.

This release cycle was 42 days only, two weeks shorter than normal due to the previous 7.76.1 patch release.

Release Presentation

Numbers

the 200th release
5 changes
42 days (total: 8,468)
133 bug-fixes (total: 6,966)
192 commits (total: 27,202)
0 new public libcurl function (total: 85)
2 new curl_easy_setopt() option (total: 290)
2 new curl command line option (total: 242)
82 contributors, 44 new (total: 2,410)
47 authors, 23 new (total: 901)
3 security fixes (total: 103)
3,800 USD paid in Bug Bounties (total: 9,000 USD)

Security

We set two new records in the curl bug-bounty program this time as mentioned above. These are the issues that made them happen.

CVE-2021-22901: TLS session caching disaster

This is a Use-After-Free in the OpenSSL backend code that in the absolutely worst case can lead to an RCE, a Remote Code Execution. The flaw is reasonably recently added and it’s very hard to exploit but you should upgrade or patch immediately.

The issue occurs when TLS session related info is sent from the TLS server when the transfer that previously used it is already done and gone.

The reporter was awarded 2,000 USD for this finding.

CVE-2021-22898: TELNET stack contents disclosure

When libcurl accepts custom TELNET options to send to the server, it the input parser was flawed which could be exploited to have libcurl instead send contents from the stack.

The reporter was awarded 1,000 USD for this finding.

CVE-2021-22897: schannel cipher selection surprise

In the Schannel backend code, the selected cipher for a transfer done with was stored in a static variable. This caused one transfer’s choice to weaken the choice for a single set transfer could unknowingly affect other connections to a lower security grade than intended.

The reporter was awarded 800 USD for this finding.

Changes

In this release we introduce 5 new changes that might be interesting to take a look at!

Make TLS flavor explicit

As explained separately, the curl configure script no longer defaults to selecting a particular TLS library. When you build curl with configure now, you need to select which library to use. No special treatment for any of them!

No more SSL

curl now has no more traces of support for SSLv2 or SSLv3. Those ancient and insecure SSL versions were already disabled by default by TLS libraries everywhere, but now it’s also impossible to activate them even in special build. Stripped out from both the curl tool and the library (thus counted as two changes).

HSTS in the build

We brought HSTS support a while ago, but now we finally remove the experimental label and ship it enabled in the build by default for everyone to use it more easily.

In-memory cert API

We introduce API options for libcurl that allow users to specify certificates in-memory instead of using files in the file system. See CURLOPT_CAINFO_BLOB.

Favorite bug-fixes

Again we manage to perform a large amount of fixes in this release, so I’m highlighting a few of the ones I find most interesting!

Version output

The first line of curl -V output got updated: libcurl now includes OpenLDAP and its version of that was used in the build, and then the curl tool can add libmetalink and its version of that was used in the build!

curl_mprintf: add description

We’ve provided the *printf() clone functions in the API since forever, but we’ve tried to discourage users from using them. Still, now we have a first shot at a man page that clearly describes how they work.

This is important as they’re not quite POSIX compliant and users who against our advice decide to rely on them need to be able to know how they work!

CURLOPT_IPRESOLVE: preventing wrong IP version from being used

This option was made a little stricter than before. Previously, it would be lax about existing connections and prefer reuse instead of resolving again, but starting now this option makes sure to only use a connection with the request IP version.

This allows applications to explicitly create two separate connections to the same host using different IP versions when desired, which previously libcurl wouldn’t easily let you do.

Ignore SIGPIPE in curl_easy_send

libcurl makes its best at ignoring SIGPIPE everywhere and here we identified a spot where we had missed it… We also made sure to enable the ignoring logic when built to use wolfSSL.

Several HTTP/2-fixes

There are no less than 6 separate fixes mentioned in the HTTP/2 module in this release. Some potential memory leaks but also some more behavior improving things. Possibly the most important one was the move of the transfer-related error code from the connection struct to the transfers struct since it was vulnerable to a race condition that could make it wrong. Another related fix is that libcurl no longer forcibly disconnects a connection over which a transfer gets HTTP_1_1_REQUIRED returned.

Partial CONNECT requests

When the CONNECT HTTP request sent to a proxy wasn’t all sent in a single send() call, curl would fail. It is baffling that this bug hasn’t been found or reported earlier but was detected this time when the reporter issued a CONNECT request that was larger than 16 kilobytes…

TLS: add USE_HTTP2 define

There was several remaining bad assumptions that HTTP/2 support in curl relies purely on nghttp2. This is no longer true as HTTP/2 support can also be provide by hyper.

normalize numerical IPv4 hosts

The URL parser now knows about the special IPv4 numerical formats and parses and normalizes URLs with numerical IPv4 addresses.

Timeout, timed out libssh2 disconnects too

When libcurl (built with libssh2 support) stopped an SFTP transfer because a timeout was triggered, the following SFTP disconnect procedure was subsequently also stopped because of the same timeout and therefore wasn’t allowed to properly clean up everything, leading to a memory-leak!

IRC network switch

We moved the #curl IRC channel to the new network libera.chat. Come join us there!

Next release

On Jul 21, 2021 we plan to ship the next release. The version number for that is not yet decided but we have changes in the pipeline, making a minor version number bump very likely.

Credits

7.77.0 release image by Filip Dimitrovski.
by Daniel Stenberg at May 26, 2021 06:39 AM
This Week In Rust — This Week in Rust 392
Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR.

Updates from Rust Community

No official blog posts, newsletters, or research papers this week.

Project/Tooling Updates

rust-analyzer Changelog #78

This Week In TensorBase 4

rustc_codegen_gcc can now run libcore’s tests and pass most of them!

Parcel 2 beta 3

Announcing lettre 0.10.0-rc.1

Announcing typed-sql beta! Zero-cost ORM with fast compile times

Announcing Valuable, a library for object-safe value inspection

Observations/Thoughts

Why and how we wrote a compiler in Rust (blog post series 1/X): the context

2D Web Rendering with Rust

A fast-to-sync/search and space-optimized replication algorithm written in Rust, the gun-db data replication model

Adventures in rustc Forking

Baseline implementations should be predictable

Naming Your Lifetimes

Rucredstash release & Rust experience from a Haskeller

Rust Walkthroughs

Creating an Infinite Mixture Model in Rust with the rv crate

Debug rust application inside container

Write Rust lints without forking Clippy

Zig Makes Rust Cross-Compilation Just Work

Routing traffic in Rust using eBPF

How to to_string in Rust

Building small desktop apps with Ember.js and Tauri

Coming to Rust from Django

Structural Typing in Rust

Idiomatic Rust? Implementing binary search

[ZH] Practice of web crawling with async Rust (使用 Rust 做异步数据采集的实践)

[video] Lock-Free to Wait-Free Simulation in Rust

Miscellaneous

Rust Web Development - MEAP

Fuchsia OS partially written in Rust has shipped

Crate of the Week

This week's crate is typed-index-collections, a crate that lets you make Vecs with custom-typed indices.

Thanks to Tim for the nomination

Submit your suggestions and votes for next week!

Call for Participation

Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

If you are a Rust project owner and are looking for contributors, please submit tasks here.

No issues were proposed for CfP.

Updates from Rust Core

280 pull requests were merged in the last week

implement more Iterator methods on core::iter::Repeat

override clone_from for some types

stabilize const_fn_unsize

implement the new desugaring from try_trait_v2

impl FromStr for proc_macro::Literal

stabilize extended_key_value_attributes

fix auto-hide for implementations and implementors

add rustc_mir::interpret::Machine::enforce_abi()

check for more things in THIR unsafeck

suppress spurious errors inside async fn

avoid zero-length memcpy in formatting

always produce sub-obligations when using cached projection result

CTFE core engine allocation & memory API improvemenets

CTFE get_alloc_extra_mut: also provide ref to MemoryExtra

fix missing lifetimes diagnostics

suggest borrowing if a trait implementation is found for &/&mut T

remove InPlaceIterable marker from Peekable due to unsoundness

extend rustc_on_implemented to improve more ? error messages

cargo: add cargo:rustc-link-arg-bin flag

rustdoc: don't hide inherent implementations by default

clippy: fix ICE in implicit_return

clippy: fix invalid syntax in from_iter_instead_of_collect suggestion

clippy: fix needless_borrow suggestion

clippy: fix redundant_closure for vec![] macro in a closure with arguments

clippy: don't lint multiple_inherent_impl with generic arguments

clippy: early return from LintPass registration when collecting metadata

clippy: adding the default lint level to the metadata collection

Rust Compiler Performance Triage

A somewhat quiet week. Some PRs had performance runs performed on them, but the changes were merged despite this. Also, we still have issues with certain benchmarks being noisy.

Triage done by @rylev. Revision range: 25a277..cdbe2

2 Regressions, 2 Improvements, 1 Mixed 0 of them in rollups

Full report here.

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:

A new prelude for the 2021 edition (trait-only edition)

Final Comment Period

Every week the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

RFCs

[disposition: merge] RFC: 2021 Edition

[disposition: merge] RFC: Overconstraining and omitting unsafe in impls of unsafe trait methods

Tracking Issues & PRs

[disposition: merge] rustc: Allow safe #[target_feature] on wasm

[disposition: merge] Show test type during prints

[disposition: merge] Tracking Issue for VecDeque binary search functions

[disposition: merge] Tracking issue for WebAssembly SIMD support

[disposition: merge] Use try_reserve in Vec's io::Write

New RFCs

ArrayBuilder struct for safe/efficient dynamic array initialisation

RFC: I/O Safety

A Cargo profile option trim-path to sanitise absolute paths

Upcoming Events

Online

May 27, 2021, London/Remote, UK - Runtime reflection, gRPC at scale, and more

May 27, 2021, Montréal, QC, CN - Rust MTL: Building a Scrabble AI with the fst crate - Rust Montréal

June 1, 2021, Dublin, IE - June Remote Meetup - Rust Dublin

June 1, 2021, Buffalo, NY, US - Buffalo Rust User Group, First Tuesdays - Buffalo Rust Meetup

North America

June 9, 2021, Atlanta, GA, US - Grab a beer with fellow Rustaceans - Rust Atlanta

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Rust Jobs

Ockam

Architect - Rust Library Design (Remote)

Red Hat

Senior Software Engineer - Virtualization & Storage (Remote Europe)

Starry

Rust Software Engineer (Boston, MA, US)

NZXT

Senior Software Engineer for CAM (Remote)

Senior Software Engineer for Streaming Software (Remote)

Kollider

Junior Backend Engineer (Remote)

Senior Backend Engineer (Remote)

DevOps Engineer (Remote)

Kraken

Several Rust Engineering Postions Available

Tweet us at @ThisWeekInRust to get your job offers listed here!

Quote of the Week

Ok, you wanted it. Let's go full meta:

This time, there were two crates and one quote, which is not much, but ok. Keep it up, folks!

– llogiq on reddit

Thanks to Patrice Peterson for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by: nellshamrell, llogiq, and cdmistman.

Discuss on r/rust
by TWiR Contributors at May 26, 2021 04:00 AM
Niko Matsakis — Edition: the song
You may have heard that the Rust 2021 Edition is coming. Along with my daughter Daphne, I have recorded a little song in honor of the occasion! The full lyrics are below – if you feel inspired, please make your own version!¹ Enjoy!

Video

Lyrics

(Spoken)
Breaking changes where no code breaks.
Sounds impossible, no?
But in the Rust language, you might say that we like to do impossible things.
It isn’t easy.
You may ask, how do we manage such a thing?
That I can tell you in one word… Edition!

(Chorus)
Edition, edition… edition!

(Lang)
Who day and night
Is searching for a change
Whatever they can do
So Rust’s easier for you
Who sometimes finds
They have to tweak the rules
And change a thing or two in Rust?

(All)
The lang team, the lang team… edition!
The lang team, the lang team… edition!

(Libs)
Who designs the traits that we use each day?
All the time, in every way?
Who updates the prelude so that we can call
The methods that we want no sweat

(All)
The libs team, the libs team… edition!
The libs team, the libs team… edition!

(Users)
Three years ago I changed my code
to Rust twenty eighteen
Some dependencies did not
But they… kept working.

(All)
The users, the users… edition!
The users, the users… edition!

(Tooling)
And who does all this work
To patch and tweak and fix
Migrating all our code
Each edition to the next

(All)
The tooling, the tooling… edition!
The tooling, the tooling… edition!

(Spoken)
And here in Rust, we’ve always had our little slogans.
For instance, abstraction… without overhead.
Concurrency… without data races.
Stability… without stagnation.
Hack… without fear.
But we couldn’t do all of those things…
not without…
Edition!

Footnotes

OMG, that would be amazing. I’ll update the post with any such links I find. ↩

by Nicholas D. Matsakis at May 26, 2021 04:00 AM
May 25, 2021
Mozilla Security Blog — Updates to Firefox’s Breach Alert Policy
Your personal data is yours – and it should remain yours! Unfortunately data breaches that reveal your personal information on the internet are omnipresent these days. In fact, fraudulent use of stolen credentials is the 2nd-most common threat action (after phishing) in Verizon’s 2020 Data Breach Investigations report and highlights the problematic situation of data breaches.

In 2018, we launched Firefox Monitor which instantly notifies you in case your data was involved in a breach and further provides guidance on how to protect your personal information online. Expanding the scope of protecting our users across the world to stay in control of their data and privacy, we integrated alerts from Firefox Monitor into mainstream Firefox. We integrated this privacy enhancing feature into your daily browsing experience so Firefox can better protect your data by instantly notifying you when you visit a site that has been breached.

While sites continue to suffer password breaches, other leaks or lose other types of data. Even though we consider all personal data as important, notifying you for every one of these leaks generates noise that’s difficult to act on. The better alternative is to only alert you in case it’s critical for you to act to protect your data. Hence, the primary change is that Firefox will only show alerts for websites where passwords were exposed in the breach.

In detail, we are announcing an update to our initial Firefox breach alert policy for when Firefox alerts for breached sites:

“Firefox shows a breach alert when a user visits a site where passwords were exposed and added to Have I Been Pwned within the last 2 months.”

To receive the most comprehensive breach alerts we suggest to sign up for Firefox Monitor to check if your account was involved in a breach. We will keep you informed and will alert you with an email in case your personal data is affected by a data breach. Our continued commitment to protect your privacy and security from online threats is critical for us and aligns with our mission: Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.

If you are a Firefox user, you don’t have to do anything to benefit from this new privacy protection. If you aren’t a Firefox user, download Firefox to start benefiting from all the ways that Firefox works to protect your privacy.

The post Updates to Firefox’s Breach Alert Policy appeared first on Mozilla Security Blog.
by Luke Crouch at May 25, 2021 08:58 PM
May 24, 2021
Patrick Cloke — celery-batches 0.5 released!
A new version (v0.5) of celery-batches is available which adds support for Celery 5.1 and fixes storing of results when using the RPC result backend.

As explored previously, the RPC result backend works by having a results queue per client, unfortunately celery-batches was attempting to store the results …
by Patrick Cloke at May 24, 2021 08:56 PM
Daniel Stenberg — The curl user survey 2021
For the eighth consecutive year we run the annual curl user survey again in 2021. The form just went up and I would love to have you spend 10 minutes of your busy life to tell us how you think curl works, what doesn’t work and what we should do next.

We have no tracking on the website and we have no metrics or usage measurements of the curl tool or the libcurl library. The only proper way we have left to learn how users and people in general think of us and how curl works, is to ask. So this is what we do, and we limit the asking to once per year.

You can also view this from your own “selfish” angle: this is a way for you to submit your input, your opinions and we will listen.

The survey will be up two weeks during which I hope to get as many people as possible to respond. If you have friends you know use curl or libcurl, please have them help us out too!

Take the survey

Yes really, please take the survey!

Bonus: see the extensive analysis of the 2020 user survey. There’s a lot of user feedback to learn from it.
by Daniel Stenberg at May 24, 2021 05:59 AM
May 21, 2021
Firefox Nightly — These Weeks in Firefox: Issue 94
Highlights

On macOS, scrollbars now squish during rubber-banding.

We’re working on supporting native fullscreen on macOS. Turn it on by enabling the pref full-screen-api.macos-native-full-screen. This will (among other things) create new fullscreen Spaces for videos. You could, for example, put a fullscreen YouTube video in native Split Screen next to another application.

We’re also working on enhanced dark mode support for macOS (Bug 1623686). Enable this by turning on the pref widget.macos.respect-system-appearance. Recent fixes include a dark library window (Bug 1698763), dark page info dialog (Bug 1698754), and a dark “Clear Recent History” window (Bug 1710269).

We’ve announced the deprecation of the canvas drawWindow WebExtension method, due to incompatibility with the Fission architecture:

We should now be using tabs.captureTab.

about:welcome got major updates for Firefox 89. This includes new animations, icons, and accessibility improvements.

Friends of the Firefox team

For contributions from May 4 to May 18 2021, inclusive.

Resolved bugs (excluding employees)

New contributors (🌟 = first patch)

🌟 Alej0hio2007 helped retheme Reader Mode to fit in with the recent refresh!

Ava Katushka fixed a bug where ongoing downloads would be accidentally cancelled and deleted when clearing the downloads list in the Library

🌟 Gagah Pangeran Rosfatiputra fixed a dark theme icon glitch with one of our DevTools infobars

Manuel Carretero tightened up some click targets in the DevTools settings pane

Ryedu.09 fixed the alignment of a “Learn more” link in about:preferences

🌟 Silke Hofmann cleaned up how we import JSM’s in the Enterprise Policy Engine code

Project Updates

Add-ons / Web Extensions

Addon Manager & about:addons

Landed some more styling tweaks for making sure about:addons does better match the new Proton UI conventions: Bug 1709464 and Bug 1709655

WebExtensions Framework

More Fission-related changes landed in Firefox 90: Bug 1708238

Work related to the “manifest_version 3”: Support for new web_accessible_resources manifest property formats – Bug 1696580, Bug 1697334

WebExtension APIs

Starting from Firefox 90, Extensions will be allowed to use the Cache web API from extension pages to cache HTTP resources (caching an HTTP URL using the Cache web API will be still enforcing the extensions host permissions, as it would if the extension would be fetching from the same URLs using fetch or XHR) – Bug 1575625 and Bug 1710138

Thanks to André Natal for contributing this change as part of his work on the Project Bergamot extension

Fission

mccr8 enabled the Process Priority Manager for subframes

pbone landed some GC scheduling tweaks to make it less likely that closing many tabs all at once will result in long GC pauses

Lint and Docs

Silke did a patch to stop using the second argument to ChromeUtils.import when importing EnterprisePolicies.jsm.

This is part of a set of bugs to finish enabling the mozilla/reject-chromeutils-import-params ESLint rule everywhere which will aid potentially switching the module system to es6 modules in future.

macOS Spotlight

Native context menus landed in Firefox 89! This closes the 21-year-old bug 34572.

We also fixed a number of follow-up issues, like supporting dark mode context menus on macOS 10.14+.

Messaging System

about:welcome improvements: accessibility, design, experiments, localization, talos

Animations/transitions added to about:welcome proton designs (dialog, noodles, text)

video: https://bug1698204.bmoattachments.org/attachment.cgi?id=9220207

Tightened up upgrade dialog whitespace to better fit shorter screens

New Tab Page

Accessibility bug fixes for the “personalize” drawer allowing it to operate better with screen readers (Bug 1707022) Thanks to :eeejay for the patches! Also a fix for high contrast mode (Bug 1708248) thanks to :morgan and :thecount

Snippets has been disabled in Firefox 89 (Bug 1709984)

Performance

dthayer has a patch up for review to reduce the UI freezes caused by sending SessionStore data to the SessionFile worker.

mconley would like to experiment with the about:home startup cache using Nimbus, and is considering having the startup cache enabled in MR1.1.

mconley fixed Bug 1703494 – Remove sync layout flush for hamburger menu opening with proton

emalysz landed a patch to provide async support for promise workers, and removed OS.File from PageThumbs.jsm. Only 3 callers of OS.File left during startup!

Several BHR improvements:

Improved dashboard:

It’s possible to navigate to the data of previous days, and to link to a specific day.

For hangs with an associated bug, the whiteboard annotation is shown in the top right

when using the filter box, the filtered word is highlighted in the stack on the right side.

Better data:

(chrome) JS function names are now included in BHR stacks.

these label frames are now visible: “ChromeUtils::Import”, “mozJSSubScriptLoader::DoLoadSubScriptWithOptions”, “nsThreadManager::SpinEventLoop”, “Category observer notification”, “Services_Resolve”, “Task”

Doug is working on showing annotations (eg. “UserInteracting”, “browser.tabs.opening”) in the dashboard

Performance Tools

Profiler buffer memory is no longer counted in the profiler memory tracks, making it possible to see small memory use variations.

New label frames for XPIDL method/getter/setter calls (similar to what we already had for WebIDL)

Proton / MR1

AppMenu / Library

Minor bugfixes.

Panels

Updated Protections Panel to use the same subview navigation arrow icons as everywhere else

Fixed an issue where the input colour in Dark Theme wasn’t 100% correct. Originally filed for Bookmarks Panel, but affects password panel and findbar as well.

Protections Panel Milestone icon dimensions are now enforced

The spacing in the Bookmarks Panel was improved to avoid overlapping the label with focus rings

The Pocket Panel now uses system fonts and em units

Context menus

Disabled hover styles for the Windows 10 context menu

RTL support for native macOS menus

Modals

2 changes to modal backgrounds in dark mode (2), which were uplifted to 89

HCM improvements

Dialog sizing improvements

Infobars

The Buttons on modals do not change their state on hover or Button press when the High contrast mode is enabled

Onboarding

Changed from 2-screen to 3-screen flow

Search and Navigation

Daisuke fixed a bug on Linux where opening new tabs by middle clicking the tabs bar could paste clipboard contents into the urlbar. Bug 1710289

Daisuke also fixed a bug where pasting a string ending with a combination of CR, LF may drop the search terms. Bug 1709971

Marco landed a patch improving the tooltips and accessible text when adding new OpenSearch engines – Bug 1706334

Mark fixed a bug in the separate search bar, where certain characters could be shown encoded in the results panel – Bug 1529220

Screenshots

Screenshots now factors in Firefox zoom values

We’ve accepted an Outreachy intern who will start next week!

by Emma Malysz at May 21, 2021 10:25 PM
May 20, 2021
Mozilla Attack & Defense — Browser fuzzing at Mozilla
Introduction

Mozilla has been fuzzing Firefox and its underlying components for a while. It has proven to be one of the most efficient ways to identify quality and security issues. In general, we apply fuzzing on different levels: there is fuzzing the browser as a whole, but a significant amount of time is also spent on fuzzing isolated code (e.g. with libFuzzer) or whole components such as the JS engine using separate shells. In this blog post, we will talk specifically about browser fuzzing only, and go into detail on the pipeline we’ve developed. This single pipeline is the result of years of work that the fuzzing team has put into aggregating our browser fuzzing efforts to provide consistently actionable issues to developers and to ease integration of internal and external fuzzing tools as they become available.

Build instrumentation

To be as effective as possible we make use of different methods of detecting errors. These include sanitizers such as AddressSanitizer (with LeakSanitizer), ThreadSanitizer, and UndefinedBehaviorSanitizer, as well as using debug builds that enable assertions and other runtime checks. We also make use of debuggers such as rr and Valgrind. Each of these tools provides a different lens to help uncover specific bug types, but many are incompatible with each other or require their own custom build to function or provide optimal results. Besides providing debugging and error detection, some tools cannot work without build instrumentation, such as code coverage and libFuzzer. Each operating system and architecture combination requires a unique build and may only support a subset of these tools.

Last, each variation has multiple active branches including Release, Beta, Nightly, and Extended Support Release (ESR). The Firefox CI Taskcluster instance builds each of these periodically.

Downloading builds

Taskcluster makes it easy to find and download the latest build to test. We discussed above the number of variants created by different instrumentation types, and we need to fuzz them in automation. Because of the large number of combinations of builds, artifacts, architectures, operating systems, and unpacking each, downloading is a non-trivial task.

To help reduce the complexity of build management, we developed a tool called fuzzfetch. Fuzzfetch makes it easy to specify the required build parameters and it will download and unpack the build. It also supports downloading specified revisions to make it useful with bisection tools.

How we generate the test cases

As the goal of this blog post is to explain the whole pipeline, we won’t spend much time explaining fuzzers. If you are interested, please read “Fuzzing Firefox with WebIDL” and the in-tree documentation. We use a combination of publicly available and custom-built fuzzers to generate test cases.

How we execute, report, and scale

For fuzzers that target the browser, Grizzly manages and runs test cases and monitors for results. Creating an adapter allows us to easily run existing fuzzers in Grizzly.

To make full use of available resources on any given machine, we run multiple instances of Grizzly in parallel.

For each fuzzer, we create containers to encapsulate the configuration required to run it. These exist in the Orion monorepo. Each fuzzer has a configuration with deployment specifics and resource allocation depending on the priority of the fuzzer. Taskcluster continuously deploys these configurations to distribute work and manage fuzzing nodes.

Grizzly Target handles the detection of issues such as hangs, crashes, and other defects. Target is an interface between Grizzly and the browser. Detected issues are automatically packaged and reported to a FuzzManager server. The FuzzManager server provides automation and a UI for triaging the results.

Other more targeted fuzzers use JS shell and libFuzzer based targets use the fuzzing interface. Many third-party libraries are also fuzzed in OSS-Fuzz. These deserve mention but are outside of the scope of this post.

Managing results

Running multiple fuzzers against various targets at scale generates a large amount of data. These crashes are not suitable for direct entry into a bug tracking system like Bugzilla. We have tools to manage this data and get it ready to report.

The FuzzManager client library filters out crash variations and duplicate results before they leave the fuzzing node. Unique results are reported to a FuzzManager server. The FuzzManager web interface allows for the creation of signatures that help group reports together in buckets to aid the client in detecting duplicate results.

Fuzzers commonly generate test cases that are hundreds or even thousands of lines long. FuzzManager buckets are automatically scanned to queue reduction tasks in Taskcluster. These reduction tasks use Grizzly Reduce and Lithium to apply different reduction strategies, often removing the majority of the unnecessary data. Each bucket is continually processed until a successful reduction is complete. Then an engineer can do a final inspection of the minimized test case and attach it to a bug report. The final result is often used as a crash test in the Firefox test suite.

Code coverage of the fuzzer is also measured periodically. FuzzManager is used again to collect code coverage data and generate coverage reports.

Creating optimal bug reports

Our goal is to create actionable bug reports to get issues fixed as soon as possible while minimizing overhead for developers.

We do this by providing:

crash information such as logs and a stack trace

build and environment information

reduced test case

Pernosco session

regression range (bisections via Bugmon)

verification via Bugmon

Grizzly Replay is a tool that forms the basic execution engine for Bugmon and Grizzly Reduce, and makes it easy to collect rr traces to submit to Pernosco. It makes re-running browser test cases easy both in automation and for manual use. It simplifies working with stubborn test cases and test cases that trigger multiple results.

As mentioned, we have also been making use of Pernosco. Pernosco is a tool that provides a web interface for rr traces and makes them available to developers without the need for direct access to the execution environment. It is an amazing tool developed by a company of the same name which significantly helps to debug massively parallel applications. It is also very helpful when test cases are too unreliable to reduce or attach to bug reports. Creating an rr trace and uploading it can make stalled bug reports actionable.

The combination of Grizzly and Pernosco have had the added benefit of making infrequent, hard to reproduce issues, actionable. A test case for a very inconsistent issue can be run hundreds or thousands of times until the desired crash occurs under rr. The trace is automatically collected and ready to be submitted to Pernosco and fixed by a developer, instead of being passed over because it was not actionable.

How we interact with developers

To request new features get a proper assessment, the fuzzing team can be reached at fuzzing@mozilla.com or on Matrix. This is also a great way to get in touch for any reason. We are happy to help you with any fuzzing related questions or ideas. We will also reach out when we receive information about new initiatives and features that we think will require attention. Once fuzzing of a component begins, we communicate mainly via Bugzilla. As mentioned, we strive to open actionable issues or enhance existing issues logged by others.

Bugmon is used to automatically bisect regression ranges. This notifies the appropriate people as quickly as possible and verifies bugs once they are marked as FIXED. Closing a bug automatically removes it from FuzzManager, so if a similar bug finds its way into the code base, it can be identified again.

Some issues found during fuzzing will prevent us from effectively fuzzing a feature or build variant. These are known as fuzz-blockers, and they come in a few different forms. These issues may seem benign from a product perspective, but they can block fuzzers from targeting important code paths or even prevent fuzzing a target altogether. Prioritizing these issues appropriately and getting them fixed quickly is very helpful and much appreciated by the fuzzing team.

PrefPicker manages the set of Firefox preferences used for fuzzing. When adding features behind a pref, consider adding it to the PrefPicker fuzzing template to have it enabled during fuzzing. Periodic audits of the PrefPicker fuzzing template can help ensure areas are not missed and resources are used as effectively as possible.

Measuring success

As in other fields, measurement is a key part of evaluating success. We leverage the meta bug feature of Bugzilla to help us keep track of the issues identified by fuzzers. We strive to have a meta bug per fuzzer and for each new component fuzzed.

For example, the meta bug for Domino lists all the issues (over 1100!) identified by this tool. Using this Bugzilla data, we are able to show the impact over the years of our various fuzzers.

Number of bugs reported by Domino over time

These dashboards help evaluate the return on investment of a fuzzer.

Conclusion

There are many components in the fuzzing pipeline. These components are constantly evolving to keep up with changes in debugging tools, execution environments, and browser internals. Developers are always adding, removing, and updating browser features. Bugs are being detected, triaged, and logged. Keeping everything running continuously and targeting as much code as possible requires constant and ongoing efforts.

If you work on Firefox, you can help by keeping us informed of new features and initiatives that may affect or require fuzzing, by prioritizing fuzz-blockers, and by curating fuzzing preferences in PrefPicker. If fuzzing interests you, please take part in the bug bounty program. Our tools are available publicly, and we encourage bug hunting.
by Tyson Smith at May 20, 2021 04:11 PM
Daniel Stenberg — “I could rewrite curl”
Collected quotes and snippets from people publicly sneezing off or belittling what curl is, explaining how easy it would be to make a replacement in no time with no effort or generally not being very helpful.

These are statements made seriously. For all I know, they were not ironic. If you find others to add here, please let me know!

Listen. I’ve been young too once and I’ve probably thought similar things myself in the past. But there’s a huge difference between thinking and saying. Quotes included here are mentioned for our collective amusement.

I can do it in less than a 100 lines

[source]

I can do it in a three day weekend

(The yellow marking in the picture was added by me.)

[source]

No reason to be written in C

Maybe not exactly in the same category as the two ones above, but still a significant “I know this” vibe:

[source]

We sold a curl exploit

Some people deliberately decides to play for the other team.

[source]

This isn’t a big deal

It’s easy to say things on Twitter…

This tweet was removed by its author after I and others replied to it so I cannot link it. The name has been blurred on purpose because of this.

Discussions

Hacker news, Reddit
by Daniel Stenberg at May 20, 2021 11:21 AM
May 19, 2021
Hacks.Mozilla.Org — Improving Firefox stability on Linux
Roughly a year ago at Mozilla we started an effort to improve Firefox stability on Linux. This effort quickly became an example of good synergies between FOSS projects.

Every time Firefox crashes, the user can send us a crash report which we use to analyze the problem and hopefully fix it:

This report contains, among other things, a minidump: a small snapshot of the process memory at the time it crashed. This includes the contents of the processor’s registers as well as data from the stacks of every thread.

Here’s what this usually looks like:

If you’re familiar with core dumps, then minidumps are essentially a smaller version of them. The minidump format was originally designed at Microsoft and Windows has a native way of writing out minidumps. On Linux, we use Breakpad for this task. Breakpad originated at Google for their software (Picasa, Google Earth, etc…) but we have forked, heavily modified for our purposes and recently partly rewrote it in Rust.

Once the user submits a crash report, we have a server-side component – called Socorro – that processes it and extracts a stack trace from the minidump. The reports are then clustered based on the top method name of the stack trace of the crashing thread. When a new crash is spotted we assign it a bug and start working on it. See the picture below for an example of how crashes are grouped:

To extract a meaningful stack trace from a minidump two more things are needed: unwinding information and symbols. The unwinding information is a set of instructions that describe how to find the various frames in the stack given an instruction pointer. Symbol information contains the names of the functions corresponding to a given range of addresses as well as the source files they come from and the line numbers a given instruction corresponds to.

In regular Firefox releases, we extract this information from the build files and store it into symbol files in Breakpad standard format. Equipped with this information Socorro can produce a human-readable stack trace. The whole flow can be seen below:

Here’s an example of a proper stack trace:

If Socorro doesn’t have access to the appropriate symbol files for a crash the resulting trace contains only addresses and isn’t very helpful:

When it comes to Linux things work differently than on other platforms: most of our users do not install our builds, they install the Firefox version that comes packaged for their favourite distribution.

This posed a significant problem when dealing with stability issues on Linux: for the majority of our crash reports, we couldn’t produce high-quality stack traces because we didn’t have the required symbol information. The Firefox builds that submitted the reports weren’t done by us. To make matters worse, Firefox depends on a number of third-party packages (such as GTK, Mesa, FFmpeg, SQLite, etc.). We wouldn’t get good stack traces if a crash occurred in one of these packages instead of Firefox itself because we didn’t have symbols for them either.

To address this issue, we started scraping debug information for Firefox builds and their dependencies from the package repositories of multiple distributions: Arch, Debian, Fedora, OpenSUSE and Ubuntu. Since every distribution does things a little bit differently, we had to write distro-specific scripts that would go through the list of packages in their repositories and find the associated debug information (the scripts are available here). This data is then fed into a tool that extracts symbol files from the debug information and uploads it to our symbol server.

With that information now available, we were able to analyze >99% of the crash reports we received from Linux users, up from less than 20%. Here’s an example of a high-quality trace extracted from a distro-packaged version of Firefox. We haven’t built any of the libraries involved yet the function names are present and so are the file and line numbers of the affected code:

The importance of this cannot be overestimated: Linux users tend to be more tech-savvy and are more likely to help us solve issues, so all those reports were a treasure trove for improving stability even for other operating systems (Windows, Mac, Android, etc). In particular, we often identified Fission bugs on Linux first.

The first effect of this newfound ability to inspect Linux crashes is that it greatly sped up our response time to Linux-specific issues, and often allowed us to identify problems in the Nightly and Beta versions of Firefox before they reached users on the release channel.

We could also quickly identify issues in bleeding-edge components such as WebRender, WebGPU, Wayland and VA-API video acceleration; oftentimes providing a fix within days of the change that triggered the issue.

We didn’t stop there: we could now identify distro-specific issues and regressions. This allowed us to inform package maintainers of the problems and have them resolved quickly. For example, we were able to identify a Debian-specific issue only two weeks after it was introduced and fixed it right away. The crash was caused by a modification made by Debian to one of Firefox dependencies that could cause a crash on startup, it’s filed under bug 1679430 if you’re curious about the details.

Another good example comes from Fedora: they had been using their own crash reporting system (ABRT) to catch Firefox crashes in their Firefox builds, but given the improvements on our side they started sending Firefox crashes our way instead.

We could also finally identify regressions and issues in our dependencies. This allowed us to communicate the issues upstream and sometimes even contributed fixes, benefiting both our users and theirs.

For example, at some point, Debian updated the fontconfig package by backporting an upstream fix for a memory leak. Unfortunately, the fix contained a bug that would crash Firefox and possibly other software too. We spotted the new crash only six days after the change landed in Debian sources and only a couple of weeks afterwards the issue had been fixed both upstream and in Debian. We sent reports and fixes to other projects too including Mesa, GTK, glib, PCSC, SQLite and more.

Nightly versions of Firefox also include a tool to spot security-sensitive issues: the probabilistic heap checker. This tool randomly pads a handful of memory allocations in order to detect buffer overflows and use-after-free accesses. When it detects one of these, it sends us a very detailed crash report. Given Firefox’s large user-base on Linux, this allowed us to spot some elusive issues in upstream projects and report them.

This also exposed some limitations in the tools we use for crash analysis, so we decided to rewrite them in Rust largely relying on the excellent crates developed by Sentry. The resulting tools were dramatically faster than our old ones, used a fraction of the memory and produced more accurate results. Code flowed both ways: we contributed improvements to their crates (and their dependencies) while they expanded their APIs to address our new use-cases and fixed the issues we discovered.

Another pleasant side-effect of this work is that Thunderbird now also benefits from the improvement we made for Firefox.

This goes on to show how collaboration between FOSS projects not only benefits their users but ultimately improves the whole ecosystem and the broader community that relies on it.

Special thanks to Calixte Denizet, Nicholas Nethercote, Jan Auer and all the others that contributed to this effort!

The post Improving Firefox stability on Linux appeared first on Mozilla Hacks - the Web developer blog.
by Gabriele Svelto at May 19, 2021 02:28 PM
This Week In Rust — This Week in Rust 391
Hello and welcome to another issue of This Week in Rust! Rust is a systems language pursuing the trifecta: safety, concurrency, and speed. This is a weekly summary of its progress and community. Want something mentioned? Tweet us at @ThisWeekInRust or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub. If you find any errors in this week's issue, please submit a PR.

Updates from Rust Community

No newsletters or research papers this week.

Official

Announcing Rustup 1.24.2

Six Years of Rust

Project/Tooling Updates

rust-analyzer Changelog #77

IntelliJ Rust Changelog #147

GCC Rust Weekly Status Report 15

MoonZoon Dev News (3): Signals, React-like Hooks, Optimizations

Alacritty Version 0.8.0

Micromath 2.0.0: approximation-based embedded arithmetic, 2D/3D vector, quarternion, and statistics library

This Week In TensorBase 3

Observations/Thoughts

Authorization mechanisms in Rust web applications

Scylla Developer Hackathon: Rust Driver

Plugins in Rust: The Technologies

gRPC load-balancing in Rust

Verifying vectorized Rust revisited

Routes to Discovering Rust

How we utilized fuzzing to improve security in the TezEdge node and created an open-source CI tool for Rust code fuzzing

Boost productivity with Rust

Building Outer Wonders for Linux

Behind the scenes of 1Password for Linux

Writing Pythonic Rust

Upgradable parking_lot::RwLock might not be what you expect

Why Rust for Embedded Development?

Rust Walkthroughs

Understanding Rust Privacy and Visibility Model

Things you can't do in Rust (and what to do instead)

State Management With WebAssembly and Rust

Implementing Linked List in Rust

How to use gRPC with Rust Tonic and Postgres database with examples

Generating pre-signed S3 URLs in Rust

A simple user input collection, validation, and conversion library in Rust

How to make a cryptocurrency Telegram bot with Rust and Teloxide

Infinite Mixture Model in Rust with RV 0.12

Optimizing HashMaps even more

Inventing the Service trait

Rust Macros Rule: DRY warp Routes

Error Handling in Rust - A Deep Dive

[DE] Speicherverwaltung in Rust

[ES] Cómo utilizar Rust web framework Warp

[PT] O que é dyn no Rust?

[ZH] Practice of rendering markdown to HTML in Rust (Rust web 开发中，将 markdown 渲染为 HTML 的实践)

[ZH] [series] Build GraphQL services based on Async Rust using actix-web + async-graphql + rbatis + postgresql / mysql (基于 actix-web + async-graphql + rbatis + postgresql / mysql 构建异步 Rust GraphQL 服务) - Part 4

[video] The Rust Borrow Checker - A Deep Dive @ Rust DC, April 20 2021 w/ Nell Shamrell-Harrington

Miscellaneous

James Munns on the state and the future of embedded & safety-critical Rust | Emergence Podcast

Rust 2021 edition to arrive in October with 'more consistent panic' and other new features

SpaceX about the Rust Programming Language!

Crate of the Week

This week's crate is arraygen, a derive proc macro to generate arrays from structs.

Thanks to José Manuel Barroso Galindo for the nomination

Submit your suggestions and votes for next week!

Call for Participation

Always wanted to contribute to open-source projects but didn't know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

If you are a Rust project owner and are looking for contributors, please submit tasks here.

No issues were proposed for CfP.

Updates from Rust Core

333 pull requests were merged in the last week

add auto traits and clone trait migrations for (RFC #2229)

insignificant destructors for RFC #2229

add asm!() support for PowerPC

add asm!() support for PowerPC64

add support for const operands and options to global_asm!

recover from invalid struct item syntax

fix diagnostic for cross crate private tuple struct constructors

fix suggestions for missing return type lifetime specifiers

suggest adding a type parameter for impls

fix stack overflow when checking for structural recursion

implement span quoting for proc-macros

handle more span edge cases in generics diagnostics

improve diagnostics for GATs

show macro name in 'this error originates in macro' message

store VariantIdx to distinguish enum variants

remove CrateNum parameter for queries that only work on local crate

adjust target search algorithm for rustlib path

don't suggest adding 'static lifetime to arguments

improve error message for non-exhaustive matches on non-exhaustive enums

allow async {} expressions in const contexts

warn about unused pub fields in non-pub structs

fix unused attributes on macro_rules

box Impl.blanket_impl to reduce size

#[inline(always)] on basic pointer methods

make unchecked_{add, sub, mul} inherent methods unstably const

BTree: no longer copy keys and values before dropping them

str::is_char_boundary - slight optimization

futures-macro: improve diagnostics on type mismatch

futures: implement try_chunks

futures: change SelectAll iterators to return stream instead of StreamFuture

futures: expose iterators from SelectAll

futures: SelectAll::clear

futures: FuturesUnordered::clear

futures: change StreamExt::scan to pass state to closure by value

futures: abortable streams

cargo: improve performance of git status check in cargo package

rustdoc: minimize amount of fake DefIds used in rustdoc

clippy: add needless_bitwise_bool lint

clippy: new lint: unused_async

clippy: move inconsistent_struct_constructor to pedantic

clippy: needless_collect enhancements

clippy: while_let_on_iterator improvements

clippy: add Sized trait for wrong_self_convention lint test

clippy: match_single_binding: fix invalid suggestion when match scrutinee has side effects

clippy: trigger wrong_self_convention only if it has implicit self

clippy: stop linting else if let pattern in option_if_let_else lint

clippy: fix false positives about generic args

clippy: fix a manual_unwrap_or false positive with deref coercion

Rust Compiler Performance Triage

A lot of noise in the benchmark results this week. We are discussing (zulip archive, live zulip) how best to update the benchmark set to eliminate the noisy cases that are bouncing around. Beyond that, some large improvements to a few individual benchmarks.

The memory usage (max-rss) seemed largely flat. Except for an upward trend on tuple-stess that indicates 4% more memory from a week ago.

Triage done by @pnkfelix. Revision range: 382f..25a2

5 Regressions, 7 Improvements, 2 Mixed 1 of them in rollups

Full report here.

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:

No RFCs were approved this week.

Final Comment Period

Every week the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

RFCs

[disposition: merge] RFC: 2021 Edition

[disposition: postpone] Allow Overloading || and &&

Tracking Issues & PRs

[disposition: merge] stabilize const_fn_unsize

[disposition: merge] rustc: Allow safe #[target_feature] on wasm

[disposition: merge] stabilize int_error_matching

[disposition: merge] Show test type during prints

[disposition: merge] stabilize member constraints

[disposition: merge] Move UnwindSafe, RefUnwindSafe, AssertUnwindSafe to core

[disposition: merge] Use try_reserve in Vec's io::Write

[disposition: merge] Add functions Duration::try_from_secs_{f32, f64}

[disposition: close] Allow unused variables with todo!

New RFCs

Pinned synchronization primitives

Upcoming Events

Online

May 19, 2021, Vancouver, BC - Rust Study/Hack/Hang-out night - Vancouver Rust

May 20, 2021, Online - Go vs Rust | Round table discussion

May 20, 2021, Dallas, TX, US - Last Tuesday - Dallas Rust

May 25, 2021, Berlin, DE - Rust and Tell - Berline.rs

May 27, 2021, Montréal, QC, CN - Rust MTL: Building a Scrabble AI with the fst crate - Rust Montréal

June 1, 2021, Buffalo, NY, US - Buffalo Rust User Group, First Tuesdays - Buffalo Rust Meetup

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Rust Jobs

Protocol Labs

Research Engineer, CryptoCompute Lab (Remote)

Amazon Web Services

Applied Scientist (Boston/Cambridge Area, MA, US)

Techno Creatives

Senior Rust Full Stack Developer (Gothenburg, Sweden)

Paige

Senior Software Engineer, Visualization (Remote, Europe)

ANIXE

Rust Software Engineer (Wrocław, PL)

NZXT

Senior Software Engineer for CAM (Remote)

Senior Software Engineer for Streaming Software (Remote)

Zondax

Embedded Systems Engineer (C/C++ & Rust)(Remote)

Software Engineer (Golang / Rust) (Remote)

Ockam

Several Rust related positions available

Tweet us at @ThisWeekInRust to get your job offers listed here!

Quote of the Week

I often think about Rust as a process and community for developing a programming language, rather than as a programming language itself.

– throwaway894345 on hacker news

Thanks to Krishna Sundarram for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by: nellshamrell, llogiq, and cdmistman.

Discuss on r/rust
by TWiR Contributors at May 19, 2021 04:00 AM
May 18, 2021
Mozilla Open Policy & Advocacy Blog — Mozilla publishes position paper on EU Digital Services Act
In December 2020 the European Commission published the draft EU Digital Services Act. The law seeks to establish a new paradigm for tech sector regulation, and we see it as a crucial opportunity to address many of the challenges holding back the internet from what it should be. As EU lawmakers start to consider amendments and improvements to the draft law, today we’re publishing our substantive perspectives and recommendations to guide those deliberations.

We are encouraged that the draft DSA includes many of the policy recommendations that Mozilla and our allies had advocated for in recent years. For that we commend the European Commission. However, many elements of the DSA are novel and complex, and so there is a need for elaboration and clarification in the legislative mark-up phase. We believe that with targeted amendments the DSA has the potential to serve as the effective, balanced, and future-proof legal framework.

Given the sheer breath of the DSA, we’re choosing to focus on the elements where we believe we have a unique contribution to make, and where we believe the DSA can constitute a real paradigm shift. That is not to say we don’t have thoughts on the other elements of the proposal, and we look forward to supporting our allies in industry and civil society who are focusing their efforts elsewhere.

Broadly speaking, our position can be summarised as follows:

Asymmetric obligations for the largest platforms

We welcome the DSA’s approach of making very large platforms subject to enhanced regulation compared to the rest of the industry, but we suggest tweaks to the scope and definitions.

The definition of these so-called Very Large Online Platforms (VLOPS) shouldn’t be based solely on quantitative criteria, but possibly qualitative (e.g. taking into account risk) as well, in anticipation of certain extraordinary edge cases where a service that meets that quantitative VLOP standard is in reality very low risk in nature.

Systemic transparency

We welcome the DSA’s inclusion of public-facing ad archive APIs and the provisions on access to data for public interest researchers.

We call for the advertising transparency elements to take into account novel forms of paid influence, and for the definition of ‘public interest researchers’ to be broader than just university faculty.

A risk-based approach to content responsibility

We welcome this approach, but suggest more clarification on the types of risks to be assessed and how those assessments are undertaken.

Auditing and oversight

We welcome the DSA’s third-party auditing requirement but we provide recommendations on how it can be more than just a tick-box exercise (e.g. through standardisation; clarity on what is to be audited; etc).

We reiterate the call for oversight bodies to be well-resourced and staffed with the appropriate technical expertise.

This position paper is the latest milestone in our long-standing engagement on issues of content regulation and platform responsibility in the EU. In the coming months we’ll be ramping up our efforts further, and look forward to supporting EU lawmakers in turning these recommendations into reality.

Ultimately, we firmly believe that if developed properly, the DSA can usher in a new global paradigm for tech regulation. At a time when lawmakers from Delhi to Washington DC are grappling with questions of platform accountability and content responsibility, the DSA is indeed a once-in-a-generation opportunity.

The post Mozilla publishes position paper on EU Digital Services Act appeared first on Open Policy & Advocacy.
by Owen Bennett at May 18, 2021 04:46 PM
Mozilla Security Blog — Introducing Site Isolation in Firefox
When two major vulnerabilities known as Meltdown and Spectre were disclosed by security researchers in early 2018, Firefox promptly added security mitigations to keep you safe. Going forward, however, it was clear that with the evolving techniques of malicious actors on the web, we needed to redesign Firefox to mitigate future variations of such vulnerabilities and to keep you safe when browsing the web!

We are excited to announce that Firefox’s new Site Isolation architecture is coming together. This fundamental redesign of Firefox’s Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop. Isolating each site into a separate operating system process makes it even harder for malicious sites to read another site’s secret or private data.

We are currently finalizing Firefox’s Site Isolation feature by allowing a subset of users to benefit from this new security architecture on our Nightly and Beta channels and plan a roll out to more of our users later this year. If you are as excited about it as we are and would like to try it out, follow these steps:

To enable Site Isolation on Firefox Nightly:

Navigate to about:preferences#experimental

Check the “Fission (Site Isolation)” checkbox to enable.

Restart Firefox.

To enable Site Isolation on Firefox Beta or Release:

Navigate to about:config.

Set `fission.autostart` pref to `true`.

Restart Firefox.

With this monumental change of secure browser design, users of Firefox Desktop benefit from protections against future variants of Spectre, resulting in an even safer browsing experience. If you aren’t a Firefox user yet, you can download the latest version here and if you want to know all the technical details about Firefox’s new security architecture, you can read it here.

The post Introducing Site Isolation in Firefox appeared first on Mozilla Security Blog.
by Anny Gakhokidze at May 18, 2021 03:47 PM
Hacks.Mozilla.Org — Introducing Firefox’s new Site Isolation Security Architecture
Like any web browser, Firefox loads code from untrusted and potentially hostile websites and runs it on your computer. To protect you against new types of attacks from malicious sites and to meet the security principles of Mozilla, we set out to redesign Firefox on desktop.

Site Isolation builds upon a new security architecture that extends current protection mechanisms by separating (web) content and loading each site in its own operating system process.

This new security architecture allows Firefox to completely separate code originating from different sites and, in turn, defend against malicious sites trying to access sensitive information from other sites you are visiting.

In more detail, whenever you open a website and enter a password, a credit card number, or any other sensitive information, you want to be sure that this information is kept secure and inaccessible to malicious actors.

As a first line of defence Firefox enforces a variety of security mechanisms, e.g. the same-origin policy which prevents adversaries from accessing such information when loaded into the same application.

Unfortunately, the web evolves and so do the techniques of malicious actors. To fully protect your private information, a modern web browser not only needs to provide protections on the application layer but also needs to entirely separate the memory space of different sites – the new Site Isolation security architecture in Firefox provides those security guarantees.

Why separating memory space is crucial

In early 2018, security researchers disclosed two major vulnerabilities, known as Meltdown and Spectre. The researchers exploited fundamental assumptions about modern hardware execution, and were able to demonstrate how untrusted code can access and read memory anywhere within a process’ address space, even in a language as high level as JavaScript (which powers almost every single website).

While band-aid countermeasures deployed by OS, CPU and major web browser vendors quickly neutralized the attacks, they came with a performance cost and were designed to be temporary. Back when the attacks were announced publicly, Firefox teams promptly reduced the precision of high-precision timers and disabled APIs that allowed such timers to be implemented to keep our users safe.

Going forward, it was clear that we needed to fundamentally re-architecture the security design of Firefox to mitigate future variations of such vulnerabilities.

Let’s take a closer look at the following example which demonstrates how an attacker can access your private data when executing a Spectre-like attack.

Without Site Isolation, Firefox might load a malicious site in the same process as a site that is handling sensitive information. In the worst case scenario, a malicious site might execute a Spectre-like attack to gain access to memory of the other site.

Suppose you have two websites open – www.my-bank.com and www.attacker.com. As illustrated in the diagram above, with current web browser architecture it’s possible that web content from both sites ends up being loaded into the same operating system process. To make things worse, using a Spectre-like attack would allow attacker.com to query and access data from the my-bank.com website.

Despite existing security mitigations, the only way to provide memory protections necessary to defend against Spectre-like attacks is to rely on the security guarantees that come with isolating content from different sites using the operating system’s process separation.

Background on Current Browser Architecture

Upon being launched, the Firefox web browser internally spawns one privileged process (also known as the parent process) which then launches and coordinates activities of multiple (web) content processes – the parent process is the most privileged one, as it is allowed to perform any action that the end-user can.

This multi-process architecture allows Firefox to separate more complicated or less trustworthy code into processes, most of which have reduced access to operating system resources or user files. As a consequence, less privileged code will need to ask more privileged code to perform operations which it itself cannot.

For example, a content process will have to ask the parent process to save a download because it does not have the permissions to write to disk. Put differently, if an attacker manages to compromise the content process it must additionally (ab)use one of the APIs to convince the parent process to act on its behalf.

In great detail, (as of April 2021) Firefox’s parent process launches a fixed number of processes: eight web content processes, up to two additional semi-privileged web content processes, and four utility processes for web extensions, GPU operations, networking, and media decoding.

While separating content into currently eight web content processes already provides a solid foundation, it does not meet the security standards of Mozilla because it allows two completely different sites to end up in the same operating system process and, therefore, share process memory. To counter this, we are targeting a Site Isolation architecture that loads every single site into its own process.

Without Site Isolation, Firefox does not separate web content into different processes and it’s possible for different sites to be loaded in the same process.

Imagine you open some websites in different tabs: www.my-bank.com, www.getpocket.com, www.mozilla.org and www.attacker.com. As illustrated in the diagram above, it’s entirely possible that my-bank.com and attacker.com end up being loaded in the same operating system process, which would result in them sharing process memory. As we saw in the previous example, with this separation model, an attacker could perform a Spectre-like attack to access my-bank.com’s data.

Without Site Isolation, the browser will load embedded pages, such as a bank page or an ad, in the same process as the top level document.

While straightforward to understand sites being loaded into different tabs, it’s also possible that sites are embedded into other sites through so-called subframes – if you ever visited a website that had ads on it, those are probably subframes. If you ever had a personal website and you embedded a YouTube video with your favourite song within it, the YouTube video was embedded in a subframe.

In a more dangerous scenario, a malicious site could embed a legitimate site within a subframe and try to trick you into entering sensitive information. With the current architecture, if a page contains any subframes from a different site, they will generally be in the same process as the outer tab.

This results in both the page and all of its subframes sharing process memory, even if the subframes originate from different sites. In the case of a successful Spectre-like attack, a top-level site might access sensitive information it should not have access to from a subframe it embeds (and vice-versa) – the new Site Isolation security architecture within Firefox will effectively make it even harder for malicious sites to execute such attacks.

How Site Isolation Works in Firefox

When enabling Site Isolation in Firefox for desktop, each unique site is loaded in a separate process. In more detail, loading “https://mozilla.org” and also loading “http://getpocket.com” will cause Site Isolation to separate the two sites into their own operating system process because they are not considered “same-site”.

Similarly, “https://getpocket.com” (note the difference between http and https) will also be loaded into a separate process – so ultimately all three sites will load in different processes.

For the sake of completeness, there are some domains such as “.github.io” or “.blogspot.com” that would be too general to identify a “site”. This is why we use a community-maintained list of effective top level domains (eTLDs) to aid in differentiating between sites.

Since “github.io” is listed as an eTLD, “a.github.io” and “b.github.io” would load in different processes. In our running examples, websites “www.my-bank.com” and “www.attacker.com” are not considered “same-site” with each other and will be isolated in separate processes.

With Site Isolation, Firefox loads each site in its own process, thereby isolating their memory from each other, and relies on security guarantees of the operating system.

Suppose now, you open the same two websites: www.attacker.com and www.my-bank.com, as seen in the diagram above. Site isolation recognizes that the two sites are not “same-site” and hence the site isolation architecture will completely separate content from attacker.com and my-bank.com into separate operating system processes.

This process separation of content from different sites provides the memory protections required to allow for a secure browsing experience, making it even harder for sites to execute Spectre-like attacks, and, ultimately, provide a secure browsing experience for our users.

With Site Isolation, Firefox loads subframes from different sites in their own processes.

Identical to loading sites into two different tabs is the separation of two different sites when loaded into subframes. Let’s revisit an earlier example where pages contained subframes, with Site Isolation, subframes that are not “same-site” with the top level page will load in a different process.

In the diagram above, we see that the page www.attacker.com embeds a page from www.my-bank.com and loads in a different process. Having a top level document and subframes from different sites loaded in their own processes ensures their memory is isolated from each other, yielding profound security guarantees.

Additional Benefits of Site Isolation

With Site Isolation architecture in place, we are able to bring additional security hardening to Firefox to keep you and your data safe. Besides providing an extra layer of defence against possible security threats, Site Isolation brings other wins:

By placing more pages into separate processes, we can ensure that doing heavy computation or garbage collection on one page will not degrade the responsiveness of pages in other processes.

Using more processes to load websites allows us to spread work across many CPU cores and use the underlying hardware more efficiently.

Due to the finer-grained separation of sites, a subframe or a tab crashing will not affect websites loaded in different processes, resulting in an improved application stability and better user experience.

Going Forward

We are currently testing Site Isolation on desktop browsers Nightly and Beta with a subset of users and will be rolling out to more desktop users soon. However, if you already want to benefit from the improved security architecture now, you can enable it by downloading the Nightly or Beta browser from here and following these steps:

To enable Site Isolation on Firefox Nightly:

Navigate to about:preferences#experimental

Check the “Fission (Site Isolation)” checkbox to enable.

Restart Firefox.

To enable Site Isolation on Firefox Beta or Release:

Navigate to about:config.

Set `fission.autostart` pref to `true`.

Restart Firefox.

For technical details on how we group sites and subframes together, you can check out our new process manager tool at “about:processes” (type it into the address bar) and follow the project at https://wiki.mozilla.org/Project_Fission.

With Site Isolation enabled on Firefox for Desktop, Mozilla takes its security guarantees to the next level and protects you against a new class of malicious attacks by relying on memory protections of OS-level process separation for each site. If you are interested in contributing to Mozilla’s open-source projects, you can help us by filing bugs here if you run into any problems with Site Isolation enabled.

Acknowledgements

Site Isolation (Project Fission), has been a massive multi-year project. Thank you to all of the talented and awesome colleagues who contributed to this work! It’s a privilege to work with people who are passionate about building the web we want: free, inclusive, independent and secure! In particular, I would like to thank Neha Kochar, Nika Layzell, Mike Conley, Melissa Thermidor, Chris Peterson, Kashav Madan, Andrew McCreight, Peter Van der Beken, Tantek Çelik and Christoph Kerschbaumer for their insightful comments and discussions. Finally, thank you to Morgan Rae Reschenberg for helping me craft alt-text to meet the high standards of our web accessibility principles and allow everyone on the internet to easily gather the benefits provided by Site Isolation.

The post Introducing Firefox’s new Site Isolation Security Architecture appeared first on Mozilla Hacks - the Web developer blog.
by Anny Gakhokidze at May 18, 2021 03:45 PM
Spidermonkey Development Blog — Ergonomic Brand Checks will ship with Firefox 90
When programming with Private Fields and methods, it can sometimes be desirable to check if an object has a given private field. While the semantics of private fields allow doing that check by using try...catch, the Ergonomic Brand checks proposal provides a simpler syntax, allowing one to simply write #field in o.

As an example, the following class uses ergonomic brand checks to provide a more helpful custom error.

class Scalar { #length = 0; add(s) { if (!(#length in s)) { throw new TypeError("Expected an instance of Scalar"); } this.#length += s.#length; } }

While the same effect could be accomplished with try...catch, it’s much uglier, and also doesn’t work reliably in the presence of private getters which may possibly throw for different reasons.

This JavaScript language feature proposal is at Stage 3 of the TC39 process, and will ship in Firefox 90.
by Matthew Gaudet at May 18, 2021 02:44 PM
May 17, 2021
The Rust Programming Language Blog — Announcing Rustup 1.24.2
The rustup working group is happy to announce the release of rustup version 1.24.2. Rustup is the recommended tool to install Rust, a programming language that is empowering everyone to build reliable and efficient software.

If you have a previous version of rustup installed, getting rustup 1.24.2 is as easy as closing your IDE and running:

rustup self update

Rustup will also automatically update itself at the end of a normal toolchain update:

rustup update

If you don't have it already, you can get rustup from the appropriate page on our website.

What's new in rustup 1.24.2

1.24.2 introduces pooled allocations to prevent memory fragmentation issues on some platforms with 1.24.x. We're not entirely sure what aspect of the streamed unpacking logic caused allocator fragmentation, but memory pools are a well known fix that should solve this for all platforms.

Those who were encountering CI issues with 1.24.1 should find them resolved.

Other changes

You can check out all the changes to Rustup for 1.24.2 in the changelog!

Rustup's documentation is also available in the rustup book.

Finally, the Rustup working group are pleased to welcome a new member. Between 1.24.1 and 1.24.2 二手掉包工程师 (hi-rustin) has joined, having already made some excellent contributions.

Thanks

Thanks again to all the contributors who made rustup 1.24.2 possible!

Carol (Nichols || Goulding)

Daniel Silverstone

João Marcos Bezerra

Josh Rotenberg

Joshua Nelson

Martijn Gribnau

pierwill

Robert Collins

二手掉包工程师 (hi-rustin)

by The Rustup Working Group at May 17, 2021 12:00 AM
May 15, 2021
The Rust Programming Language Blog — Six Years of Rust
Today marks Rust's sixth birthday since it went 1.0 in 2015. A lot has changed since then and especially over the past year, and Rust was no different. In 2020, there was no foundation yet, no const generics, and a lot of organisations were still wondering whether Rust was production ready.

In the midst of the COVID-19 pandemic, hundreds of Rust's global distributed set of team members and volunteers shipped over nine new stable releases of Rust, in addition to various bugfix releases. Today, "Rust in production" isn't a question, but a statement. The newly founded Rust foundation has several members who value using Rust in production enough to help continue to support and contribute to its open development ecosystem.

We wanted to take today to look back at some of the major improvements over the past year, how the community has been using Rust in production, and finally look ahead at some of the work that is currently ongoing to improve and use Rust for small and large scale projects over the next year. Let's get started!

Recent Additions

The Rust language has improved tremendously in the past year, gaining a lot of quality of life features, that while they don't fundamentally change the language, they help make using and maintaining Rust in more places even easier.

As of Rust 1.52.0 and the upgrade to LLVM 12, one of few cases of unsoundness around forward progress (such as handling infinite loops) has finally been resolved. This has been a long running collaboration between the Rust teams and the LLVM project, and is a great example of improvements to Rust also benefitting the wider ecosystem of programming languages.

On supporting an even wider ecosystem, the introduction of Tier 1 support for 64 bit ARM Linux, and Tier 2 support for ARM macOS & ARM Windows, has made Rust an even better place to easily build your projects across new and different architectures.

The most notable exception to the theme of polish has been the major improvements to Rust's compile-time capabilities. The stabilisation of const generics for primitive types, the addition of control flow for const fns, and allowing procedural macros to be used in more places, have allowed completely powerful new types of APIs and crates to be created.

Rustc wasn't the only tool that had significant improvements.

Cargo just recently stabilised its new feature resolver, that makes it easier to use your dependencies across different targets.

Rustdoc stabilised its "intra-doc links" feature, allowing you to easily and automatically cross reference Rust types and functions in your documentation.

Clippy with Cargo now uses a separate build cache that provides much more consistent behaviour.

Rust In Production

Each year Rust's growth and adoption in the community and industry has been unbelievable, and this past year has been no exception. Once again in 2020, Rust was voted StackOverflow's Most Loved Programming Language. Thank you to everyone in the community for your support, and help making Rust what it is today.

With the formation of the Rust foundation, Rust has been in a better position to build a sustainable open source ecosystem empowering everyone to build reliable and efficient software. A number of companies that use Rust have formed teams dedicated to maintaining and improving the Rust project, including AWS, Facebook, and Microsoft.

And it isn't just Rust that has been getting bigger. Larger and larger companies have been adopting Rust in their projects and offering officially supported Rust APIs.

Both Microsoft and Amazon have just recently announced and released their new officially supported Rust libraries for interacting with Windows and AWS. Official first party support for these massive APIs helps make Rust people's first choice when deciding what to use for their project.

The cURL project has released new versions that offer opt-in support for using Rust libraries for handling HTTP/s and TLS communication. This has been a huge inter-community collaboration between the ISRG, the Hyper & Rustls teams, and the cURL project, and we'd like to thank everyone for their hard work in providing new memory safe backends for a project as massive and widely used as cURL!

Tokio (an asynchronous runtime written in Rust), released its 1.0 version and announced their three year stability guarantee, providing everyone with a solid, stable foundation for writing reliable network applications without compromising speed.

Future Work

Of course, all that is just to start, we're seeing more and more initiatives putting Rust in exciting new places;

Critical Section & Ferrous Systems have started Ferrocene, a project to make Rust a viable programming language for safety and mission critical systems across the industry.

Embark Studios have released an initial prototype of rust-gpu, a new compiler backend that allows writing graphics shaders using Rust for GPUs.

The Linux project is currently considering a proposal to add Rust as the second language to the kernel to enable writing safer driver and kernel-space code.

Google has announced that it now supports building low level components of the Android OS in Rust, and have already begun an effort to rewrite their bluetooth stack with Rust!

Right now the Rust teams are planning and coordinating the 2021 edition of Rust. Much like this past year, a lot of themes of the changes are around improving quality of life. You can check out our recent post about "The Plan for the Rust 2021 Edition" to see what the changes the teams are planning.

And that's just the tip of the iceberg; there are a lot more changes being worked on, and exciting new open projects being started every day in Rust. We can't wait to see what you all build in the year ahead!

Are there changes, or projects from the past year that you're excited about? Are you looking to get started with Rust? Do you want to help contribute to the 2021 edition? Then come on over, introduce yourself, and join the discussion over on our Discourse forum and Zulip chat! Everyone is welcome, we are committed to providing a friendly, safe and welcoming environment for all, regardless of gender, sexual orientation, disability, ethnicity, religion, or similar personal characteristic.
by The Rust Team at May 15, 2021 12:00 AM
May 14, 2021
Firefox Nightly — These Weeks in Firefox: Issue 93
Highlights

Firefox 89 introduces a fresh new look and feel!

Floating tabs!

Streamlined menus!

New icons!

Better dark mode support!

Improved context menus on Mac and Windows

Improved perceived startup performance on Windows

Native context menus and rubberbanding/overscroll on macOS

Refreshed modals dialogs and notification bars!

More details in these release notes and in this early review from laptopmag

Non-native form controls are slated to ride out in Firefox 89 as well

This lays the groundwork for improving the sandboxing of the content processes by shutting off access to native OS widget drawing routines

(Experimental, and en-US Nightly only) Users will now get unit conversions directly in the URL bar! Users can type “5 lbs to kg” and see a copy/paste friendly result instantaneously.

Friends of the Firefox team

For contributions from April 20 2021 to May 4 2021, inclusive.

Introductions/Shout-Outs

Resolved bugs (excluding employees)

Fixed more than one bug

Falguni Islam

Itiel

kaira [:anshukaira]

Kajal Sah

Luz De La Rosa

Richa Sharma

Sebastian Zartner [:sebo]

Vaidehi

New contributors (🌟 = first patch)

kaira [:anshukaira] added some CSS polish to an about:logins import error dialog, and removed some unused assets from the Screenshots code

🌟 Ava Katushka made Firefox more consistent in how it chooses default filenames for saved images

🌟 Vaidehi

suppressed a spurious focus ring from appearing upon loading about:downloads

fixed the appearance of an image in RDM when using Dark Theme

Claudia Batista [:claubatista] landed a patch to make it possible to fallback to some built-in support pages when access to SUMO is not available

Kajal Sah

enabled ESLint support for our Screenshots code

removed some unused code from Screenshots now that saved screenshots are no longer hosted on a server

🌟 Lebar improved some of our internal Places database access code

Luz De La Rosa fixed some visual glitches in our panels as part of the retheme effort

🌟 Richa Sharma added initial support for isolating WebExtension access to particular containers. See the “WebExtensions Framework” update for more details.

ryedu.09 fixed a visual glitch in about:preferences

🌟 Samuel Grasse-Haroldsen made it so that we render an appropriate message in about:addons when there are no add-ons to manage, rather than an empty list.

Dawit got rid of some unused Screenshots code

Project Updates

Add-ons / Web Extensions

Addon Manager & about:addons

Starting from Firefox 90, when no extensions are installed our about:addons page will show to the users a nicer message to explicitly direct them to addons.mozilla.org instead of an empty list of installed extensions (Bug 1561538) – Thanks to Samuel Grasse-Haroldsen for fixing this polishing issue.

As part of the ongoing work to get rid of OS.File usage, Barret unveiled and fixed some races in AddonManager and XPIDatabase jsm (Bug 1702116)

Fixed a macOS specific issue in the “Manager Extension Shortcuts” about:addons view, which was preventing this view from detecting some of the conflicting shortcuts (Bug 1565854)

WebExtensions Framework

Starting from Firefox 90, we now avoid ChromeUtils.idleDispatch on urgent blocking webRequest events, which made both us and perfherder quite happy \o/ (Bug 1587058)

We expect this to be also a user perceived improvement (e.g. this was an known issue with high refresh monitors, e.g. see Bug 1560090)

As part of the past round of Outreachy projects, our contributor Richa Sharma worked on a project aiming to allow Firefox users to restrict which extensions are allowed or not allowed to run in certain Firefox containers. The initial set of changes needed to adapt our internals have been landed in Firefox 90 (but we aware that the feature is still locked behind prefs, the effort to complete adapting all the WebExtensions features and APIs is still ongoing and there isn’t yet any Firefox UI to manage these restrictions):

Meta bug: Bug 1683056 – [META] Users control over add-ons in Container tabs

Set of bugs landed in Firefox 90: Bug 1683058 (tabs API), Bug 1690736 (webNavigation API), Bug 1692813 (proxy API), Bug 1697764 (webRequest API)

Experimental prefs:

extensions.userContextIsolation.enabled (boolean),

extensions.userContextIsolation.defaults.restricted (JSON stringify array of userContext Ids)

extensions.userContextIsolation.EXTID.restricted (JSON stringify array of userContext Ids)

As part of our ongoing work on introducing in Firefox support for extensions using the new “manifest_version 3”, we have introduced support for some new annotations to our JSONSchema parser (and started to use these new properties to introduce the differences between the API and manifest properties available based on the extensions manifest_version):

Bug 1693403 – Support schema versioning for Manifest v3 differences

Bug 1687762 – Deprecate APIs ahead of MV3 and disable in MV3

Bug 1696043 – use mv3 format for content_security_policy

Bug 1697059 – require local icons for search

Fixed a use-after-free issue on shutdown in MatchPattern::Init identified through grizzly fuzzy testing (Bug 1699298)

Fixed a bug in DataTransferList, which was preventing web pages to access a drag and dropped file list if an extension content script was able to access it first (Bug 1707214)

WebExtension APIs

Nicolas Chevobbe applied the needed changes to ensure that the devtools.inspectedWindow.reload method is Fission compatible also when an extension does pass to it the userAgent option (Bug 1706098)

Fission

Neil has been working on reviving the tab unloader for when users are hitting memory limits

It’s smarter this time though, and should hopefully make better choices on which tabs to unload.

Currently disabled by default, but Nightly users can test it by setting `browser.tabs.unloadOnLowMemory` to `true`

Messaging System

New users now get initial focus on about:welcome instead of the address bar based on experiment results. This was uplifted to Beta 89 and Release 88.

Import screen on about:welcome opens up migration wizard based on the browser used to download Firefox as well as showing the other browser’s name on the button.

Remotely deployed an infobar to remind new users two times to set Firefox as the default browser after 5 weeks and 10 weeks.

Removed theme screens for both new user about:welcome and upgrade onboarding.

Performance

dthayer updated the skeleton UI to match proton styles, turned it off for non-default densities, and ensured we show the skeleton UI when restarting firefox

The skeleton UI is set to ride the trains to release!

Barret remove OS.File usage from XPIDatabase.jsm

Florian fixed a bug where the notificationbar stack lazy getter was called every time a tab closed

Florian added Worker.postMessage, “Image load”, and “Image paint” profiler markers

Florian wrote a patch to update the about:processes table in a more efficient way

Florian ensured mochitest profiling works for accessibility tests and tests triggering customizationchange events.

Try mach test <path to mochitest> –profiler

mconley dug into a few minor performance regressions related to Proton

Performance Tools

Stacks now include the category color of each stack frame (in tooltips, marker table, sidebar)

Fixed a bug where the dot markers appear in the wrong places.

Search and Navigation

Lots of polish fixes to Proton address bar (and search bar)

The Search Mode chiclet can now be closed also when the address bar is unfocused – Bug 1701901

Address bar results action text (for example “Switch to tab”, or “Search with Engine”) won’t be pushed out of the visible area by long titles anymore – Bug 1707839

Double dots in domain-looking strings will now be corrected – Bug 1580881

Screenshots

Kajal, Falguni, Dawit, and Kaira have been working on removing server side code from screenshots
by Doug Thayer at May 14, 2021 03:11 PM
Niko Matsakis — CTCFTFTW
This Monday I am starting something new: a monthly meeting called the “Cross Team Collaboration Fun Times” (CTCFT)¹. Check out our nifty logo²:

The meeting is a mechanism to help keep the members of the Rust teams in sync and in touch with one another. The idea is to focus on topics of broad interest (more than two teams):

Status updates on far-reaching projects that could affect multiple teams;

Experience reports about people trying new things (sometimes succeeding, sometimes not);

“Rough draft” proposals that are ready to be brought before a wider audience.

The meeting will focus on things that could either offer insights that might affect the work you’re doing, or where the presenter would like to pose questions to the Rust teams and get feedback.

I announced the meeting some time back to all@rust-lang.org, but I wanted to make a broader announcement as well. This meeting is open for anyone to come and observe. This is by design. Even though the meeting is primarily meant as a forum for the members of the Rust teams, it can be hard to define the borders of a community like ours. I’m hoping we’ll get people who work on major Rust libraries in the ecosystem, for example, or who work on the various Rust teams that have come into being.

The first meeting is scheduled for 2021-05-17 at 15:00 Eastern and you will find the agenda on the CTCFT website, along with links to the slides (still a work-in-progress as of this writing!). There is also a twitter account @RustCTCFT and a Google calendar that you can subscribe to.

I realize the limitations of a synchronous meeting. Due to the reality of time zones and a volunteer project, for example, we’ll never be able to get all of Rust’s global community to attend at once. I’ve designed the meeting to work well even if you can’t attend: the goal is have a place to start conversations, not to finish them. Agendas are annonunced well in advance and the meetings are recorded. We’re also rotating times – the next meeting on 2021-06-21 takes place at 21:00 Eastern time, for example.³

Hope to see you there!

Footnotes

In keeping with Rust’s long-standing tradition of ridiculous acronyms. ↩

Thanks to @Xfactor521! 🙏 ↩

The agenda is still TBD. I’ll tweet when we get it lined up. We’re not announcing that far in advance! 😂 ↩

by Nicholas D. Matsakis at May 14, 2021 04:00 AM
May 13, 2021
Mozilla Open Policy & Advocacy Blog — Defending users’ security in Mauritius
Yesterday, Mozilla and Google filed a joint submission to the public consultation on amending the Information and Communications Technology (ICT) Act organised by the Government of Mauritius. Our submission states that the proposed changes would disproportionately harm the security of Mauritian users on the internet and should be abandoned. Mozilla believes that individuals’ security and privacy on the internet are fundamental and must not be treated as optional. The proposals under these amendments are fundamentally incompatible with this principle and would fail to achieve their projected outcomes.

Under Section 18(m) of the proposed changes, the ICTA could deploy a “new technical toolset” to intercept, decrypt, archive and then inspect/block https traffic between a local user’s Internet device and internet services, including social media platforms.

In their current form, these measures will place the privacy and security of internet users in Mauritius at grave risk. The blunt and disproportionate action will allow the government to decrypt, read and store anything a user types or posts on the internet, including intercepting their account information, passwords and private messages. While doing little to address the legitimate concerns of content moderation in local languages, it will undermine the trust of the fundamental security infrastructure that currently serves as the basis for the security of at least 80% of websites on the web that use HTTPS, including those that carry out e-commerce and other critical financial transactions.

When similarly dangerous mechanisms have been abused in the past, whether by known-malicious parties, business partners such as a computer or device manufacturer, or a government entity, as browser makers we have taken steps to protect and secure our users and products.

In our joint submission to the on-going public consultation, Google and Mozilla have urged the Authority not to pursue this approach. Operating within international frameworks for cross-border law enforcement cooperation and enhancing communication with industry can provide a more promising path to address the stated concerns raised in the consultation paper. We remain committed to working with the Government of Mauritius to address the underlying concerns in a manner that does not harm the privacy, security and freedom of expression of Mauritians on the internet.

The post Defending users’ security in Mauritius appeared first on Open Policy & Advocacy.
by Marshall Erwin at May 13, 2021 05:00 AM
May 12, 2021
Mozilla Open Policy & Advocacy Blog — Mozilla files joint amicus brief in support of California net neutrality law
Yesterday, Mozilla joined a coalition of public interest organizations* in submitting an amicus brief to the Ninth Circuit in support of SB 822, California’s net neutrality law. In this case, telecom and cable companies are arguing that California’s law is preempted by federal law. In February of this year, a federal judge dismissed this challenge and held that California can enforce its law. The telecom industry appealed that decision to the 9th Circuit. We are asking the 9th Circuit to find that California has the authority to protect net neutrality.

“Net neutrality preserves the environment that creates room for new businesses and new ideas to emerge and flourish, and where internet users can choose freely the companies, products, and services that they want to interact with and use. In a marketplace where consumers frequently do not have access to more than one internet service provider (ISP), these rules ensure that data is treated equally across the network by gatekeepers. We are committed to restoring the protections people deserve and will continue to fight for net neutrality,” said Amy Keating, Mozilla’s Chief Legal Officer.

*Mozilla is joined on the amicus brief by Access Now, Public Knowledge, New America’s Open Technology Institute and Free Press.

The post Mozilla files joint amicus brief in support of California net neutrality law appeared first on Open Policy & Advocacy.
by Mozilla at May 12, 2021 03:53 PM
Planet Mozilla
Collected here are the most recent blog posts from all over the Mozilla community. The content here is unfiltered and uncensored, and represents the views of individual community members. Individual posts are owned by their authors -- see original source for licensing information.
Subscribe to Planet
Feeds:
Atom
RSS 2.0
RSS 1.0
Subscription list:
FOAF
OPML
Last update: June 16, 2021 10:59 AM
Other Planets
Projects
Planet Participation
Planet Thunderbird
Planet QMO
Planet Automation
Mozilla Research
Search
Subscriptions
Aaron Klotz
About:Community
Firefox 89: The New Contributors To MR1
Adam Lofting
Adam Munter
Adam Roach
Adam Stevenson
Adblock Plus
Adrian Gaudebert
Aki Sasaki
Al Billings
Alessio Placitelli
Alex Gibson
Alex Vincent
Alexander Surkov
Alexandre Poirot
Allen Wirfs-Brock
Alon Zakai
Amy Tsay
Andrea Marchesini
Andreas Farre
Andrew Halberstadt
Andrew Sutherland
Andrew Truong
Andrzej Hunt
Anjana Vakil
Anne van Kesteren
Anthony Hughes
Anthony Jones
Anthony Ricaud
Armen Zambrano
Asa Dotzler
Axel Hecht
Bas Schouten
Beatriz Rizental
Ben Galbraith
Ben Hearsum
Benjamin Bouvier
Benjamin Kerensa
Bill McCloskey
Bill Walker
Blake Kaplan
Blake Winton
Bobby Holley
Boris Zbarsky
Botond Ballo
Brian Birtles
Bryce Van Dyk
Byron Jones
Cameron Kaiser
TenFourFox FPR32 SPR1 available
Cameron McCormack
Carsten Book
Chelsea Novak
Chris AtLee
Chris Cooper
Chris H-C
Chris Ilias
Chris Pearce
Chris Peterson
Christian Legnitto
Daniel Glazman
Daniel Holbert
Daniel Stenberg
What goes into curl?
Bye bye Travis CI
Bye bye metalink in curl
curl localhost as a local host
Taking hyper-curl further
Giving away an insane amount of curl stickers
QUIC is RFC 9000
curl 7.77.0 – 200 OK
The curl user survey 2021
“I could rewrite curl”
Data@Mozilla
⚠️Danger zone⚠️: handling sensitive data in Glean
This week in Glean: Glean Dictionary updates
Dave Hunt
Dave Huseby
Dave Townsend
David Bryant
David Burns
David Camp
David Humphrey
David Lawrence
David Teller
David Tenser
David Weir (satdav)
Dennis Schubert
WebCompat Tale: CSS Flexbox and the order of things
WebCompat PSA: Please don't use negative `text-indent`s for hidden labels.
Dietrich Ayala
Don Marti
Doug Belshaw
Dustin J. Mitchell
Edward Lee
Ehsan Akhgari
Eitan Isaacson
Emma Humphries
Eric Rahm
Eric Shepherd
Erica Jostedt
Felipe Gomes
Firefox Browser Architecture
Firefox Nightly
These Weeks in Firefox: Issue 95
These Weeks in Firefox: Issue 94
These Weeks in Firefox: Issue 93
Firefox Test Engineering
Firefox Test Pilot
Firefox UX
Content design considerations for the new Firefox
Florian Quèze
Florian Scholz
Francesco Lodolo
François Marier
How to get a direct WebRTC connections between two computers
Frederik Braun
Frédéric Wang
Gabriela Surita
Gareth Aye
Gary Kwong
Geoff Lankow
Georg Fritzsche
George Roter
Gijs Kruitbosch
Giorgio Maone
Giorgos Logiotatidis
Gregory Szorc
Guillaume Destuynder
Hacks.Mozilla.Org
Implementing Private Fields for JavaScript
Looking fine with Firefox 89
Improving Firefox stability on Linux
Introducing Firefox’s new Site Isolation Security Architecture
Hal Wine
Hannes Verschore
Henri Sivonen
Bogo-XML Declaration Returns to Gecko
Henrik Mitsch
Henrik Skupin
Honza Bambas
IRL (podcast)
Ian Bicking
J. Ryan Stinnett
J.C. Jones
Jack Moffitt
James Hugman
Jan Odvarko
Jan de Mooij
Jan-Erik Rediger
Jane Finette
Jared Hirsch
Jared Wein
JavaScript at Mozilla
Jean-Marc Valin
Jeff Klukas
Jeff Muizelaar
Jeff Walden
Jesse McCrosky
Jessilyn Davis
Jet Villegas
Jim Blandy
Jim Chen
Joe Walker
Joel Maher
John Ford
John Slater
Jonas Finnemann Jensen
Jonathan Watt
Jordan Lund
Josh Matthews
Joshua Cranmer
Julia Vallera
Julian Seward
Julien Pagès
Julien Vehent
Justin Crawford
Justin Dolske
K Lars Lohn
Kannan Vijayan
Karl Dubost
Get Ready For Three Digits User Agent Strings
Kartikaya Gupta
Kent James
Kev Needham
Kevin Brosnan
Kim Moir
L. David Baron
Larissa Shapiro
Lawrence Mandel
Les Orchard
Liz Henry
Ludovic Hirlimann
Luis Villa
Luke Wagner
Madhava Enros
Maja Frydrychowicz
Manish Goregaokar
Marcia Knous
Marco Bonardo
Marco Castelluccio
Marco Zehe
Mark Banner
Mark Côté
Mark Mayo
Mark Reid
Mark Surman
Markus Stange
Martin Giger
Martin Thompson
Matjaž Horvat
Matt Brubeck
Matthew Gregan
Matthew Noorenberghe
Max Kanat-Alexander
Michael Comella
Michael Droettboom
Michael Kaply
Michael Kelly
Michelle Thorne
Mike Conley
Mike Hommey
Mike Hoye
Mike Shal
Mike Taylor
The hidden meaning of 537.36 in the Chromium User-Agent string
Mitchell Baker
Mozilla Accessibility
Mozilla Addons Blog
Manifest v3 update
Mozilla Attack & Defense
Eliminating Data Races in Firefox – A Technical Report
Browser fuzzing at Mozilla
Mozilla B-Team
Mozilla Cloud Services Blog
Mozilla Fundraising
Mozilla Future Releases Blog
Mozilla GFX
Mozilla Localization (L10N)
L10n Report: June 2021 Edition
Mozilla Marketing Engineering & Ops Blog
Mozilla Open Design Blog
Mozilla Open Innovation Team
Mozilla Open Policy & Advocacy Blog
Mozilla joins call for fifth FCC Commissioner appointment
Working in the open: Enhancing privacy and security in the DNS
The Van Buren decision is a strong step forward for public interest research online
Advancing system-level change with ad transparency in the EU DSA
Mozilla reacts to the European Commission’s guidance on the revision of the EU Code of Practice on Disinformation
Mozilla publishes position paper on EU Digital Services Act
Defending users’ security in Mauritius
Mozilla files joint amicus brief in support of California net neutrality law
Mozilla Performance Blog
Performance Sheriff Newsletter (April 2021)
Mozilla Privacy Blog
Mozilla joins call for fifth FCC Commissioner appointment
Working in the open: Enhancing privacy and security in the DNS
The Van Buren decision is a strong step forward for public interest research online
Advancing system-level change with ad transparency in the EU DSA
Mozilla reacts to the European Commission’s guidance on the revision of the EU Code of Practice on Disinformation
Mozilla publishes position paper on EU Digital Services Act
Defending users’ security in Mauritius
Mozilla files joint amicus brief in support of California net neutrality law
Mozilla Release Management Team
Mozilla Reps Community
Mozilla Science Lab
Mozilla Security Blog
Updating GPG key for signing Firefox Releases
Firefox 89 blocks cross-site cookie tracking by default in private browsing
Updates to Firefox’s Breach Alert Policy
Introducing Site Isolation in Firefox
Mozilla Thunderbird
Mozilla VR Blog
Mozilla WebDev Community
Myk Melez
Nathan Froyd
Neil Deakin
Nicholas Nethercote
Nick Alexander
Nick Desaulniers
Nick Fitzgerald
Nick Nguyen
Nick Thomas
Nika Layzell
Niko Matsakis
CTCFT 2021-06-21 Agenda
Edition: the song
CTCFTFTW
Onno Ekker
Panos Astithas
Pascal Chevrel
Patrick Cloke
Converting Twisted’s inlineCallbacks to async
celery-batches 0.5 released!
Patrick Finch
Patrick McManus
Paul Adenot
Paul Bone
Paul McLanahan
Pete Moore
Pomax
Princi Vershwal
Project Tofino
QMO
Rabimba
Rafael Ebron
Rail Aliiev
Raphael Pierzina
Enable Fission tt(c) on more platforms
Robert Helmer
Robert Kaiser
Robert O'Callahan
Roberto A. Vitillo
Rodrigo Silveira
Rubén Martín
Ryan Harter
Getting Credit for Invisible Work
Ryan Kelly
Sam Foster
Ideas on a lower-carbon internet through scheduled downloads and Quality of Service requests
Sara Haghdoosti
Sean Martell
Selena Deckelmann
Shane Tomlinson
Shihan Viswaprasath
Shing Lyu
Shruti Jasoria
Spidermonkey Development Blog
Ergonomic Brand Checks will ship with Firefox 90
Steve Fink
Stuart Colville
Support.Mozilla.Org
What’s up with SUMO – June 2021
Sylvestre Ledru
Tantek Çelik
Tanvi Vyas
Tarek Ziadé
Ted Mielczarek
The Firefox Frontier
The Mozilla Blog
Privacy analysis of FLoC
Become a better writer with these five extensions for Firefox
11 secret tips for Firefox that will make you an internet pro
Feel at home on your iPhone and iPad with Firefox
Sharing your deepest emotions online: Did 2020 change the future of therapy?
How to capture screenshots instantly with Firefox
A fresh new Firefox is here
Modern, clean new Firefox clears the way to all you need online
Building a more privacy preserving ads-based ecosystem
The future of ads and privacy
The Rust Programming Language Blog
Announcing Rustup 1.24.3
Announcing Rustup 1.24.2
Six Years of Rust
The Servo Blog
The Talospace Project
Firefox 89 on POWER
Progress on the OpenPOWER SpiderMonkey JIT
This Week In Rust
This Week in Rust 394
This Week in Rust 393
This Week in Rust 392
This Week in Rust 391
Thunderbird Blog
Théo Chevalier
Tiger Oakes
Tim Guan-tin Chien
Tim Taubert
Tom Farrow
Tom Schuster
Tyler Downer
Wil Clouser
Will Kahn-Greene
William Lachance
Glean Dictionary updates
William Quiviger
Wladimir Palant
Yura Zenevich
Zibi Braniecki
Maintained by the Planet Mozilla Module Team. Powered by Planet Venus. View our Privacy Policy.

Month	Page views	Vs previous month
May 2021	7,601,709	-13.02%

Locale	Apr 2021 page views	Localization progress (per Jun, 3)
de	10.05%	99%
zh-CN	6.82%	100%
es	6.71%	42%
pt-BR	6.61%	65%
fr	6.37%	86%
ja	4.33%	53%
ru	3.54%	95%
it	2.28%	98%
pl	2.17%	84%
zh-TW	1.04%	6%

Month	Total questions	Answer rate within 72 hrs	Solved rate within 72 hrs	Forum helpfulness
Jun 2021	3091	65.97%	13.62%	63.64%

Channel	May 2021
Channel	Total conv	Conv handled
@firefox	4012	212
@FirefoxSupport	367	267

USA	174
Sweden	103
Germany	93
India	92
UK	64
France	56
Spain	31
Brazil	31
The Netherlands	24
Switzerland	20

Planet Mozilla

June 15, 2021

Daniel Stenberg — What goes into curl?

Stick to our principles

A shortlist of things I personally want to see

Sponsored works have priority

Keep up with where the world goes

Asking the community

Ideas are easy, code is harder

It needs to exist to be considered

Half-baked is not good enough

Standards and in-use are preferred properties

When no compass needle exists, maintain existing direction

Who decides if its fine?

How to land code in curl

Your feedback helps!

Mozilla Open Policy & Advocacy Blog — Mozilla joins call for fifth FCC Commissioner appointment

June 14, 2021

Daniel Stenberg — Bye bye Travis CI

Seriously. Always.

Transition to death

Not eligible but still there

New service

Pay up?

Credits

Niko Matsakis — CTCFT 2021-06-21 Agenda

Afterwards: Social hour

Turbowish and Tokio console

Guiding principles for Rust

June 11, 2021

François Marier — How to get a direct WebRTC connections between two computers

Testing basic WebRTC functionality

Checking the type of peer connection you have

Chromium

Firefox

Firewall ports to open to avoid using a relay

Patrick Cloke — Converting Twisted’s inlineCallbacks to async

Data@Mozilla — ⚠️Danger zone⚠️: handling sensitive data in Glean

Data collection + Pipeline Encryption = ✨

How does the ✨magic✨ happen in the Glean SDKs?

Limitations and next steps

Acknowledgements

Support.Mozilla.Org — What’s up with SUMO – June 2021

Welcome on board!

Community news

Community call

Community stats

KB

KB Localization

Forum Support

Social Support

Play Store Support

Product updates

Firefox desktop

Firefox mobile

Other products / Experiments

Shout-outs!

Useful links:

June 10, 2021

Mozilla Localization (L10N) — L10n Report: June 2021 Edition

Welcome!

New content and projects

Firefox 89 (MR1)

What’s new or coming up in Firefox desktop

What’s new or coming up in mobile

What’s new or coming up in web projects

AMO

MDN

Mozilla.org

What’s new or coming up in SuMo

What’s new or coming up in Pontoon

Look out for pilcrows

Events

Friends of the Lion

Useful Links

Questions? Want to get involved?

The Mozilla Blog — Privacy analysis of FLoC

Cohort IDs can be used for tracking

Browser Fingerprinting

Multiple Visits