A Mozilla Plugin to Help Overcome IE Rendering Flaw

least_weasel writes "An article on Ars Technica reveals Mozilla's intention to create and release a plugin for Internet Explorer that would allow the often-criticized IE to utilize some of the cooler rendering code developed for Firefox. The current WIP focuses on rendering using HTML5 standards, but the plans seem to be more ambitious than just fixing this one small piece of IE. The article covers some of the plans, hurdles, and potential benefits. It also spills the beans on the code name for the project: Screaming Monkey."

Interesting, but difficult

[AKAImBatman]

FYI, Screaming Monkey was already discussed in an earlier story [slashdot.org].

Unfortunately, scripted manipulation of VML is too slow to be used for highly interactive web applications. Mozilla's solution is to bake its own native Canvas implementation into an ActiveX plugin that can be integrated directly into Internet Explorer.

The only problem is getting people to install the plugin. My own solution was to use the market penetration of Java Applets to develop a shunt [dnsalias.com] that would render Canvas using Java APIs. (Note that the events system has not been completed in that demo. Make sure you click outside the block falling area so that the browser receives the keyboard commands.)

The same sort of shunt could be done with Flash 9 or Silverlight. Which would do a nice end-run around the problem of getting plugins installed.

Re:Sad or happy day in Redmond?

[snl2587]

The new plan for Mozilla:

• Embrace I.E.
• Extend I.E. with this plugin
• Extinguish I.E. with a "Get Firefox" button on every page.

What could possibly go wrong?

Re:HTML5 is a standard now?

[secPM_MS]

I would be rather cautious about simply trying to implement and support HTML5, which is no standardized yet. I attended BlackHat ~ 2 weeks ago and Stamos's talk "Living in the RIA World" had some interesting things to say about HTML5 in its current state. If you wait ~ 6 months, BlackHat will allow viewing. My notes concerning HTML 5 follow.

HTML 5: have DOM storage (session and local) and database storage. These should all be SameOrigin. Meant to block userâ(TM)s deleting of tracking cookies. Use of database storage, there can be SQL injection against the local database. Some browsers support GlobalStorage that donâ(TM)t have SameOrigin control. Lots of new attack surface in FF3. Websites can be protocol handlers (support spyware!!). Installation of protocol handler is one click. WebKit is a big supporter of HTML5 and supports these issues.

HTML5 has limited storage (~ 15 Mbytes total) allowing easy exhaustion attacks and there is no UI to manage this. DOS is easy. Can easily plant arbitrary evidence on a system. HTML 5: Security âoeneed to write this sectionâ.

We now have web developers making desktop apps without any security or privacy expertise. The Web is becoming more heterogeneous and far far more dangerous.

Look to the beam in your own eye

[szquirrel]

Hey, that's great. Do they also have plans to fix the flaws in Firefox?

Off the top of my head, could we finally have support for SVG as a native image format? Or even just SVG rendering that isn't slower than a stone cow?

Don't want to sound like the grumpy old man, I just want most of my web shit to work in *one* browser before I worry about how it works in every browser.

Re:I'm a bit skeptical

[hr.wien]

I assume you can have the browser display a "download plugin" button for those people, just like it does it you're missing flash or shockwave.

Re:Er...

[MrMunkey]

The fact still remains that people use IE, because that's "the Internet" on their computer. It's been suggested that Adobe might include these plugins (there's also one in the works for the canvas element) with their Flash installer. That would greatly increase the number of people with IE that would support some of the features that are already available in FF/Opera/Safari.

I think that people who don't have permission to install the plugins just won't be able to do so, but they wouldn't be able to install FF anyway.

Re:Er...

[anaesthetica]

I think the idea might be to get a first mover advantage on IE. If the IE installed base gets this plugin and gets used to the behavior, Microsoft will find it harder to do their usual trick of implementation-but-not-quite. People who have this plugin will be upset if Microsoft releases a new version of IE that breaks the Canvas behavior that they've become used to. A wide deployment of the plugin (perhaps through Adobe as the article speculates) might create just enough perceived path-dependence that Microsoft won't go out of its way to break the Canvas standard with a proprietary implementation.

Re:HTML5 is a standard now?

[jsebrech]

We now have web developers making desktop apps without any security or privacy expertise. The Web is becoming more heterogeneous and far far more dangerous.

What bothers me is how security is somehow pushed to the forefront as the most important issue, even more important than functionality.

The most secure system is one that is turned off. This new stuff they're adding increases the attack surface, sure, but it's also necessary to build stuff that actually works (like a web app that doesn't die when your wifi does).

But even aside from the issue of functionality vs. security, there's the issue of security somehow being way more important in the browser, which I think is nonsense. Client-server apps have always had lousy security, and were easily hijacked. Just because they now run in a browser, the threat level hasn't changed. A hacker that is determined can break in sure, but they've always been able to break in. Nothing has truly changed, except for the perception of the threat level.

All in all I think the web stack is pretty secure by default, when comparing it to the alternatives.

Why does the title sound like a low-blow?

[Eric Freyhart]

"A Mozilla Plugin to Help Overcome IE Rendering Flaw"

Should it not read: A Mozilla Plugin to add Enhanced IE Rendering?

Come on. This old fight between browsers is becoming stale. IE included many things now in the HTML specs that were not available in any other browser, such as CSS Style for shadow effects, etc. Why is it that when something new comes out for IE that it is automatically described as a "bug" fix or a workaround to a "flaw"?

Please people, I like FF and IE for different reasons. At least write unbiased stories and stop bashing each other's code efforts.

Exactly backwards

[markdavis]

This is exactly backwards to what most of us need. We need a [multiplatform] plugin for Firefox that will allow broken IE-only sites to work under Firefox so we can continue to use the browser of our choice. Not that I want to promote the use of IE-only coding, but the reality is that if the site doesn't work, the average users always blame Firefox, not the site designer.

random idea for IEs final destruction...

[nawcom]

Have Mozilla send come checks to all major software companies (Adobe wink wink) - perhaps Google can through in a few $100 million in the pot too to distribute. Goal: install Firefox (if not installed yet) and make Firefox the default browser. A little taste of Microsoft's own medicine.

*nawcom sips from his glass of kool-aid*

Re:I'm a bit skeptical

[techno-vampire]

Possibly the best way to handle this is use one of IE's many security holes to patch the bug: create a website that checks to see if you're using IE. If you are, and you don't already have this plugin, use ActiveX to install it. After all, we all know that a large percentage of the people who use IE will always click OK when asked if they want their browser to install something; that's how a lot of malware gets installed.

Re:HTML5 is a standard now?

[moderatorrater]

What's the difference between web developers and regular developers? Take a look at any desktop applications and tell me that they're programming with better security practices than web developers. Windows, apache, IIS, OSX, and many more programs include critical security holes that can be exploited externally; how is a buffer overflow any better or worse than improperly escaped SQL?

Developers as a whole have been programming without security and privacy expertise, web developers just happen to have a program that's exposed to (at best) everyone in a particular company, or often everyone in the world. With that kind of exposure, what percentage of non-web-based programs would survive without getting exploited?

Sorry, rant over. Security is a big concern, and for things which need to be very secure these features shouldn't be allowed. However, that shouldn't keep the browsers from increasing functionality and usability. Hopefully developers are learning their lessons and becoming more security conscious.

Re:HTML5 is a standard now?

[raddan]

All in all I think the web stack is pretty secure by default, when comparing it to the alternatives.

Really? My opinion is that the "web stack" (not sure which stack you mean here; MSIE-Windows, FF-Windows, Safari-MacOSX, Konq-Linux, etc) has by far the worst record so far. MSIE-Windows has to be the #1 vector for infection now, and has been for at least the last 6-7 years. Which alternative are you thinking of? Because the "web stack" is, in my opinion, the premier virus runtime environment.

My opinion is that web designers made a HUGE mistake in not treating network input cautiously. The emphasis has been on "rich APIs", "data structure passing", extensibility, desktop integration, and so on. These are undoubtably good things in the absence of malicious input, but the fact is, there is a lot of malicious input out there. Web browsers would benefit greatly from some simple privilege separation; the Mozilla camp could do this with some effort, but MSIE is pretty much dead in the water here due to the level of integration with the base system. I understand the HTML5 camp's worry that Flash/Flex will become a de facto standard, but in my opinion, web security has not been taken seriously enough. These kinds of vulnerabilities have become a major source of income for organized crime in the East, and still people like you are saying that security is not the most important issue? Gimme a break.

Re:Er...

[neokushan]

I'd also like to believe Microsoft will get a bit arsey about it and be all "wut, we don't need ur bloody plugins, we'll make these features available ourselves!" and thus push them towards implementing more standards rather than just fixing the broken ones they have now.

Note: Not trying to troll on Microsoft here, just trying to point out that it would be helpful to everyone if IE supported more features that other browsers have.

Re:Er...

[carlzum]

And then that jock gets a job in the city rec department, and his bangin' cheerleader girlfriend is a professional beautician, between them making as much as you do by yourself with your programming experience.

Sigh, if life were fair this would be true. The jocks become corporate sales guys and upper management types. While I honed my programming skills they developed "leadership" skills on a football scholarship at State U. Now they drive nice cars, play golf on office time, and their cheerleader girlfriends have become hot moms.

I think I'm going to put Revenge of the Nerds on to feel better.

Re:Er...

[SanityInAnarchy]

I can't speak for him, but I do, and I'll endorse that statement.

Develop to standards first. Target Firefox first, Safari second, then worry about IE. Put IE-specific hacks in separate stylesheets, and don't even let non-IE browsers see them.

And throw "GetFirefox" links around where you're allowed to.

Re:Er...

[wolferz]

I think his analogy was perfect... He points out quite right that in both cases people don't care. And while you point out that the jocks and cheerleaders are shooting themselves in the foot you can't correctly claim this as evidence that the analogy is flawed or inapplicable... as people who use IE are shooting themselves in the foot as well.

The analogy is quite sound.

oh and you are completely wrong about the results of this plugin. It will bring about no measurable change in and of itself. As was said in the post before you the people who care are unlikely to install this plug-in as they likely don't use Ie or when they do they do so simply to see if IE is garbling their page. The people who actually need it don't even know what "an IE" is much less understand the need for this plug-in much less have any intention of getting it.

There are extremely few exceptions to this. Most of the exceptions are limited to the stubborn people who actually like IE and the way IE works enough to not care about whether pages are standards compliant. In fact the majority of the "what's an IE" crowd *would* feel the same way if they were to find out the details. They are comfort blanket type people. They would rather stick with something "good enough" than leave their comfort zone to learn something new especially when it is as trivial as "computer stuff." C'est la Vie. This is Life.

As a result the vast majority of users (those who don't know what "an IE" is) will not get this plugin and web developers will still have to jump through the same hoops they have to now. Yes they *could* make their page standards compliant... but they can do that now. If they do they will have the same problem with people adopting the plugin that they have now with people adopting gecko based browsers. Same shit different day.

The only way this could *lead* to what you describe is if it spurred MS to fix their own crap and include it in an update or the next version of IE (which, if history is any indication, is 10 years down the road) thus disseminating a standards compliant browser to the populace at large.