Indistinguishable from Jesse

What's the difference between Firefox and Mozilla?

Mozilla (Application Suite, also known as SeaMonkey) is a complete suite of Internet applications, including a web browser, a mail/news client, and a chat client. Firefox is just a browser, which makes it a better choice if you already have a mail client for example. Also, since Firefox is smaller than the whole Mozilla suite, it's faster and easier to use.

Note, though, that Firefox is not just the standalone Mozilla browser. The user interface in Firefox differs from Mozilla in many ways. For example, Firefox has customizable toolbars.

[This question and answer are mostly from David Tenser's Firefox FAQ.]

What do I gain by switching from Mozilla to Firefox?

• Speed. Firefox is much faster than Mozilla.
• Customizable toolbars.
• It's easier to browse with multiple windows and multiple tabs. Shift+click opens a link in a new window and Ctrl+click opens it in a new tab.
• Middle-click autoscroll.
• Form autocomplete.
• Extensions and themes. It's easier to develop extensions and themes for Firefox, so there are more available.
• Update notification.

Will Firefox import my Mozilla settings?

Firefox will offer to import your Mozilla passwords, cookies, and options the first time you run it. You can also use File > Import to import them at any time.

What happened to option XYZ?

The option you want to change might still exist in about:config, or there might be an extension that adds it.

Will Firefox integrate with my default mail client like Mozilla integrated with Mozilla Mail?

You can still press Ctrl+M to open your mail client to compose a new message. The Ctrl+2 shortcut to open your mail client is gone; use your operating system to make a global shortcut instead. You can add a toolbar button to open your mail client using Customize Toolbars. The "Send Link" command still exists, but the "Send Page" command is gone (bug 216168).

If you use Mozilla Mail as your mail client, I recommend that you switch to Thunderbird after you switch to Firefox. Firefox can't integrate well with Mozilla Mail because Mozilla Mail assumes you use Mozilla as your browser. If you use another mail cilent, such as Eudora, you don't have to switch to Thunderbird.

How do I create custom sidebars in Firefox?

To create a custom sidebar in Firefox, bookmark the URL you want to use as a sidebar, right-click the bookmark and select "Properties", and check "Load this bookmark in the sidebar".

Slashdot reports a "new" spoofing hole in many browsers, including older versions of Mozilla, discovered by Mark Laurence. The hole is that site A can load its own content into a frame on site B, and the content will appear to be from site B because the frameset is still from site B. This attack only works if site B is a framed site, so some banks are not affected.

A comment I posted on Slashdot:

Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

Mozilla (bugzilla.mozilla.org 246448)

Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.

Opera (bugs.opera.com 145283)

No response.

Microsoft

On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

To be fair to Microsoft, the fix for the frame-spoofing hole did break a few sites. According to a bug filed today, the Charles Schwab brokerage site is one of the broken sites.

I will give 5 Gmail invitations to new Mozilla volunteers this week. There are several ways you can make useful contributions to the Mozilla project with only a nightly build of Firefox and a Bugzilla account:

Finding and reporting bugs

You can find bugs to report through everyday use or by intentionally looking for bugs. Good ways to find bugs that haven't already been reported are testing new features (extension manager, two-pane bookmark manager), testing rarely used features (help, bookmark update notification), and testing for keyboard accessibility.

When you find a bug, search Bugzilla to find out if your bug has already been reported. If it hasn't, report it. Most bug reports should include your build ID (from Help > About), steps to reproduce the bug, and the expected and actual results from following those steps.

Triaging unconfirmed bugs

Bugs filed by new Bugzilla users start with the "unconfirmed" status. You can change to "new" once you've checked that they're useful. This includes searching Bugzilla to make sure it isn't a duplicate, making sure the summary (title) is clear and specific, and making sure the bug is in the correct component. If the bug is a bug in page display, it also needs a simplified testcase (see below) before it can be marked as "new". For more information, see Bug Triagers' Guide: Moving a Bug from Unconfirmed to New.

Isolate bugs and create simplified testcases

Isolating bugs is one of the best ways to save Mozilla developers time. In many bug reports, the reporter has included a URL and a description of what Mozilla does wrong at that URL. Before a Mozilla developer can fix the bug, she has to figure out what part or parts of the page trigger the bug. You can save Mozilla developers time by isolating bugs and attaching your minimal minimal testcases to bugs. To find bugs that need testcases, look for unconfirmed bugs in layout components, bugs without the "testcase" keyword, or bugs with the "qawanted" keyword.

Testcases should be as small as possible while still showing the bug. For most layout bugs, a minimal testcase will be under a kilobyte. Be sure to include text in the testcase or in the bug making it clear what the correct behavior is and what Mozilla is doing wrong. For more tips on creating testcases, see The BugAThon.

Contest rules

While or after contributing, tell me your Bugzilla e-mail address. I'll look at what you and other new volunteers have done in Bugzilla and give the accounts to those with the best contributions.

On Tuesday, Asa will be in #mozillazine to help new volunteers learn how to use Bugzilla as part of a weekly event called Bugday. Asa or I can give you Bugzilla privileges once you've added useful comments to a few bugs. These priviliges let you report bugs as new rather than unconfirmed, mark other people's bugs as duplicates, and make other changes to bugs.

You're not limited to the ways of contributing I listed above. For more ideas, see Getting involved with mozilla.org.

Blake Ross is looking for ideas for how to improve Firefox with machine learning. He hopes to choose one of the ideas for a summer research project at Stanford. I added several suggestions in a comment on his post.

I filed 11 bugs in 6 hours today :) 7 of the bugs required testcases. My "bugs to file" folder is down from 112 files to 73, not counting subdirectories.

I updated Pornzilla today. I rewrote the introduction and the About Pornzilla section. I also wrote and added some search bookmarklets, including one that searches Google for pages on the same site that have the same title.

I will spend the summer in Austin, Texas, working in the Mozilla group at IBM.

I will start graduate school at UCSD in September.

I had to install Enigmail and gpg in order to send a vulnerability report to CERT.

I am not happy with gpg's UI. I had to read this page to figure out which command-line options I had to use. GPG gives a vague yet serious-sounding warning if you use an empty "passphrase" when creating your key. (As far as I can tell, a strong passphrase protects you against someone who can read the file containing your private key, but other than that it doesn't increase security.) It asked me to move the mouse around and bang on the keyboard while it generated my keys, but it generated the keys in less than a second, making me worry that it didn't use any good sources of entropy when it created my key.

I was able to figure out how to use Enigmail without much trouble. I encountered lots of warning and error messages, but I think they were all necessary. (I didn't like the text "This message will appear 1 more time" at the bottom of most of the warnings, though. I don't want Enigmail to keep me from making a mistake just because I almost made the mistake 2 times in the past!) Enigmail's options were split between the Options window and the Account Settings window, but that's a problem with Thunderbird in general.

Neither CERT nor Enigmail warned me that the subject of my e-mail would be sent unencrypted.