So often I want to automate parts of my web experience, and I think ugh I need a browser extension, or user script, or puppeteer. All of which feel clunky for trying to do something simple.
Seems like this will get me 90% of the way for most things, then when I need to click a button or automatically respond to an automatic email, that's just a few lines of code and a cron job away.
1. I couldn't get this working on my M1 Mac due to MacFUSE issues.
2. I wish there was a version for Firefox.
I think this is such a cool project, and I want this to work really badly. I have many workflows where I'd like to log data for certain sites I visit it plain text for further analysis. And long term storage.
It's not a bug. It's an intentional choice by Mozilla that users should not be able to install software without the approval of Mozilla. They say it is for security. But the signing portal is automated so this is only realistically for revokation after widespread damage has been done.
The suggestion in the thread is to use the developer edition which is, in lineage, essentially aurora/alpha version (in the past naming scheme) and contains bugs and security holes.
With modern Firefox if you want software freedoms you have to give up safety... or use the unbranded version which has no auto update and manually re-install the browser for every update.
There was recently someone who made a "fuse-ish" thing using user-mode NFS, which more closely matches my mental model of living in the new multi-arch, locked-down macOS world (https://news.ycombinator.com/item?id=32726166 not open source but the discussion shows the general idea)
I regrettably don't know the guts of NFS enough to know how much of FUSE can be ported, but my guess would be "perfect is the enemy of good" for folks who otherwise can't even run this right now
This was the straw finally pushing me to very seriously consider migrating to Chromium. They seem to absolutely despise power users, they pull the same type of shit with Fennec/Fenix.
They hate their users so much they're perfectly willing to compromise their security. "This extension is not actively monitored by Mozilla". But you can't do the responsible thing and build it from source yourself.
Even installing the "Developer Edition" didn't enable to me to install self-built extensions (yes, with that secret flag). And it doesn't even tell you that it doesn't accept unsigned extensions, they claim that the extension is "broken".
The fuck?! This is Apple-level user hostility. Meanwhile Mozilla execs are getting Apple exec-style compensation while driving it further into the ground.
Not as much as it initially seemed. All extensions I use work fine, including uBlock Lite. The arbitrary limits would trivially be increasable in a fork.
But of course I'm worried about Chromium going the way of the third E, which makes it quite possible I'll continue the toxic relationship with Mozilla for even longer.
It is hostile to power users, but gracious to unsuspecting users who might have a sneaky person install extensions on their browser to steal their data/spy on them. In any case, a real power user could always use a developer build and set that flag.
Yes, my not so nice implication was that they aren't a real power user and it was PEBKAC. I usually try to be nicer but it's hard when someone is saying "X sucks because..."
It’s really not that bad. You can sign up for a free Mozilla developer account and upload the bundle you’d like to sign, and install the signed extension a few minutes later on any edition of Firefox.
Okay, but Linux is an operating system (kernel), Firefox is a web browser. That's two completely different things with different expectations and threat models.
Chrome lets you do it, and with the market share that it has, it means that it's the de facto expectation that you can actually install extensions without an account. And it's not like chrome is less secure than firefox, the opposite is true actually.
if this is horrifying, perhaps you should go touch some grass man. A decent security take is not a horror show when you can get even hobby stuff of your own signed fairly trivially.
Have you tried rebuilding the XPI in a different way or trying a different XPI? I would guess that your addon is broken, as it works for me: https://postimg.cc/9rkbMd7v
I understand the frustration and would also like improved control, but I understand firefox preventing this in the "normal" edition as it's very common for trojans to install unwanted extensions manually by fiddling with the profile files, I've had to remove them manually from family computers in the past.
lol, I feel that Firefox is chrome but using Firefox engine. What I don't understand is that can see evidence of this if you cause an error and view source. It has chrome:// literally hard-coded and commented out.
Host a web server, kill the web-server, try to visit the URL, open inspector and look chrome.
(i'm on freebsd, so if linux: /usr/lib/firefox/omni.ja!/chrome or something) too drunk to care. The internet is fucked.
Firefox version: 109.0 (64-bit)
root@cuddles:/usr/crystal/doublerabbit/ # pkg install chromium
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
chromium: 109.0.5414.119
noto-basic: 2.0_1
sndio: 1.9.0
Call me skeptical, what a coincidence. Convince me.
> Even installing the "Developer Edition" didn't enable to me to install self-built extensions
For a different perspective, I’ve successfully done this on both Windows and Linux. In both cases it was pretty straightforward. (My extension was admittedly very simple, though… maybe it’s different with more complex ones.)
This is a super nice idea. I wonder what other software we could interact in this form. The Unix people did have a good point about everything being a file.
Valid complaint, but maybe not such a great reason.
It gets worse when you deal with sysfs or procfs and similar. It all becomes obscure magic, like what values can be written into what file, why some files aren't readable, or the contents of files being just a bunch of numbers which you have no way of interpreting.
Another problem is that there's way too many of different file types and they aren't organized into any kind of hierarchy or any other meaningful order. This makes tools like rsync extremely complicated, with loads of footguns and still not solving the problem well. It feels especially bitter because in exceeding majority of cases you don't want tools like rsync to deal with named FIFO or device files or sockets etc. but you get accidentally but painfully bitten by them every now and then.
A directory is a file (and IIRC e.g. Plan 9 decided they should be readable just like normal files and there shouldn't be any special readdir syscalls). You can see its attributes to figure out the rest.
If not for strong Linux limitations (because of alleged hardlink knot-tying problem) and belief that it just cannot be both, transparent archive access through a filesystem would be a thing. As well as metadata access (`play ./file.mp3` vs `edit ./file.mp3/id3v2`). People of the past seemed to have paid great attention to interoperability and effort to make common interfaces; folks of the modern age ('00s and later) love unique and completely incompatible solutions to the same problem.
This was possible in the beginning. But then came the moral police and deprived us of this freedom, because they deemed it to be "confusing".
See, for example, The Unix Programming Environment, by Kernighan and Pike, page 51 [0]:
Despite their fundamental properties inside the kernel, directories sit in the file system as ordinary files. They can be read as ordinary files. (...) The time has come to look at the bytes in a directory:
'ls -l' will tell you the basic information of a given listing, including whether it's a normal file, directory, symlink, block device, named pipe, etc.
stat(1) will provide additional information on a file.
file(1) will not only distinguish between filesystem=level distinctions, but will make a remarkably good guess as to what the file contents of a normal file are, based on magic(5).
One source of inspiration is to see what the Plan 9 folks did, plus things inspired from that - filesystems for network access, for the clipboard, for representing windows on the screen.
I've also been considering some sort of filesystem for MQTT, which combined with an appropriate bridge would allow for reading and control of assorted smart devices as a filesystem.
The file interface is somewhat limited though (e.g. everything is just an opaque untyped byte stream) and has security issues in conjunction with shell scripting (e.g. quoting and escaping).
A data type aware interface like AppleScript or COM, if universally supported, would be more expedient.
And so? The mantra says "everything is a file", not "everything is only a file". You can provide stream access to everything, and then more advanced access to some particular resources.
The problem is that everything below the file surface is proprietary, so to speak, and that the file interface doesn’t give you a standard way of discovering the file format or (for command pipes) the commands it understands. What’s missing is a standard way of querying schema information about files/pipes. In addition, like in the TFA use-case, not just individual files have schemata, but whole directories and directory trees have. Those are not communicated by the file system, but have to be known out-of-band for each specific purpose.
Providing just a generic interface cuts two ways: On the one hand, you can represent anything, but on the other hand, you don’t know what anything represents without additional information (metadata).
echoing the sentiment given to linux users every time they ask for a version for their os-- you can just install linux in a vm if you want to use this.
The author directly mentions Emacs twice and one of their liked tweets says "in practice most of my logical 'windows' are actually browser tabs or Emacs buffers": https://twitter.com/rsnous/status/1176587656915849218
If you're on macOS, you can do a small piece of this natively with AppleScript (or anything that can send apple events) in Chrome or Safari -- namely, you can iterate through windows or tabs, view their source code, and execute arbitrary javascript you pass (there's a one time security option you have to accept). This can be handy for quick automations if you don't want to install anything.
(Background: I have RSI, so I've been developing some integrations between applications and Talon Voice (https://talonvoice.com/). AppleScript ends up being surprisingly valuable/fast/reliable for applications that support it. I also built an integration with iTerm2's Python API before noticing that everything I was trying to do was already supported by its AppleScript dictionary, and was faster. In Google Chrome, the "iterate through tabs and execute javascript in them" is very useful for automating Google Meet muting/unmuting.)
Nothing against this excellent project though; I'm a big fan of Omar's Twitter! And I suspect most here will appreciate the easier scriptability of the filesystem approach than dealing with the atrocious syntax of AppleScript.
You don't need to spend that much. I mean, go for it, it sounds fun, but just getting a desk the right height (i.e. probably lower than it is now) and a stable chair solved mine. See sibling comment here.
It's all about hardware. I've addressed it quite well with a three-pronged approach:
1. Motorized standing desk - typing from varying postures keeps strain spread out
2. Kensington trackball mouse - less hand sweeping / temptation to drags wrist on table
3. Ortholinear "Planck" keyboard - modifier keys accessible via thumb and programmable layers more generally can completely eliminate painful hand poses and keep fingers on the home-row
Change is good. I find using a variety of mice helps. Rollermouse, trackpads, rockmouse, carpal tunnel mouse(quadraclicks), mousetrapper.
For the dragging wrist problem, I really like the reloot or other similar gliding palm rests. I find upgrading them with ceramic lights makes a big difference.
With my particular RSI I also can't use a standard trackball, but I swear by my thumb trackballs. (But every body is different, every injury is different, etc.)
Once I ended that one bad relationship in my life, my mind stopped messing up the most used part of my body to send me signals that I’m actually chewing on life’s gristle.
My wrists have been pain free for 15 years. Without surgery. Without therapy. Without a change in work hours.
Talon itself provides noise and speech recognition, and provides the framework that allows you to build automations with any program; Cursorless really helps make programming by voice feel comparable to typing.
For me, it's a combination of introducing alternate input methods (largely voice, but noises are also very additive -- they very well for fast/discreet actions, whereas voice is higher bandwidth but lower latency), as well as building higher-level and better integrations with applications. But I still have always to go personally.
I've been meaning to write up a blog post with everything that I've learned, but you know how it is :)
"If you're on macOS, you can do a small piece of this natively with AppleScript (or anything that can send apple events) in Chrome or Safari -- namely, you can iterate through windows or tabs, view their source code, and execute arbitrary javascript you pass (there's a one time security option you have to accept). This can be handy for quick automations if you don't want to install anything."
sure, for example this pauses every youtube video in every chrome tab:
tell application "Google Chrome"
repeat with theWindow in every window
repeat with theTab in (every tab of theWindow)
if (URL of theTab) contains "youtube.com" then
execute theTab javascript "document.querySelectorAll('video, audio').forEach(e => e.pause())"
end if
end repeat
end repeat
end tell
There are lots of examples just by googling. The script editor has a dictionary for every application you can natively script.
You don’t need to write AppleScript yourself, someone else has already done the hard work with Scripting Bridge and you can simply enjoy an easy-to-use CLI: https://github.com/prasmussen/chrome-cli
I can’t answer that question exactly because that’s driving Chrome, but I wrote an AppleScript the other day to make zoom less dreadful.
I annotate on screens all day and there are no useful shortcuts for moving between drawing and erasing. Also the drawing button requires 2 clicks. I’ve wired my wacom tablet so the two buttons fire off shortcuts, they run a service I’ve registered in the menus, they run the applescript, it fishes about for the right windows in zoom and clicks the buttons. It could not have worked but it just happens to because I can trigger a button and then focus moves to the next button (which I can’t otherwise target) and then I can push “space” to get the job done.
Here’s one of the scripts if anyone wants to see how weird it all is.
tell application "System Events"
repeat with theProcess in processes
if not background only of theProcess then
tell theProcess
set processName to name
set theWindows to windows
end tell
set windowsCount to count of theWindows
if processName is "zoom.us" then
repeat with theWindow in theWindows
tell theWindow
set theSize to size
set windowName to name
end tell
if windowName is "annotation panel" then
if item 1 of theSize is 776 then
tell theWindow to tell button 5 to click
key code 49
else
tell theWindow to tell button 4 to click
key code 49
end if
end if
end repeat
end if
end if
end repeat
end tell
Safari, not Chrome, but here's an AppleScript I use to map a trackpad gesture to the "next page" link on a wide variety of Web sites,
tell application "Safari" to do JavaScript "
(() => {
const loc = Array
.from(document.querySelectorAll('[rel=\"next\"], .next, [title=\"Next page\"]'))
.map(i => i.getAttribute('href')).filter(i => i)[0];
if (loc) {
document.location = loc;
}
})()
" in document 1
s/next/prev/g s/Next/Previous/ for the matching "previous page" script.
Note that this requires Safari's "AllowJavaScriptFromAppleEvents" preference to be set, either via a "Develop" menu option or directly in its preferences file via, e.g., the
shell command, and that this setting allows any program you authorize[1] to send Apple Events to Safari to potentially do Terrible Things. Given that the setting is both disabled and hidden by default, and additionally gated by an opt-in privacy preference, it's presumably an unlikely target for garden-variety malware, however.
[1] Check the Automation group in the Privacy tab of the Security & Privacy preference pane for a list of programs so authorized.
Shameless plug: I've made a set of AppleScripts I call "Tab Transporter" for moving groups of tabs between browsers. The code is painful to write when you're used to a normal programming language, so these examples could be useful for anyone else looking to interact with browser tabs via AppleScript.
Funny, I do similar [1] though my solution is very basic compared to yours.
The script allows me to quickly move the current tab from Firefox or Safari to Arc Browser [2] (which uses Chrome under the hood).
I use the following key-bindings ⌥⌘F or ⌥⌘S in Raycast [3] to activate a tab move to Arc from Firefox or Safari, respectively.
If I were you I would find out which “RSI” you have. Mine wasn’t from “overuse” per sé, just posture and needing to stretch/exercise.
If your RSI is Carpal Tunnel or Cubital Tunnel Syndrome, a quick and easy surgery is the answer.
If your RSI is tendinitis (unlikely, for all the times I see people self-diagnose with it) rest is your best bet.
If your RSI is arthritis, there are medications and even surgeries out there to help with it, but that’s the easiest one to diagnose because it just requires looking at an x ray of your hand.
You may have carpal tunnel syndrome-like symptoms, but that likely just means you have nerve impingement somewhere between your cervical (neck area) spine and your hand.
I’m not a doctor, but through personal experience I can tell you, you probably have the power to get rid of your “RSI” without resorting to dictation software and so on.
Regarding stretching, I found the book Conquering Carpal Tunnel Syndrome to be a huge help. It has lots of suggestions for kinds of stretches to do based on the kind of work you do, but my big takeaway (and according to the author, the most important part) was how to do the stretches: only stretch until you barely feel a stretch, then hold there until you feel a sense of release. In my experience that was more effective than the “stretch until you feel a good strong stretch” strategy.
I have a copy of this which I no longer need. If anyone in Australia wants it hit me up and I'll mail it to you. @johnnydecimal@hachyderm.io.
FWIW -- I know this isn't an RSI thread -- mine was 100% fixed by changing my desk. It was too high, and my classic 5-wheeled office chair was unstable. I lowered the desk to about 68cm (I'm 172cm) and bought a chair with wooden legs (Ikea, ~$80), started doing light stretches in the morning, and that fixed it for me.
I made the desk from Ikea cabinets and a $100 plain wooden door. So it's a) cheap, b) massive, and c) I can screw things in to the underside.
I significantly reduced the symptoms of my carpel tunnel by changing from a normal height mechanical keyboard to one with slim key caps. I really miss my Das Ultimate but the difference is really noticeable.
Aah yep, I also had a Das, and the Filco Majestouch 2. Beautiful keyboards. Sold 'em.
Now I use the very-average Microsoft Sculpt Ergonomic. Low keycaps, low travel. And of course a split layout.
Do not use the execrable MS mouse that comes with that keyboard. I love the MX Anywhere series, I currently use a 2 and a 3. They're light, so you can nudge them round with your fingers without having to move your arm too aggressively.
Ah yes I know that keyboard - mine is a Keychron K2 V2 with optical switches. It's decent to type on but I miss having a volume knob and proper function keys.
I find it really helps not having the number pad - it means my mouse can be closer to the keyboard so my wrists are straighter.
For a mouse I use a MX Master 3 which I'm very happy with.
I also use an MX Master (2S), and wish I would have switched sooner. It can connect to 3 devices (via Bluetooth or USB receivers) with a button on the bottom to switch, and an “infinite” scroll wheel with multiple modes, which is awesome!
I tried the Master but found it a tad large. As above, I'm not a ginormous person: 172cm (5' 8", just), 70kgs. I don't have huge hands. I found pushing round the Master to be a bit too much work, which sounds preposterous but ¯\_(ツ)_/¯.
The Anywhere is just smaller, lighter. More nimble.
I tried an MX Master 3 and 2S, I also have the MX Ergo trackball mouse and the Logitech vertical mouse. The vertical mouse is what I ended up with, but for years I would switch mice, switch between several mice within a day, switch hands - and they were all half-measures that just kind of delayed the "degeneration". The issue, it would seem, was not the mouse or overusing the mouse. The issue seems to have come from my shoulder area (Thoracic Outlet Syndrome aka TOS / Pec. Minor Syndrome), which a vertical mouse will uniquely address as it allows your shoulder to be less interiorly-rotated than a standard mouse, even a trackball mouse that is not vertical.
I remember reading a Medium article a while ago about a software engineer who described how he addressed his "RSI", which I suspect was just TOS - he switched to an ergonomic keyboard and vertical mouse, which over a period of MANY MONTHS more or less resolved his RSI. He talked about how he still has to be careful and take breaks often. I really think, especially considering his age (20s), he could have kept the mouse and keyboard he had, if he just engaged in posture-correcting shoulder stretches and strength exercises.
My personal trainer told me the same- you won't gain flexibility by "forcing" the stretch, only by stretching just beyond where the muscle wants to stop, holding it there for around 30 seconds (and you should feel a "release"), and repeating the next day.
This is solid advice! I had "RSI" for years (could barely type or write) and in the end what solved everything were exercises to improve my posture and strengthen my back, neck and shoulders.
There's a lack of awareness too - I saw three orthopedic surgeons and one neurologist and none asked me about, mentioned, or tested me for Thoracic Outlet Syndrome (which is likely what you had based on what fixed your symptoms). I only learned about TOS myself after they ruled out Carpal Tunnel Syndrome and going back to Google to try to find what could be causing CTS symptoms other than CTS.
If you had told me in 1992 when AppleScript was first introduced that it would be around for over 30 years across three processor transitions, I would not have believed you.
Now they just need to bring back QuickDraw GX, OpenDoc and PowerTalk (please don’t for all that is holy)
Interestingly, all the AppleScript functionality is built on an objective-c api called ScriptingBridge and it’s relatively easy to use a real programming language for the same sorts of things. JavaScript is natively supported by Script Editor, but there’s bindings for Ruby and Python too. I’ve wrapped it up in Common Lisp for my own use: https://github.com/fiddlerwoaroof/objc-lisp-bridge/blob/mast...
Once you figure it out it's not too tricky. For example, I have shell utils for converting all links on a page to "in current tab links" by removing the `target` attr on <a> tags:
However, we shouldn't forget the reduced security of the situation. This opens entirely new attack vectors by introducing the otherwise fantastic ability of local programs to consume network input.
With the flexibility and utility of local information comes additional remote attacks. In doing so, this extension blurs the lines between the greater difficulty of remote attacks vs local attacks. Many programs never considered in their threat models that input would come over the network. There are many developers who never try to protect past a certain point, saying, "if the person gets this far, there is nothing we can do anyway", then they ship.
If a tool's threat model never considered having network input in the first place, that tool would seem deficient in most every real-world situation.
I do not per se see a problem with "network input" but I think you're referring to input from untrusted sources, i.e. input that is not controlled or approved by the user of the tools.
I think that a modern operating system must definitely have access controls that can flag and signal when input is untrusted, wherever the source may be, network, keyboard, USB stick, camera, whatever. If the input is from a network source such as el rando website, then an AAA-layer service can block, flag, log, and handle an exception, rather than forcing every tool and every application to track the provenance of every byte of input. Don't you think?
> If a tool's threat model never considered having network input in the first place, that tool would seem deficient in most every real-world situation.
The hyperbole isn't needed. Risk can be avoided, mitigated, transferred, or accepted. This extension, which otherwise looks fantastic by the way, moves the risks between those categories for various local tools, the data in the DOM, and even for remote accounts of the other current websites. That is what is happening here.
> I do not per se see a problem with "network input" but I think you're referring to input from untrusted sources, i.e. input that is not controlled or approved by the user of the tools.
That is the implication of saying network input, since that input is uncontrolled and from a third party.
This reminds me of a blog post [1] I read before. Pertinent quote:
> Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 [2] and 1884 [3] for more details)!
If your local machine is compromised such that your mountpoints are free game to some tool running.. what difference do you think this will make? Your cookie jar IS STILL exposed without this.
You misunderstand the security implications, so making categorical statements like that isn't useful. While random running processes may be on a developer's machine, that's not at issue here.
You should read the article. This isn't /mnt but fs/mnt.
In this particular scenario, the article describes the use of FUSE for mounting the files. FUSE stands for "Filesystem in Userspace". This, thankfully, doesn't force running a web browser as root, which would be required in your scenario.
> doesn't force running a web browser as root, which would be required in your scenario.
It would not in any way shape or form be required in my scenario. Please re-read the basics of file permissions on POSIX.
We are asking the question: "Does this expose additional potential security vulnerabilities not exposed with the cookies existing purely in the normal cookie store?"
Our possible vectors of attack are a compromised root owned service and a compromised user owned service. Both of those vectors would allow the cookie store to be exfiltrated regardless of whether this extension is used.
Ergo, this extension does not create any additional security vulnerabilities in that regard.
One of the coolest use-cases for this for me is the ability to "host" these folders on a server and be able to access it from embedded contexts. I'm hoping to write a full computer stack that can run on microcontrollers (GitHub.com/Civboot/fngi), including a gopher-like browser for lightweight protocols. It could never interface with the real WWW... unless it had a server hosting the browser like this!
200 comments
[ 3.4 ms ] story [ 255 ms ] threadSo often I want to automate parts of my web experience, and I think ugh I need a browser extension, or user script, or puppeteer. All of which feel clunky for trying to do something simple.
Seems like this will get me 90% of the way for most things, then when I need to click a button or automatically respond to an automatic email, that's just a few lines of code and a cron job away.
1. I couldn't get this working on my M1 Mac due to MacFUSE issues.
2. I wish there was a version for Firefox.
I think this is such a cool project, and I want this to work really badly. I have many workflows where I'd like to log data for certain sites I visit it plain text for further analysis. And long term storage.
The suggestion in the thread is to use the developer edition which is, in lineage, essentially aurora/alpha version (in the past naming scheme) and contains bugs and security holes.
With modern Firefox if you want software freedoms you have to give up safety... or use the unbranded version which has no auto update and manually re-install the browser for every update.
[0] https://extensionworkshop.com/documentation/publish/submitti...
I regrettably don't know the guts of NFS enough to know how much of FUSE can be ported, but my guess would be "perfect is the enemy of good" for folks who otherwise can't even run this right now
Design doc: https://github.com/buildbarn/bb-adrs/blob/master/0009-nfsv4.... Code: https://github.com/buildbarn/go-xdr
>in Firefox You'll need to install as a "temporary extension", so it'll only last in your current FF session. (If you want to install permanently, see this issue: https://github.com/osnr/TabFS/issues/4#issuecomment-75344738...)
They hate their users so much they're perfectly willing to compromise their security. "This extension is not actively monitored by Mozilla". But you can't do the responsible thing and build it from source yourself.
Even installing the "Developer Edition" didn't enable to me to install self-built extensions (yes, with that secret flag). And it doesn't even tell you that it doesn't accept unsigned extensions, they claim that the extension is "broken".
The fuck?! This is Apple-level user hostility. Meanwhile Mozilla execs are getting Apple exec-style compensation while driving it further into the ground.
What is the situation surrounding Manifest V3 in Chromium? Won't that throw a wrench into power user's workflows with its own arbitrary limitations?
But of course I'm worried about Chromium going the way of the third E, which makes it quite possible I'll continue the toxic relationship with Mozilla for even longer.
...this one?
>>Even installing the "Developer Edition" didn't enable to me to install self-built extensions (yes, with that secret flag).
I would guess that they are trying to install is actually broken.
And Mozilla still doesn't scan or do any due diligence on whatever it is you are installing.
It's likely you forgot to include the browser_specific_settings with a some arbitrary id in the manifest.json.
Permanently installing unsigned extensions definitely works in the Developer Edition after setting the pref in about:config.
I understand the frustration and would also like improved control, but I understand firefox preventing this in the "normal" edition as it's very common for trojans to install unwanted extensions manually by fiddling with the profile files, I've had to remove them manually from family computers in the past.
Host a web server, kill the web-server, try to visit the URL, open inspector and look chrome.
Examples:
"<script xmlns="http://www.w3.org/1999/xhtml" src="chrome://global/content/neterror/aboutNetErrorCodes.js"></script>"
Visit chrome://global/content/aboutNetError.mjs in your firefox browser. Why is Firefox accepting chrome:// URI's?
You can even browse: chrome://global/skin/icons/
Visit: jar:file:///usr/local/lib/firefox/omni.ja!/chrome/
(i'm on freebsd, so if linux: /usr/lib/firefox/omni.ja!/chrome or something) too drunk to care. The internet is fucked.
Firefox version: 109.0 (64-bit)
root@cuddles:/usr/crystal/doublerabbit/ # pkg install chromium Updating FreeBSD repository catalogue... FreeBSD repository is up to date. All repositories are up to date. The following 3 package(s) will be affected (of 0 checked):
New packages to be INSTALLED: chromium: 109.0.5414.119 noto-basic: 2.0_1 sndio: 1.9.0
Call me skeptical, what a coincidence. Convince me.
https://developer.mozilla.org/en-US/docs/Glossary/Chrome
https://www.nngroup.com/articles/browser-and-gui-chrome/
> 'Chrome' is the user interface overhead that surrounds user data and web page content.
Browser/GUI's "chrome" terminology existed before google "chrome" browser. That's why you use "userChrome.css" to modify the visual look by yourself.
For a different perspective, I’ve successfully done this on both Windows and Linux. In both cases it was pretty straightforward. (My extension was admittedly very simple, though… maybe it’s different with more complex ones.)
Yes and no. While it simplifies things to an extent, it's also confusing, especially with extension-less files.
Example: Tell me, is this a file or directory?
It could be a file that curls todays posts, or it could be a folder (directory) that contains them./dev/readme.dev
To know what this is, a `stat(2)` is required.
It gets worse when you deal with sysfs or procfs and similar. It all becomes obscure magic, like what values can be written into what file, why some files aren't readable, or the contents of files being just a bunch of numbers which you have no way of interpreting.
Another problem is that there's way too many of different file types and they aren't organized into any kind of hierarchy or any other meaningful order. This makes tools like rsync extremely complicated, with loads of footguns and still not solving the problem well. It feels especially bitter because in exceeding majority of cases you don't want tools like rsync to deal with named FIFO or device files or sockets etc. but you get accidentally but painfully bitten by them every now and then.
A directory is a file (and IIRC e.g. Plan 9 decided they should be readable just like normal files and there shouldn't be any special readdir syscalls). You can see its attributes to figure out the rest.
If not for strong Linux limitations (because of alleged hardlink knot-tying problem) and belief that it just cannot be both, transparent archive access through a filesystem would be a thing. As well as metadata access (`play ./file.mp3` vs `edit ./file.mp3/id3v2`). People of the past seemed to have paid great attention to interoperability and effort to make common interfaces; folks of the modern age ('00s and later) love unique and completely incompatible solutions to the same problem.
This was possible in the beginning. But then came the moral police and deprived us of this freedom, because they deemed it to be "confusing".
See, for example, The Unix Programming Environment, by Kernighan and Pike, page 51 [0]:
Despite their fundamental properties inside the kernel, directories sit in the file system as ordinary files. They can be read as ordinary files. (...) The time has come to look at the bytes in a directory:
[0] https://archive.org/details/UnixProgrammingEnviornment/page/...stat(1) will provide additional information on a file.
file(1) will not only distinguish between filesystem=level distinctions, but will make a remarkably good guess as to what the file contents of a normal file are, based on magic(5).
I've also been considering some sort of filesystem for MQTT, which combined with an appropriate bridge would allow for reading and control of assorted smart devices as a filesystem.
A data type aware interface like AppleScript or COM, if universally supported, would be more expedient.
And so? The mantra says "everything is a file", not "everything is only a file". You can provide stream access to everything, and then more advanced access to some particular resources.
Providing just a generic interface cuts two ways: On the one hand, you can represent anything, but on the other hand, you don’t know what anything represents without additional information (metadata).
Four fake file systems! (9 mins) https://www.youtube.com/watch?v=pfHpDDXJQVg
i.e. screenshots, torrents, youtube, git.
Fuse does not support windows. If it did the extension could probably be easy to port..
Your best bet is probably running the browser under some wsl layer.
Not saying it shouldn't support windows, but choosing Linux and MacOS as initial support is a sensible choice...
0: https://twitter.com/rsnous/status/1338932056743546880
The author directly mentions Emacs twice and one of their liked tweets says "in practice most of my logical 'windows' are actually browser tabs or Emacs buffers": https://twitter.com/rsnous/status/1176587656915849218
(Background: I have RSI, so I've been developing some integrations between applications and Talon Voice (https://talonvoice.com/). AppleScript ends up being surprisingly valuable/fast/reliable for applications that support it. I also built an integration with iTerm2's Python API before noticing that everything I was trying to do was already supported by its AppleScript dictionary, and was faster. In Google Chrome, the "iterate through tabs and execute javascript in them" is very useful for automating Google Meet muting/unmuting.)
Nothing against this excellent project though; I'm a big fan of Omar's Twitter! And I suspect most here will appreciate the easier scriptability of the filesystem approach than dealing with the atrocious syntax of AppleScript.
https://news.ycombinator.com/item?id=34852007
1. Motorized standing desk - typing from varying postures keeps strain spread out
2. Kensington trackball mouse - less hand sweeping / temptation to drags wrist on table
3. Ortholinear "Planck" keyboard - modifier keys accessible via thumb and programmable layers more generally can completely eliminate painful hand poses and keep fingers on the home-row
For the dragging wrist problem, I really like the reloot or other similar gliding palm rests. I find upgrading them with ceramic lights makes a big difference.
Once I ended that one bad relationship in my life, my mind stopped messing up the most used part of my body to send me signals that I’m actually chewing on life’s gristle.
My wrists have been pain free for 15 years. Without surgery. Without therapy. Without a change in work hours.
Talon itself provides noise and speech recognition, and provides the framework that allows you to build automations with any program; Cursorless really helps make programming by voice feel comparable to typing.
For me, it's a combination of introducing alternate input methods (largely voice, but noises are also very additive -- they very well for fast/discreet actions, whereas voice is higher bandwidth but lower latency), as well as building higher-level and better integrations with applications. But I still have always to go personally.
I've been meaning to write up a blog post with everything that I've learned, but you know how it is :)
I recommend breaks and rest over strengthening exercises when dealing with hand pain. Learn preventative measures
Are there any good examples of doing this?
There are lots of examples just by googling. The script editor has a dictionary for every application you can natively script.
Been using this for about a decade now.
I annotate on screens all day and there are no useful shortcuts for moving between drawing and erasing. Also the drawing button requires 2 clicks. I’ve wired my wacom tablet so the two buttons fire off shortcuts, they run a service I’ve registered in the menus, they run the applescript, it fishes about for the right windows in zoom and clicks the buttons. It could not have worked but it just happens to because I can trigger a button and then focus moves to the next button (which I can’t otherwise target) and then I can push “space” to get the job done.
Note that this requires Safari's "AllowJavaScriptFromAppleEvents" preference to be set, either via a "Develop" menu option or directly in its preferences file via, e.g., the
shell command, and that this setting allows any program you authorize[1] to send Apple Events to Safari to potentially do Terrible Things. Given that the setting is both disabled and hidden by default, and additionally gated by an opt-in privacy preference, it's presumably an unlikely target for garden-variety malware, however.[1] Check the Automation group in the Privacy tab of the Security & Privacy preference pane for a list of programs so authorized.
See also https://chromedevtools.github.io/devtools-protocol/ with Playwright et al., even Excel VBA: https://github.com/PerditionC/VBAChromeDevProtocol
Many sites fight against automation, see https://github.com/ultrafunkamsterdam/undetected-chromedrive...
I've used them daily for 5+ years.
https://github.com/tedmiston/tab-transporter
I use the following key-bindings ⌥⌘F or ⌥⌘S in Raycast [3] to activate a tab move to Arc from Firefox or Safari, respectively.
1: https://github.com/ayewo/raycast-script-commands/tree/main/b...
2: https://arc.net
3: https://www.raycast.com/
If your RSI is Carpal Tunnel or Cubital Tunnel Syndrome, a quick and easy surgery is the answer.
If your RSI is tendinitis (unlikely, for all the times I see people self-diagnose with it) rest is your best bet.
If your RSI is arthritis, there are medications and even surgeries out there to help with it, but that’s the easiest one to diagnose because it just requires looking at an x ray of your hand.
You may have carpal tunnel syndrome-like symptoms, but that likely just means you have nerve impingement somewhere between your cervical (neck area) spine and your hand.
I’m not a doctor, but through personal experience I can tell you, you probably have the power to get rid of your “RSI” without resorting to dictation software and so on.
https://www.amazon.com/Conquering-Carpal-Syndrome-Repetitive...
FWIW -- I know this isn't an RSI thread -- mine was 100% fixed by changing my desk. It was too high, and my classic 5-wheeled office chair was unstable. I lowered the desk to about 68cm (I'm 172cm) and bought a chair with wooden legs (Ikea, ~$80), started doing light stretches in the morning, and that fixed it for me.
I made the desk from Ikea cabinets and a $100 plain wooden door. So it's a) cheap, b) massive, and c) I can screw things in to the underside.
Now I use the very-average Microsoft Sculpt Ergonomic. Low keycaps, low travel. And of course a split layout.
Do not use the execrable MS mouse that comes with that keyboard. I love the MX Anywhere series, I currently use a 2 and a 3. They're light, so you can nudge them round with your fingers without having to move your arm too aggressively.
I find it really helps not having the number pad - it means my mouse can be closer to the keyboard so my wrists are straighter.
For a mouse I use a MX Master 3 which I'm very happy with.
The Anywhere is just smaller, lighter. More nimble.
I remember reading a Medium article a while ago about a software engineer who described how he addressed his "RSI", which I suspect was just TOS - he switched to an ergonomic keyboard and vertical mouse, which over a period of MANY MONTHS more or less resolved his RSI. He talked about how he still has to be careful and take breaks often. I really think, especially considering his age (20s), he could have kept the mouse and keyboard he had, if he just engaged in posture-correcting shoulder stretches and strength exercises.
This is solid advice! I had "RSI" for years (could barely type or write) and in the end what solved everything were exercises to improve my posture and strengthen my back, neck and shoulders.
Sounds about right. Nice to know there's a name for it!
Now they just need to bring back QuickDraw GX, OpenDoc and PowerTalk (please don’t for all that is holy)
Endless fun meditations & musings on code & processes & computing. It's the most live, most inove stream of computing out there.
:)
However, we shouldn't forget the reduced security of the situation. This opens entirely new attack vectors by introducing the otherwise fantastic ability of local programs to consume network input.
With the flexibility and utility of local information comes additional remote attacks. In doing so, this extension blurs the lines between the greater difficulty of remote attacks vs local attacks. Many programs never considered in their threat models that input would come over the network. There are many developers who never try to protect past a certain point, saying, "if the person gets this far, there is nothing we can do anyway", then they ship.
I mean, any script on my machine can use these tools to interact with network input and execute untrustworthy code...
I do not per se see a problem with "network input" but I think you're referring to input from untrusted sources, i.e. input that is not controlled or approved by the user of the tools.
I think that a modern operating system must definitely have access controls that can flag and signal when input is untrusted, wherever the source may be, network, keyboard, USB stick, camera, whatever. If the input is from a network source such as el rando website, then an AAA-layer service can block, flag, log, and handle an exception, rather than forcing every tool and every application to track the provenance of every byte of input. Don't you think?
The hyperbole isn't needed. Risk can be avoided, mitigated, transferred, or accepted. This extension, which otherwise looks fantastic by the way, moves the risks between those categories for various local tools, the data in the DOM, and even for remote accounts of the other current websites. That is what is happening here.
> I do not per se see a problem with "network input" but I think you're referring to input from untrusted sources, i.e. input that is not controlled or approved by the user of the tools.
That is the implication of saying network input, since that input is uncontrolled and from a third party.
Hey, it is easier to authenticate and authorize network input than keyboard input, considering what sort of USB devices are floating around.
(Fantastic extension, btw.)
This reminds me of a blog post [1] I read before. Pertinent quote:
> Unbeknownst to me, even with --dry-run pip will execute arbitrary code found in the package's setup.py. In fact, merely asking pip to download a package can execute arbitrary code (see pip issues 7325 [2] and 1884 [3] for more details)!
Also seen on Twitter [4].
[1] https://moyix.blogspot.com/2022/09/someones-been-messing-wit...
[2] https://github.com/pypa/pip/issues/7325
[3] https://github.com/pypa/pip/issues/1884
[4] https://twitter.com/moyix/status/1566561433898426368
your cookie jar is somewhere in ~ (eg ~/.firefox)
If a service has been compromised such that it can exfiltrate /mnt/blah/tab/blah/, it can also exfiltrate ~/.firefox/blah
You're shuffling deck chairs on the titanic.
In this particular scenario, the article describes the use of FUSE for mounting the files. FUSE stands for "Filesystem in Userspace". This, thankfully, doesn't force running a web browser as root, which would be required in your scenario.
It would not in any way shape or form be required in my scenario. Please re-read the basics of file permissions on POSIX.
We are asking the question: "Does this expose additional potential security vulnerabilities not exposed with the cookies existing purely in the normal cookie store?"
Our possible vectors of attack are a compromised root owned service and a compromised user owned service. Both of those vectors would allow the cookie store to be exfiltrated regardless of whether this extension is used.
Ergo, this extension does not create any additional security vulnerabilities in that regard.
https://github.com/atomontage/osa-chrome https://melpa.org/#/osa-chrome