Firefox OS apps and beyond

I have written two Firefox OS apps, which are both not very popular. You may stop reading here if you haven't used either squeezefox or wallabag-fxos. This article is about how I think they should evolve, while Firefox OS is currently transitioning into a community-led B2G OS.

The apps I have written are both simple web clients for specific API endpoints. My first app, Squeezefox is a remote control for Logitech Squeezebox Wifi Radios. The other one, wallabag-fxos is a Firefox OS client for the Pocket clone Wallabag.

The only feature that makes both of these apps so Firefox OS specific is their use of systemXHR: In Firefox OS, an XMLHttpRequest (XHR) instantiated with the {mozSystem: true} parameter is allowed to issue HTTP requests towards all origins. This is what allows my apps to be configured to talk with the user's wallabag instance (or squeezebox device).

I myself do not use those apps very heavily myself anymore and don't think I would make a great maintainer. But I do strongly believe in webapps and the future of the web regardless of the success of particular platforms, and I want these apps to be useful - regardless of the user agent.

For this reason, I suggest re-architecting applications who rely on it to be freed from proprietary technologies like systemXHR: The idea is to suggest users they self-host these apps on the same origin where they already host their main endpoint. Both wallabag and squeezebox servers (aka logitech media servers) allow hosting additional static files besides those which are built-in. By removing some app-specific endpoint settings and defaulting to request against location.href, those apps can become more universally usable in its current form without any extra permissions or vendor-specific extensions.

Users who want to keep my apps in their Firefox OS/B2G OS specific nature, may keep using them as is. I have saved their current state in branches called fxos-legacy.

I will continue to welcome contributions to both the new architecture as well as the legacy branches, but I strongly recommend forking my projects if folks intend to use them productively in the future. But starting now, I will not commit to actively drive the development of either.

All posts

  1. Reference Sheet for Principals in Mozilla Code (Mon 03 August 2020)
  2. Hardening Firefox against Injection Attacks – The Technical Details (Tue 07 July 2020)
  3. Understanding Web Security Checks in Firefox (Part 1) (Wed 10 June 2020)
  4. Help Test Firefox's built-in HTML Sanitizer to protect against UXSS bugs (Fri 06 December 2019)
  5. Remote Code Execution in Firefox beyond memory corruptions (Sun 29 September 2019)
  6. XSS in The Digital #ClimateStrike Widget (Mon 23 September 2019)
  7. Chrome switching the XSSAuditor to filter mode re-enables old attack (Fri 10 May 2019)
  8. Challenge Write-up: Subresource Integrity in Service Workers (Sat 25 March 2017)
  9. Finding the SqueezeBox Radio Default SSH Passwort (Fri 02 September 2016)
  10. New CSP directive to make Subresource Integrity mandatory (`require-sri-for`) (Thu 02 June 2016)
  11. Firefox OS apps and beyond (Tue 12 April 2016)
  12. Teacher's Pinboard Write-up (Wed 02 December 2015)
  13. A CDN that can not XSS you: Using Subresource Integrity (Sun 19 July 2015)
  14. The Twitter Gazebo (Sat 18 July 2015)
  15. German Firefox 1.0 ad (OCR) (Sun 09 November 2014)
  16. My thoughts on Tor appliances (Tue 14 October 2014)
  17. Subresource Integrity (Sun 05 October 2014)
  18. Revoke App Permissions on Firefox OS (Sun 24 August 2014)
  19. (Self) XSS at Mozilla's internal Phonebook (Fri 23 May 2014)
  20. Tales of Python's Encoding (Mon 17 March 2014)
  21. On the X-Frame-Options Security Header (Thu 12 December 2013)
  22. html2dom (Tue 24 September 2013)
  23. Security Review: HTML sanitizer in Thunderbird (Mon 22 July 2013)
  24. Week 29 2013 (Sun 21 July 2013)
  25. The First Post (Tue 16 July 2013)