Posts Tagged ‘mozilla’

Good Day! The time goes fast, and I’m already at the end of my 5th semester and writing my final release for my Open Source class.
First of all, I would like to say Thank you to Dave for this amazing experience and excellent class – Open Source Development. Such a great class with such an awesome professor. I learned much more that I expected. Also, I would like to say thank you to all Webmaker team for their help and willing to help in all kinds of situations. I was involved in a real code, in a real projects with all sorts of bugs and improvements. That was my first time dealing and being in a real world programming life and Open Source as well. I am more than motivated to continue my contribution to Mozilla Open Source World. Personal thanks to @jbuck (Jon Buckley), who was mentoring me during my CSP implementation. 🙂
I learned a lot new tools and improved my skills in all sorts of Web Development. My personal thought is: when you are involved in Open Source, you are open yourself to learn more and more every day; and this is super cool. You will be always up to date and interested in what you are doing.

Lets get back to my release. During the last week I was working on requireJS bug and also finished and merged my CSP implementation for Thimble and Goggles.

This week contribution:

  • Bug 995318update index.html in Goggles to use requireJS. Fixed and merged. PR can be found here. Two more similar bug are waiting to be fixed. That will be my next step.
  • Bug 959271CSP for thimble. Finally got landed and I’m so happy with that. PR can be found here. All the webmaker components, except popcorn, are using CSP. It took a semester for me to learn, create, fix and land this feature to all the webmaker components and now I am really happy that it works good and I included my work into webmaker.
  • Bug 990786fixing CSP for Goggles. Basically, removing CSP from all the pages, but ‘publish’, where injection could be present. Fixed and merged. PR can be found here.
  • Bug 995781Correcting alignment and profile image shape for Goggles. Fixed and merged. PR can be found here. I fixed the image shape and alignment on the publish page. After my little involvement with CSS, I found out that it is really fun and interesting as well.

That is basically it for my final release.
I would like to say that my classmates were really involved into the course as well, and I liked the presentations they did during the semester, where I learned something new and something more. This kind of approach gave all the classmates to learn even more than only their area of bugs.
Great experience with a great team! 🙂 Thank you!:)
PS: will be off next week – going to see Montreal 🙂


Good Sunday evening! I am coming to the end of the semester and to my final release in OSD. I would say, that it was and it is a great class that opens new horizons to students and possible opportunities to their future. I am so happy that I was and I am involved with such great companies as CDOT and Mozilla.

Previous week was the hardest one for me in terms of time, all the assignment presentations and assignment deadlines were there. Also I finished reading a great Sci-Fi book “Calculating God” last Sunday.

Lets get back to my work throughout the last week.
I was working on implementation GA events to goggles – bug968291, I was continuing this bug from the week before the last week. I became a little bit harder than I excepted, but it even better. It turned out that, from this bug we started 3 more new bugs, , which I took already:

Basically, all 3 bugs related to the same problem/feature: to update goggles to use requireJS whenever its possible. Why 3 bug? Because, in this way it’s easier to stay on track.
I started to work on bug995318 (my commit with progress) and made progress on that already. The main idea of the requireJS is to optimize in browser use and it makes app more efficient and work faster.
I would provide short guide on how it works.
The tree of directories:

  • project-directory/
    • index.html
    • js/
      • main.js
      • require.js
      • browser-screen.js
      • sso-override.js
      • sub/
        • util.js
        • jquery.js

Sample index.html file

<!DOCTYPE html>
        <title>My Project</title>
        <!-- data-main attribute tells require.js to load
             js/main.js after require.js loads. -->
        <script data-main="js/main" src="js/require.js"></script>
        <h1>My index.html file</h1>
        <p class="test">Some weird text here</p>

main.js – special configuration file in requireJS

  baseDir:'/js', // this dir will be used as home for our js files
  paths: {       // do not specify file extension, it assumes that it is .js
    'jquery':           'sub/jquery',  
    'text':             '/bower/text/text',
    'localized':        '/bower/webmaker-i18n/localized',
    'languages':        '/bower/webmaker-language-picker/js/languages',
    'list':             '/bower/listjs/dist/list.min',
    'fuzzySearch':      '/bower/list.fuzzysearch.js/dist/list.fuzzysearch.min',
    'browser-screen':   'browser-screen',
    'sso-override':     'sso-override',
    'utils':            'sub/utils'

// Now you specify which scripts will be loaded after require.js is fired in index.html
require(['browser-screen', 'sso-override', 'jquery', 'utils'],
  // you can give more instructions here

Now, inside one of your js file, you do the following.

require(['jquery'], function($) {
  $(.test).text("your new text");

With this example, you don’t need to include jQuery script in html file. This approach is really efficient in terms of coding, speed of application and code management. Also, it is much more easier to add more functionality in the future with such application structure.

Also, during this week, I pushed to PR and merged small css bug where I had to fix the alignment in navigation area when user logged in.

I am looking forward to continue my contribution to Mozilla and CDOT 🙂 Cheers!

Good Sunday.
This week was extremely busy and full of deadlines for the assignments and labs. The next one will be the same or even more loaded. Anyways, I am super motivated with my Open Source involvement, specifically with Mozilla team. I am strongly direct myself, that event after my OSD class will come to an end I will continue my contribution to Mozilla…my experience and willing to code grew enormously for the last couple of months.


OpenSource contribution matters

During this week I updated my previous bug with Google Analytics implementation for Goggles, my PR can be found here -> GA for goggles, right now I am waiting for review and hopefully it will be landed soon. While working on GA for goggles, Jon helped me to find out that we actually do not need CSP for goggles’s index page, no input fields there, so no potential vulenrability exists. After that, I filed a new bug (to remove CSP from index page, and leave it only for publish page) and send PR, which is under review.

Also, I updated CSP for Thimble, where I missed some sources when together.js were activated. I updated my PR here.

The last thing I did during this week was my little involvement with CSS, where a small fix had to be done. In Goggles, username, language picker and ‘sign in’ button were not aligned in one line. I took that bug, fixed it and pushed PR. I would say, that CSS is also a lot of fun, especially now, with all its power and functionality.
I was working mostly on small bugs this week, due to my lack of time. One major bug is still has to be done, its recoding the popcorn instance. I would work on that next week and week after, so that I would finish it before my next release.

And started my runnings today, which is absolutely great:) Summer almost came!
Bye, bye!:)

Good Sunday!
This week I was working on random bugs as well as I was fixing errors on my CSP implementation for Thimble. Also I reviewed Jon’s CSP implementation for
To be more specific, here is my progress so far:

  • Google Analytics Events for Goggles, bug968291:
    I picked up this bug, while I was searching for some interesting things to implement. The basic idea of this bug is to add GA events to goggle, so when user clicks on different buttons (‘Activate X-Ray’,’Undo’,’Redo’,’Publish’ etc.). So the path to implement it was:

    1. Add webmaker-analytics to the bower
    2. Require ‘analytics’ inside the JS file, where ‘click’ events implemented
    3. Add analytics.event("Activate X-Ray", { label: "Activated" });
    4. Do it for every click event, where it needs
    5. Test…fix
  • The problem I faced in this bug was, that when I implemented analytics.event to ‘Undo’,’Redo’,’Publish’,’Help, ‘Quit’ – I wrote as a name of the event was passed as a text var, and so when analytics fires – this ‘text’ will be shown. The problem here is with localization, it means that if the language is different – the ‘text’ var will be in that language.(Thank @aali for pointing it out) But it is not what we need, that is why I added separate events to all the buttons. My pull request. I would like to thanks @thecount for the help he gave me during this bug. Also, I learned requirejs tool for javascript a little bit.

  • Refactoring ‘HOSTNAME’ vars in webmaker components to ‘HOSTNAME_APP’bug951709 – all components reviewed and merged.
  • Fixed minor bugs in Thimble CSPPR here
  • Removed ‘Add to Map’ link from webmaker-eventspull request 63 (merged)

Also my progress can be seen at my github page (admix)
For the next week I will be working on a final CSP for Thimble, recode the popcorn instance for

Its Friday and I will let you know what I was working on during this week.

I started to work on a couple of new bugs, which are not quite connected to CSP implementation, but also in the are I’m interested in.

  • I found out that nom install command could be failed during downloading source from a git repo using SSH (the path is written using git:// protocol). That is why it is safer to connect using HTTP. i fixed that issue in bug981588 and the bug was merged.
  • The other bug is about refactoring, that non-error responses SHOULD NOT be sent with res.json({error: "okay"}), instead use: res.json({status: "okay"}). My commit for this issue has not been pushed to PR yet. I’m looking for all files that could take place in this issue.
  • Also, I found out the other great thing about OpenSource. The challenge I faced last week was about my experience with AirMail App. With the latest update, this program started to lag and show weird green links in emails. So the fun stuff happened when I was looking for the contact information of that company to file my issue, because all the reinstallation procedures didn’t help. I found out that AirMail App uses github as a place for filing issues.. I found it pretty neat, even when the application is doesn’t use open source direction, using github for filing issues could be very beneficial for the company. I filed my issue there and got an answer on the next day. I liked it.

Coming back to CSP and block bugs. A could of new reviews happened.

  • Two last blocks for Thimble were fixed, reviewed and merged. (bug981357 and bug979111). That is why I pushed CSP for Thimble to be reviewed -> bug959271.
  • Also, all the dependencies for CSP were merged and I pushed CSP bug to review as well: bug959277. It has only one weird questing, where I’m stuck. When user press “Activate X-Ray Goggles” – CSP caught inline script violation, but an interesting part is that there is no inline script there. The suggesting I have is that:
    <div class="bookmarklet"><a href="" id="bookmarklet-link" class="ui-btn"><span>{{ gettext("Activate X-Ray Goggles") }}</span></a></div>

    “bookmarklet-link” id field has some kind of error/bug. Working and getting help to find out why.

  • One more thing is that Jon put me on review for CSP at, which Jon PRed not while ago. I found out that two new policies should be added and it’s still early to push this update, because there are 2 more block bugs left.
  • I’m still working on eval() at PluginDetect_Flash.js David helped me and pointed to pinlady PluginDetect. The possible solution is:
    Instead of using eval like this:


    Do this:

    isIE = (function () {
      var tmp = document.documentMode, e, isIE;
      // Try to force this property to be a string.
      try{document.documentMode = "";}
      catch(e){ };
      // If document.documentMode is a number, then it is a read-only property, and so
      // we have IE 8+.
      // Otherwise, if conditional compilation works, then we have IE < 11.
      // Otherwise, we have a non-IE browser.
      isIE = typeof document.documentMode == "number";
      // Switch back the value to be unobtrusive for non-IE browsers.
      try{document.documentMode = tmp;}
      catch(e){ };
      return isIE;

    At this point, I’m waiting for more info from Jon on this, just to make sure that I’m on a right way.

    Hopefully one of the CSP implementation will be merged to master or at least a great progress will be made before my Rel #5.
    Have a great weekend!

The study week was quick and useful at the same time. I was catching up with everything and did a couple of progress with my own project. At the same time I am closer and closer to implementing CSP into webmaker and its components.

During my release #4 time, I am working on goggles and thimble components. The first thing I decided to implement is to file all the issues related to inline scripts and other bugs that could be problematic for CSP implementation.

Bugs in goggles:

  • Move google analytics into separate file X-Ray Goggles bug977293 – FILED, FIXED, MERGED
  • Move inline script into separate file bug975628 – FILED, FIXED, MERGED
  • Move error tracking into separate file bug973112 – REVIEWED,FIXED,MERGED
  • Move inline script in sso-override.html file into separate file bug980160 – FILED, IN PROCESS
  • Move inline script in webmaker-auth-client.html file into separate file bug980159 – FILED, IN PROCESS
  • Move inline script in preferences.html into separate file bug980162 – FILED, IN PROCESS
  • Also this directory has some html files with inline scripts. Thinking of moving them into separate files as well

Bugs in Thimble

Separate bugs

  • Remove old-style players and dependencies on the Popcorn.player module bug973369 – REVIEWED, FIXED, MERGED
  • Looking for some backend/new feature bugs, that I would like to work on. Maybe will catch up on filer.. still looking for something.

To sum up, I am moving forward to implement CSP for goggles, almost all sub bugs were fixed and merged. Now testing CSP work and looking for more inline script or other problems that could prevent from CSP integration.

At the same time doing the same thing with Thimble and hopefully soon Webmaker will be with CSP.
See you later with my final Release #4.

Welcome to Friday and the last day before the study break.

This week was really exhausted one, all the midterms and assignment deadline made it even more nervous. Anyways, my work in Open Source World holds me in excited mood. 🙂

For this release I completed a lot of new for me kind of bugs and also made a great progress with the final CSP implementation into Webmaker and components. A little bit later in this post about it.

The other thing is that I found some really useful articles related to the Content Security Policy:

  • Compatibility table for support of Content Security Policy in desktop and mobile browsers -> look here
  • Content Security Policy on Mozilla Hacks -> look here and Mozilla Wiki -> here
  • A lot more on CSP v1.1 (new version 🙂 ) standard on w3 -> look here

Another great news!

Content Security Policy has just recently updated to version 1.1 (February 11th, 2014), which has some new features, which will be really useful to use for my future implementation it to the mozilla components.

  • nonce — random sequence of symbols that you send through header;
  • If there is an unsafe-inline and nonce, then nonce turns off unsafe-inline;
  • only those inline scripts work which have attribute nonce with the same value as in the header
    var hood = require("hood");
    //declaring new attribute in header
    module.exports.addCSP = function(options) {
      return hood.csp({
        headers: [
        policy: {
          'default-src': [
          'script-src': [
            "nonce-eef8264c4994bf6409c51ac7c9614446" //'nonce' has value with random symbols
    <script type="text/javascript">
      alert("BLOCKED, because no 'nonce' attribute");
    <script nonce="22168992a8d57a5d3a64ca73bb9fc669">
      alert("BLOCKED, because 'nonce' value doesn't equal to one written in the Policy");
         //'nonce' is equal to one in the header
    <script nonce="eef8264c4994bf6409c51ac7c9614446">       
      alert("VALID, because 'nonce' attribute is equal to one in the Policy");
    <!-- VALID, because there is a 'script-src' with '' -->
    <script src=""></script>
    <!-- BLOCKED, because 'nonce' attribute is different -->
    <script nonce="22168992a8d57a5d3a64ca73bb9fc669" src=""></script>
    <!-- VALID, because 'nonce' attribute is the valid, even then the is not in script-src -->
    <script nonce="eef8264c4994bf6409c51ac7c9614446" src=""></script>
  • Specifying policy with metatag
  • Javascript API for getting and checking policies
  • DOM event about policy violation
  • New attributes: form-action, plugin-types
  • I will talk to Jon and Dave about these new features and how they can benefit.

Also I am thinking of implementing report-uri attribute to mozilla’s CSP, so that we will be getting all the information related to the policies violation and for easy check on the policy rules

Here is a small example of report-uri implementation

//inside CSP header declare report-uri
module.exports.addCSP = function(options) {
  return hood.csp({
    headers: [
    policy: {
      'default-src': [
      'script-src': [
      'report-uri': [  //report-uri attribute
        "/pathToFile/csp.jsx"  //path to report json file

And here is hoe the report-uri file looks like

    "csp-report": {
        "document-uri": "",
        "referrer": "",
        "violated-directive": "script-src 
        "original-policy": " all policies specified here ",
        "blocked-uri": " blocked urls will be here "

Pretty neat thing this CSP 🙂

The only one thing stops this implementation is this bug -> Mozilla CSP report-uri bug which is kind a problem. I would contact jbuck to get some info on that.

Lets get back to my bugs for this release. So I moved as close as possible to implement CSP on webmaker. Due to Jon Buckley’s vacation (hope is doing great 🙂 ), some of my bugs are on review stage, but this is not a problem at all, I have a lot of stuff to do for my next release. These are the bugs I fixed for this release:

  • Moving inline script to separate file -> bug 973120 Fixed and Landed,PR here
  • Remove inline script for quick-linking to a tag -> bug 973116 Fixed and Landed,PR here
  • Move google analytics snippet into a separate JS file -> bug 973119 Fixed and Landed,PR here
  • Move JS error tracking snippet -> bug 973112 On review and PR here
  • Starting point on CSP for Xray Goggles, adding ‘hood’ module, adding CSP to middleware.js and implementing it in app.’s commits -> here
  • Also I filed a bug for Xray Goggles -> here, which is related to future CSP as well. The bug is still not confirmed, but anyways, I am suggesting to find other related issues in Goggles, how we did with Webmaker, to make the whole CSP Implementation much more easier and straight forward.

This is pretty much it for this release.
Have a great weekend!