Features of Firefox
Like Opera and the Mozilla Suite, Mozilla Firefox has some features that distinguish it from other browsers like Internet Explorer. However, it lacks many of the features found in other browsers, in an effort to combat interface bloat and to allow the browser to be shipped as a small, pared-down core that can easily be customized to meet individual users' needs. Instead of providing all features in the standard distribution, Firefox relies on the extension system to allow users to modify the browser according to their requirements.
Tabbed browsing
Firefox supports tabbed browsing, which allows users to open multiple pages in the same window. This feature was carried over from the Mozilla Suite, which in turn had borrowed the feature from the popular MultiZilla [1] extension for SeaMonkey. Until version 1.0, Firefox did not support automatic single-window mode, in which all links that would normally open in a new window were instead opened in a new tab. [2] This feature was introduced in 1.0 after complaints from users migrating from other browsers such as Opera, or Internet Explorer shells such as Avant Browser or Maxthon. However, there were a number of problems with this policy, and as a result it has been stored in a hidden preference as an experimental feature. Before 1.0, most users who preferred single window mode used extensions such as Tabbrowser Preferences or Tabbrowser Extensions to solve their quandary. [3] [4]
Firefox also permits the "homepage" to be a list of URLs delimited with vertical bars (|), which are automatically opened in separate tabs, rather than a single page. This can be a mixed blessing, since clicking the home page opens another set of tabs, instead of resetting the current set (though the proper way to solve this isn't entirely clear), and since it is slightly more difficult to open a browser quickly for a single web page retrieval when this is necessary.
Pop-up blocking
Firefox also includes integrated customizable pop-up blocking. Firefox was given this feature early in beta development, and it was a major comparative selling point of the browser until Internet Explorer gained the capability in the beta of Windows XP Service Pack 2. This blocks pop-ups from all web sites by default, but can be configured to allow individual sites to show pop-ups. It can also be turned off entirely to allow pop-ups from all sites. Firefox's pop-up blocking can be inconvenient at times, however — it prevents JavaScript-based links opening a new window while a page is loading unless a site is added to a "safe list" found in the options menu.
In many cases it is possible to view the pop-up's URL by clicking the dialogue that appears when one is blocked. This makes it easier to decide if the pop-up should be displayed.
Download manager
An integrated customizable download manager is also included. Downloads can be opened automatically depending on the file type, or saved directly to disk. By default, Firefox downloads all files to a user's desktop on Windows or to the user's home directory on Linux, but it can be configured to prompt for a specific download location. The download manager currently does not support cross-session resuming (stopping a download and resuming it after closing the browser). [5] Another issue with the download manager is that it fails to close if small files or files already in the cache are downloaded. [6]
When the download manager was first introduced around version 0.8, there was an uproar among users who preferred the old style of individual windows for downloads, akin to that used by Internet Explorer. [7] Initially there was a great demand for an extension to address the issue but this desire quickly diminished.
Live Bookmarks
Powered by RSS or Atom feeds, "Live Bookmarks", another feature of Firefox, allow users to dynamically monitor changes to their favorite news sources. When this feature was first introduced in version 1.0 PR, there were a few worries that Firefox was beginning to include non-essential features and that it was beginning to bloat the browser much like the Mozilla Suite. However, these worries have largely abated.
Live Bookmarks have surprised many users with their simplicity. [8] Instead of treating RSS-feeds as HTML pages like most news readers do, they are treated as bookmarks that are updated in real-time with a link to the appropriate source.
Add-ons
Themes
Firefox also supports a variety of themes/skins for changing its appearance. Themes are written in XUL (XML-based User-interface Language) and CSS. Many themes can be downloaded from the Mozilla Update web site.
The change of default theme from Qute to Winstripe in Firefox 0.9 was subject to mass debate. The Winstripe theme was created by heavily modifying Pinstripe, a theme designed with Mac OS X in mind. Prior to that, Firefox and its predecessors had used the Qute theme, designed by Arvid Axelsson. Due to licensing issues, the theme was prevented from being released under the Mozilla Public License. Axelsson was upset about being notified about the theme change only a few days before it took place, and posted the transcript of his dialogue with Ben Goodger, who had informed him of the change, on the MozillaZine forums, breaking the news before it was formally announced. [9] Although many people criticized the new theme when it was rolled out, eventually the tension subsided. Axelsson continues to produce Qute privately. The default theme for Mozilla Thunderbird is still made by Axelsson.
Extensions
An often-touted feature of Firefox is its extensibility. Extensions allow the addition of new features such as mouse gestures, advertisement blocking, proxy server switcher, debugger tools, and others through the installation of XPInstall modules. Many former Mozilla features such as IRC chat (ChatZilla), calendar, etc. have become extensions. Although several private sites have sprung up offering extensions for download, the Mozilla Foundation offers a variety of extensions for download on the Mozilla Update site. Most extensions are no more than a few kilobytes in size, making them easily accessible to anyone regardless of connection speed.
The extension system can be viewed as a ground for experiment where new functionalities are being tested. From time to time an extension would be pulled back into the project and made part of the product. An example is MultiZilla [10], an extension which provided tabbed browsing at a time when Mozilla still did not have that feature. Note that Mozilla's implementation of tabbed browsing is not based on MultiZilla [11].
There has been some concern about the security of extensions, as it is possible for a user to download a malicious extension that may be used to gather information about the user, or, worse, compromise his or her computer's security. The developers responded by letting users whitelist the sites they trust to download extensions from, and by providing a preference to disable extension installation altogether. In addition, Firefox prevents users from clicking the button to install the extension for three seconds to ensure that users are not tricked into clicking it accidentally. Blogger Jesse Ruderman filed the bug report [12] that explained why the last measure is necessary, giving examples of how users could be manipulated into installing extensions without knowing it in versions without the three-second delay.
Firefox must be restarted before extensions are fully installed, uninstalled or disabled. This is one of the criticisms of Firefox themes and extensions although the Firefox development team plan for functionability to allow extensions and themes to be installed without restarting of Firefox in version 1.5.
All themes and extensions downloaded from the Mozilla Update site [13] may be upgraded through the browser interface itself. This same feature also allows users to download updates to Firefox directly without having to browse to the Mozilla Foundation's website.
Plugins
Firefox supports plugins based on Netscape Plugin Application Program Interface (NPAPI), i.e. Netscape-style plugins. As a side note, Opera and Internet Explorer 3.0 to 5.0 also supports NPAPI.
On June 30, 2004, the Mozilla Foundation, in partnership with Adobe, Apple, Macromedia, Opera, and Sun Microsystems, announced a series of changes to web browser plugins [14]. The new API will allow Web developers to offer richer web browsing experiences, helping to maintain innovation and standards on the Net [15]. The new plugin technologies are expected to be implemented in the future versions of the Mozilla applications.
Preferences and privacy
Firefox's toolbars and interface are customizable; users can move and manipulate the various buttons, fields, and menus on the toolbars, and also add new toolbars or delete existing ones.
Firefox can also save users' usernames and passwords, making it convenient for them to login to the sites they frequent. However, this password manager comes with a caveat — passwords and usernames are not filled in on a page until the page has finished loading. [16] In addition, Firefox also may save information a user enters on forms — this makes filling in forms which require information that does not change (or changes infrequently) — such as the user's name or address — more convenient. Both the password manager and the saving of form data may be disabled.
Firefox offers a one-click system for deleting trails of activity on the Web. Cookies, history, saved passwords, cache, saved form information, and download manager history can all be cleared with one button or individually.
Additionally, Firefox stores many hidden preferences that are accessed by typing about:config in the address bar. This is used to enable features such as single-window mode and error-pages, or to speed up page rendering by various tweaks. Experimental features like HTTP pipelining are often hidden in the about:config menu.
Security
Secured by design
Firefox was designed with security in mind. Some of the key features include the use of the sandbox security model, same origin policy [17] and external protocol whitelisting [18].
One key characteristic of Firefox security is based on the fact that it is open source software, and thus, its source code is visible to everyone. Proposed software changes are reviewed by at least one other person, and typically "super-reviewed" by yet another, and once placed in the software is visible for anyone else to consider or protest. [19] In addition, Mozilla (including Firefox) has a security "bug bounty" system: people who report a valid critical security bug receive a $500 (US) cash reward (for each report) and a Mozilla T-shirt. [20] The purpose of this "bug bounty" system is, according to the Mozilla Foundation, to "encourage more people to find and report security bugs in our products, so that we can make our products even more secure than they already are." [21] Note that these reporters can be anyone in the world, and that these potential reporters have access to the source code of Mozilla Firefox, internal design documentation, forum discussions, and other materials they can use to aid them in finding security flaws.
Vulnerabilities
As of March 2005, the security firm Secunia reports 3 security flaws not yet fixed for Mozilla Firefox [22], as opposed to 20 security flaws not yet fixed for Microsoft Internet Explorer. [23] While Internet Explorer users who have installed Windows XP Service Pack 2 are only affected by seven of these vulnerabilities, users of older versions of Windows are potentially affected by all of them as Service Pack 2 is only available for Windows XP. On January 11, 2005 a security spoofing flaw involving pop-up windows, which was hidden on Bugzilla for three months, was publicly disclosed. The severity of it is disputed, however, as not all users have been able to reproduce it. [24]
A line of reasoning used by some to explain Firefox's low number of security vulnerabilities is that since Firefox's market share is quite low, attackers may have less incentive to develop and release exploit code, and so vulnerabilities of the same kind may be less likely to be exploited.
On the whole, Firefox security vulnerabilities have been patched relatively quickly. Most occurred during the beta phase of the project. One notable exception is the XUL spoofing vulnerability that was found in 1999, marked confidential in the Mozilla bugtracker until July 21, 2004, and fixed finally before the first official release of the product for end-users (the 1.0 release). [25] In late February 2005 a security update, Firefox 1.0.1, was released which addresses several more security issues found since the release of 1.0, in particular preventing a new class of internationalized domain name spoofing attacks.
A list of fixed security vulnerabilities can also be found in Mozilla Foundation's security advisories [26].
Media coverage
The count of pro-Firefox security reports and press articles took a notable upswing after the Download.ject attack on Internet Explorer on June 23, 2004. This was bolstered by numerous media reports on the subject around the same time that representative Art Manion of the United States Computer Emergency Readiness Team (US-CERT) suggested that using a web browser other than Internet Explorer would mitigate security risks. On June 6, 2004, before the release of Windows XP Service Pack 2, CERT Vulnerability Note (VU#713878) stated as one of seven solutions that switching to an alternate browser would avoid this vulnerability, and possibly others.
Some security experts, including Bruce Schneier and David A. Wheeler, recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead; Wheeler specifically recommending Firefox. [27] [28] Several technology columnists have suggested the same, including highly regarded Wall Street Journal columnist Walter S. Mossberg [29] [30], Washington Post columnist Rob Pegoraro [31], USA Today's Byron Acohido and Jon Swartz [32], Forbes' Arik Hesseldahl [33], eWEEK.com Senior Editor Steven J. Vaughan-Nichols [34] [35], and Desktop Pipeline's Scot Finnie. [36] Microsoft's Craig Mundie admitted that Microsoft's products were "less secure than they could have been" because they were "designing with features in mind rather than security" — even though most people didn't use those new features. [37]
On December 8, 2004, Pennsylvania State University Information Technology Services suggested that students avoid using Internet Explorer [38] and recommended a number of alternative browsers including Firefox. [39]
Comparisons
Firefox's security is usually contrasted with that of Internet Explorer, since Internet Explorer is Firefox's primary competition.
The United States Computer Emergency Readiness Team (US-CERT) did state that Internet Explorer's design makes it very difficult to secure. In contrast, almost none of their concerns apply to Firefox. The US-CERT noted that "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX... IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system." [40] Firefox and Internet Explorer both employ graphical user interfaces (GUIs), and in both cases there is the risk that a user may be fooled by misunderstanding the interface or the displayed information in a way that puts them at risk (this is a general risk of GUI-based web browsers). However, in all other ways Firefox is different from Internet Explorer:
- Firefox does not use a domain/zone security model or local machine zone trust for accessing web pages (these are common ways to fool Internet Explorer into granting excess privileges).
- Firefox does not support many of Microsoft's proprietary DHTML features, which create those risks for vulnerabilities
- Firefox is not part of Microsoft's HTML Help system
- Firefox does not ignore the MIME type of a file unless it's a binary file sent with a text/plain MIME type
- Firefox does not support ActiveX (though plugins for ActiveX exist in some form; once an ActiveX component is run, it runs with the full privileges of the user, instead of having limited privileges like a Java or JavaScript applet). Signed remote script that uses XPCOM (short for cross platform COM) is in some ways similar to ActiveX. However, XPCOM cannot be used silently in this way because every use of XPCOM components need to be confirmed by the user (with a timeout dialog) [41][42]. Therefore, usually XPCOM is only used within the browser chrome.
- Firefox is not deeply integrated into the operating system. Thus, any defects in Firefox are less likely to have catastrophic effects, major new versions of Firefox can be installed without installing a new operating system, and Firefox can be uninstalled later without difficulty. However, since Firefox is cross-platform, any defects in the browser may affect all platforms. In addition, defects in the browser may potentially allow a hacker access to all the system resources made accessible by vulnerabilities in Internet Explorer.
Standards
The Mozilla Foundation takes pride in Firefox's compliance with W3C Web standards. Firefox has extensive support for most basic Web standards including HTML, CSS, JavaScript, and MathML.
It also supports PNG images and variable transparency, something Internet Explorer does not do fully. Indeed, Firefox's support of PNG images has caused much debate around Internet Explorer's standards compliancy, as it is a standard that some web developers want to use instead of the old GIF format, which does not have the same capabilities. GIF was also patent-encumbered until recently.
Developers are constantly improving Firefox's support for existing standards. Most of CSS2 and some of the not-yet-completed CSS3 standard have already been implemented in Firefox.
Work is being done on implementing newer standards like SVG, APNG, and XForms natively into Firefox.
Firefox and other Mozilla applications are built with XPToolkit, which reuses some of the existing standards (CSS, JavaScript and RDF) and introduces a collection of proprietary standards (XUL, XBL, and XTF).
Cross-platform support
Mozilla Firefox runs on a wide variety of platforms. Releases available on the primary distribution site support the following operating systems: [43]
- Various versions of Microsoft Windows, including Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003
- Mac OS X
- Linux-based operating systems using XOrg Server or XFree86
Mozilla Firefox can be installed on Windows 95, though this requires a few additional steps [44].
Since the source code is available, it can also be compiled and run on a variety of other architectures and operating systems. Thus, Firefox is also available for many other systems. This includes Solaris (x86 and SPARC), OS/2, AIX, [45] and FreeBSD [46].
Other features
Firefox also has a non-modal incremental find feature known as "find as you type". When a user types a word while on a web page, Firefox will automatically search for it in the page and highlight the first instance found.
There is also a built-in Mycroft Web search function with extensible search engine listing; by default, Firefox includes plugins for Google and Yahoo!, and also includes plugins for looking up a word on dictionary.com and browsing through Amazon.com listings. Other popular Mycroft search engines include Wikipedia, eBay, and IMDb. Mycroft is named after Mycroft Holmes, the fictional older and smarter brother of Sherlock Holmes. The Macintosh OS's built-in search system is named after Sherlock Holmes.
It should be noted that most of the aforementioned features are not unique to Firefox. Opera, for example, also supports many of these features, but lacks similar extensibility; also, it is supported by advertisements — users must pay a fee to remove the advertisements. See also comparison of web browsers.