The officially official Devuan Forum!

#1 2018-06-27 00:10:54

dxrobertson
Member
Registered: 2017-05-04
Posts: 232  

Firefox Oddities

Firefox ESR 52.8.1 (64-bit) from debian/devuan repositories.

I have noticed 2 issues in the use of firefox. 

1) Shortly after starting firefox, within a minute or so, firefox appears to lock up and not respond.  The lockup lasts several seconds, up to maybe 10-20 seconds.  This is a delayed reaction, I can open up a few tabs and load pages before this happens.  Once it happens, I can't change tabs, type into input boxes, nothing.  It then clears itself and all is normal from there on.

2) What appears to be randomly, firefox loses its focus on textareas, as used in gmail for example.  Often times I find myself responding to an email, typing away, then look up at the screen and none of my typing appears, yet the cursor is in the textarea.  I then click in the textarea, and can then type as normal.   This happens quite often.

These are not general PC performance problems; 4mg ram and recent Intel core 3. 

Just wondering if anyone else is experiencing these issues with firefox?

#2 2018-06-27 00:43:14

golinux
Administrator
Registered: 2016-11-25
Posts: 3,137  

Re: Firefox Oddities

Firefox has become the most odd of oddities.  LOL!  Try disabling all your extensions to see if the problem goes away. If it does, start re-enabling them one at a time to find the culprit.  If disabling extensions doesn't stop that behavior, create a new Mozilla profile.  If that stops it, a corrupted profile is likely the problem.  You can also test by logging into Devuan as another user.  If it goes away, Firefox is OK and it's something with the affected user.

#3 2018-06-27 07:41:34

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Firefox Oddities

Run firefox from a terminal emulator and see what output appears?

#4 2018-06-27 08:51:38

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: Firefox Oddities

Yeah, checking plugins would be my first thought too. As for 2) are you maybe working on a laptop with touchpad? It's easy to accidentally click something while typing. If nothing helps maybe you could look into palemoon (not really a solution but imo FF is getting worse and worse by the year).

#5 2018-06-27 09:20:02

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Firefox Oddities

While we're into suggesting alternatives in preference to solving the OP's problem, I suggest iridium or chromium.  Yes an evil google product, but actually better put together, does privilege separation better and as a result is more secure.

#6 2018-06-27 10:26:22

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: Firefox Oddities

cynwulf wrote:

I suggest iridium or chromium.  Yes an evil google product, but actually better put together, does privilege separation better and as a result is more secure.

Nothing wrong with chromium (chrome on the other hand...). It's a solid product. I've actually considered switching to it too but i can't get used to the UI and it's lacking when it comes to plugins (the main reason i used to use FF).

Regarding security i don't see how process separation (i guess that's what you are hinting at?) is all that important though. While i'll have to agree that it's (at least used to be - i don't follow this all that closely) easier to turn an exploit into a compromise with FF we are talking about last line defenses when there is already a major hole in the bucket.

With the switch to WebExtensions FF has lost its appeal to me anyways. That's also where it made up points in the security department imo (is there anything even close to Random Agent Spoofer for chromium?). Palemoon is obviously a risky choice with its tiny dev team and the little exposure it gets but atm there seems no real alternative when you are used to classic FF (i've been running classic theme restorer before they killed it with the WebExtensions switch).

Last edited by devuser (2018-06-27 10:27:06)

#7 2018-06-27 10:33:19

Panopticon
Member
Registered: 2018-01-27
Posts: 306  

Re: Firefox Oddities

devuser, that was happening to me when i was using my laptop without an external mouse using an improperly set up openbox install, i was like wtf is going on! Took me a little while until i realized the touchpad was the issue when on. There is a way to disable touchpad when typing, i'm using openbox and from my very basic knowledge there is an autostart entry you can use that uses syndaemon. Not sure how that would be implemented in other desktops like xfce or kde etc but i'm sure there is a function somewhere.

Below is from Bunsenlabs openbox .config/openbox/autostart

## Disable touchpad while typing
syndaemon -i .5 -K -t -R -d &

#8 2018-06-27 11:28:07

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Firefox Oddities

devuser wrote:

Nothing wrong with chromium (chrome on the other hand...). It's a solid product. I've actually considered switching to it too but i can't get used to the UI and it's lacking when it comes to plugins (the main reason i used to use FF).

chromium, like firefox still comes out of the box with google spyware built in and enabled.  chrome is worse still.  Iridium is a chromium fork which does not.  Iridium doesn't seem to be available in Debian repositories, but they do provide a .deb package.  It's available in OpenBSD ports and for Windows, hence why I use it.

Last time I checked, chrome "phones home" when installed initially.  But I wasn't referring to privacy settings or anonymous browsing, etc.

UI wise, I dislike chromium/chrome/iridium, but have gotten used to it.  I preferred the old Netscape/Mozilla/Seamonkey UI, but common sense in UI design seems to be a thing of the past (just look at the gnome project).

devuser wrote:

Regarding security i don't see how process separation (i guess that's what you are hinting at?) is all that important though. While i'll have to agree that it's (at least used to be - i don't follow this all that closely) easier to turn an exploit into a compromise with FF we are talking about last line defenses when there is already a major hole in the bucket.

I'm not familiar with "process separation".  I am referring to privilege separation (privsep).  It's important for browsers, due to the attack surface offered by modern browsers.  chromium was designed from day one with sandboxing and privsep in mind, where Mozilla have been retrofitting it to legacy Netscape code.

devuser wrote:

(is there anything even close to Random Agent Spoofer for chromium?).

Spoofing user agents is really a privacy thing, rather than a security concern.  For example, you can browse with tor, script blocking and random UAs, but a vulnerability in e.g. the browser, kernel, SSL (or in the CPU!) is still a security hole and could still compromise your system, irrespective of any extra privacy measures you've taken.

There are several user agent switchers for chrome, some offer random switching, but I'm not aware if they have the same functionality as the one you refer to, as I've not used them.

Regarding extensions, I have umatrix (better than what noscript has become by a square mile) and HTTPS everywhere installed.  The extensions situation seems ok, though again extensions always have to be researched and vetted rather than installed blindly.  The Seamonkey extensions situation is far worse...

#9 2018-06-27 13:00:53

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: Firefox Oddities

cynwulf wrote:
devuser wrote:

Nothing wrong with chromium (chrome on the other hand...). It's a solid product. I've actually considered switching to it too but i can't get used to the UI and it's lacking when it comes to plugins (the main reason i used to use FF).

chromium, like firefox still comes out of the box with google spyware built in and enabled.  chrome is worse still.  Iridium is a chromium fork which does not.  Iridium doesn't seem to be available in Debian repositories, but they do provide a .deb package.  It's available in OpenBSD ports and for Windows, hence why I use it.

Interesting. I thought at least chromium would be somewhat clean. Concerning FF my illusions were long gone. Just look at all the google related garbage RAS lets you disable and that's probably just the tip of the iceberg. Not to mention google being the default search engine with URL bar integration to eat your typos and suggestions and what not.

cynwulf wrote:
devuser wrote:

Regarding security i don't see how process separation (i guess that's what you are hinting at?) is all that important though. While i'll have to agree that it's (at least used to be - i don't follow this all that closely) easier to turn an exploit into a compromise with FF we are talking about last line defenses when there is already a major hole in the bucket.

I'm not familiar with "process separation".  I am referring to privilege separation (privsep).  It's important for browsers, due to the attack surface offered by modern browsers.  chromium was designed from day one with sandboxing and privsep in mind, where Mozilla have been retrofitting it to legacy Netscape code.

OK, i see where you are coming from. Process separation was one of the recently hyped up FF features concerning improving security so i thought you were referring to that but mozilla's codebase being quite rusty can't be argued. Tbh i still see those safety nets somewhat as duct tape for the problem of functionality bloat in today's browsers. My hope is for Palemoon to try ironing out the warts of Mozilla's codebase without adding new features left and right while staying usable (damn, i'd love to use a reasonable browser but with the websites nowadays it's hopeless) and yeah, i know, that's likely nothing more than wishful thinking.

cynwulf wrote:
devuser wrote:

(is there anything even close to Random Agent Spoofer for chromium?).

Spoofing user agents is really a privacy thing, rather than a security concern.  For example, you can browse with tor, script blocking and random UAs, but a vulnerability in e.g. the browser, kernel, SSL (or in the CPU!) is still a security hole and could still compromise your system, irrespective of any extra privacy measures you've taken.

Point taken even if script blocking imo shouldn't be listed here as it in fact stops a lot of exploits.

cynwulf wrote:

There are several user agent switchers for chrome, some offer random switching, but I'm not aware if they have the same functionality as the one you refer to, as I've not used them.

Guess i should have explained that a bit. RAS functionality goes way beyond simple randomization of user agents (and is one of the rare attempts to at least try to do more than a halfassed job at it). It offers a wide selection of other options ranging from disabling WebGL, WebRTC, Canvas to manipulating caching, visited link CSS, clipboard events, DOM timing, localization, fonts. You are right it's more about privacy than security though. Sadly the plugin is pretty much dead as it's impossible to port to WebExtensions according to the author. Actually i am thinking of picking it up to provide updates for usage with Palemoon.

Last edited by devuser (2018-06-27 13:17:44)

#10 2018-06-27 16:07:43

cynwulf
Member
Registered: 2017-10-09
Posts: 234  

Re: Firefox Oddities

You're right that script blocking could be seen as security related.  However just completely turning off javascript is probably the best approach, though not practical for most people.

I can manage to browse the web by selectively disabling those scripts which just aren't needed (advertising, tracking, etc related), but the average person usually can't manage this or just doesn't know about it.  This is all assuming that 100% of the issue is javascript and nothing more...  you've also no reliable or practical way of knowing which scripts are dangerous and which are not.

Hence "secure by default" is the best approach and why sandboxing, privsep, etc are preferred and very important.

It's not so much "duct tape", as just correctness - in that the OS should never assume that any installed programme is "safe", never mind the web content it accesses.  It really boils down to that the OS should stick to the principle of least privilege.

Last edited by cynwulf (2018-06-27 16:08:29)
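The sandboxing and privilege separation discussed in posts #8 and #10, as an added example (it is not from any poster and is not Chromium's or Firefox's code): a broker process hands untrusted bytes to a worker that has given up every system call except read, write and exit. Assumptions: Linux with seccomp strict mode available; `worker`, `count_lines_sandboxed` and the `hijacked` flag are hypothetical names, and line counting stands in for a real content parser.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Worker: once in seccomp strict mode only read, write, exit and sigreturn
 * are permitted, so hijacked parser code cannot open files or sockets. */
static void worker(int in_fd, int out_fd, int hijacked) {
    unsigned char buf[256];
    unsigned lines = 0;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
        syscall(SYS_exit, 2);                   /* never parse unsandboxed */
    ssize_t n = read(in_fd, buf, sizeof buf);
    if (hijacked)                               /* constructed stand-in for a parser bug */
        (void)open("/etc/hostname", O_RDONLY);  /* kernel answers with SIGKILL */
    for (ssize_t i = 0; i < n; i++)
        lines += (buf[i] == '\n');
    if (write(out_fd, &lines, sizeof lines) != (ssize_t)sizeof lines)
        syscall(SYS_exit, 3);
    syscall(SYS_exit, 0);       /* glibc _exit() calls exit_group, which is blocked */
}

/* Broker: keeps its own privileges and only trusts a well-formed reply.
 * Returns 0 and sets *lines, -2 if the worker was killed, -1 otherwise. */
int count_lines_sandboxed(const char *data, size_t len, int hijacked,
                          unsigned *lines) {
    int to_w[2], from_w[2], st = 0;
    unsigned v = 0;
    if (len > 256 || pipe(to_w) != 0 || pipe(from_w) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(to_w[1]); close(from_w[0]);       /* close before the sandbox locks */
        worker(to_w[0], from_w[1], hijacked);
    }
    ssize_t w = write(to_w[1], data, len);      /* we still hold a read end: no SIGPIPE */
    close(to_w[0]); close(to_w[1]); close(from_w[1]);
    ssize_t r = read(from_w[0], &v, sizeof v);  /* returns 0 if the worker died */
    close(from_w[0]);
    if (waitpid(pid, &st, 0) != pid) return -1;
    if (WIFSIGNALED(st)) return -2;
    if (!WIFEXITED(st) || WEXITSTATUS(st) != 0 ||
        w != (ssize_t)len || r != (ssize_t)sizeof v) return -1;
    *lines = v;
    return 0;
}
```

With `hijacked` set, the worker is killed at the `open()` call and the broker reports -2 without ever using a result from it.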

#11 2018-06-27 16:44:15

devuser
Member
Registered: 2018-04-30
Posts: 176  

Re: Firefox Oddities

cynwulf wrote:

You're right that script blocking could be seen as security related.  However just completely turning off javascript is probably the best approach, though not practical for most people.

Yeah, it's quite funny when you look at how Palemoon even warns users about stability problems concerning NoScript. Seems a lot of their bug reports boil down to non-technical users installing it "because it's good for security" and then blame Palemoon for broken pages.

cynwulf wrote:

I can manage to browse the web by selectively disabling those scripts which just aren't needed (advertising, tracking, etc related), but the average person usually can't manage this or just doesn't know about it.  This is all assuming that 100% of the issue is javascript and nothing more...  you've also no reliable or practical way of knowing which scripts are dangerous and which are not.

Agreed. I'd say i have a somewhat solid grasp on the topic but that sure won't save me from allowing a bad script while searching for the right combo to get site X to work.

cynwulf wrote:

Hence "secure by default" is the best approach and why sandboxing, privsep, etc are preferred and very important.

It's not so much "duct tape", as just correctness - in that the OS should never assume that any installed programme is "safe", never mind the web content it accesses.  It really boils down to that the OS should stick to the principle of least privilege.

Well, sure it's probably safe to assume that pretty much any program beyond a simple "Hello World!" will have at least some kind of bug (per 1000 lines of code you add... i guess you know the saying). Still most programs are usually run as is and most often that's just fine (of course chroots, selinux and so on are things but i wouldn't say they are used that regularly outside of high security setups). Personally i've picked up the habit of doing important stuff under a different user account though. So yeah i kinda have my own sandbox.

I won't argue that in the end a safety net is better than a compromise but modern browsers seemingly needing those nets by default is imo telling something about the code. It's kinda like the authors saying: "We don't really know what's going on in our codebase and have no faith in it ever becoming even remotely trustworthy". Given the speed at which browser development moves that's not even a big surprise. There is simply no time to stabilize things when you have to give your browser the functionality needed for making coffee before the competition does.
