Sunday, March 24, 2019

TenFourFox FPR13 SPR1 available

TenFourFox Feature Parity Release 13 Security Parity Release 1 ("FPR13.1") is now available and live (downloads, hashes, release notes). The Pwn2Own vulnerabilities do not work on TenFourFox in their present form (not only because we're PowerPC but also because of our hybrid-endian typed arrays and other differences), but I have determined that TenFourFox-specific variant attacks could be exploitable, so we are patched as well. This should also reduce the risk of crashes from attempts to exploit mainline x86 Firefox.

Meanwhile, H.264 support for TenFourFox FPR14 appears to be sticking. Yes, folks: for the first time you can now play Vimeo and other H.264-only videos from within TenFourFox using sidecar ffmpeg libraries, and it actually works pretty well! Kudos to Olga for the integration code! That said, however, it comes with a couple significant caveats. The first is that while WebM video tends not to occur in large numbers on a given page, H.264 videos nowadays are studded everywhere (Vimeo's front page, Twitter threads, Imgur galleries, etc.) and sometimes try to autoplay simultaneously. In its first iteration this would cause the browser to run out of memory if a large number of higher resolution videos tried to play at once, and sometimes crash when an infallible memory allocation fallibled. Right now there is a lockout in the browser to immediately halt all H.264 decoding if any instance runs out of memory so that the browser can save itself, but this needs a lot more testing to make sure it's solid, and is clearly a suboptimal solution. Remember that we are under unusual memory constraints because of the large amount of stack required for our JIT.
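An added sketch of the lockout described above (not TenFourFox source; every name is hypothetical, and the per-instance `budget` is a constructed stand-in for available memory): a fallible allocation failure in any one decoder sets a shared flag, and every other decoder checks that flag, drops its buffers and stops.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <new>

// All names are hypothetical; this is not TenFourFox source.
static std::atomic<bool> gH264LockedOut{false};  // shared by every decoder

enum class DecodeResult { Ok, OutOfMemory, LockedOut };

class H264Instance {
 public:
  // budget is a constructed stand-in for the memory still available.
  explicit H264Instance(size_t budget) : mBudget(budget) {}

  DecodeResult DecodeFrame(size_t width, size_t height) {
    // Check the shared flag first so one failure halts all instances.
    if (gH264LockedOut.load(std::memory_order_acquire)) {
      mFrame.reset();  // give memory back so the browser can recover
      return DecodeResult::LockedOut;
    }
    uint8_t* frame = nullptr;
    // Reject sizes whose byte count would overflow size_t.
    if (height == 0 || width <= SIZE_MAX / 3 / height) {
      size_t bytes = width * height * 3 / 2;  // one YUV 4:2:0 frame
      // Fallible path: nothrow new yields nullptr instead of aborting.
      if (bytes <= mBudget) frame = new (std::nothrow) uint8_t[bytes];
    }
    if (!frame) {
      gH264LockedOut.store(true, std::memory_order_release);
      mFrame.reset();
      return DecodeResult::OutOfMemory;
    }
    mFrame.reset(frame);
    return DecodeResult::Ok;
  }
  bool HoldsBuffers() const { return mFrame != nullptr; }

 private:
  size_t mBudget;
  std::unique_ptr<uint8_t[]> mFrame;
};

int main() {
  H264Instance a(1 << 20), b(1 << 20);
  a.DecodeFrame(320, 240);
  b.DecodeFrame(1920, 1080);  // exceeds budget, trips the lockout
  std::printf("a after lockout: %d\n", (int)a.DecodeFrame(320, 240));
}
```

The flag is never cleared in this sketch; when and whether decoding may resume is a policy decision the post leaves open.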

The second caveat with H.264 support is that while the additional AltiVec support in ffmpeg (TenFourFox is compatible with 2.8 and 3.4) makes H.264 decoding faster than WebM, it is not dramatically so, and you should not expect a major jump in video performance. (In fact, quite the opposite on pages like the above.) Because of that, and because I have to build and support ffmpeg library installers now, I am only officially supporting H.264 on G4/7450 and G5 based on the existing 1.25GHz minimum CPU requirement for web video (and you should really have 2GB or more of memory). There will not be an official TenFourFox ffmpeg build for G4/7400 and G3 (or, for that matter, Intel); while you can build it yourself mostly out of the box with Xcode 2.5 and I won't have any block in TenFourFox for user-created libraries, I will provide neither support nor ffmpeg builds for these architectures. Olga's current FFmpeg Enabler does work on 10.4 now and does support 7400 and my future 7450 version will run on a 7400, so early G4 users have a couple options, but either way you would be on your own. Sorry, there are enough complaints about TenFourFox performance already without me making promises of additional functionality I know those systems can't meet.

Back on the good news side, the AppleScript-JavaScript bridge is also complete and working. As an example, consider this script, which actually works in the internal test build:

tell application "TenFourFoxG5"
  tell front browser window
    set URL of current tab to "https://www.google.com/"
    repeat while (current tab is busy)
      delay 1
    end repeat
    tell current tab
      run JavaScript "let f = document.getElementById('tsf');f.q.value='tenfourfox';f.submit();"
    end tell
    repeat while (current tab is busy)
      delay 1
    end repeat
    tell current tab
      run JavaScript "return document.getElementsByTagName('h3')[0].innerText + ' ' + document.getElementsByTagName('cite')[0].innerText"
    end tell
  end tell
end tell

I'll let you ponder what it does until the FPR14 beta comes out, but it should be obvious that this would be great for automating certain tasks in the browser now that you don't have to rely on figuring out how to send the exact UI event anymore: you can just manipulate the DOM of any web page directly from AppleScript. Firefox still can't do that! (Mozilla can port over my code; I'd be flattered.)

The last things to do are a couple security and performance tweaks, and then one more desperate attempt to get GitHub working. I'm still not sure how feasible the necessary JavaScript hacks will be yet but come hell or high water we're on track for FPR14 beta 1 in early April.

8 comments:

  1. virustotal found this in the new dot 1 release -

    Ikarus flagged - PUA.OSX.KeyLogger

    https://www.virustotal.com/ui-public/index.html#/home/upload

    fyi

    Replies
    1. I'm not going to lose a lot of sleep over an obvious false positive hit.

  2. [ChrisT] One of the ~60 engines that virustotal uses detects the three firefox executables (firefox, firefox-bin and Resources/firefox) inside the application package as keyloggers. The other engines come out clean.

  3. Is there a way to disable the h.264 playback? I have an addon that stops webM unless I click on it (to keep things faster) but this mp4 thing is dogging the system something painful (lovely technical achievement though it may be).

    Replies
    1. Yes, there will be a pref you can turn off, or just simply never install the H.264 libraries and they will never play (like currently).

    2. OK - can just remove them then. Pretty cool approach though to the problem. Sadly, even the wallpaper moves these days!

  4. Hi! Just a quick word to say that I really appreciate your work on TenFourFox. I am currently using it on a 2 ghz iMac G5. Thank you!

  5. Works pretty good on my Leopard G5 2.3 DC 12GB 7800GT. While testing in Vimeo 720p was usually pretty watchable, depending on the video content and editing style. Of course at 720p the CPU was totally pegged. At 540p playback was generally great and relieved some of the CPU spike, though I still noticed an occasional dropped frame on some videos. 480p video was super smooth and easy for the machine to handle while I multitasked.

