Firefox 41+ extension signing

In the never-ending quest for browser security, Firefox has started implementing safeguards to only allow signed extensions. I found this out after upgrading to Firefox 41 as my installed version of “Deque FireEyes” stopped working. Thankfully, there is a workaround in Firefox 41, but it goes away in Firefox 42.

  • Firefox 40: warning only!
  • Firefox 41: workaround, via:

    xpinstall.signatures.required = false
  • Firefox 42: BLOCKED! unless signed


Website testing with SortSite

SortSite is a popular desktop application for testing web applications for broken links, browser compatibility, accessibility and common spelling errors. It is also available as a web application known as “OnDemand”.

You can generate a free sample test of your website at:


Deque FireEyes accessibility testing plugin

I’ve done a lot of accessibility testing and development work over my career. One of the many free tools that I use in that role is FireEyes. Deque also has some commercial packages for developer use.

FireEyes adds a new tab on the Firebug tab bar and adds the ability to analyze a web site for WCAG 2.0 Level A and AA and Section 508 accessibility violations. The Stand-Alone version of FireEyes is a plugin for the Firefox browser. It requires that the Firebug plugin already be installed.


  • Firefox 31-41

    As of 2015aug21, the current version of the extension is NOT signed and will not execute on later versions. [See my later post on this topic]

  • FireBug 2.x – Do NOT install Firebug v3 alpha as the tab will not show.

NOTE: should be on Firebug tab labeled “Worldspace Fireyes”, but does not seem to be available in Firebug3.

NOTE: if you try to download in MSIE, you must rename the .zip to .xpi, and then open with Firefox.


HTML4 script defer

This HTML4 attribute was intended to defer/delay execution of specific JavaScript code until after the page is rendered. In theory, this makes the website “appear” faster as the functions relevant to the User-Interface can be executed before other “background” processes that would otherwise block the screen from displaying.

<script defer="defer" src="example.js"></script>

NOTE: Do not use defer for external scripts that might depend on each other if you need to support MSIE9 and earlier.


Java User-Agent detector and caching

It’s often important for a server side application to understand the client platform. There are two common methods used for this.

  1. On the client itself, “capabilities” can be tested.
  2. Unfortunately, the server cannot easily test these, and as such must usually rely upon the HTTP Header information, notably “User-Agent”.

A User-Agent for a common desktop browser might typically look like the example below; developers can usually determine the platform from it without a lot of work.

"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"

Determining robots and mobile platforms is, unfortunately, a lot more difficult due to the variations. Libraries such as those described below simplify this work, as standard Java objects expose the attributes that are commonly expected.

With Maven, the dependencies are all resolved with the following POM addition:


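/* Get an UserAgentStringParser and analyze the requesting client */
final UserAgentStringParser parser = UADetectorServiceFactory.getResourceModuleParser();
final ReadableUserAgent agent = parser.parse(request.getHeader("User-Agent"));

/* Report the detected browser name and operating system name */
out.append("You're a '");
out.append(agent.getName());
out.append("' on '");
out.append(agent.getOperatingSystem().getName());
out.append("'!");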

As indicated in the website documentation, running this query for each request uses valuable server resources, so it’s best to cache the responses to minimize the impact!

NOTE: the website caching example is hard to copy-paste; here’s a cleaner copy.

package com.example.cache;

import java.util.concurrent.TimeUnit;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;

import net.sf.uadetector.ReadableUserAgent;
import net.sf.uadetector.UserAgentStringParser;
import net.sf.uadetector.service.UADetectorServiceFactory;

/**
 * Caching User Agent parser
 * @see
 * @author Scott Fredrickson [skotfred]
 * @since 2015jan28
 * @version 2015jan28
 */
public final class CachedUserAgentStringParser implements UserAgentStringParser {

    private final UserAgentStringParser parser = UADetectorServiceFactory.getCachingAndUpdatingParser();
    private static final int CACHE_MAX_SIZE = 100;
    private static final int CACHE_MAX_HOURS = 2;
    /** Limited to 100 elements for 2 hours! */
    private final Cache<String, ReadableUserAgent> cache = CacheBuilder.newBuilder().maximumSize(CACHE_MAX_SIZE).expireAfterWrite(CACHE_MAX_HOURS, TimeUnit.HOURS).build();

    /** @return {@code String} */
    @Override
    public String getDataVersion() {
        return parser.getDataVersion();
    }

    /**
     * @param userAgentString {@code String}
     * @return {@link ReadableUserAgent}
     */
    @Override
    public ReadableUserAgent parse(final String userAgentString) {
        // Guava caches reject null keys, so check for a missing User-Agent header before calling
        ReadableUserAgent result = cache.getIfPresent(userAgentString);
        if (result == null) {
            result = parser.parse(userAgentString);
            cache.put(userAgentString, result);
        }
        return result;
    }

    /** Shuts down the wrapped parser. */
    @Override
    public void shutdown() {
        parser.shutdown();
    }
}


Take and save a screenshot capture with Selenium

As I recently discussed Selenium, it might be useful to know how to take screen captures during tests. I’ve found that putting the function into a java method makes usage a LOT easier… here are the relevant code bits (obviously this will not run on its own). Feel free to expand on it as needed as this is just a stub.

import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FileUtils;
import org.openqa.selenium.OutputType;
import org.openqa.selenium.TakesScreenshot;
import org.openqa.selenium.WebDriver;

/**
 * @param driver {@code WebDriver}
 * @param suffix {@code String}
 */
protected static void takeScreenshot(final WebDriver driver, final String suffix){
    final String fn = "takeScreenshot("+ driver.getCurrentUrl() +","+suffix+")";
    // suffix becomes part of the path: pass fixed test names, not page-derived text
    final String filename = "/tmp/screenshot_" + suffix + ".png";

    // LOGGER is the enclosing class's SLF4J-style logger (not shown here)
    LOGGER.debug("takeScreenshot("+ driver.getCurrentUrl() +","+filename+")");
    try {
        final File scrFile = ((TakesScreenshot)driver).getScreenshotAs(OutputType.FILE);
        // Now you can do whatever you need to do with it, for example copy somewhere
        FileUtils.copyFile(scrFile, new File(filename));
        LOGGER.debug("[EXEC] {} {}",filename, fn);
    }
    catch(final IOException ex){
        LOGGER.error("{} failed", fn, ex);
    }
}


Some other helpful Selenium methods

Here are a few other helpful functions for use in Selenium testing scripts, as you often need to click links, fill in fields, and submit forms.

import java.util.List;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebDriverException;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.WebDriverWait;

/**
 * @param driver
 * @param name
 * @return
 */
public static WebElement findElementByName(final WebDriver driver, final String name){
    final By el = By.name(name);
    final WebElement wel = driver.findElement(el);
    return wel;
}
/**
 * @param driver
 * @param name
 * @param value
 */
public static void sendKeysByFieldName(final WebDriver driver, final String name, final String value){
    final WebElement wel = findElementByName(driver, name);
    wel.sendKeys(value);
}
/**
 * @param driver
 * @param xpath
 */
public static void clickByXpath(final WebDriver driver, final String xpath){
    final By el = By.xpath(xpath);
    //"el is {}", el);
    final WebElement wel = driver.findElement(el);
    wel.click();
}
/**
 * @param driver
 * @param linktext
 */
public static void waitToClickLinkText(final WebDriver driver, final String linktext){
    // waits up to 10 seconds for the link to become clickable
    final WebDriverWait wait = new WebDriverWait(driver, 10);
    final By el = By.linkText(linktext);
    wait.until(ExpectedConditions.elementToBeClickable(el));
    final WebElement wel = driver.findElement(el);
    wel.click();
}
/**
 * @param driver
 * @param text
 * @return
 */
public boolean pageContainsText(final WebDriver driver, final String text){
    // text is concatenated into a single-quoted XPath literal: a value containing
    // a single quote breaks the expression, so pass only fixed, quote-free strings
    final String xpathExpression = "//*[contains(text(),'" + text + "')]";
    final List<WebElement> list = driver.findElements(By.xpath(xpathExpression));
    return list.size() > 0;
}

Poodle.. or rather, what’s all the fuss with SSLv3

The “Poodle” attack on websites and browsers was all over the media a few weeks ago, following in the shadow of Heartbleed.

Here’s what most users need to know… This is a vulnerability that exists in secure internet communication because…

  1. While most newer systems rely on TLS security, they still support older protocols (SSLv3 in particular for this issue)
  2. As secure communications generally attempt to find a “common” method, they will often “drop down” to older supported versions (even if they are now often considered insecure!)
  3. Most browser and server software (unless recently patched) will allow for this “drop down” in security.
  4. Most software provides a mechanism to disable this by the user or in configuration.
  5. Upgrading your software will usually remove these “problematic” vulnerabilities.

Simply put… for a consumer, it’s best to upgrade to a newer browser or find the appropriate configuration to disable SSLv3 if you are unable to upgrade. Server administrators generally should update their software on a regular basis for security items such as this one!

NOTE: Many CDNs such as CloudFlare are proactive and block this vulnerability.

Technical details on the Poodle vulnerability (if you’re into that sort of thing!):

Instructions here are for Apache HTTPd 2.2.23 and newer; other servers will require a similar change:

  1. sudo vi /etc/apache2/mods-enabled/ssl.conf
  2. Change the following line from:
    SSLProtocol All -SSLv2
    to:
    SSLProtocol All -SSLv2 -SSLv3
  3. sudo service apache2 reload
  4. sudo service apache2 restart
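
One way to confirm that step 2 took effect in every file that sets the directive, as an added example that is not part of the original post. It reads SSLProtocol the way the steps above do (All includes SSLv3 unless -SSLv3 follows); the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag SSLProtocol directives
# that still leave SSLv3 enabled, using the directive forms shown above.

# sslv3_state FILE: print "<line> enabled|disabled <directive>" for each
# SSLProtocol directive found in FILE (commented-out lines are ignored).
sslv3_state() {
    awk '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        tolower(line) ~ /^sslprotocol[ \t]/ {
            n = split(line, tok, /[ \t]+/)
            on = 0
            for (i = 2; i <= n; i++) {          # tokens apply left to right
                t = tolower(tok[i])
                if (t == "all" || t == "+all" || t == "sslv3" || t == "+sslv3") on = 1
                else if (t == "-all" || t == "-sslv3") on = 0
            }
            printf "%d %s %s\n", NR, (on ? "enabled" : "disabled"), line
        }
    ' "$1"
}

# audit_sslv3 FILE: exit 0 only when FILE has SSLProtocol directives and
# every one of them excludes SSLv3; 1 if any enables it; 2 if none found.
audit_sslv3() {
    report=$(sslv3_state "$1")
    [ -n "$report" ] || return 2
    printf '%s\n' "$report"
    printf '%s\n' "$report" | awk '$2 == "enabled" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample input: a corrected global line plus a virtual host
# that still carries the old value and would keep SSLv3 available.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost *:443>
    # SSLProtocol All
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
audit_sslv3 "$sample" || echo "SSLv3 is still enabled somewhere in $sample"
rm -f "$sample"
```

Run audit_sslv3 against ssl.conf and each enabled site file, since a virtual host can carry its own SSLProtocol line.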

Can be tested at the following websites:


“msapplication-config” and browserconfig.xml

Windows-8/MSIE-11 introduced Tiles; as a result, server administrators may have started seeing HTTP 404 errors in their server logs as the browser looks for a “browserconfig.xml” file at the root of a website domain. If you are inclined to use this file, you should definitely look into the documentation for how to best make use of it. Others may just wish to prevent the error from making “noise” in their log files.

To remove the error, add the following to your pages; alternately you COULD define the URL of your file as the ‘content’ attribute:

<meta name="msapplication-config" content="none" />

You can alternately place an empty /browserconfig.xml on your web server for each domain.

A common example of how to use this file is below:

<?xml version="1.0" encoding="utf-8"?>
<browserconfig>
  <msapplication>
    <tile>
      <square70x70logo src="/mstile-70x70.png"/>
      <square150x150logo src="/mstile-150x150.png"/>
      <wide310x150logo src="/mstile-310x150.png"/>
      <square310x310logo src="/mstile-310x310.png"/>
      <TileImage src="/mstile-150x150.png" />
    </tile>
  </msapplication>
</browserconfig>


Install free “recognized” SSL certificates for Apache2

Once you have your server running with a self-signed certificate you might find it useful to have a “real” certificate that does not warn users.

Many of the CAs provide test certificates that are generally valid for 30-60 days; I’ve recently discovered StartSSL, which generates free certificates that are valid for a full year.

  1. Generating keys and certificates….

    NOTE: this process is rather involved and is documented better elsewhere, here’s what I needed to remember to get the keys and certificates.

    • save ssl.key (private)
    • save ssl.crt (pem encoded)
    • get file from control panel:
  2. Make sure that you move all three files to the /etc/apache2/ssl/ folder on the server.
  3. Edit the config file…
    sudo vi /etc/apache2/sites-available/default-ssl.conf

    Modify the values related to the keys and certs…

    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
    SSLCertificateChainFile /etc/apache2/ssl/

  4. Reload the config and restart…

    sudo service apache2 reload
    sudo service apache2 restart
  5. Test it out…
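
A check worth running between steps 3 and 4, as an added example that is not part of the original post: it confirms that ssl.crt and ssl.key belong together and that the key file is closed to other users. The function names and the throwaway example.test pair are constructed for illustration, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the original post): check that ssl.crt and ssl.key
# belong together and that the key file is closed to group and others.

# key_matches_cert CERT KEY: exit 0 when both files carry the same public key,
# 1 when they differ, 2 when either file cannot be read or parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY: exit 0 when the mode grants nothing to group or others.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# check_pair CERT KEY: print each finding; the exit status is the number found.
check_pair() {
    problems=0
    key_matches_cert "$1" "$2" ||
        { echo "MISMATCH: $2 does not match $1 (or a file is unreadable)"; problems=$((problems + 1)); }
    key_is_private "$2" ||
        { echo "PERMS: $2 is accessible to group or others"; problems=$((problems + 1)); }
    return "$problems"
}

# make_demo_pair DIR: constructed sample input, a throwaway self-signed pair.
make_demo_pair() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
          -keyout "$1/ssl.key" -out "$1/ssl.crt" 2>/dev/null )
}

# Demo on the constructed pair; on the server, point check_pair at the
# SSLCertificateFile and SSLCertificateKeyFile paths from step 3 instead.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_pair "$demo" && check_pair "$demo/ssl.crt" "$demo/ssl.key" && echo "pair OK"
    rm -rf "$demo"
fi
```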