Blog Posts

The short happy life of the Breached extension


In October 2017, Troy Hunt of Have I Been Pwned held a contest inviting people to do something cool with the HIBP API. I decided a) that I would kind of like the special edition ThinkPad he was giving away, and b) that I could probably whip something up pretty quickly.

I decided to create a browser extension that would simply pull HIBP breach information and show a browser notification – with the ability to view extra info – when the user visited a site that had been breached. And so was born the Breached extension. (Spoiler: I didn’t win.)

For non-technical readers: A “breach”, in this context, is when a hacker obtains the user database of a website. A breach generally includes email addresses, passwords (in some form), maybe credit cards, and other stuff you don’t want a hacker to have. So “breach information” about...


Markdown Here: Splitting the Firefox and Thunderbird Extension


[This started as notes to myself to help clarify the problem and solution. It’s probably more suited to a GitHub issue than a blog post, and it may get copied into one.]

The story so far

The Firefox and Thunderbird versions of Markdown Here both used nearly the same code – an old-style XUL extension. Tb is only capable of using a XUL extension, while Fx supports at least three extension types: XUL-based, Add-on SDK (aka Jetpack, aka jpm), and WebExtensions. WebExtensions is the newest, and is essentially an implementation of Chrome’s extension API.

I’ve kept my eye on WebExtensions because it’s tempting to be able to use identical code across the many major browsers: Chrome, Firefox, Opera, and Edge(?). It seemed premature to do any real work towards using it as it’s not yet fully released, and there would be no perceived benefit to...


Android Non-Vulnerability: Steal a Device and Keep it Unlocked


While poking around in my Android phone’s developer options, I realized that if you steal a phone that’s currently unlocked because it’s in a “trusted place”, then you can force it to remain unlocked forever. (And then I got schooled about that not being a problem.)

Security Feature: Smart Lock with Trusted Places

Android’s Smart Lock allows users to configure conditions under which to keep the phone unlocked. One of the conditions is location – you can set trusted locations where your phone shouldn’t prompt for a PIN/pattern/password when unlocking.

This is a pretty great feature. It’s difficult to convince people that the security gained by using a PIN outweighs the inconvenience of constantly entering it. Smart Lock helps mitigate the inconvenience by not requiring the user to constantly enter the PIN at home or at the office.

Developer Feature: Mock Location

If you’re developing a location-aware...


Why and How to Use a Contributor License Agreement


Background and Motivation

I received a pull request for Markdown Here that was great: it found a bug, fixed it, and included tests for the fix. However, the PR submitter didn’t write the tests using the existing framework, so I figured I’d massage his test code into the proper form.

And then I noticed that he included a copyright line in the test file. It says “MIT License”, which is the license used for the rest of the project, but that got me thinking about what that might mean…

Wikipedia suggests that the MIT License would require me to include his copyright+license notice wherever I use his code. Not a big deal, but annoying. And maybe a slippery slope – what if I get a bunch more code submissions?

So I did some research into “Contributor License Agreements” and found that there are a couple more...


Test post: Markdown Here in Disqus


This is just a stub test post to allow me to try out Markdown Here in Disqus comments.

Right now MDH won’t work with Disqus in Chrome because of cross-origin restrictions. See:

Update: The Disqus edit box is contenteditable, and MDH will render in it, but all formatting seems to get stripped out when you actually post the comment. Seems like the rich-edit-ness is probably just to support Disqus’s add-an-image feature.


Safari Extensions Gallery: half-baked


Trying to get Markdown Here listed in the Safari Extensions Gallery is by far the worst browser extension “store” experience I’ve had so far. Shockingly bad.

No hosting

First of all, but least of all: There’s no hosting. Unlike the Chrome and Mozilla stores, the Safari store doesn’t host the extension for you – it’s really more of a listing of links to wherever you host your extension files. That’s not terrible, but:

  • It’s costing me a little bit of money each month to host them.
  • I don’t get nice install/usage stats like I do with Chrome and Mozilla.

No communication

Submitting the extension was basically the same as everywhere else. But this is the confirmation email:

Dear Adam Pritchard, Thank you for submitting your Safari Extension. Apple reviews all submissions and reserves the right to omit, edit, or reject any submission....


No One Knows to Click on a Page Action


Page actions – the buttons in a browser’s address bar – are a surprising UI failure.

When adding a button for a browser extension, a choice must be made whether to make it a “page action” or a “browser action” (button on the toolbar). But browsers have failed to communicate the interactiveness of page actions, and almost no one – techy or layman – realizes that they’re clickable.

To complement the context menu item and hotkey, and to fulfil a user feature request, I decided to add a button to the Markdown Here browser extension. It turned out that simply deciding where to put the button was a big part of the effort…

Page Action vs. Browser Action

I’m going to use the Chrome extension development terminology:

Page actions... are the buttons and status indicators located in the address/omni/awesome bar. (See pageAction API...