Recap: The method I used to prevent access from web pages to the content of the notes does not work in Firefox 4 (but it does in Firefox 3.6).
I wrote to the security mailing list and this seems to be a bug in Firefox 4. I filed a bug report.
As I have to start writing my master's thesis soon, I will have less time for the add-on. But of course I won't put development on hold completely. Here is a list of things I'm planning to implement next:
- Localization for Italian, French and Spanish
- Import and export functionality
- Specifying the location of the database file
- The possibility to show notes in the sidebar and not in the page
- Search from the sidebar
and of course bug fixes, bug fixes and bug fixes.
We just uploaded version 0.7.0.3 (it might take some time until the new version is approved), which does not contain any new features, but fixes a security hole:
As the notes are added directly to the website, it theoretically can access the content of the notes. While such a scenario might seem unlikely, it is a potential threat.
There are several possible solutions:
1. The most secure solution is to not add the notes to the website, but to the browser, and only lay them out on top of the website.
This is how Internote is doing it and I have to say, they did a pretty good job. Unfortunately it is not that easy to do so, as the internal structure of the Firefox UI seems to be different for different operating systems (Windows, Mac OS X, Linux). But I experienced some usability issues on Mac OS X, like flickering of the notes when scrolling and problems with dragging the notes.
2. Add the notes to the website, but protect the content from being accessed. This solution is "less secure" in a sense that a website could still detect whether you added notes, but it cannot read the contents anymore. It cannot get more information than how many notes you created.
We decided to take this approach as it was much easier to implement in a shorter time. The content of the notes is now loaded into iframes, which, due to the same-origin policy, can't be accessed by the parent page.
Unfortunately, it seems that Firefox 4 contains a bug which does not respect the same-origin policy. But we will follow this issue.
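A regression check for the iframe isolation described above, as an added example that is not the add-on's own code: it probes each note frame from the embedding page's side and reports whether any of them is readable, which is the failure the Firefox 4 behaviour would produce. The `iframe.note-frame` selector, the function names and the mock objects are assumptions constructed for illustration.

```javascript
// Probe one frame through both DOM paths a page can use to reach its document.
// For an isolated (cross-origin) frame, contentDocument is null and
// contentWindow.document throws a SecurityError.
function frameIsReadable(frame) {
  let doc = null;
  try { doc = frame.contentDocument; } catch (e) { /* access blocked */ }
  if (!doc) {
    try {
      doc = frame.contentWindow ? frame.contentWindow.document : null;
    } catch (e) { /* access blocked */ }
  }
  return Boolean(doc);
}

// Audit every note frame in `doc`. The page can always learn noteCount
// (the residual leak the post accepts); `readable` must stay at 0.
function auditNoteFrames(doc, selector = "iframe.note-frame") {
  const frames = Array.from(doc.querySelectorAll(selector));
  const readable = frames.filter(frameIsReadable).length;
  return { noteCount: frames.length, readable, isolated: readable === 0 };
}

// Constructed stand-ins for DOM frames so the check also runs outside a browser.
function mockFrame(isolated) {
  const fakeDoc = { body: { textContent: "constructed note text" } };
  return {
    contentDocument: isolated ? null : fakeDoc,
    get contentWindow() {
      return {
        get document() {
          if (isolated) throw new Error("SecurityError (constructed)");
          return fakeDoc;
        },
      };
    },
  };
}
const mockDocument = (frames) => ({ querySelectorAll: () => frames });

// In a browser, pass the real `document`; elsewhere, run against the mocks.
const target = typeof document !== "undefined"
  ? document
  : mockDocument([mockFrame(true), mockFrame(false)]);
console.log(auditNoteFrames(target));
```

Run in a test page that contains notes, a result with `isolated: false` means the browser is letting the page reach the note documents.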
Synchronization is currently broken. I'm working on that but I would like to address also one or two other issues before I create a new version. But there will be a new version in the next couple of days, so stay tuned!
Sometimes, things go quite fast. Synchronization should work again now as of version 0.7.0.2.