FFClickOnce

A Firefox extension for running .NET ClickOnce applications

Author: James Dobson
Contact: dobson@softwarepunk.com
Date: 2007-04-13 (Documentation last updated)
Version: 0.6 (FFClickOnce version to which this document applies)

News

(2007-04-13)

Version 0.6 of FFClickOnce is now avaible at the Mozilla Addons site! This new release adds localization support, as well as translations for several major languages.

I am amazed by the speed at which it was approved. I'm not sure if I was just lucky this time, or if the new Mozilla Addons site somehow offers a streamlined review process. Regardless, I am quite happy that this release was approved so soon after being submitted.

As far as the installation problem that I mentioned on April 10th goes, it was rectified for version 0.5 a couple days ago. For interest's sake, you can see more information about the hasing problem at Mozilla Bug 345505 (https://bugzilla.mozilla.org/show_bug.cgi?id=345505).

(2007-04-10)

It has come to my attention recently that the version of FFClickOnce on the Mozilla Addons Site won't install automatically due to a hash validation error. I'm guessing that the hash value of the extension in the Mozilla Addons database has gotten corrupted somehow. To fix this, I am going to submit version 0.6 of FFClickOnce to the Mozilla Addons site today. I'm hoping that doing this will force the site to recompute the hash code.

Also, version 0.6 of FFClickOnce finally includes some localizations, courtesy of the kind folks at Babelzilla:

  • fr-FR (by Jean-Bernard Marcon)
  • it-IT (by Martino T)
  • nl-NL (by markh)
  • es-ES (by chuzo)

I have also done my best to translate into zh-CN and zh-TW, though my Chinese is only rudimentary, especially when it comes to technical words.

For more comprehensive information, please see the testing document for FFClickOnce. It is primarily intended for people testing the extension, though I believe that a user could read it and get a good idea of how to use this extension.

Old News

Older news items about FFClickOnce can be found in the FFClickOnce News Archive.

Purpose

FFClickOnce lets you run .NET ClickOnce applications from Firefox.

ClickOnce applications are launched from a link to a ".application" file. When a user clicks on this kind of link, Firefox downloads the file to a temporary directory and runs it locally. This causes the ClickOnce launch process to fail.

This problem is documented on several websites:

Solution

FFClickOnce is a Firefox extension that adds an extra option when you click on a link to a ClickOnce application, as in the following pictures:

ffox-clickonce.png

The dialog that appears in Firefox versions 2.0 and earlier
confirm-window-ff2.0.0.1.png

The dialog that appears in Firefox versions 2.0.0.1 and later.

I realize that, with this method, users have to click more than once to run their "ClickOnce" software, but I feel very uneasy about the security implications of being able to instantly run software downloaded from the web. I feel that users should be informed that the link they have clicked on is a ClickOnce link, and that they should be given an option to cancel the operation, if they wish. The present scheme accomplishes that.

Tip

Versions 0.3 and up let you run a ClickOnce application immediately, without having to go through this extra step. To enable this feature:

  1. choose "Add-ons" (or "Extensions", if using Firefox 1.5) from the "Tools" menu in Firefox.
  2. click on the FFClickOnce extension.
  3. click on the "Options" button. The FFClickOnce options window should appear.
  4. check the box that says "Don't prompt before running application"
  5. press "OK"; FFClickOnce will now launch an application as soon as you click on its link.

Installation

FFClickOnce v0.6 is available on the FFClickOnce page at the Mozilla Addons Site. This is the recommended way of getting FFClickOnce.

After installation, as a quick check to make sure that it works, try the sample ClickOnce application at http://www.softwarepunk.com/clickonce/tester/deploy/publish.htm

For more comprehensive information, I have created a testing document for FFClickOnce. It is primarily intended for people testing the extension, though I believe that a user could read it and get a good idea of how to use this extension.

Implementation Details

When you use FFClickOnce to run a ClickOnce application, it takes the URL and executes the following command:

%SystemRoot%\system32\rundll32.exe dfshim.dll,ShOpenVerbApplication The_URL_goes_here

Version 0.3 of FFClickOnce also tries to figure out which versions of the .NET Framework are installed on your computer. It does this by following the advice in http://support.microsoft.com/kb/318785, which tells us to look in the directory:

%SystemRoot%\Microsoft.NET\Framework

for subdirectories named "vN.N.NXXXX". There should be one of these directories for each of the .NET Framework versions installed on the computer.

Note

There have been reports that a release of version 3.0 of the .NET CLR breaks this convention and creates a directory named "v3.0", without the extended version number. Until I get an idea of how common this is, I won't detect Framework versions that are missing the extended version number.

In addition to figuring out which versions of the .NET Framework are installed, version 0.3 of FFClickOnce also reports that information to the webserver. It does so by altering Firefox's user agent string. The default Firefox user agent string is:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060321 Firefox/2.0a1

Notice that this string has no information about which versions of the .NET Framework are installed. Now, here is an Internet Explorer user agent string:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

This user agent string indicates that there are two versions of the .NET Framework installed. If FFClickOnce were installed on a machine with these two versions of the .NET Framework, it would change the Firefox user agent string to:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Gecko/20060321 Firefox/2.0a1

Unfortunately, this behaviour can cause the Java plugin (and possibly other plugins as well) to crash. This is due to a programming error, either in Firefox itself or the Java plugin, that limits Firefox's user agent string to 127 characters (plus a null terminator, I presume). When a user agent string exceeds this amount , it can cause the plugin loading process to fail. This is a bug in Firefox and its plugins. There is a bug report with more information at: https://bugzilla.mozilla.org/show_bug.cgi?id=328778

As of my latest testing, Firefox 1.5.0.4 crashes completely due to this bug. So does Firefox 2.0.0.1.

To avoid these bugs, FFClickOnce v0.4 will only include the version of the .NET Framework with the highest version number. Also, I have included an additional safety feature in the extension that stops FFClickOnce from changing the user agent string, if so doing will push the string length over the limit. The user will be informed if this happens. So, the user agent string in, for example Firefox 2.0.0.1, would be:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1; .NET CLR 2.0.50727) Gecko/20061204 Firefox/2.0.0.1

This action may not actually bring the user agent string below 127 characters, as other extensions may be adding to its length. However, once this feature has kicked in, it can be said that FFClickOnce is no longer contributing to the problem.

Note

Many publish.htm pages check only that a 2.x version of the Framework is reported in the User Agent string. Due to the fact that I can only fit one version of the Framework in the User Agent string safely, people who have version 3 of the Framework installed will likely not see the correct publish.htm page.

URL parameters, a feature of ClickOnce, should also work with FFClickOnce. For example, try the following test: http://www.softwarepunk.com/clickonce/tester/deploy/ClickOnceTester.application?x=abc&y=def

Security Implications

FFClickOnce runs applications downloaded from the internet, and does not do any special security checks. You should always be careful when running something that you downloaded from the internet.

Other Solutions

There is a different solution at http://channel9.msdn.com/ShowPost.aspx?PostID=138879. It is intended to be used by software developers when they are packaging their applications.

License

This software is licensed under the "MIT License", available from: http://www.opensource.org/licenses/mit-license.php. Here is the text of the license:

Copyright (c) 2006 James Dobson

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

The source code for this software can be accessed by running an "unzip" program on the .xpi extension file.