ForceCORS Workaround

June 2, 2014, 5:49 p.m.

The latest Firefox no longer has an add-on bar which also caused the ForceCORS button to disappear. Github user lissyx was quick to fork it and rewrite the extension to fit the new Mozilla SDK but as we tried to submit the update to the Mozilla add-on site it got rejected due to security considerations. I'll now try to find a way to bring it back to the official add-on site by making a few changes requested by Mozilla but until then, here's a workaround:

Download the Addon Bar addon

Since a lot of people miss the add-on bar, a new add-on called the addon bar (restored) brings back the add-on bar : ) If you add this add-on, the ForceCORS button becomes visible again without configuration. You can use the customize menu to move the button elsewhere but you need to keep this addon installed to keep it there.

Install ForceCORS manually

If you've lost the ForceCORS extension after it was removed from the Mozilla add-on site, you can re-install it manually by downloading the XPI-file here and then opening it in Firefox.

Thanks everyone for reporting and discussing the issues - please continue to do so here. I'll try to get it back to an official add-on as soon as I can.

Expanding My Horizon

May 18, 2013, 6:57 p.m.

It's been a while since I last blogged on my blog. One of the many things I've been up to recently is learning how to fly. As a member of a local aeroclub I can now take an airplane to the sky and literally expand my horizon!

To find out exactly how much expandin' is really possible, I hacked together some Javascript that allows me to enter different cruise speeds (in knots) and endurances (in hours) and overlays it on Google Maps. Here's a screenshot:

range screenshot

Needless to say this is a very rough estimate as it doesn't take any air space restrictions, terrain, weather, climbs or descents into consideration, but it's still fun to enter different aircraft's performance characteristics and imagine where they would take me :)

Try it out!

This was the first time I used the Google Maps API and I have to say that it is really simple and easy to use. It works well and the documentation is good.

Taking Notes

Dec. 17, 2011, 9:05 p.m.

Something I never did as a student was taking notes. I just didn't think it was cool. But things change and I now take a lot of notes. Most of them I take at work during meetings, interviews, trainings etc but my notebook is also full of spontaneous ideas, scribbles, numbers, code snippets, stack traces, quotes and other things.

Obviously I don't carry around a pen and something made out of paper all day long. I type fast enough to protect the trees and read and write my notes digitally. When I started digital note-taking, I looked at evernote and its type of software and was shocked by the feature overload in some of these tools.

Here's what I need from a note-taking application:

  • a (big) plaintextbox to enter my note
  • store a timestamp for each note
  • tags
  • search

That's it. No video, no Facebook, no Foursquare, no Twitter. Google Notebook called tags 'labels' and had richtext but was otherwise exactly what I wanted. It also worked on every device that supported HTML and I used it every single day. And then this happened:


This sucked. I guess when a Google application gets less than five million users they say "noone is using this" and just turn it off. And sure enough it was in read-only mode a few days later. Coming back from #gdd11, I decided to give the Google App Engine a try and implemented my own notebook within a few hours:


Nothing fancy but it does everything Google Notebook did for me. It works and I've used it every day since. Feel free to use it with your own Google account:

Also, the codez are on github, in case you need another GAE sample :)

A Memory Leak brought to you by XmlSerializer

Oct. 26, 2011, 6:16 p.m.

We ran into an interesting memory leak the other day. When one of my colleagues analyzed the memory dump from production, he saw an unusual amount of types in *.GeneratedAssembly.* namespaces, one instance each:

0:007> !dumpheap -stat
              MT    Count    TotalSize Class Name
000007ff0024da98        1           24 System.Xml.Serialization.TempAssemblyCache
000007ff002474f8        1           24 System.Xml.Serialization.Configuration.RootedPathValidator
000007ff00441d98        1           40 Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializerContract
000007ff004412c8        1           40 Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializerContract
000007ff004407f8        1           40 Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializerContract
000007ff003ef9b0        1           40 Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializerContract
000007ff003eeee0        1           40 Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializerContract
... and more

He also found the method XmlSerializer.GenerateTempAssembly in call stacks and soon thereafter the explanation online:

To increase performance, the XML serialization infrastructure dynamically generates assemblies to serialize and deserialize specified types. The infrastructure finds and reuses those assemblies. This behavior occurs only when using the following constructors:


XmlSerializer.XmlSerializer(Type, String)

If you use any of the other constructors, multiple versions of the same assembly are generated and never unloaded, which results in a memory leak and poor performance. The easiest solution is to use one of the previously mentioned two constructors. Otherwise, you must cache the assemblies in a Hashtable, as shown in the following example.

from MSDN

Turned out we were (indirectly) using one of the XmlSerializer constructors that cause this documented memory leak. This also popped up in many other places online and can be easily reproduced with a few lines of code:

public class Brick { }

    var s = new XmlSerializer(typeof(Brick), new Type[] {});
    s.Serialize(Stream.Null, new Brick { });

Isn't that some very fine memory leaking code? Not only is it eating up memory, it is also generating, loading (and deleting) *.dll files in your temp-path (e.g. C:\Users\josef\AppData\Local\Temp) and is therefore incredibly slow. The Hanselman already taught us how we can make the generated code visible:

<?xml version="1.0" encoding="utf-8" ?>
         <add name="XmlSerialization.Compilation" value="1" />

With this switch set to 1, the C# code for each generated assembly will be written into *.cs files so if you run the code above, your temp-dir will be flooded:

C:\Users\josef\AppData\Local\Temp>dir *.cs
 Volume in drive C has no label.
 Volume Serial Number is ####-####

 Directory of C:\Users\josef\AppData\Local\Temp

10/26/2011  05:11 PM             9,260 0r2upaee.0.cs
10/26/2011  05:11 PM             9,260 0wvlt0sz.0.cs
10/26/2011  05:11 PM             9,260 12x20ris.0.cs
10/26/2011  05:11 PM             9,260 1bsq04ge.0.cs
10/26/2011  05:11 PM             9,260 1wvkuolg.0.cs
10/26/2011  05:11 PM             9,260 1y4yyetd.0.cs
10/26/2011  05:11 PM             9,260 20yixjrc.0.cs
10/26/2011  05:11 PM             9,243 23qz4yru.0.cs
10/26/2011  05:11 PM             9,260 2vt3hznp.0.cs
         101 File(s)        926,038 bytes
           0 Dir(s)  91,353,591,808 bytes free

The recommended way to get around this issue is to use one of the two safe constructors (see above) if you can, or cache the XmlSerializer instances by yourself. We went for the latter.

Force CORS Firefox Extension

Aug. 1, 2011, 2:05 a.m.

I've created a very simple extension for Firefox that adds the Cross Origin Resource Sharing (CORS) Access-Control- HTTP headers to all responses before they're processed by the browser. This essentially disables the browser's same origin policy and allows cross domain calls even if the web server does not support CORS.

The default setting adds the following headers to every response:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST

This can be customized in the forcecors.headers setting via about:config, the values are separated by spaces (and yes, you may add arbitrary, cors-unrelated headers :).

Force CORS is going to be very helpful for my numerous Javascript/HTML5 hacks (diagnostic scripts, little helpers, mashups, etc.) that load data from websites I don't control :)

The code is available on github, feel free to fork it.

And here's the link to Mozilla's "AMO":

Oh, and a warning: Force CORS circumvents the browser's same origin policy, so be careful (i.e. don't use it if you don't know what you're doing).


There's a problem with the Mozilla add-on site.