
Simon Willison’s Weblog

Recent comments

  1. On Announcing dmigrations:

    Dude, looks really cool!

    Alexander - 12th October 2008 15:54 - #

  2. On XHTML - myths and reality:

    Mike, there's no "simplified syntax and parser support" when you serve XHTML as text/html. The point about DTDs is that XML DTDs do not support ancestor-descendant exclusions--only parent-child relationships.

    Interesting how the article uses the wrong name for the XHTML2 WG throughout.

    P.S. This comment form in the XHTML mode says "'ascii' codec can't encode character u'\u2019' in position 21: ordinal not in range(128)" when attempting to use proper punctuation.

    Henri Sivonen - 12th October 2008 11:26 - #

  3. On and now... Opera:

    I keep on coming back to Opera for general browsing (on Windows at least). It's just so very snappy, in a way Gecko-based browsers have never managed. It's often ahead of the curve on features, too - things like mouse gestures and page zoom have been in there forever, and Speed Dial is one of those simple additions that seems so obvious that you can't believe nobody did it before.

    The UI isn't great, though, and makes Opera difficult to switch to. There are about 4 major versions' worth of inconsistent UI features layered on top of one another, and there's way too much fiddly customisation possible. You can even still use it in MDI mode, a throwback to Opera's pre-millennial editions (context-click a tab and go to Arrange/Cascade). I think they need the courage to throw away the obscure cruft that bloats the interface, and go in a stripped-down direction like Chrome. Really I'd like them to jettison the mail and chat and widgets and feed reader too, like the Seamonkey-to-Firefox transition.

    Look forward to seeing where Hicks takes them, anyway.

    phl - 10th October 2008 12:19 - #

  4. On Get Lat Lon:

    Excellent work. Do you live in Kansas City? I live in KC. I am about to launch an alpha version and would like to visit. Send email to vstilw01@yahoo.com

    VStilwell - 10th October 2008 11:25 - #

  5. On Back to full-time employment:

    I would like to know why The Graun doesn't appear to use its own spelling/usage check on articles.

    For example recently it's had repeat Corrections about the spelling of Gandhi, another about Audrey Tautou, many other examples, plus words from its Style Guide which should get flagged up for checking.

    But it doesn't seem to learn from its mistakes, so I presume that there is no word checking going on, although I have noted this to both the current and previous Readers' Editors.

    Maybe a proper techie could point them in the right direction ...?!

    MikeW - 9th October 2008 12:01 - #

  6. On json-head:

    I'm curious--why did you implement this as a service instead of just a Javascript function to directly XHR and parse the headers?

    Braden Anderson - 8th October 2008 19:47 - #

  7. On Places to see in London (for geeks):

    The Noel Coward Theatre, now playing Avenue Q!

    Simon Reinhardt - 8th October 2008 17:06 - #

  8. On Places to see in London (for geeks):

    And any building containing an obscene amount of books and posting "deep void" signs would be high on any geek's agenda, so the British Library should definitely be on the list.

    Greenwich observatory (yes, on the list already) and Maritime Museum are good places. I especially liked the collection of old clocks and other navigation gear from the pre-GPS days. Too bad the Cutty Sark burned, though.

    I'd also suggest kind of 21st century public transport walkthrough: DLR to Canary Wharf (make sure to take the first compartment), go to the Canary Wharf tube station and take Jubilee line to Westminster station. It's definitely worth seeing, and a good way to end up near the Houses of Parliament.

    Kew Gardens. Especially in orchid season.

    And I have kind of a sweet spot for the Royal Albert Hall (and the BBC Proms). The Albert Memorial also gives an interesting insight into British mentality, especially when one remembers he was the king who requested that nothing too grandiose or pompous be built when he died.

    af - 8th October 2008 17:02 - #

  9. On Places to see in London (for geeks):

    The British Library has a fantastic gallery for typography geeks - IMHO, it's well worth the visit. They've got Gutenberg Bibles, a copy of the Magna Carta, plus all sorts of other pretty goodies.

    Russell Keith-Magee - 8th October 2008 16:10 - #

  10. On Dealing with UI redress vulnerabilities inherent to the current web:

    Almost forgot, 1.8.2 also provides a Frame Break Emulation feature, which honors frame busting on JavaScript-disabled pages where a frame busting statement is found in one of its top 5 script elements, hence the argument "NoScript makes you less safe" (which was already dubious because of the protections listed above) is now completely unjustified.

    Giorgio Maone - 7th October 2008 20:18 - #

  11. On Dealing with UI redress vulnerabilities inherent to the current web:

    Actually NoScript's IFRAME blocking is independent from JavaScript, therefore NoScript configured to block cross-site frames (Forbid IFRAME) gives full protection against ClickJacking in all Zalewski's scenarios. That said, the latest NoScript versions (1.8.2 and above) feature a new specific anti-clickjacking technology called ClearClick, working independently from iframe and plugin blocking. ClearClick prevents any UI interaction with embedded objects while they're partially obstructed or transparent, addressing all kinds of clickjacking, scriptless or not, iframe or plugin based. It's enabled by default on untrusted host pages (no matter if the embedded object is whitelisted or not), but can be easily configured to work on trusted host pages as well, and so far has not caused any usability issue; therefore the next stable release will likely ship ClearClick in the trusted+untrusted default configuration.

    Giorgio Maone - 7th October 2008 20:03 - #

  12. On XHTML - myths and reality:

    Meh. This seems like one person's diatribe to me. It is well thought out and well researched, but IMO some of the assumptions are false. In particular, the author assumes that your reason for serving XHTML is to take advantage of client-side XML validation and mixed namespaces. But I would argue that the simplified syntax and parser support for XHTML/XML is a good enough reason to make the switch. You aren't really losing anything by serving up XHTML as text/html vs. serving up HTML 4.01. And, as the author points out, doing so is standards compliant.

    Also, the stuff about HTML/SGML being superior because you can use DTDs to specify how elements can be nested is wrong. You can use DTDs to specify element nesting in XHTML/XML too, and a validating parser will tell you if you violate the DTD. Moreover, as the author pointed out, superior (more easily maintained, comprehensible, and less verbose) mechanisms are available for defining XML document types, like XML schemas.

    Mike Malone - 7th October 2008 19:00 - #

  13. On Comet works, and it's easier than you think:

    Or maybe, the complete code to test it now.

    Thanks again.

    Lautaro Fernández (again) - 7th October 2008 15:54 - #

  14. On Comet works, and it's easier than you think:

    Hi, in your slides you said that adding and removing the hidden iFrame will remove the loading icon and cursor in Firefox, but I can't make it work.

    Could you tell me which version of Firefox you were using at that time?

    Thanks in advance.

    Lautaro Fernández - 7th October 2008 15:53 - #

  15. On Clickjacking and NoScript:

    And as of just now, what they call 'Clearclick' technology, apparently protects against the whole thing. http://noscript.net/?ver=1.8.2&prev=1.8.1.3

    CiaranG - 7th October 2008 14:22 - #

  16. On Dealing with UI redress vulnerabilities inherent to the current web:

    Last week, Mark Pilgrim posted about clickjacking in his HTML5 weekly series. The blog post summarizes the discussion in the HTML5 group and browser vendors' feedback on the proposal.

    http://blog.whatwg.org/this-week-in-html-5-episode-7

    Saravanan - 7th October 2008 12:34 - #

  17. On Dealing with UI redress vulnerabilities inherent to the current web:

    Actually, that scenario is described in the link Ciaran posted - the NoScript installer page uses this technique to frame the "Install Now" buttons from addons.mozilla.org.

    phl - 7th October 2008 10:48 - #

  18. On Dealing with UI redress vulnerabilities inherent to the current web:

    NoScript will help if the attacking site uses JavaScript to create and position its IFrames. But Michal Zalewski is suggesting that you can clickjack passively, using CSS to disguise most of the target IFrame (by positioning elements over/around it), then tricking the victim into clicking on the desired uncovered element of the IFrame.

    That's a different subclass of attack to what Hansen and Grossman originally described ("Consider that an attack can invisibly hover these buttons below the user's mouse"), but it seems plausible, and equally dangerous.

    phl - 7th October 2008 10:37 - #

  19. On Dealing with UI redress vulnerabilities inherent to the current web:

    Hmm, I think NoScript will actually protect you without the need for the target site to have added any frame busting JavaScript.

    Plugins -> Forbid IFRAME. See http://hackademix.net/2008/09/27/clickjacking-and-noscript/

    CiaranG - 7th October 2008 10:18 - #

  20. On Using the New MySQL Query Profiler:

    Hey Simon,

    I just added support for this to the debug toolbar. Feel free to play around with it and let me know what you think. Great idea and thanks for the indirect suggestion. :)

    http://github.com/robhudson/django-debug-toolbar/tree

    The big TODO here is to add checks for MySQL and version 5.0.37 or higher. But for now it's a good playground for the profiling information.

    -Rob

    Rob Hudson - 6th October 2008 22:02 - #
