September 2007
Sept. 25, 2007
Sun’s OpenID IdP: Real vs Fake. The thinking behind Sun’s decision to allow users of their OpenID provider to pick fake names and assign personal e-mail addresses.
Firefox 3 Antiphishing Sends Your URLs To Google. Stories like this crop up every now and then, but no one ever seems to mention that the Google Toolbar has been doing this since it was released (more than five years ago) provided you have PageRank display turned on.
Sept. 26, 2007
DOMContentLoaded for IE, Safari, everything, without document.write. Stuart has taken Hedger’s recent IE technique, combined it with the others and compressed it in to a short-as-possible code snippet that you can paste in to your scripts without having to include the whole of jQuery/YUI/Dojo/Prototype.
I have another technique [...] that I'll be switching jQuery to. If you attempt to insert into the document.body before the document is fully loaded, an exception is thrown. I take advantage of that to determine when the document is fully loaded.
Announcing the Dopplr 100. Similar to how Facebook used to only allow college e-mail addresses, Dopplr is now open to holders of e-mail accounts from 100 large corporations. The blog release doesn’t specify if each corporation gets its own special “group” within the application; that would be a neat touch.
djangogigs.com—from idea to release in 6 hours. Now that’s what I call rapid development.
Sept. 27, 2007
Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge.
WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks.
WordPress 2.3: Canonical URLs. Fantastic to hear that WordPress 2.3 supports this, and that they picked the right terminology for it (I’ve called the same thing “disambiguated URLs” in the past).
Halo 3 Site Demonstrates Flaws in SilverLight. The Halo 3 “interactive manual” is like a throwback to Flash in the late 90s—“skip intro”, pointless transitions, text you can’t select or enlarge, links that aren’t links—all wrapped up in an ugly blob (only this time it’s XML instead of binary data).
DbMigration—a schema migration tool for Django. Nice and simple tool for adding schema migrations to a Django application.
Large codebases are the problem, not the language they're written in. Find a way to break/decompose big codebases into little ones.
CSS Sprite Generator (via) Upload a zip file of images and get back a CSS sprite plus a set of pre-calculated background image rules. Tool built by Ed Eliot and Stuart Colville for their forthcoming book “High Performance Web Site Techniques”.
Sept. 28, 2007
hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order.
Kosmos Distributed File System (via) New open source distributed filesystem similar to Google’s GFS.
OLPC Peru/Arahuay. A fascinating case study of the introduction of the XO to a school in Peru. It’s really exciting to see the project starting to make an impact.
Sept. 30, 2007
Currently WebRunner applications share cookies with other WebRunner applications, but not with Firefox. WebRunner uses its own profile, not Firefox's profile. There is a plan to allow WebRunner applications to create their own, private profiles as well.
Designing for a security breach
User account breaches are inevitable. We should take that in to account when designing our applications.
[... 545 words]Idea: The Histogram as the Image. How to hide the New York City skyline in the histogram of an image.
Email addresses your OpenID via DNS. Sam Ruby has warmed to the idea of making e-mail addresses usable as OpenIDs via a DNS SRV record.