Simon Willison’s Weblog

Subscribe

April 2008

April 12, 2008

CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable.

# 10:52 am / jeremiah-grossman, csrf, rsa, rsa2008, security

Multiple inheritance of newforms and modelforms. If you ever see “Error when calling the metaclass bases metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases” when trying multiple inheritance with newforms and modelforms, here’s a scary solution I found.

# 12:54 pm / django, python, multipleinheritance, metaclasses, inheritance, newforms, modelforms

April 13, 2008

The problem of grues is, of course, their recursive nature. To wit: A) Grues are found wherever it is very dark. B) There are no light sources on the inside of a grue. Therefore, being eaten by a grue is a fate which entails being eaten by an infinite number of progressively smaller grues, presumably nested in a geometrically complicated and interesting way.

Arturus

# 2:40 am / lolgrues, grue, grues, metafilter, zork

April 14, 2008

[Amazon's] forthcoming persistent storage feature will give you the ability to create reliable, persistent storage volumes for use with EC2. Once created, these volumes will be part of your account and will have a lifetime independent of any particular EC2 instance.

Jeff Barr

# 7:50 am / ec2, amazon, jeff-barr, storage

Amazon takes EC2 to the next level with persistent storage volumes. You can store a snapshot of a storage volume to S3 with a single API call, making backups trivial.

# 8:04 am / ec2, storage, backups, s3, virtualization, rightscale

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types.

# 8:18 am / ie, internet-explorer, browsers, contenttypes, security, xss

Once you reach a certain level of activity in the system where the garbage collector can no longer keep up (and it will happen), then every line of code in your system is now a potential failure point that can leave the whole program in a bad state. Lisp has this problem. Java has this problem. Erlang does not.

Damien Katz

# 3:17 pm / lisp, java, erlang, garbagecollection, faliure, damien-katz

KML: A new standard for sharing maps. Google’s KML format, which is already supported by both Microsoft and Yahoo!’s map software, has been accepted under the wing of the Open Geospatial Consortium and is now an international standard.

# 6:36 pm / ogc, kml, google, google-maps, maps, mapping

April 19, 2008

Quotation search in Google News (via) Extremely impressive application of (I suppose) natural language processing in Google News—it now extracts quotations from news stories, even handling things like “he said” and “she said” and resolving them back to the speaker.

# 7:22 am / natural-language, google, google-news, quotations

Cluetrainwreck. Comcast’s official Twitter account is pretty creepy... “I hope we can change your perception of Comcast!”.

# 8 am / cluetrain, comcast, twitter, pr, charles-miller

PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work.

# 10:45 am / openid, paypal, security, phishing, evssl

Mibbit (via) Excellent web-based IRC client, should be great for when pesky firewalls get in the way. Also a good candidate for use with a site-specific browser.

# 3:53 pm / ajax, irc, mibbit, sitespecificbrowsers

I've become increasingly convinced that what CEOs should be crying out for is not more innovation but fewer self-imposed obstacles.

Simon Wardley

# 4:26 pm / simon-wardley, innovation

HTML 5 vs. Yadis. The draft HTML5 spec currently disallows values for http-equiv and link rel which aren’t listed in the spec—meaning both methods of specifying a link to an OpenID server are invalid for HTML5. This should probably be fixed...

# 4:35 pm / html5, openid, yadis, standards

JavaScript: The Good Parts. Douglas Crockford’s soon-to-be-published book on the subset of JavaScript that he recommends. Promises to be “short, but dense”—if it’s half as good as his JavaScript lectures this is going to be a must-have.

# 4:38 pm / javascript, douglas-crockford, books

Embedding custom non-visible data in HTML 5. “Every HTML element may have any number of attributes starting with the string ’data-’ specified, with any value.”—this will be incredibly useful for unobtrusive JavaScript where there’s no sensible place to store configuration data as HTML content. It will also mean Dojo has an approved method for adding custom attributes to declaratively instantiate Dojo widgets.

# 10:58 pm / html5, javascript, standards, unobtrusive-javascript, html, dojo, customattributes

April 21, 2008

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference.

# 6:51 am / isp, subdomains, dns, security, earthlink, xss, wildcarddns

April 22, 2008

Plazes adds Fire Eagle Support. The Plazer software can now automatically update your location in FireEagle based on fingerprinting your laptop’s local network.

# 1:02 am / plazes, location, fireeagle

OSM Super-Strength Export. Awesome new feature on OpenStreetMap: you can browse to anywhere on the map, then hit “export” and download a rendered bitmap or vector (PDF and SVG) image of the currently displayed map—and because it’s OSM there’s no watermark and a very liberal usage license.

# 9:56 am / openstreetmap, maps, mapping, svg, pdf, vector

Reading binary files using Ajax. There’s a simple trick for Firefox, and (amazingly) you can get IE to play along using a function written in VBScript.

# 7:02 pm / binary, ajax, ie, firefox, vbscript, javascript, xmlhttprequest

Google AJAX Search API: Flash and Server Side Access. Over a year after Google shot down their SOAP Search API, they’ve quietly released a JSON based one under the guise of supporting “Flash and other non JavaScript environments”. Comes with the strange requirement that an HTTP referer be sent with every request; the API key is optional.

# 7:16 pm / google, soap, ajax, json, search, web-services, apis

April 24, 2008

Generator Tricks for Systems Programmers. The best tutorial on Python’s powerful generator feature I’ve seen anywhere.

# 10:17 am / generators, python, david-beazley

April 25, 2008

Internet Asshattery, Armchair Scaling Experts Edition (via) Leonard says what needs to be said about the most recent case of Twitter scaling flame-bait.

# 11:19 pm / twitter, scaling, leonardlin

CSS Variables. Hooray! My number one requested CSS feature (and I know I’m not alone), proposed by Daniel Glazman and David Hyatt so I imagine we’ll see it trialled in WebKit pretty soon.

# 11:26 pm / webkit, css, variables, daniel-glazman, david-hyatt

April 26, 2008

Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised.

# 9:12 am / iis, massattack, security, sql-injection, xss, sqlserver, sql

We are happy to announce that the Google Contacts Data API now supports OAuth. This is our first step towards OAuth enabling all Google Data APIs. Please note that this is an alpha release and we may make changes to the protocol before the official release.

Wei Tu

# 10:15 am / weitu, oauth, google, googlecontactsapi

Python one-liner of the day. I love the idea of publishing one-liners accompanied by one-line test suites.

# 10:24 am / testing, python

Speechification. “A blog of Radio 4. Not about Radio 4 but of it. We point to the bits we like, the bits you might have missed, the bits that someone might have sneakily recorded. Other speech radio from around the world will no doubt find its way here too.”

# 10:30 am / speechification, radio, radio4, blogging

MediaWiki API. Wikipedia’s best kept secret?

# 6:47 pm / mediawiki, wikipedia, api

Multi-Inflection-Point Alert. Dammit, Tim, stop giving away our competitive advantages!

# 6:48 pm / tim-bray, couchdb, simpledb, bigtable, rest, soap, python, java, rails

2008 » April

MTWTFSS
 123456
78910111213
14151617181920
21222324252627
282930