Simon Willison’s Weblog


October 2008

Oct. 1, 2008

Using the New MySQL Query Profiler. Extremely powerful new feature in MySQL 5.0.37. Definitely something for the Django debug toolbar.

# 1:20 am / django-debug-toolbar, django, mysql, profiling

This Week in HTML 5—Episode 7: Clickjacking. Clickjacking is when a third party site is embedded in an iframe with opacity 0 and positioned such that a click on the page actually hits a button on the now invisible third party site. Mark Pilgrim explains how the NoScript site uses this in a non-malicious way for its “install now!” button.

# 1:48 am / noscript, clickjacking, mark-pilgrim, phishing, security, iframes, opacity, html5

Coming Soon: Amazon EC2 With Windows. It’s not instantly clear if you need to source your own Windows licenses or if the license comes as part of the hourly VM charge. If it’s the latter, I can see this being fantastically useful for both automated and manual cross-browser testing—throw up a Windows VM for just as long as you need to run your tests, running them through rdesktop.

# 9:16 am / amazon, ec2, browsertesting, rdesktop, windows

Cascading. A Java API abstraction layer over Hadoop that lets developers think in terms of pipes and filters rather than map/reduce. The Cascading developers claim that this model is easier to understand and less error prone.

# 1:22 pm / mapreduce, cascading, java, hadoop, pipesfilters

[REDACTED]. Now that the iPhone NDA has been lifted be prepared for a flood of useful tips about the platform. Here’s Craig Hockenberry explaining how iPhone URL schemes work (used to great effect in the Pownce app for returning to the right place post-OAuth authentication in Safari).

# 10:34 pm / urlschemes, iphone, nda, craig-hockenberry, urls, oauth, pownce

simplejson 2.0.1. Python’s simplejson JSON library got a whole lot faster while I wasn’t looking.

# 10:55 pm / simplejson, json, python, performance, bobippolito

Oct. 2, 2008

What’s New in Python 2.6 (via) Python 2.6 final has been released (the last 2.x version before 3.0). multiprocessing and simplejson (as json) are now in the standard library, any backwards compatible 3.0 features have been added and the official docs are now powered by Sphinx (used by Django 1.0 as well). There’s plenty more.

# 11:47 am / django, python, releases, json, simplejson, multiprocessing, sphinx-docs

Google’s Wikipedia and Panoramio layers are now available in the API. I really like their use of reverse domain style identifiers for the layer IDs: map.addOverlay(new GLayer("org.wikipedia"));

# 11:59 am / google-maps, wikipedia, javascript, panoramio, glayer

FB App Canvas Pages: I Think I’d Use IFrames. Facebook’s Charlie Cheever explains the difference between FBML canvas pages, iframe pages and XFBML when building Facebook apps. I’m always surprised at APIs that load untrusted content in an iframe, as it seems like an invitation for frame-busting phishing attacks.

# 2:39 pm / facebook, charlie-cheever, framebusting, iframes, security, phishing, fbml, xfbml, facebookapi

Tweetersation. Nat and my latest side project: a JSONP API powered tool to more easily follow conversations between people on Twitter, by combining their tweets into a single timeline.

# 5:08 pm / twitter, jsonp, projects, natalie-downe, javascript, api, tweetersation

Obama ’08 for iPhone (via) Slick app, impressive for a three week turnaround. I’m guessing it uses the phone number area codes in your address book to arrange your friends by state for the “call your friends” feature, which is an ingeniously simple hack.

# 6:13 pm / politics, iphone, barack-obama, ravenzachary

Oct. 3, 2008

Why Google App Engine is broken and what Google must do to fix it. Aral Balkan describes a number of critical issues with App Engine. If you’re considering building something serious on it you need to read this article; I’ve run into several of these problems myself just running toy projects on the platform. Here’s hoping they get addressed in the near future.

# 10 pm / google, appengine, aral-balkan, scalability

Oct. 4, 2008

The Flickr Panda. Reminds me of the prime number shitting bear.

# 9:42 am / flickr, panda, funny, primenumbershittingbear

FOWA pre-interview: Andrew Turner. I’ve started to post pre-interviews with speakers to the FOWA blog, in advance of the conference next week. First up is Andrew Turner of Mapufacture.

# 9:44 am / andrew-turner, fowa, interviews, mapufacture

Oct. 6, 2008

Tracking your Cat with GPS. Alex Lee strapped a GPS to his cat.

# 9:16 pm / gps, alex-lee, cats, location

Oct. 7, 2008

Dealing with UI redress vulnerabilities inherent to the current web (via) The best explanation of clickjacking I’ve seen yet, complete with discussion of a number of non-ideal potential solutions. It looks like frame busting JavaScript will defeat it, but only for users who have JavaScript enabled—which means that in this case extensions like NoScript actually make you less safe. UPDATE: NoScript is smarter than I thought; see the comments.

# 9:59 am / javascript, noscript, clickjacking, security
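The frame-busting defence mentioned in the clickjacking posts above, as an added example that is not from the linked article or from NoScript. The window-shaped objects built by makeWindow are constructed stand-ins so the logic can run outside a browser; in a page you would call frameBust(window).

```javascript
// Added example (not from the original post): a minimal frame-busting check of
// the kind the UI-redress article discusses. The window-shaped objects passed in
// are constructed for illustration; in a browser you would call frameBust(window).

// Returns true when the document is rendered inside a frame, i.e. the
// top-level browsing context is not this window.
function isFramed(win) {
  return win.top !== win.self;
}

// Classic frame-busting: if we are framed, navigate the top window to our own
// URL so the page can no longer be overlaid transparently on another site.
// Returns true when a defensive action was taken, false when not framed.
function frameBust(win) {
  if (!isFramed(win)) {
    return false;
  }
  try {
    win.top.location.href = win.self.location.href;
    return true;
  } catch (e) {
    // If the top window cannot be navigated, fall back to blanking the page
    // so there is nothing for an overlaid click to land on.
    win.document.body.innerHTML = '';
    return true;
  }
}

// Constructed stand-ins for window objects so this runs outside a browser.
function makeWindow(url, top) {
  const w = { location: { href: url }, document: { body: { innerHTML: 'content' } } };
  w.self = w;
  w.top = top || w;
  return w;
}

// Constructed scenario: a page loaded directly, and the same page framed by
// a hypothetical third-party page (the URLs are placeholders).
const topLevel = makeWindow('https://example.test/page');
const framer = makeWindow('https://framer.example/');
const framed = makeWindow('https://example.test/page', framer);

console.log('direct load busted:', frameBust(topLevel)); // false
console.log('framed load busted:', frameBust(framed));   // true
console.log('top now points at:', framer.location.href);
```

The caveat from the post still applies: this only runs when JavaScript is enabled, which is why the page-level alternative is a response header the browser enforces itself (X-Frame-Options, or the Content-Security-Policy frame-ancestors directive in later browsers), neither of which depends on script execution.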

Clickjacking and NoScript (via) NoScript CAN protect against clickjacking, but only if you enable the “Plugins|Forbid IFRAME” option.

# 11:05 am / noscript, clickjacking, security

Giving Dabble DB a time machine. More innovation from Dabble DB—the service now offers a UI to their backup snapshots, letting you roll your own instance back to a specific point in time to recover accidentally deleted data.

# 12:55 pm / dabbledb, revert, snapshots

XHTML—myths and reality. Useful overview of XHTML from Tina Holmboe of the W3C’s XHTML Working Group, which suggests considering HTML 4.01 strict unless you need mixed namespaces for things like MathML. I’ve been storing this blog’s content as XHTML but serving as HTML for several years now.

# 4:56 pm / mathml, xhtml, tinaholmboe, w3c, namespaces, html

Oct. 8, 2008

Places to see in London (for geeks). My geek-oriented guide to London attractions that you may not hear about otherwise, updated for this year’s overseas FOWA attendees. Suggestions for additions welcome.

# 2:54 pm / geeks, london, maps, googlemymaps, fowa2008

Antisocial: a Javascript demo by Gasman. The demo is cool (3D on top of canvas); the “demotool” editor is simply amazing.

# 3 pm / demo, demotool, gasman, matt-westcott, antisocial, 3d, canvas, javascript

Oct. 9, 2008

and now... Opera. Jon Hicks is joining Opera as Senior Designer. I absolutely cannot wait to see what he comes up with there.

# 6:39 pm / jon-hicks, opera, design, browsers

Antisocial. Matt Westcott (a.k.a. Gasman) provides some technical background to his awesome Antisocial 3D canvas demo.

# 6:42 pm / javascript, canvas, 3d, demoscene, matt-westcott, gasman

Oct. 10, 2008

Videos from FOWA 2008. The Carsonified team have a scarily fast turnaround on the videos from this year’s Future of Web Apps. Most of yesterday’s talks are already available to watch online, as a full talk or the edited highlight reel.

# 4:03 pm / carsonified, future-of-web-apps, video, fowa2008

Oct. 13, 2008

Versioning REST Web Services. Peter Williams suggests using a vendor MIME media type in the Accept header to specify a required API version, because embedding the API version in the URL itself leads to a single resource ending up with many different URLs, one for each API version.

# 12:45 pm / rest, urls, peter-williams, versioning, contentnegotiation, accept, http
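A worked version of the Accept-header approach described above, added here as an example rather than code from Peter Williams’ article. The media type name application/vnd.example.v<N>+json and the set of supported versions are assumptions for illustration; the point is that the version is negotiated from the header while the resource keeps a single URL.

```javascript
// Added example (not from the article): choosing an API version from the
// Accept header using a vendor media type. The naming convention
// "application/vnd.example.v<N>+json" and the supported versions are assumed.

const SUPPORTED_VERSIONS = [1, 2];
const MEDIA_TYPE_RE = /^application\/vnd\.example\.v(\d+)\+json$/;

// Parse an Accept header into [{type, q}] entries, honouring the q parameter
// (default 1.0) and ignoring any other media type parameters.
function parseAccept(header) {
  return header
    .split(',')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const [type, ...params] = part.split(';').map((s) => s.trim());
      let q = 1;
      for (const p of params) {
        const [k, v] = p.split('=');
        if (k === 'q') {
          q = parseFloat(v);
          if (Number.isNaN(q)) q = 0;
        }
      }
      return { type: type.toLowerCase(), q };
    });
}

// Return the supported version the client prefers most, or null if nothing it
// accepts is supported. A bare application/json or a wildcard maps to the
// newest version; ties on q are broken in favour of the newer version.
function negotiateVersion(acceptHeader, supported = SUPPORTED_VERSIONS) {
  const newest = Math.max(...supported);
  const candidates = [];
  for (const { type, q } of parseAccept(acceptHeader || '*/*')) {
    if (q <= 0) continue;
    const m = type.match(MEDIA_TYPE_RE);
    if (m) {
      const v = parseInt(m[1], 10);
      if (supported.includes(v)) candidates.push({ v, q });
    } else if (type === 'application/json' || type === '*/*' || type === 'application/*') {
      candidates.push({ v: newest, q });
    }
  }
  if (candidates.length === 0) return null;
  candidates.sort((a, b) => b.q - a.q || b.v - a.v);
  return candidates[0].v;
}

// Constructed sample headers.
console.log(negotiateVersion('application/vnd.example.v1+json'));               // 1
console.log(negotiateVersion('application/vnd.example.v2+json;q=0.5, application/vnd.example.v1+json;q=0.9')); // 1
console.log(negotiateVersion('application/vnd.example.v3+json'));               // null
console.log(negotiateVersion('*/*'));                                           // 2
```

Returning null for an unsupported version lets the server answer with 406 Not Acceptable rather than silently serving a different representation, which is the check worth having once clients are pinned to a version this way.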

Oct. 14, 2008

asql—Apache SQL querying. Command line tool for loading web server log files in common log format into a SQLite database, with a built-in interactive shell.

# 11:22 am / asql, logs, sqlite, apache

Browser Paint Events. The latest Firefox nightlies include a new MozAfterPaint event which fires after a portion of the page has been redrawn and provides co-ordinates of the affected rectangle. John Resig provides a neat bookmarklet that uses the new event to visualise repainting operations.

# 1:08 pm / mozafterpaint, mozilla, javascript, firefox, john-resig

Minimal nginx conf to split get/post requests. Interesting idea for master-slave replication balancing where GET vs. POST is load-balanced by nginx, presumably to different backend servers that are configured to talk to either a slave or a master. This won’t deal very well with replication lag though—you really want a user’s session to be bound to the master server for the next few GET requests after data is modified to ensure they see the effects of their updates. UPDATE: Amit fixed my complaint with a neat hack based around a cookie with a max age of 10 seconds.

# 4:33 pm / load-balancing, masterslave, mysql, nginx, replication

Yahoo! Releases OpenID Research. Extremely valuable research, conducted with a group of typical Yahoo! users. OpenID’s usability remains bad, and if we don’t get it right soon something centralised like Facebook Connect will take over and the Web will stop being open.

# 4:59 pm / facebook, facebookconnect, openid, usability, yahoo, research

Oct. 15, 2008

Announcing the New York Times Campaign Finance API (via) The New York Times have released their first data API, exposing campaign finance data from the Federal Election Commission.

# 2:05 pm / api, campaignfinance, new-york-times
