Simon Willison’s Weblog


Sunday, 12th April 2009

17-year-old claims responsibility for Twitter worm. It was a textbook XSS attack—the URL on the user profile wasn’t properly escaped, allowing an attacker to insert a script element linking out to externally hosted JavaScript which then used Ajax to steal any logged-in user’s anti-CSRF token and use it to self-replicate into their profile. # 7:22 pm
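The bug described above comes down to interpolating a user-supplied profile URL straight into HTML. As an added illustration (not Twitter's code, and not from the original post), here is the vulnerable rendering pattern beside a hardened version that allowlists the URL scheme and escapes the value for attribute context; the sample input is constructed and the host name is a placeholder.

```python
import html
from urllib.parse import urlsplit

# Constructed example, not Twitter's code: rendering a user-supplied
# profile URL into <a href="..."> before and after the fix.

ALLOWED_SCHEMES = {"http", "https"}


def render_unsafe(url: str) -> str:
    """The pattern behind the worm: raw string interpolation into HTML.

    A value containing a double quote closes the href attribute and
    anything after it becomes markup, e.g. a <script src=...> element."""
    return '<a href="' + url + '">' + url + '</a>'


def render_safe(url: str) -> str:
    """Validate the scheme first, then escape for attribute/text context.

    Escaping alone does not stop javascript: URLs (they contain no HTML
    metacharacters), which is why the scheme allowlist is also needed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ""
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return ""  # reject anything that is not an absolute http(s) URL
    safe = html.escape(url, quote=True)  # " < > & ' all become entities
    return f'<a href="{safe}">{safe}</a>'


def is_clean(markup: str) -> bool:
    """Cheap output check: only the two tags we generated may appear."""
    return markup.count("<") <= 2 and "<script" not in markup.lower()


# Constructed attribute-breakout input of the kind the worm relied on;
# attacker.invalid is a placeholder host, not a real indicator.
SAMPLE = 'http://example.com/"><script src="http://attacker.invalid/w.js"></script>'

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE))  # script tag survives
    print("safe:  ", render_safe(SAMPLE))    # rendered as inert text
    print("javascript: scheme ->", repr(render_safe("javascript:alert(1)")))
```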

We’re using the same trick on to avoid having to maintain a lookup database, though we’re using base 58.

Kellan Elliott-McCrea # 4 pm

The App Store has an inscrutable, time-consuming, whim-dependent approval process. The App Store newsgroup postings are full of angry claims that this is a bug, but I bet it’s a feature. If you can’t get an app approved until it’s working perfectly, and you have to wait a week or two -- or more -- between approval rounds, you’re much more likely to put a lot more effort in up front to get it right.

Marc Hedlund # 1:49 pm

Tweenbots: Cute Beats Smart. How do you build a robot that can get from one end of Washington Square Park to the other without your help? Give it a cute smile and a sign explaining where it’s going and rely on strangers to point it in the right direction along the way. # 1:47 pm

Running Rhino and Helma NG on Google App Engine. Helma NG is a JavaScript web app framework, which now works on App Engine out of the box. # 12:52 pm

A rev="canonical" HTTP Header. Chris Shiflett proposes optionally exposing rev=canonical information in an HTTP header, thus allowing sites to discover shorter URLs using just a HEAD request and removing the need to parse HTML. The pingback specification also uses this shortcut. # 12:33 pm

Revving up. Jeremy Keith advocates adding the rev=canonical attribute to regular A elements as well as / instead of hiding it in the head of the document, following the microformats design principle that invisible metadata is less valuable than augmenting visible links. I’ve updated my shorten bookmarklet to handle this case. # 12:29 pm