Blogmarks
Reia. The most common complaint I see about Erlang is the syntax. Reia is a Python-style scripting language (with a dash of Ruby) that runs on the Erlang virtual machine. Looks promising.
freebase-suggest (via) A jQuery plugin that performs auto-completion against the Freebase JSONP API, and allows the results to be limited to specific categories or subsets.
html-whitelist (via) DeWitt Clinton’s web service wrapper around the html5lib HTML sanitiser, hosted on AppEngine.
Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary.
Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is.
csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs!
Decorator to limit request rates to individual views. Neat piece of code for public facing web APIs written in Django. Update: some smart criticisms in the comments.
Mark Zuckerberg speaking at FOWA. The Future of Web Apps Expo is just a few weeks away, and Mark Zuckerberg is the surprise keynote. I’m chairing the developer track again this year.
Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped.
bpgsql. Barry Pederson’s pure Python PostgreSQL client library now ships with a Django backend.
Google’s Usability Research on Federated Login. Fascinating—suggests an approach to federated auth based on the Amazon.com “Yes, I have a password” login flow. Feels convoluted to me but apparently it tests really well against a mainstream audience. The more research shared around this stuff the better.
Is your Rails application safe? (via) update_attributes(params[:foo]) in ActiveRecord is an anti-pattern.
Accessibility Experiment. Joe Walker asks what would happen if we threw away the idea of serving the same accessible site to every user and instead tried building specific versions aimed at different disabilities.
RestView—a class for creating a view that dispatches based on request.method (via) I finally got around to writing up a simple approach I’ve been using for REST-style view functions in Django that dispatch based on request.method.
backup_to_s3.py. I wrote Yet Another S3 backup script today. It’s a thin wrapper around boto that doesn’t do anything particularly impressive, but it fits my brain.
Introducing the Django Debug Toolbar. Another project inspired by DjangoCon: a component based debugging toolbar for Django. I like the architecture so far.
Django version 1.1 roadmap. Django 1.1 is due out in March, but the deadline for feature proposals is November the 7th.
Django’s release process. Django is moving to time-based releases, with minor releases (new features but no backwards incompatible changes) approximately every six months.
OAuth Playground (via) Neat OAuth API explorer from the Google Data APIs team.
Beware the time-eater: Cambridge University’s monstrous new clock. Beware the Chronophage, my son.
When Ajax Attacks! Web application security fundamentals. Slides and notes from my talk on web application security at @media Ajax last Tuesday.
How Companies Pay Artists to Include Brands in Lyrics. “We just feel that if it’s a product that’s admired by the artist and fits his/her image, we now have the capability of leveling out the playing field and making things financially beneficial for all parties involved.” Charming.
Tell-a-Friend: Leverage Word of Mouth Marketing. I’d love to know how they intend to stop this free widget from becoming the world’s most popular spam proxy. And of course, they abuse the password anti-pattern despite the existence of safe API alternatives to address book scraping.
We’re Never Content. Amazon will be releasing a proper edge caching CDN on top of S3 “before the end of the year”.
DjangoCon and learning from Zope 2. Mark Ramm presented probably the most thought-provoking talk at DjangoCon. He’s started writing it up as a series of posts.
Frame-Busting Gadgets. I’ve always been slightly suspicious of the Google Gadgets / OpenSocial idea of sandboxing untrusted third party content in an iframe. Sure enough, it turns out iframe busting scripts work in Gadgets, meaning a seemingly harmless gadget could potentially launch a phishing attack.
When Ajax Attacks! Web application security fundamentals. Slides and (other people’s) notes from my presentation at @media Ajax on Tuesday.
YouTube Playlist: DjangoCon 2008 Sessions. YouTube’s tag and search indexes appear to lag behind the main site by quite a while; this appears to be the definitive index page for videos of talks at DjangoCon.
YouTube: djangocon tag. Google have started posting videos of presentations at DjangoCon on YouTube.
Documents Reveal Django Pony, Caught In Tail Of Lies. whytheluckystiff. Enough said.