Simon Willison’s Weblog


Blogmarks


Running C and Python Code on The Web. Adobe are working on a toolchain to compile C code to target the Tamarin VM in Flash. This will allow existing C code (from CPython to Quake) to execute in a safe sandbox in the browser.

# 4th July 2008, 8:26 am / adobe, browser, c, flash, python, quake, tamarin

A browser sniffing warning: The trouble with Acid3 and TinyMCE. Opera recommend “bug detection”, a step up from object detection and browser sniffing where your JavaScript includes mini unit test style fragments of code designed to test if buggy behaviour you are working around still affects the user’s browser.

# 4th July 2008, 8:24 am / acid3, browsers, browsersniffing, bugdetection, javascript, object, objectdetection, opera, tinymce

ratproxy. “A semi-automated, largely passive web application security audit tool”—watches you browse and highlights potential XSS, CSRF and other vulnerabilities in your application. Created by Michal Zalewski at Google.

# 3rd July 2008, 2:35 pm / csrf, google, michal-zalewski, proxies, ratproxy, security, testing, xss

IE8 Security Part IV: The XSS Filter (via) IE8 will include an XSS filter to identify and neutralise “reflected” XSS attacks (where malicious code in a query string is rendered to the page), turned on by default. Sounds like a good idea to me, and site authors can disable it using Yet Another Custom HTTP header (X-XSS-Protection: 0).

# 3rd July 2008, 9:37 am / http, ie8, internet-explorer, microsoft, security, xss, xssfilter

Portable Social Networks, The Building Blocks Of A Social Web. Ben Ward’s tour de force of practical tools and techniques for building out the distributed social web, using XFN and hCard to represent the data. If you only read one article on portable social networks, make it this one.

# 3rd July 2008, 9:08 am / ben-ward, hcard, microformats, portablesocialnetworks, xfn

eval() Kerfuffle. The ability to read supposedly private variables in Firefox using a second argument to eval() will be removed in Firefox 3.1.

# 2nd July 2008, 9:24 pm / firefox, javascript, john-resig, privacy, security

Ruby’s Vulnerability Handling Debacle. The critical Ruby vulnerabilities are over a week old now but there’s still no good official patch (the security patches cause segfaults in Rails, leaving the community reliant on unofficial patches from third parties). Max Caceres has three takeaway lessons, the most important of which is to always keep a “last-known-good” branch to apply critical patches to.

# 2nd July 2008, 10:39 am / maxcaceres, open-source, patches, rails, ruby, security

ORG verdict on London Elections: “Insufficient evidence” to declare confidence in results. Electronic voting strikes again. Also of interest: the audit conducted by KPMG can’t be published due to “commercial confidentiality”.

# 2nd July 2008, 10:36 am / audit, elections, electronicvoting, kpmg, london, openrightsgroup, org

Django File Uploads (via) Nearly two years in the making, Django’s file upload capacity has received a major (and backwards incompatible) upgrade. Previously, files were uploaded by default into RAM—now, files larger than 2.5MB are streamed to a temporary file and extensive hooks are provided to customise where they end up—streaming to S3, for example.

# 1st July 2008, 5 pm / django, fileuploads, s3, uploads

Poking new holes with Flash Crossdomain Policy File. This is an old article from 2006 which describes the crossdomain.xml hidden in a GIF exploit I referred to in an earlier post (scroll down to the appendix for an example). As far as I know the Flash Player’s crossdomain.xml parser has been tightened up since.

# 1st July 2008, 4:12 pm / crossdomainxml, flash, gif, security

Whitespace Sensitivity. Amusingly, Ruby is actually far more sensitive about whitespace than Python is.

# 1st July 2008, 2:50 pm / armin-ronacher, python, ruby, whitespace

Delighting with Data. Tom Taylor’s full transcript and slides for his recent talk at Oxford Geek Night—talks about Twitter bots, wikinear, iamnear.net and various other small but neat data repurposing projects.

# 1st July 2008, 1:24 pm / fireeagle, iamnear, oxfordgeeknight, tom-taylor, wikinear

Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.

# 1st July 2008, 8:58 am / applets, crossdomainxml, gifs, javaapplets, pngs, security, uploads, validation, xss

Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting, here are a few more weird ways of injecting javascript: into a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.

# 30th June 2008, 3:57 pm / blacklisting, firefox, fuzztesting, html, javascript, sanitization, security, whitelisting

The end of LugRadio. Wow. LugRadio was a podcast before the term podcast had even been coined. It will be sorely missed.

# 30th June 2008, 2:03 pm / lugradio, podcasts, stuart-langridge

Enough Already with the Connections! Comet doesn’t mean making long-lived HTTP connections (which most browsers do anyway thanks to HTTP keep-alive), it means making long-held HTTP requests. I’m guilty of spreading this misinformation in the past.

# 30th June 2008, 9:27 am / comet, connections, correction, http, keepalive, requests

Dark Launches, Gradual Ramps and Isolation: Testing the Scalability of New Features on your Web Site. Smart advice from Dare Obasanjo that extends the “dark launch” idea illustrated by Facebook chat a few weeks ago.

# 29th June 2008, 2:22 pm / dare-obasanjo, darklaunches, facebook, gradualramps, isolation, scaling, systemarchitecture

Dissecting today’s Internet traffic spikes (via) Theo Schlossnagle on how the increasing popularity of interest aggregation services such as Digg and Reddit results in traffic spikes that dwarf the old Slashdot effect, making the old rules of thumb for capacity planning irrelevant.

# 29th June 2008, 2:12 pm / capacity-planning, digg, reddit, scaling, slashdotting, theo-schlossnagle

Microformats and accessibility: the soap opera that never ends. “Be sure to tune in next week, when we’ll drown a leading accessibility expert to see if she’s a witch.”

# 29th June 2008, 8:44 am / accessibility, funny, mark-pilgrim, microformats, witch

Graphite. Real-time graphing package for server monitoring, similar to RRDTool. Created by the team at Orbitz, using Django and ExtJS for the frontend and Cairo to generate the graphs.

# 28th June 2008, 11:53 pm / cairo, django, extjs, graphing, graphite, monitoring, orbitz, python, rrdtool

RefactorMyCode.com. Neat community for discussing improvements to code snippets. Login using OpenID.

# 28th June 2008, 11:46 pm / community, openid, refactoring, refactormycode

BBC iPlayer Beta. Preview of the new version of the iPlayer. Nice to be able to listen to Radio programmes in the same interface as TV without having to use the cramped popup window.

# 28th June 2008, 9:35 pm / bbc, iplayer, radio

How to sell your software for $20,000 (via) The best article I’ve read on software entrepreneurship in ages.

# 28th June 2008, 9:21 am / business, entrepreneurship, software, startups

Module Pattern Provides No Privacy... at least not in JavaScript(TM) (via) JavaScript variables hidden inside a closure aren’t as hidden as I thought—it turns out you can pass a closure as the second argument to eval (at least in Firefox) and “steal” private variables back out of it.

# 27th June 2008, 7:01 pm / closures, firefox, javascript, modulepattern, pete-michaux

Capital FM London Traffic Map. We launched this today at GCap (née Global Radio). I’m particularly impressed with how well the team handled clustering the traffic cameras on the Google map.

# 27th June 2008, 6:22 pm / capitalfm, clustering, gcap, google-maps, london, traffic

Browser Uploads to S3 using HTML POST Forms. I didn’t know you could do this: create a regular HTML form that gives people permission to upload direct to your own S3 bucket, using a signed JSON policy statement in a hidden form field to prevent third parties from abusing your S3 account.

# 27th June 2008, 12:11 pm / amazon, aws, forms, json, post, s3, signing

The Cron Commandments. How to write well-behaved cron scripts, from Dean Wilson.

# 27th June 2008, 9:48 am / cron, dean-wilson, unix

He/She/They: Grammar and Facebook. Facebook are going to start requiring gender information because foreign language translations wind up being too confusing when that information is not available. Aside: I wish they’d implement proper title elements on their blog posts.

# 27th June 2008, 9:06 am / facebook, gender, grammar, i18n, l10n, usability

How-to: Full-text search in Google App Engine. Use search.SearchableModel instead of db.Model—it’s pretty rough at the moment which is probably why it’s still undocumented.

# 27th June 2008, 8:25 am / full-text-search, google-app-engine, python, search

sfical.py. Neat idea: write a CGI script that turns a proprietary API (in this case the SalesForce events API) into standard ical format, then run it on your Mac’s local Apache server and subscribe to it from iCal.

# 27th June 2008, 8:09 am / apache, cgi, icalendar, mac, macos, salesforce, simon-fell
