Simon Willison’s Weblog

IE8 Security Part IV: The XSS Filter (via) IE8 will include an XSS filter to identify and neutralise “reflected” XSS attacks (where malicious code in a query string is rendered to the page), turned on by default. Sounds like a good idea to me, and site authors can disable it using Yet Another Custom HTTP header (X-XSS-Protection: 0). # 3rd July 2008, 9:37 am

Enough Already with the Connections! Comet doesn’t mean making long-lived HTTP connections (which most browsers do anyway thanks to HTTP keep-alive), it means making long-held HTTP requests. I’m guilty of spreading this misinformation in the past. # 30th June 2008, 9:27 am

mod_rpaf for Apache. A more secure alternative to Django’s equivalent middleware: sets the REMOTE_ADDR of incoming requests from whitelisted load balancers to the X-Forwarded-For header, without any risk that if the load balancers are missing attackers could abuse it to spoof their IP addresses. # 24th June 2008, 5:02 pm

ncache. A squid-style caching system built on top of nginx. Supports the HTTP PURGE method for cache invalidation. # 18th June 2008, 8:09 pm

The X-Robots-Tag HTTP header. News to me, but both Google and Yahoo! have supported it since last year. You can add per-page robots exclusion rules in HTTP headers instead of using meta tags, and Google’s version supports unavailable_after which is handy for content with a known limited shelf-life. # 9th June 2008, 9:21 am

Yahoo!’s Latest Performance Breakthroughs. 20 new performance tips to join the previously published 14. Flushing the buffer while the backend code is still working to cause the browser to start loading CSS earlier is interesting. # 20th March 2008, 3:17 pm

Beyond DOCTYPE: Web Standards, Forward Compatibility, and IE8. This has huge implications for client-side web developers: IE 8 will include the ability to mark a page as “tested and compatible with the IE7 rendering engine” using an X-UA-Compatible HTTP header or http-equiv meta element. It’s already attracting a heated debate in the attached discussion. # 22nd January 2008, 12:40 pm

Cross-Site XMLHttpRequest (via) “Firefox 3 implements the W3C Access Control working draft, which gives you the ability to do XMLHttpRequests to other web sites”—you can mark a document as available for cross-domain requests using either an Access-Control HTTP header or an XML processing instruction. # 9th January 2008, 11:57 pm

HTTP Cache Channels (via) Interesting extension to the HTTP caching model by Mark Nottingham: caches can be told to subscribe to an Atom feed which alerts them to cached data that has gone stale. Group invalidation is also supported. # 4th January 2008, 12:48 pm

The backdooring of SquirrelMail. A SquirrelMail developer’s account was compromised and used to insert a backdoor: the other developers initially missed the hole because it used $_SERVER[’HTTP_BASE_PATH’], which can be set with a Base-Path: HTTP header. # 28th December 2007, 11:40 pm

Techniques for safely consuming external HTTP on demand? I asked this question on programming.reddit.com yesterday and got some really insightful answers, including Joe Stump from Digg describing how Digg Images uses Danga’s Gearman worker queue. # 15th December 2007, 12:29 pm

Two HTTP Caching Extensions. stale-while-revalidate serves cached content even while a refresh has been triggered and is currently being pulled in to the cache; stale-if-error serves cached content if a service has gone down. # 12th December 2007, 11:23 am

A Taxonomy of Event- and REST-based Comet. Kris Zyp describes a conceptual model for Comet messages based on REST semantics (so you can send a PUT referencing a specific URI down to a client to represent an idempotent state change). # 21st November 2007, 8:18 pm

Orbited: The Orbit Event Daemon. HTTP daemon designed for long-lasting comet connections, written in Python using pyevent on top of libevent. # 9th November 2007, 11:01 pm

Http-https transitions and relative URLs. Finally, a reason to use those weird protocol-relative URLs (//example.com/path and the like). # 18th October 2007, 11:57 am

ETags, ETags, ETags. They’re no magic bullet. # 7th August 2007, 2:51 pm

YSlow. New extension for Firebug (yes, an extension on top of another extension) from the Yahoo! performance team which provides improved performance measurement tools and optimisation advice. # 25th July 2007, 4:48 am

Return of the HTTP overhead delay. Christian proposes a neat way of improving page performance, by delaying non-essential images such as avatars until after the rest of the page has loaded. # 11th July 2007, 3:12 pm

The State of Proxy Caching. If you’ve always wondered exactly what intermediate proxies are going to do to your carefully constructed Web application, here’s your answer. # 21st June 2007, 2:18 pm

Avoid IE Brokenness When using Vary and Attachments (via) Django middleware that works around a bug in IE where external applications fail to load content that was served with a Vary header. # 9th April 2007, 9:41 am

The RADAR Architecture: RESTful Application, Dumb-Ass Recipient (via) Dave Thomas points out that REST expects smart clients, but browsers are dumb (only really support POST and GET). His suggested fix is to build a pure REST service and then drop in a server-side application proxy that sits between the browser and the REST backend. # 2nd April 2007, 10:42 am

Content delivery system design mistakes. Collection of tips for optimising Web server performance. Mentions lighttpd/nginx, Keep-Alive, expires headers, noatime and more. # 15th February 2007, 11 am

Don’t serve JSON as text/html. Another sneaky XSS trick. # 5th July 2006, 11:46 pm