689 items tagged “javascript”
2008
V8 Design Elements. High level design details of Google’s V8 JavaScript engine, including how it uses “hidden classes” to optimise object property lookups and a bit of information on the machine code generation and garbage collection.
Chromium. Google Chrome is out! Here’s the open source project, including the code for the new V8 JavaScript virtual machine.
Google Chrome, the comic book (via) Google have finally announced a browser project, though it’s currently vapourware (or rather comicware), existing only as a Scott McCloud comic. Still, it looks fascinating—entirely open source, WebKit with a brand new JavaScript VM, every tab running in a separate process for smarter memory usage and some new UI concepts and anti-pishing measures thrown in as well.
addSizes.js: Snazzy automatic link file-size generation. Posted to Nat’s snazzy new blog: a script that uses my json-head API to grab the file size of linked documents on a page and insert those sizes in to the document.
WolfenFlickr 3D—An unlikely mashup. Brilliant: Wolfenstein 3D style raycasting in JavaScript with images on the walls that have been pulled in using Flickr’s JSONP API.
Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers.
Capital Radio’s London Guide. Worth pointing out: the search / map interface on this page is one of the best examples of progressive enhancement I’ve ever seen. Try disabling JavaScript and see what happens. It seems like most developers just can’t be bothered with this kind of attention to detail these days, which disappoints me.
json-tinyurl. Because sometimes you want to be able to create a shorter version of a URL directly from JavaScript without hosting your own server-side proxy.
jeresig’s sizzle. Sizzle is a new selector engine (work in progress, no IE support yet) from John Resig, designed to be small, standalone, library agnostic and ridiculously fast. It should eventually replace jQuery’s current selector engine, but if it stays around 4KB it’s also going to be really useful for projects that don’t need the overhead of a full library.
TraceMonkey. Brendan Eich has been preaching the performance benefits of tracing and JIT for JavaScript on the conference circuit for at least a year, and the results from the first effort to be merged in to Mozilla core are indeed pretty astounding.
Get Lat Lon now has a “Get my location (by IP)” button. It took all of five minutes to add using the new google.loader.ClientLocation API. The button is only visible if your location can be resolved.
Gears API Blog: Gears 0.4 is here! New features are Geolocation, a Blob API for dealing with arbitrary binary data, onprogress() events for tracking HTTP downloads and uploads (meaning progress indicators) and the built-in Gears dialogs localized to 40 languages.
Google Code Blog: Two new ways to location-enable your web apps. The Gears Geolocation API isn’t very exciting just yet as it only really works on windows mobile devices, but the new google.loader.ClientLocation Ajax API is great—it gives you the user’s location based on looking up their IP address, saving you from needing to install a IP-to-geo lookup database.
Making queries faster isn't in the critical path for improving the real-world performance of any Dojo apps I know of, and I bet the same is true for JQuery users. Reducing the size of the libraries, on the other hand, is still important. Now that we're all fast enough, it's time that we stopped beating on this particular drum lest we lose the plot and the JavaScript community continue to subject itself to endless rounds of benchmarketing.
querySelectorAll in Firefox 3.1. John Resig benchmarks the various JavaScript libraries’ support for querySelelectorAll, and finds an impressive 2-6x performance improvement over native DOM traversal. It’s worth clicking through to John’s experimental plugin for adding support to jQuery, which does a clever trick using __proto__ to convert the collection returned by querySelectorAll in to a jQuery object in browsers that support it.
YUI 3.0 Preview Release 1. YUI sandboxing is a really good idea, which cleverly addresses both the need to run multiple versions of the library at once and the complaints about how verbose traditional YUI code can get.
ECMAScript Harmony. John Resig explains the outcome of the recent “Oslo meeting” where proponents of ECMAScript 3.1 (incremental improvements to JS as it exists today) and 4 (massive, sweeping changes including many new programming constructs) harmonised their differences. The combined effort is closer to 3.1 than it is to 4, which I think is the right decision.
MapIconMaker. Extension API that lets you programatically construct a Google Maps bubble marker icon with a custom size, gradient and stroke colour. Under the hood it uses the Google Chart API with the (undocumented?) “mm” chart type.
Facelift Image Replacement. Like sIFR but with JavaScript and a PHP text rendering component. I question the need for the JavaScript if you’re already generating the images on the server, but the actual generation script is nicely done—it makes smart use of ImageMagick and caches the generated images.
How Comet Brings Instant Messaging to meebo. “What started off as a hack appears to be fulfilling one of the most basic needs of the Web, which is live synchronous interaction”—Jian Shen
Firebug Lite 1.2 (via) Huge upgrade to the IE/Opera/Safari bookmarklet version of Firebug—it now has DOM element inspection, XHR tracking and an interactive console, among other features.
Dojango version 0.3 released. A reusable Django application that provides Dojo, helper functions (dojo.data integration) and tools for switching between Dojo versions.
window.name Transport. The cleverest use of the window.name messaging hack I’ve seen yet: Dojo now has dojox.io.windowName.send for safe, performant cross-domain messaging.
php: rfc: closures (via) I never thought I’d see the day, but a patch adding closures to PHP has been both proposed and accepted! Looks like a solid implementation—the syntax is similar to JavaScript but makes explicit which variables are to be captured. As with much of PHP, values are copied in to the closure by default but you can use an ampersand to specify JavaScript-style pass-by-reference instead.
quipt (via) Extremely clever idea: Cache JavaScript in window.name (which persists between page views and can hold several MB of data), but use document.referrer to check that an external domain hasn’t loaded the cache with malicious code for an XSS attack. UPDATE: Jesse Ruderman points out a fatal flaw in the comments.
A browser sniffing warning: The trouble with Acid3 and TinyMCE. Opera recommend “bug detection”, a step up from object detection and browser sniffing where your JavaScript includes mini unit test style fragments of code designed to test if buggy behaviour you are working around still affects the user’s browser.
eval() Kerfuffle. The ability to read supposedly private variables in Firefox using a second argument to eval() will be removed in Firefox 3.1.
Javascript protocol fuzz results. If your HTML sanitizer uses blacklisting rather than whitelisting here are a few more weird ways of injecting javascript: in to a link that you need to worry about—but you should really switch to whitelisting http:// and https:// instead.
Module Pattern Provides No Privacy... at least not in JavaScript(TM) (via) JavaScript variables hidden inside a closure aren’t as hidden as I thought—it turns out you can pass a closure as the second argument to eval (at least in Firefox) and “steal” private variables back out of it.
BUG: XSS Security flaw in BaseCamp Messages (via) BaseCamp lets users include HTML and JavaScript in messages, on the basis that anyone with a BaseCamp account is a trusted party. I’m not convinced: you could use this to circumvent BaseCamp’s access control stuff and read messages you’re not meant to. On the flip side, you could also use this to add brand new features to BaseCamp by using JavaScript in a message as a server-side equivalent to Greasemonkey.