Simon Willison’s Weblog

September 2007

Sept. 25, 2007

Sun’s OpenID IdP: Real vs Fake. The thinking behind Sun’s decision to allow users of their OpenID provider to pick fake names and assign personal e-mail addresses.

# 10:39 pm / privacy, identity, openid, pii, sun, sunmicrosystems, lauren-wood

Firefox 3 Antiphishing Sends Your URLs To Google. Stories like this crop up every now and then, but no one ever seems to mention that the Google Toolbar has been doing this since it was released (more than five years ago) provided you have PageRank display turned on.

# 11:04 pm / pagerank, google, privacy, firefox, mozilla, firefox3, toolbars, google-toolbar

Sept. 26, 2007

DOMContentLoaded for IE, Safari, everything, without document.write. Stuart has taken Hedger’s recent IE technique, combined it with the others and compressed it into a short-as-possible code snippet that you can paste into your scripts without having to include the whole of jQuery/YUI/Dojo/Prototype.

# 12:19 pm / ondomready, safari, ie, documentwrite, javascript, stuart-langridge, dom-scripting, unobtrusive-javascript

I have another technique [...] that I'll be switching jQuery to. If you attempt to insert into the document.body before the document is fully loaded, an exception is thrown. I take advantage of that to determine when the document is fully loaded.

John Resig

# 12:21 pm / ie, domcontentloaded, jquery, javascript, unobtrusive-javascript

Announcing the Dopplr 100. Similar to how Facebook used to only allow college e-mail addresses, Dopplr is now open to holders of e-mail accounts from 100 large corporations. The blog release doesn’t specify if each corporation gets its own special “group” within the application; that would be a neat touch.

# 4:34 pm / dopplr, facebook, email, invitations

djangogigs.com—from idea to release in 6 hours. Now that’s what I call rapid development.

# 4:53 pm / django, django-gigs, rapiddevelopment

Sept. 27, 2007

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge.

# 10:29 am / gmail, security, google, csrf, vulnerability

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks.

# 1:55 pm / webrunner, security, csrf, browsers, twitter, gmail, xulrunner, sitespecificbrowsers

WordPress 2.3: Canonical URLs. Fantastic to hear that WordPress 2.3 supports this, and that they picked the right terminology for it (I’ve called the same thing “disambiguated URLs” in the past).

# 2:03 pm / wordpress, disambiguatedurls, canonicalurls, urls, mark-jaquith

Halo 3 Site Demonstrates Flaws in SilverLight. The Halo 3 “interactive manual” is like a throwback to Flash in the late 90s—“skip intro”, pointless transitions, text you can’t select or enlarge, links that aren’t links—all wrapped up in an ugly blob (only this time it’s XML instead of binary data).

# 2:38 pm / halo3, microsoft, flash, usability, silverlight

DbMigration—a schema migration tool for Django. Nice and simple tool for adding schema migrations to a Django application.

# 3:04 pm / django, orm, djangoorm, migrations, sql, python

Large codebases are the problem, not the language they're written in. Find a way to break/decompose big codebases into little ones.

Bill de hÓra

# 3:11 pm / bill-de-hora, programming, complexity, lesscode

CSS Sprite Generator (via) Upload a zip file of images and get back a CSS sprite plus a set of pre-calculated background image rules. Tool built by Ed Eliot and Stuart Colville for their forthcoming book “High Performance Web Site Techniques”.

# 10:59 pm / edeliot, csssprites, css, performance, spritegenerator, stuart-colville

Sept. 28, 2007

hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order.

# 9:10 am / csrf, stuart-langridge, crossdomain, json, api, accounts

Kosmos Distributed File System (via) New open source distributed filesystem similar to Google’s GFS.

# 9:12 am / richskrenta, open-source, gfs, goggle, kfs

OLPC Peru/Arahuay. A fascinating case study of the introduction of the XO to a school in Peru. It’s really exciting to see the project starting to make an impact.

# 11:56 pm / olpc, xo, peru

Sept. 30, 2007

Currently WebRunner applications share cookies with other WebRunner applications, but not with Firefox. WebRunner uses its own profile, not Firefox's profile. There is a plan to allow WebRunner applications to create their own, private profiles as well.

Mark Finkle

# 4:08 pm / cookies, firefox, csrf, mark-finkle, webrunner, sitespecificbrowsers, security

Designing for a security breach

User account breaches are inevitable. We should take that into account when designing our applications.

[... 545 words]

Idea: The Histogram as the Image. How to hide the New York City skyline in the histogram of an image.

# 9:34 pm / histogram, image, graphics

Email addresses your OpenID via DNS. Sam Ruby has warmed to the idea of making e-mail addresses usable as OpenIDs via a DNS SRV record.

# 9:36 pm / dns, srv, sam-ruby, openid, email