Simon Willison’s Weblog

Subscribe

Friday, 29th August 2008

Capital Radio’s London Guide. Worth pointing out: the search / map interface on this page is one of the best examples of progressive enhancement I’ve ever seen. Try disabling JavaScript and see what happens. It seems like most developers just can’t be bothered with this kind of attention to detail these days, which disappoints me.

# 1:48 am / accessibility, capitalradio, google-maps, javascript, londonguide, progressive-enhancement, unobtrusive-javascript

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers.

# 2:01 am / html, httponly, javascript, jeff-atwood, sanitization, security, xss

New authentication schemes such as OpenID, or Microsoft's CardSpace, may help as adoption increases. These systems make it possible to register for one site using credentials verified by another. Instead of having many sites with poor verification procedures, the internet could have a few sites with strong verification procedures, that are then used by others. The advantage for the user is that they no longer have to jump through multiple hoops for each new site they encounter.

Tim Anderson, in the Guardian

# 10:01 am / captcha, cardspace, guardian, openid, security, tim-anderson

WolfenFlickr 3D—An unlikely mashup. Brilliant: Wolfenstein 3D style raycasting in JavaScript with images on the walls that have been pulled in using Flickr’s JSONP API.

# 10:24 am / flickr, javascript, jsonp, raycasting, wolfenflickr, wolfenstein3d