Simon Willison’s Weblog


May 2008

May 13, 2008

Session variables without cookies. Brilliant but terrifying hack—you can store up to 2 MB of data in window.name and it persists between multiple pages, even across domains. Doesn’t work with new tabs though, and storing JSON in it and eval()ing it is a bad idea—a malicious site could populate it before sending the user to you.

# 9:59 pm / javascript, json, crossdomainstorage, sessions, eval, security
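The safe way to read state back out of window.name, as an added example that is not code from the original post: because a page on any other origin can set window.name before sending the browser here, the value is untrusted input, so it is parsed with JSON.parse rather than eval() and only the fields we expect, in the shape we expect, are kept. The field names and validators are assumptions for the example.

```javascript
// Added example, not code from the original post: keep session state in
// window.name without eval(). A page on any other origin can populate
// window.name first, so treat it as untrusted input: JSON.parse it and
// keep only known fields that pass validation. SESSION_FIELDS is assumed.

const MAX_NAME_LENGTH = 2 * 1024 * 1024; // the roughly 2 MB limit the post mentions

const SESSION_FIELDS = {
  user: (v) => typeof v === 'string' && /^[a-z0-9_]{1,32}$/i.test(v),
  cart: (v) => Array.isArray(v) && v.every((n) => Number.isInteger(n) && n > 0),
};

// Returns a validated session object, or null when window.name holds nothing usable.
function parseSessionName(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_NAME_LENGTH) {
    return null;
  }
  let data;
  try {
    data = JSON.parse(raw); // JSON.parse cannot execute code; eval() would
  } catch (e) {
    return null; // not JSON at all: treat as "no session", not as an error
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  const session = {};
  for (const [key, isValid] of Object.entries(SESSION_FIELDS)) {
    if (!Object.prototype.hasOwnProperty.call(data, key)) continue;
    if (!isValid(data[key])) return null; // one bad field rejects the whole blob
    session[key] = data[key];
  }
  return session; // unknown keys (including "__proto__") are dropped, not carried along
}

// Serialises a session for window.name; throws rather than silently truncating.
function serializeSessionName(session) {
  const out = {};
  for (const [key, isValid] of Object.entries(SESSION_FIELDS)) {
    if (key in session && isValid(session[key])) out[key] = session[key];
  }
  const raw = JSON.stringify(out);
  if (raw.length > MAX_NAME_LENGTH) throw new Error('session too large for window.name');
  return raw;
}

// In a browser: const session = parseSessionName(window.name) || {};
//               window.name = serializeSessionName(session);
```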

May 14, 2008

Django: security fix released. XSS hole in the Admin application’s login page—updates and patches are available for trunk, 0.96, 0.95 and 0.91.

# 7:49 am / django, security, xss

Google Maps now shows photos and Wikipedia articles. Click the “More...” button. My first thought was “how do they get so many photo markers on the map?”—Firebug shows that they’re generating tiles on the server containing multiple photo markers, then when you click on one an Ajax call checks which photo is in that particular spot.

# 7:10 pm / google-maps, javascript, ajax, wikipedia

Google Doctype. So now we know what Mark Pilgrim’s been doing at Google... heading up a project to create an encyclopaedia of web development. The JavaScript UI for browsing it is a bit weird (though you do at least get real pages if you disable JavaScript in your browser).

# 8:30 pm / googledoctype, mark-pilgrim, documentation, google

Doctype on Google Code. Alternative way of browsing Google Doctype—if you link to articles here instead of using the permalinks in the official version non-JavaScript user agents will be able to access the content you’ve linked to.

# 8:34 pm / google, javascript, googledoctype

Doctype: /trunk/goog. Google’s newly released JavaScript library (pure JavaScript, so more along the lines of YUI and jQuery than GWT). I haven’t found the documentation for it yet, but the code is extremely well commented. UPDATE: The documentation is spread throughout Doctype.

# 9:12 pm / jquery, goog, google, googledoctype, gwt, javascript, dojo, libraries, yui

goog/useragent/iphoto.js. The Goog library includes code to detect the user’s installed version of iPhoto, based on reverse engineering the Mac.com Gallery RSS feeds. This has Mark Pilgrim written all over it.

# 9:21 pm / mark-pilgrim, iphoto, javascript, goog, googledoctype

May 15, 2008

Engineering @ Facebook: Facebook Chat. The new Facebook Chat uses Comet (long polling with a hidden iframe) against a custom web / chat server written in Erlang, designed to handle a launch to all 70 million users at once. It was tested using a “dark launch” period where live pages simulated chat request traffic without showing any visible UI.

# 7:55 am / facebook, comet, javascript, erlang, darklaunch, scaling

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole.

# 8:06 am / jeremiahgrossman, flash, javascript, security, csrf, xss, crossdomainxml
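A small audit of a crossdomain.xml policy for the two failure modes the entry warns about (a bare `*`, and a broad circle of trust where one XSS-able domain exposes the site), as an added example that is not code from the original post or from the linked article. It parses `<allow-access-from>` elements with a plain regex; the sample policy is constructed for the example.

```javascript
// Added example, not from the original post: flag the risky entries in a
// crossdomain.xml policy. "*" means any Flash movie anywhere can make
// credentialed requests to this site, so CSRF defences no longer apply;
// every other trusted domain is only as safe as its weakest XSS hole.
// SAMPLE_POLICY is constructed for this example.

const SAMPLE_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="partner.example.net" />
</cross-domain-policy>`;

// Returns one finding per <allow-access-from> element, most severe first
// in the order they appear, so an empty array means nothing is granted.
function auditCrossDomainPolicy(xml) {
  const findings = [];
  const elementRe = /<allow-access-from\b([^>]*)>/g;
  let m;
  while ((m = elementRe.exec(xml)) !== null) {
    const attrs = m[1];
    const domainMatch = attrs.match(/\bdomain="([^"]*)"/);
    if (!domainMatch) continue; // malformed element grants nothing
    const domain = domainMatch[1];
    if (domain === '*') {
      findings.push({ domain, severity: 'critical',
        reason: 'any site may make credentialed cross-domain requests; CSRF protection is void' });
    } else if (domain.startsWith('*.')) {
      findings.push({ domain, severity: 'high',
        reason: 'every subdomain is trusted; an XSS hole on any one of them exposes this site' });
    } else {
      findings.push({ domain, severity: 'medium',
        reason: 'trusted domain; an XSS hole there grants its scripts access here' });
    }
  }
  return findings;
}

// Convenience check for a deploy-time gate: true when nothing is wildcarded.
function policyHasNoWildcards(xml) {
  return auditCrossDomainPolicy(xml).every((f) => f.severity === 'medium');
}
```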

Cubescape. Beautiful isometric cube building tool by Cameron Adams, written in JavaScript and jQuery.

# 8:40 am / isometric, cubescape, cameronadams, javascript, jquery

Using Git as a versioned data store in Python. gitshelve supports the same interface as Python’s built-in shelve module but stores things to a versioned Git repository instead of just a pickled dictionary. I’ve been casually wondering what a Git-powered CMS would look like.

# 3:25 pm / git, cms, gitshelve, python

May 16, 2008

Firebug Command Line API. Another thing I didn’t know about Firebug: you can set a breakpoint at the start of a function with “debug(fn)” and log all calls to it with “monitor(fn)”.

# 12:14 pm / firebug, debugging, javascript

May 17, 2008

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. "Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," she said. "When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities."

Dan Goodin

# 11:31 pm / mcafee, idiotic, security

Dopplr place googlemaps, with and without Yahoo Geo API bounding box adjustment. Dopplr uses Geonames for most geo information, but is now mixing in bounding box data from the Yahoo! Geo web service to improve the default zoom level for their maps. The JSON callback API means no server-side code is required on Dopplr’s end.

# 11:35 pm / json, dopplr, geonames, yahoogeo, whereonearth, matt-biddulph, jsonp, javascript, mapping

May 18, 2008

GeoNames Commercial Webservices. Wikinear has been loading slowly recently, so I’ve signed up for GeoNames’ very reasonably priced commercial plan, which provides access to better servers at their end. This might speed things up to the point that I can reliably run the site on Google AppEngine, which times out aggressively if an external HTTP request takes too long.

# 10:32 am / wikinear, geonames, web-services, googleappengine

AOP aspect of JavaScript with Dojo. Fantastic post—concisely explains Aspect Oriented Programming, then shows how Dojo’s dojox.lang.aspect brings AOP to JavaScript, including some really useful built-in aspects for logging, profiling and more. Aspects are like Python decorators on steroids.

# 10:45 am / aspects, aop, javascript, decorators, python, dojo, dojox, eugenelazutkin

May 22, 2008

Debugging Django

I gave a talk on Debugging Django applications at Monday’s inaugural meeting of DJUGL, the London Django Users Group. I wanted to talk about something that wasn’t particularly well documented elsewhere, so I pitched the talk as “Bug Driven Development”—what happens when Test Driven Development goes the way of this unfortunate pony.

The slides [... 1,759 words]

On-board vs. Off-board Comet. Useful distinction. On-board comet runs on the same server as the rest of your application; Off-board comet is served from a separate server (generally a subdomain) and a separate stack. If you want to stick with PHP, Rails or Django for the rest of your site off-board comet looks like the way to go.

# 5:02 pm / comet, php, rails, django, joe-walker

Search Engine Optimization Through Hoax News. Devious new black-hat SEO technique: invent a news story that’s pure link-bait. The recent “13 year old steals dad’s credit card to buy hookers” story was a hoax: it was a pure play for PageRank.

# 6:09 pm / seo, pagerank, google, blackhat

May 23, 2008

Scoble writes something - 6,800 writes are kicked off, 1 for each follower. Michael Arrington replies - another 6,600 writes. Jason Calacanis jumps in - another 6,500 writes. Beyond the 19,900 writes, there's a lot of additional overhead too. You have to hit a DB to figure out who the 19,900 followers are. [...] And here's the kicker: that giant processing and delivery effort - possibly a combined 100K disk IOs - was caused by 3 users, each just sending one, tiny, 140 char message. How innocent it all seemed.

Israel L'Heureux

# 7:28 pm / twitter, scaling

May 24, 2008

On the spot. Did you know Jupiter just grew a third spot? Apparently the spots are storms, and the largest has been raging for several centuries.

# 6:25 pm / brian-hayes, jupiter, astronomy

May 25, 2008

mod_wsgi: Debugging Techniques. mod_wsgi is excellent software, and the documentation is equally superb. I used these instructions recently to run the Python debugger inside a running instance of Apache, which helped me track down some import errors that weren’t occurring with Django’s development server.

# 1:34 pm / modwsgi, django, python, debugging, pdb

Richard Feynman and The Connection Machine. Too much great stuff in here to attempt to summarise.

# 2:01 pm / richard-feynman, theconnectionmachine

Walk, Don’t Run (via) A retrospective look at Grim Fandango (possibly my favourite game of all time) and the fan community that are keeping it alive, nearly a decade after it was first released.

# 2:04 pm / grim-fandango, theescapist, games

LastGraph 3. Andrew Godwin’s last.fm profile visualisation tool, now in its third incarnation.

# 2:05 pm / lastfm, andrew-godwin, lastgraph, lastgraph3

Easy way to reset your sleep cycle: Stop eating (via) New research shows that you can quickly reset your sleep cycle by not eating for 12-16 hours and then using breakfast to flip into another time zone. I get clobbered by jet lag when I fly from the US to Europe; this could be really useful.

# 2:11 pm / travel, jetlag

Debugging Django, a slidecast. I used SlideShare’s slidecast tool for the first time to synchronize audio of my Django London User Group talk with the slides. The talk included several live demos which aren’t represented in the slides so it’s a bit piecemeal in places.

# 2:47 pm / debugging, slideshare, slidecast, django, speaking, djugl

Twitter / MarsPhoenix. NASA’s Mars Phoenix lander, due to land on the planet today, has a Twitter account. Bio: “I dig Mars!”.

# 7:41 pm / marsphoenix, mars, nasa, twitter

May 26, 2008

Craigslist is fighting back. Its latest gimmick is phone verification. Posting in some categories now requires a callback phone call, with a password sent to the user either by voice or as an SMS message. [...] Spammers tried using their own free ringtone sites to get many users to accept the Craigslist verification call, then type in the password from the voice message. Craigslist hasn't countered that trick yet.

John Nagle

# 8:40 am / spam, phonecall, sms, callback, craigslist

QUnit. The jQuery unit testing framework is now documented and supported as a separate project.

# 5:31 pm / qunit, jquery, javascript, testing, unittests
