Simon Willison’s Weblog

Is your Rails application safe? (via) update_attributes(params[:foo]) in ActiveRecord is an anti-pattern.

# 8:28 pm / antipattern, activerecord, rails, security

Google’s Usability Research on Federated Login. Fascinating—suggests an approach to federated auth based on the Amazon.com “Yes, I have a password” login flow. Feels convoluted to me but apparently it tests really well against a mainstream audience. The more research shared around this stuff the better.

# 8:56 pm / google, usability, openid, login, amazon, authentication, federated

bpgsql. Barry Pederson’s pure Python PostgreSQL client library now ships with a Django backend.

# 11:42 am / python, postgresql, django, barry-pederson, bpgsql

Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped.

# 9:40 am / pdf, http, csrf, paypal, logincsrf, phishing, security, xrequestedby

Mark Zuckerberg speaking at FOWA. The Future of Web Apps Expo is just a few weeks away, and Mark Zuckerberg is the surprise keynote. I’m chairing the developer track again this year.

# 1:11 pm / events, carsonified, fowa, facebook, future-of-web-apps, mark-zuckerberg

Decorator to limit request rates to individual views. Neat piece of code for public facing web APIs written in Django. Update: some smart criticisms in the comments.

# 1:13 pm / django, decorators, apis, python, rate-limiting

csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs!

# 2:52 pm / projects, code, php, csrf, security, middleware, outputbuffering

Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is.

# 4:08 pm / dojox, dojo, javascript, security, sandboxing, adsafe, kriszyp, dojoxsecure, mashups

Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary.

# 10:18 pm / google, alf-eaton, security, csrf, logincsrf

html-whitelist (via) DeWitt Clinton’s web service wrapper aroud the html5lib HTML sanitiser, hosted on AppEngine.

# 11:54 pm / appengine, dewitt-clinton, sanitisation, html5, html5lib, security

freebase-suggest (via) A jQuery plugin that performs auto-completion against the Freebase JSONP API, and allows the results to be limited to specific categories or subsets.

# 11:58 pm / autocomplete, freebasesuggest, freebase, javascript, jquery, metadata, jsonp

Reia. The most common complaint I see about Erlang is the syntax. Reia is a Python-style scripting language (with a dash of Ruby) that runs on the Erlang virtual machine. Looks promising.

# 6:12 pm / reia, erlang, python, ruby, programming

Cheap, Easy Audio Transcription with Mechanical Turk. Andy Baio’s in-depth tutorial on submitting HITs to Mechanical Turk. I hadn’t realised how straight forward and powerful the interface has become.

# 6:37 pm / andy-baio, mechanicalturk, amazon, hits, transcription

Wario Land: Shake It—Amazing footage! Some virals really do deserve linking to.

# 4:46 pm / viral, youtube, flash, wario, wii, ad

Flickr Engineers Do It Offline. Flickr wrote their own queuing mechanism (in PHP), and currently run ten queue servers on dedicated hardware for tasks like pushing new photos in to indexes, denormalisation and “backfills” which move data between clusters and run bulk scripts against large numbers of existing rows.

# 1:24 am / flickr, message-queues, denormalisation, backfills, queues

James May’s Big Ideas: Come Fly with Me (via) The BBC made an hour-long documentary on Ekranoplans! It’s available for the next 21 days on the iPlayer (UK residents only).

# 11:07 pm / ekranoplans, bbc, iplayer, james-may, documentary, tv

CSS Systems for writing maintainable CSS. Nat has published the slides and notes from her BarCamp presentation this morning. I’m really excited about her approach, which involves designing a “CSS system” of markup patterns and CSS that embodies the design of an individual site. Future maintenance can then take this overall system in to account, which is assisted by a defined ordering system and shared vocabulary.

# 11:30 pm / csspatterns, css, markup, maintainability, natalie-downe, barcamplondon5

A Brief Tour of Graphd. The secret sauce behind Freebase—a custom written graph server that models everything as a typed, versioned relationship and can churn through over 3,000 simple queries a second on a single AMD64 core.

# 11:32 am / freebase, grahd, graphserver, databases

Popular Websites Vulnerable to Cross-Site Request Forgery Attacks. Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature.

# 1:08 pm / csrf, edfelten, bill-zeller, security, ingdirect, youtube, metafilter, new-york-times