Simon Willison’s Weblog

Page Inlink Analyzer (via) Here’s why I’m so keen on JSONP APIs—Eric Miraglia’s tool fires off dozens of cross-domain JSON requests to pull together information about inbound links to your site from Yahoo! Site Explorer and del.icio.us. I imagine it would have been uneconomic for him to provide the tool if it had to proxy every request through his own server.

# 15th October 2008, 5:23 pm / jsonp, eric-miraglia, json, javascript, apis, delicious

Browser Paint Events. The latest Firefox nightlies include a new MozAfterPaint event which fires after a portion of the page has been redrawn and provides co-ordinates of the affected rectangle. John Resig provides a neat bookmarklet that uses the new event to visualise repainting operations.

# 14th October 2008, 1:08 pm / mozafterpaint, mozilla, javascript, firefox, john-resig

Antisocial. Matt Westcott (a.k.a. Gasman) provides some technical background to his awesome Antisocial 3D canvas demo.

# 9th October 2008, 6:42 pm / javascript, canvas, 3d, demoscene, matt-westcott, gasman

Antisocial: a Javascript demo by Gasman. The demo is cool (3D on top of canvas); the “demotool” editor is simply amazing.

# 8th October 2008, 3 pm / demo, demotool, gasman, matt-westcott, antisocial, 3d, canvas, javascript

Dealing with UI redress vulnerabilities inherent to the current web (via) The best explanation of clickjacking I’ve seen yet, complete with discussion of a number of non-ideal potential solutions. It looks like frame busting JavaScript will defeat it, but only for users who have JavaScript enabled—which means that in this case extensions like NoScript actually make you less safe. UPDATE: NoScript is smarter than I thought; see the comments.

# 7th October 2008, 9:59 am / javascript, noscript, clickjacking, security

Tweetersation. Nat and my latest side project: a JSONP API powered tool to more easily follow conversations between people on Twitter, by combining their tweets in to a single timeline.

# 2nd October 2008, 5:08 pm / twitter, jsonp, projects, natalie-downe, javascript, api, tweetersation

Google’s Wikipedia and Panoramio layers are now available in the API. I really like their use of reverse domain style identifiers for the layer IDs: map.addOverlay(new GLayer(“org.wikipedia”));

# 2nd October 2008, 11:59 am / google-maps, wikipedia, javascript, panoramio, glayer

freebase-suggest (via) A jQuery plugin that performs auto-completion against the Freebase JSONP API, and allows the results to be limited to specific categories or subsets.

# 24th September 2008, 11:58 pm / autocomplete, freebasesuggest, freebase, javascript, jquery, metadata, jsonp

Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is.

# 24th September 2008, 4:08 pm / dojox, dojo, javascript, security, sandboxing, adsafe, kriszyp, dojoxsecure, mashups

When Ajax Attacks! Web application security fundamentals. Slides and notes from my talk on web application security at @media Ajax last Tuesday.

# 20th September 2008, 4:16 pm / atmediaajax, atmediaajax2008, security, csrf, xss, slides, ajax, javascript, speaking, my-talks

Frame-Busting Gadgets. I’ve always been slightly suspicious of the Google Gadgets / OpenSocial idea of sandboxing untrusted third party content in an iframe. Sure enough, it turns out iframe busting scripts work in Gadgets, meaning a seemingly harmless gadget could potentially launch a phishing attack.

# 17th September 2008, 11:23 pm / framebusting, security, gadgets, opensocial, javascript, phishing

When Ajax Attacks! Web application security fundamentals. Slides and (other people’s) notes from my presentation at @media Ajax on Tuesday.

# 17th September 2008, 11:18 pm / ajax, atmediaajax, atmediaajax08, csrf, javascript, security, speaking, xss, recovered, my-talks

Gearshift. Whoa, a full migrations library written in JavaScript for Gears (which uses SQLite for its data store).

# 15th September 2008, 2:51 pm / sqlite, gears, google-gears, javascript, migrations, gearshift

Prototype based programming in python. Neat implementation of JavaScript-style prototype inheritance in Python.

# 11th September 2008, 5:50 pm / python, javascript, prototype

Dromaeo: JavaScript Performance Testing (via) This is one classy benchmark. Run it in as many browsers as you like (each run is saved to the server and assigned a run ID), then compare the results by appending ?id=[run1],[run2]... to the URL.

# 11th September 2008, 4:06 pm / john-resig, dromaeo, javascript, performance, benchmarks

Cappuccino Web Framework. Now open source (LGPL)—the Objective-C-in-JavaScript web application toolkit from 280 North, who are speaking at this year’s FOWA in October. Beautiful logo.

# 5th September 2008, 3:27 pm / open-source, lgpl, javascript, objectivej, cappuccino

V8 Design Elements. High level design details of Google’s V8 JavaScript engine, including how it uses “hidden classes” to optimise object property lookups and a bit of information on the machine code generation and garbage collection.

# 2nd September 2008, 11:58 pm / google, javascript, v8, chrome

Chromium. Google Chrome is out! Here’s the open source project, including the code for the new V8 JavaScript virtual machine.

# 2nd September 2008, 9:06 pm / google, browsers, open-source, v8, javascript, chromium, chrome

Google Chrome, the comic book (via) Google have finally announced a browser project, though it’s currently vapourware (or rather comicware), existing only as a Scott McCloud comic. Still, it looks fascinating—entirely open source, WebKit with a brand new JavaScript VM, every tab running in a separate process for smarter memory usage and some new UI concepts and anti-pishing measures thrown in as well.

# 1st September 2008, 7:45 pm / googlebrowser, google, scott-mccloud, javascript, webkit, phishing, antiphishing, usability, chrome

addSizes.js: Snazzy automatic link file-size generation. Posted to Nat’s snazzy new blog: a script that uses my json-head API to grab the file size of linked documents on a page and insert those sizes in to the document.

# 30th August 2008, 10:39 am / jsonhead, natalie-downe, addsizes, javascript, json, jsonp

WolfenFlickr 3D—An unlikely mashup. Brilliant: Wolfenstein 3D style raycasting in JavaScript with images on the walls that have been pulled in using Flickr’s JSONP API.

# 29th August 2008, 10:24 am / flickr, wolfenstein3d, javascript, wolfenflickr, raycasting, jsonp

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers.

# 29th August 2008, 2:01 am / html, sanitization, jeff-atwood, security, httponly, xss, javascript

Capital Radio’s London Guide. Worth pointing out: the search / map interface on this page is one of the best examples of progressive enhancement I’ve ever seen. Try disabling JavaScript and see what happens. It seems like most developers just can’t be bothered with this kind of attention to detail these days, which disappoints me.

# 29th August 2008, 1:48 am / capitalradio, londonguide, progressive-enhancement, javascript, accessibility, google-maps, unobtrusive-javascript

json-tinyurl. Because sometimes you want to be able to create a shorter version of a URL directly from JavaScript without hosting your own server-side proxy.

# 27th August 2008, 10:58 am / jsontinyurl, json, jsonp, appengine, projects, javascript, tinyurl

jeresig’s sizzle. Sizzle is a new selector engine (work in progress, no IE support yet) from John Resig, designed to be small, standalone, library agnostic and ridiculously fast. It should eventually replace jQuery’s current selector engine, but if it stays around 4KB it’s also going to be really useful for projects that don’t need the overhead of a full library.

# 24th August 2008, 11:41 pm / john-resig, javascript, jquery, selectors, sizzle

TraceMonkey. Brendan Eich has been preaching the performance benefits of tracing and JIT for JavaScript on the conference circuit for at least a year, and the results from the first effort to be merged in to Mozilla core are indeed pretty astounding.

# 22nd August 2008, 11:13 pm / john-resig, tracemonkey, javascript, mozilla, performance, brendan-eich, jit

Get Lat Lon now has a “Get my location (by IP)” button. It took all of five minutes to add using the new google.loader.ClientLocation API. The button is only visible if your location can be resolved.

# 22nd August 2008, 10:16 am / location, javascript, clientlocation, getlatlon, projects

Gears API Blog: Gears 0.4 is here! New features are Geolocation, a Blob API for dealing with arbitrary binary data, onprogress() events for tracking HTTP downloads and uploads (meaning progress indicators) and the built-in Gears dialogs localized to 40 languages.

# 22nd August 2008, 10:14 am / gears, geolocation, onprogress, javascript, blobapi, http

Google Code Blog: Two new ways to location-enable your web apps. The Gears Geolocation API isn’t very exciting just yet as it only really works on windows mobile devices, but the new google.loader.ClientLocation Ajax API is great—it gives you the user’s location based on looking up their IP address, saving you from needing to install a IP-to-geo lookup database.

# 22nd August 2008, 10:12 am / location, gears, geolocation, clientlocation, javascript, apis