futtta's blog

Gelezen bij Jan Seurinck; Flattr organiseert de “Pay a Blogger Day”. Maar ik moet geen geld voor m’n blog, niet via zo’n micropayments-knop en niet door middel van advertenties. M’n blog (en m’n WordPress plugins), dat is mijn 5 minutes of fame. Of dan toch de long tail versie; een heel klein beetje fame, verspreid over een schijnbaar eindeloos uitgerekte 5 minuten.

Geef uw geld dus gerust aan een goed doel, of ga er eens lekker mee eten, uw aandacht volstaat ruimschoots om de boel hier draaiende te houden. Maar ge moogt altijd “hallo” zeggen in de comments, bloggers hebben dat zo graag dat ze er speciaal een blogpost voor schrijven!

At work we were stumped by a simple link that upon clicking didn’t have the browser request the target page. Our supplier investigated using VisualEvent, a bookmarklet-initiated javasript-tool that goes through a page and visualizes all events on DOM nodes. The developer released VisualEvent 2 a couple of days ago (also on GitHub), which I played around with for a bit and it really is great for debugging purposes!

The culprit for the “broken” link by the way was a bug in an old version of SmoothScroll, a jQuery-plugin by fellow Belgian Mathias Bynens which ensures smooth scrolling when clicking on a in-page link. The plugin did check if the link was to an anchor on the same page, but it had already prevented the default action before that check was made, resulting in the broken link. The current version of the plugin does the check before the default action is prevented, so all is well, your weekend can start. Enjoy!

Although web security is something I like to dabble in, I can’t honestly say it always is on the top of my mind. Up until an hour ago, access to the vast amount of information that Google manages for me (including access to my Google Android account) was protected by nothing but a password. A rather strong password for that matter, but it wasn’t entirely random and it has been the same for quite some time now.

As access to important online services such as Google should ideally not only rely on just a password (session hijacking anyone?), I activated Google 2-step authentication. What this means is that access to Google (Mail, Docs, …) is now also limited to authenticated devices. If I try to access Google from another computer, I’ll have to authenticate the device using an SMS-challenge or a code generated by the Google Authenticator application on my Android-phone.

If you’re still unsure about what 2-step authentication entails, here’s a brief intro-video from Google:

So yeah, you can have my password now. Theoretically. If you really insist. But even if I do decide to give it to you, you still won’t be able to access my account. How’s that for peace of mind? And now off to Facebook security settings, to enable login notifications & approvals.

It was always my intention to elaborate on my small donottrack plugin for WordPress, but it was only when Automattic upgraded to the new asynchronous Quantcast code that I was forced to look actually dig in.

The new Quantcast-code doesn’t use the old-fashioned document.write, but inserts the javascript asynchronously with an insertBefore on the parent of the first script-node (as popularized by the asynchronous Google Analytics-code). Variations on this method would include e.g. using appendChild or adding it to head (although that might not exist).

A couple of months ago I experimented with the DomNodeInserted event, but that isn’t supported by all browsers. And even when it works, I found no consistent way to stop the tracking script (which was already added to the DOM, as the event is triggered after) from being loaded or executed. But last week while searching for a better solution I found a reference to javascript AOP on StackOverflow and after following some links I discovered the JQuery AOP-plugin.

JQuery AOP allows one to (amongst other things) add an advice around a method. When the method is called, the advice kicks in before the execution. The advice is a function which can investigate and change the parameters used by the method. And that’s exactly what the current version of DoNotTrack does; it has AOP.around (I’ve removed the JQuery dependency) catch insertBefore and appendChild, investigates the src-attribute and replaces that value if it points to quantserve.com before allowing the method execution to proceed.

scriptParent=document.getElementsByTagName('script')[0].parentNode;

aop.around( {target: scriptParent, method: /[insertBefore|appendChild]/},
        function(invocation) {
                if ((typeof(invocation.arguments[0].src)==='string')&&((invocation.arguments[0].tagName.toLowerCase()==='script')||(invocation.arguments[0].tagName.toLowerCase()==='img'))) {
                        if (sanitizer(invocation.arguments[0].src)===true){
                             invocation.arguments[0].src='javascript:return false;';
                        }
                }
                return invocation.proceed();
        }
);

I’m working on a more generic version of an AOP-based WordPress Privacy plugin now. In a first stage it will probably be based on a blacklist, that is editable in the WP Privacy options-screen but at a later date a whitelist-based approach will be added (based on an integration with webpagetest.org). Let’s add that to my New Years resolution for 2012, shall we?