frank posted LIVE: Google Makes Major Announcements at Google I/O.
frank posted WebKit Is Great, But Isn’t the Great Unifier.
frank posted WebM and Google’s Web-video plan (FAQ).
frank posted Flash kills browsing in Android 2.2 Froyo.
frank published Lovin’ the WordPress plugin ecosystem.
I’m a sucker for simple things and in my book, WordPress (the open source software) is a great example of a simple yet powerful solution for publishing on the web. The last few days I experienced its plugin ecosystem to be just as simple and powerful.
If you have a plugin to share and you:
- register on wordpress.org
- fill out a form to submit your plugin for inclusion in their repository
- after confirmation, upload your code (together with a structured readme file) via svn
then, boom, automatically:
- plugin pages (for description, installation, FAQ, changelog, …) are created and populated with information from the readme and the base PHP file
- a zip file containing your stable version is created
- your plugin is listed on the “new plugins” page
Before you know it, you’ve got a bunch of real users (wp-youtube-lyte was downloaded 128 times in 2 days) who can rate your plugin and provide you with feedback. And every time you upload a new stable version via svn, a new zip file is created and your users get a notification in their wp-admin pages, allowing them to upgrade by simply clicking the upgrade link. Don’t you love it when a plan comes together?
But enough raving already, got to go create that admin-page for my plugin now, as requested by a user. I’m a sucker for real users!
frank posted USB & WiFi Tethering Built Into Android 2.2.
frank posted The Tell-Tale Beat.
frank published Web API security basics.
frank posted Google I/O Will Be Chrome’s Time to Shine.
frank posted Browser fingerprinting.
frank published Lite YouTube Embeds in WordPress.
frank posted cross-browser Greasemonkey scripts.
frank posted Projekktor: Simply Mighty Video.
“The whole thing sounds easy enough to implement, but I have some doubts that it will open the project to an XSS attack of some sort. Don’t really know why, though. :-)”

We mailed a bit more about the risks of cross site scripting and then he wrote the following:

“Sadly we can have malicious JS problems since cleaning up of incoming data is optional.”

For an unrelated project I asked about authentication for a write operation in the API and the reply was:

“Authentication is not in the API yet. Currently you must include a session cookie along with API requests to perform a write, but the cookie itself is the one you get from logging in [in the web front end] as you would normally.”

Which sounds a lot like “we support cross site request forgery out of the box” … As with normal web applications, web API security is an important (but complex) issue, which is not always easy to grasp. Based on a basic understanding of things, the following guidelines can go a long way toward securing things both on the API side and on the client:
- Know who you’re dealing with: disable API access for your users by default (allowing them to opt in), provide bullet-proof authentication and session management in the API, and throw in a synchronizer token to prevent cross site request forgery
frank posted WPO – Web Performance Optimization.
frank posted Mozilla, HTML5 editor differ with Microsoft.
frank Frank with his face in a car window and in the hospital … ouch..
frank posted appendChild vs insertBefore.
frank posted Firefox 4: HTML5 and Native JSON Store.