Why you shouldn’t rely on ajax’s same origin policy

XmlHttpRequests (or “ajax“) is generally considered to be safe because it is restricted by the “same origin” policy, but that isn’t entirely correct. Consider the following: an ajax-call, like all http communication, consists of a request and a response. For read-operations the response is needed, for write-operations … that ain’t necessarily so!
So how can a “hacker” send a request for such a write-operation and have it executed (which amounts to  “cross site request forgery” actually)? There’s a number of  possibilities:

  1. Execute a GET-request by including it in the attack-site html as the src of a script, css or img tag, for all of which the same origin-policy does not apply.
  2. Using JavaScript to create a form, populate it and POST it, the same-origin policy does not apply to forms being posted.
  3. Just do a normal XHR-request, the same-origin policy applies, but some top-notch browsers will execute the request and just ignore the response (is that a bug or a feature?)

Conclusion: if you want to do anything more than read-requests on the same domain, you really-really-really have to protect your resources against CSRF using one of the techniques that are described in this wonderful OWASP CSRF cheat-sheet.

As found on the web (January 26th)

blog (feed #46)
generic (feed #50)
generic (feed #49)
facebook (feed #40)
frank Frank was gisteren nog stevig verkouden, maar voelt zich dankzij z’n vrouwtjes geneeskrachtige kippensoep vandaag een heel stuk beter! :-)..
generic (feed #50)
generic (feed #50)
blog (feed #46)
generic (feed #49)
facebook (feed #40)
frank Frank maakte een pannetje havermoutpap zoals hij dat 30 jaar geleden ook graag at :-)..

Did Flash really become irrelevant in 2010?

Little over a year ago I must have been smoking some weird shit when writing that Flash would become irrelevant in 2010. Because after all, this is 2011 and there’s still plenty of Flash for Adobe aficionados to make a living and the famous html5 video codec issue hasn’t been fully sorted out yet either. So I was wrong, was I? Well, … not really!
Apple still stubbornly refuses Flash on the iPhone and more importantly the iPad, Microsoft’s Internet Explorer 9 joined the HTML5-crowd in full force and even Adobe is going HTML5 with support in Dreamweaver and in Illustrator and with a preview of Edge, “a tool for creating animation and transitions using the capabilities of HTML5”.
But is was only in December 2010 that I knew I was dead on with my prediction, when I overheard this conversation at work between a business colleague and a web development partner:

Business Colleague: I would like a personalized dashboard with some nice-looking charts in my web application.
Web Development Partner: No problem, we’ll do it in Flash!
Business Colleague: No, we want this to work on the iPad too!

The year technology-agnostic decision-making business people started telling suppliers not to use Flash, that was the year Flash became irrelevant and “the open web technology stack” (somewhat incorrectly marketed as HTML5) took over.

Underworld live bij KCRW: paniek over kapotte knoppekes

De oudere jongeren van Underworld waren onlangs bij KCRW in de studio om daar wat muziek maken. Ze speelden onder andere “Two months off”, hieronder op YouTube. Best een fijn riedelke, meeslepend en zo, maar live in de radiostudio deed me dat toch niet veel. Tot er, 4 minuut 40 seconden ver in de trip, iets fout liep met een knoppeke of misschien wel met een hele sequencer. Karl Hyde gesticuleert dat de boel kapot is, Darren Price probeert Hyde met gebaren duidelijk te maken wat hij moet doen om de machinerie terug op gang te trekken, Rick Smith lijkt rustig “ik doe nog wel wat verder” te zeggen terwijl de roadie erbij wordt gehaald en Hyde ziet op 5 minuten 30 dat pakweg het volume gewoon op nul stond:

Underworld performing "Two Months Off" on KCRW

“So we mumbled a bit” eindigt Hyde. Hij is dan ook al 53.

How to do jQuery templates with jQote2

For a proof of concept I was preparing at work I needed a jQuery templating solution. Although there is beta templating support (contributed by Microsoft) in jQuery, I decided to implement jQote2 instead. This alternative jQuery plugin is small (3,2Kb minimized, 1,7Kb compressed), versatile and most importantly very, very fast!
So what do you need to know about jQote2 to get it working? Well, there’s 3 ingredients; data, template and javascript-code to put the data in the template.
The data can be fetched from an external source, e.g. this call to the iRail-api for departures from Brussels North.
The template is basically just HTML with some placeholders for your data:

<script type="text/x-jqote-template" id="liveboard_tmpl">
 <tr>
  <td class="left">
   <%= this.station %>
  </td>
  <td class="right">
   <%= this.time %>
  </td>
  <td class="right">
   <%= this.platform %>
  </td>
 </tr>
</script>

The javascript fetches the data using jQuery’s getJson, parses all departures in the template and adds the resulting HTML to an element in your DOM (in this case #liveboard’):

<script type="text/javascript">
$(document).ready(
	function() {
		$.getJSON(
			'http://api.irail.be/liveboard/?format=json&station=Brussel%20Noord&lang=EN&arrdep=DEP&callback=?',
			function(data) {
					$('#liveboard').jqoteapp('#liveboard_tmpl', data.departures.departure);
			}
		)
	}
);
</script>

Off course the UNIX-timestamp in this.time isn’t really usable, but we can easily add some javascript to the template, just before outputting the time, to fix that;

<% this.time=((new Date((Number(this.time))*1000)).toLocaleTimeString()).substr(0,5); %>

That’s right, use “<%” instead of “<%=” and you can mingle javascript in the template. To only show trains that have not left and to show departures including delay, the template looks like this:

<script type="text/x-jqote-template" id="liveboard_tmpl">
<% if (this.left!="1") { %>
 <tr>
  <td class="left">
   <%= this.station %>
  </td>
  <td class="right">
   <% if (this.delay!="0") {
    this.time="<span class=\"delayed\">"+((new Date((Number(this.time)+Number(this.delay))*1000)).toLocaleTimeString()).substr(0,5)+"</span>";
   } else {
    this.time=((new Date((Number(this.time))*1000)).toLocaleTimeString()).substr(0,5);
   } %>
   <%= this.time %>
  </td>
  <td class="right">
   <%= this.platform %>
  </td>
 </tr>
<% }; %>
</script>

Add some CSS and you’ll quickly have something like the demo you can find here. Just look at the code, it’s pretty straightforward and check out the jQote2 reference for even more info.

As found on the web (January 12th)

generic (feed #49)
youtube (feed #51)
blog (feed #46)
generic (feed #49)
generic (feed #49)
generic (feed #49)
generic (feed #50)
generic (feed #50)

Website performance: impact of web fonts

Although it was possible to embed fonts in web pages even during the dark ages of the internet, 2010 was the year when the pieces of the web typography puzzle really fell into place, Designers, Marketeers and especially “brand identity guards” are ecstatic about this evolution.
But there’s little to be found on the performance impact of web fonts. Because you’re downloading extra files, so there must be some impact, no? I created 4 identical pages; one without non-browser-native fonts, one with Cufon (which I already knew I wasn’t fond of), one with the hosted Google Font solution and one with local fonts (from fontsquirrel.com). Those 4 pages were analyzed by webpagetest.org (3 runs on IE8 from the Amsterdam node). These are the results:

doc complete (s)# requestsdownload size (Kb)diff with basic (s)full testresult url
basic1.50721135http://www.webpagetest.org/result/110106_1Y_7S9K/3/details/
cufon2.452261760.95http://www.webpagetest.org/result/110106_F8_7S9P/1/details/
webfont (local)1.807231890.30http://www.webpagetest.org/result/110106_V3_7SBD/1/details/
webfont (google)1.771231620.26http://www.webpagetest.org/result/110106_S4_7SM2/3/details/

As was to be expected and confirmed in the Google Webfonts FAQ, even the fastest method (hosted Google Fonts) is 0,26s slower then the version without web fonts. Locally hosted fonts are marginally slower, but that’s because (for reasons I don’t fully understand) 2 font-files were loaded instead of only 1 in the Google Fonts-powered page. Cufon isn’t really worth mentioning here, it’s dead-slow and has become rather irrelevant I guess. I did not test a version with images instead of web fonts, but that would probably yield approximately the same result (5 image files, each somewhere between 4 and 8Kb?) and is sub-optimal form a SEO and accessibility point of view.
So 0,3 seconds, that’s not too bad, no? Or is it? If you’re creating an online shop, Amazon’s experience might be of particular interest here; every 100ms delay costs them 1% in sales. So are you willing to lose 3% revenue just to have those nice fonts, which your visitors probably couldn’t care about less?
My advice; don’t use web fonts if you value performance. And you should consider performance a top priority, not just for sales’ sake, but because raw website performance also impacts usability and search engine ranking.
If your brand identity manager insists on using the right fonts, performance be damned, then try to at least follow these basic best practices:

  • have the CSS that defines your fonts (with font-face) as early in your HTML as possible and  certainly before any script is loaded
  • use Google’s hosted font-solution if possible; it’s fast, the CSS is optimized for the browser that requests it and there’s a lot of free fonts at your disposal
  • if you have to host the fonts yourself, make sure to serve the WOFF format (the new standard) and SVG (for iPhone/iPad) next to the more traditional TTF (the “old” standard) and EOT (for MSIE)
  • if you’re hosting your own fonts, configure your webserver to on-the-fly compress ttf, svg & eot-files (woff-files are already compressed) and set expire-headers for all fonts in the far future to allow optimal caching (example for Apache):

AddType font/ttf .ttf
AddType font/x-woff .woff
AddType image/svg+xml .svg
AddType application/vnd.ms-fontobject .eot
ExpiresByType font/ttf “access plus 30 days”
ExpiresByType font/x-woff “access plus 30 days”
ExpiresByType image/svg+xml “access plus 30 days”
ExpiresByType application/vnd.ms-fontobject “access plus 30 days”
AddOutputFilterByType DEFLATE font/ttf application/vnd.ms-fontobject image/svg+xml

Afscheid in mineur; Mick Karn

Gisteren overleed Mick Karn in Londen aan kanker. Karn speelde fretless bas (en saxofoon en klarinet) bij Japan en werkte daarna, in de jaren ’80, samen onder andere Kate Bush, Joan Armatrading, Midge Ure en Gary Newman. Z’n latere solo-werk en albums met Steve Jansen, Richard Barbieri en David Torn waren funky, jazzy, maar vooral eigenzinnig. Muziek voor muzikanten, misschien wel. Karn had een heel persoonlijke, intense stijl, liet z’n bas steeds bevreemdend melodieus grollen.
In het najaar van 2010, toen hij al gediagnosticeerd was met vergevorderde kanker, zat Mick Karn overigens opnieuw met Peter Murphy (ex-Bauhaus) in de studio om 25 jaar na datum een 2de Dali’s Car album op te nemen.
In 1991 brachten David Sylvian, Steve Jansen, Richard Barbieri en Mick Karn samen een nieuw album uit, niet als Japan maar als Rain Tree Crow. “Pocket full of change” van die CD is misschien het meest toepasselijke nummer bij deze gelegenheid: “Life runs out, like a pocket full of change” …

rain tree crow - pocket full of change