javascript has a mime-type at last!
Monday, June 27th, 2005
Yep, finally, thanks to Björn Höhrmann, javascript has a real proper mime-type! The IETF announced today the approval of the internet draft.
Well, still no response from google about the security flaw, so I’ve added in another, more interesting example: this one replaces the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details, then upon submission the info goes to my site before returning the user to google with a thank you. It only works in Windows IE (inserting dynamic script elements is easiest there). For those of you without IE, this is what it looks like:

I think this sort of phishing would likely result in a large take-up. Hopefully google will start listening soon; this time I’ve posted to bugtraq too.
I’ve mentioned the google script insertion flaw before. Google don’t seem to want to do anything about it; I’ve emailed security@google.com, but have had no response from them, well, I got automated responses (the latest had number #15585565 in the subject, no idea what that means).
Google Desktop has made the exploit even more dangerous - because it places the results of a desktop search into the output of a regular google search, the exploit now allows the capturing of information from the local computer - okay it’s not much information, but how long is a password or a credit card number? It’s also able to capture all the searches you make, and the ads/links you click and report them to a 3rd party site.
The exploit is a simple script insertion flaw, the image url of a custom search isn’t sanitised against javascript (well it was actually sanitised a little after my original report two years ago, but in a very incompetent way which suggests they didn’t actually test or understand the issue) so with a link, or a custom form you can inject script into google - which can then load any amount of script from a 3rd party site.
The exploit is trivial, and to get a user to use it, any of the popular “search my site” google forms can do it, or simply a link to google. My sample google exploit is pretty poor, it tends to error with some strange timing issues occasionally (the data is still sent though), and it only works in IE (the google desktop results are only inserted in IE, but the general security flaw is common to many browsers, it’s not an IE security flaw), but it shows how easily it can be done - it took me half an hour, more malicious users could make it neater easily.
To protect yourself from the flaw, you can use another search engine, or ensure you only use google from www.google.com - ensuring there’s nothing in the query string before you do a search - or disable javascript. I’d also recommend uninstalling Google Desktop, the Google toolbar, and any other google product, simply because well over 2 years to fix a trivial security issue that should never have made it past the most basic QA from the most inexperienced javascript tester suggests a serious problem with understanding the basics of security.
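As an added example (not code from this post or from Google), here is the defensive pattern the flaw above calls for: the user-supplied image URL is parsed and its scheme allowlisted, then attribute-encoded on output, instead of trying to blacklist dangerous strings. Function names and the fallback logo URL are assumptions.

```javascript
// Added example, not the page's or Google's code. Render a user-supplied
// image URL into an <img> tag safely: canonical parse + scheme allowlist on
// input, attribute encoding on output, and a fixed fallback instead of
// echoing a rejected value back into the page.

// Encode the characters that matter inside a double-quoted HTML attribute.
function encodeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Return a canonical http(s) URL, or null if the value is not acceptable.
// The URL constructor normalises leading whitespace and scheme case, so the
// scheme check below cannot be fooled by trivial variations.
function validateImageUrl(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw);            // relative or malformed input throws
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Build the tag; the fallback (an assumed placeholder) is used whenever the
// parameter is rejected, so untrusted text never reaches the markup raw.
function renderSearchLogo(raw, fallback = 'https://example.invalid/logo.png') {
  const url = validateImageUrl(raw) || fallback;
  return `<img src="${encodeAttr(url)}" alt="search logo">`;
}
```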
I just did my talk at SVG Open, went fine, wasn’t too pleased with the content, but then that was my own fault for not creating the funky SVG thing I wanted in time and a few network probs with this box that limited what I could demo. The Slides are online (although you’ll need javascript enabled with onclick support to view them, sorry about that, but it’s not really for the web…).
Had a fun dinner cruise last night off round the bay, much beer was drunk, and much more beer and sake drunk after in the dens of Tokyo, still it was an early night for me at 2am as I had the presentation this morning, and needed to finish off the slides.
SVG Open 2004 began properly today after yesterday’s tutorials, first up was a very interesting talk on validation using NVDL from Makoto Murata, showing us how to validate multi-namespace documents, after that I started scribing into IRC a KDDI presentation, showing off their mobile goSVG browser. Unfortunately the scheduled very interesting presentation on Locus, which seemed to be an 802.11 presence application, didn’t happen, the presenters never turned up, and we didn’t have their tool to see where we were, a shame as I wanted to see if Bluetooth along the lines of Bluetooth Presence could plug in easily.
Next up was Jerold Maddox trying to show us how good design was simpler than we thought, his demos were excellent but I’m not convinced I could really do it.
Then there was Adobe and Zoomon showing us Zoomon’s new editor that sits inside Adobe CS and allows authoring of animated SVGT and easy publishing through GoLive.
And that was just the morning session, 5 more sessions to go, hopefully there’ll be lots more interesting stuff to come, but not from me, my session is going to be really dull unfortunately as I’ve just not managed to get what I wanted to demo anywhere near demoable, so I’ll just have to talk about other people’s fun image projects and maybe see if I can pull a bit of theory together without boring everyone too senseless.
Daniel Glazman reports on an IRC discussion where someone complained about the work he did in the HTML Overlays proposal. Now there’s lots wrong with the proposal, which I’ll come onto later, but the complaint seemed to be that this trivial bit of script somehow undermined the W3C like the WHAT-WG and the XFN folk. As people know I really don’t think the WHAT-WG are doing useful work (see my other posts), but they’re right to be working on HTML 4, they should, and I believe could be doing it within the W3C if it wasn’t for the way they’re going about things, but that’s a separate matter.
The XFN and this proposal though, I’ve seen no-one complain about undermining the W3C, simply because they’re not! They both work in areas the W3C don’t go near in HTML, XFN because representing human relationships in HTML isn’t something that needs standardising, and HTML Overlays because it’s a joke technology that cannot degrade.
The HTML Overlay proposal has many problems, it doesn’t degrade, and this isn’t just a problem with the implementation (which is poor: little error protection, syntax errors in all non-ES3 browsers, sync http requests in javascript, universal browser read popup boxes) but it’s actually impossible to do useful degradable replaced content, since it removes almost all the benefits, you have to end up putting the fallback to the replaced content into the main page - so you might as well have put it all in there.
Daniel says there are 2 sorts of non-JS users - those with genuine accessibility or similar needs, and those who disable javascript because they believe it’s the worst invention of all time (he was quoting Bert Bos well out of context here). Which is ridiculous, there are other very important categories - the non-PC device (and there are no non-PC devices that have the XMLHttpRequest object) and the corporate security policy. The second of these especially is a market you cannot ignore - lots of people spend more time accessing the net at work than at home, and if the corporate security policy blocks ActiveX controls - and they generally do - I’ve yet to work on a corporate targeted site that specced ActiveX control access from script as a required feature, it simply wouldn’t be allowed.
The problem with the HTML Overlays proposal is not that it’s not from the W3C, it’s just that it’s really not very good, or even original - but then most of the stuff we see isn’t actually original, it’s just a rehash of another idea, so we shouldn’t criticise people for that.
So Mozilla’s got a new plugin architecture and it’ll work with Safari and Opera too - great news, it shows that the strategies of these three companies and the future of Web Applications are pretty sound, basic HTML and plugins for the new stuff, as you can see with the suggested uses of such plugin based systems.
For example, a user shopping for clothing on a web site that takes advantage of the new plugin capabilities could mix and match different styles and colors for shirts and pants using an interactive Flash movie, and pricing and other information in an associated web page would be updated as a result.
In order to foster a richer experience on the web, we need to enable more dynamic and deep interaction between the browser, the plugin, and web content. This is the first step in that direction; it will give web content developers new, portable options for creating innovative experiences and applications.
Unfortunately though, many of these companies’ employees (but not the companies, we must remember) are spending their time on the WHATWG; now as I said I thought this had little chance of getting much take-up. But with this press release, it doesn’t even look like it’s the policy of Moz, Opera and Apple - so why are the employees doing it?
Peter Garza has produced a nice little SVG Panda story all crafted in notepad, and not a bit of scripting… Great Fun!
Mozilla Futures Presentation signals that Mozilla may finally get behind the SVG work, and bring it the extra developers any project needs. Great news.
Unfortunately the slide show demonstrates another of Mozilla’s failings: whilst noting that Mozilla “Supports the most web pages of all non-IE browsers”, clearly highlighting that most people develop for IE, and not for the web, they fall into the same trap, developing for a subset of browsers (DOM 2 Events enabled ones, and they don’t even do hasFeature detection so they can claim purely on standards compliance terms). It’s unnecessary, but it harms other browsers.
A shame, I prepared a tiny patch but couldn’t find anywhere to send it to, I’ll fish around, but if anyone knows…
There’s been recent discussion on the foaf mailing list saying that foaf:mbox doesn’t make a sensible identifier for a variety of reasons. There seem to be some serious misconceptions here: foaf does not require, or care, if you have a foaf:mbox (or even an mbox_sha1sum), the entire foaf universe works fine if no-one had one.
foaf:mbox is defined as being unique for an agent, that’s a definition of a foaf:mbox, it’s not a definition of an email address. It being unique for an agent means there is no problem with more than one person sharing an address, that’s already supported (some tools may, and others may want to, make assumptions about individuals, but that’s a limitation of those assumptions; often though such assumptions are fine for the use case - i.e. thanking Aunt Maud, and Grandma and Grandad for the pressies is equivalent, who cares that one’s a person and one’s a group.)
foaf:mbox’s definition is usable for the task that it’s used for - a convenient distributed identifier for many people - foaf:weblog and foaf:homepage are just as convenient. It’s not much use for answering the question “what email do I use to email someone”; if you want to answer that question you do need to start looking very carefully at temporal issues (which aren’t as simple as has been suggested recently; interpretationProperties and RDF architecture - no smushing - prevent the solution with dcterms being workable, I believe.)
So foaf:mbox isn’t required, it’s just defined so that authors can use it. There is no solution where a GUID is workable: to do it, authoring will always need a central server with total knowledge of the system so they can discover what an appropriate GUID for a person is, and what happens when they don’t have one.
If someone wants to construct a uniquely identifying string/guid or whatever they’re free to do so, it’s simple:
  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
    <rdf:Property rdf:about="http:/jibbering.com/vocabs/invalid/GUID">
      <rdf:type rdf:resource="http://www.w3.org/2002/07/owl#InverseFunctionalProperty"/>
      <rdfs:domain rdf:resource="http://xmlns.com/foaf/0.1/Agent"/>
      <rdfs:range rdf:resource="http://www.w3.org/2000/01/rdf-schema#Resource"/>
    </rdf:Property>
  </rdf:RDF>
Job done, defined, and foafnaut will automatically use it as a unique identifier and smush on it - as will other tools, this is what RDF gives. If you can’t use an mbox for someone, use your invented GUID, or any other IFP. A single guid system will never work, which is why it shouldn’t be in the FOAF namespace; a local guid system in local areas can work, but that local group must take responsibility for solving a lot of problems it brings, there’s no problem using it though.
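What “smush on it” amounts to, as an added example that is not foafnaut’s or any FOAF tool’s code: any property typed owl:InverseFunctionalProperty, whether foaf:mbox or the GUID property defined above, causes nodes sharing a value to be merged into one, while a non-IFP property such as foaf:nick does not. The sample triples, names and the example.invalid addresses are constructed for the demo.

```javascript
// Added example (not foafnaut's or any FOAF tool's code): "smushing" nodes that
// share a value for an inverse-functional property (IFP). Sample triples are
// constructed; the post's GUID property merges nodes just like foaf:mbox because
// both are typed owl:InverseFunctionalProperty. Only subjects are canonicalised.
const FOAF = 'http://xmlns.com/foaf/0.1/';
const RDF_TYPE = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type';
const OWL_IFP = 'http://www.w3.org/2002/07/owl#InverseFunctionalProperty';
const GUID = 'http:/jibbering.com/vocabs/invalid/GUID'; // as written in the post
// Constructed sample graph: [subject, predicate, object]; '_:' = blank node.
const sampleTriples = [
  [GUID, RDF_TYPE, OWL_IFP],
  [FOAF + 'mbox', RDF_TYPE, OWL_IFP],
  ['_:a', FOAF + 'name', 'Jim'],
  ['_:a', FOAF + 'mbox', 'mailto:jim@example.invalid'],
  ['_:b', FOAF + 'mbox', 'mailto:jim@example.invalid'], // same mbox as _:a
  ['_:b', GUID, 'guid-1234'],
  ['_:c', GUID, 'guid-1234'],                           // same GUID as _:b
  ['_:c', FOAF + 'homepage', 'http://example.invalid/jim'],
  ['_:d', FOAF + 'name', 'Someone else'],
  ['_:d', FOAF + 'nick', 'guid-1234'], // foaf:nick is not an IFP: no merge
];
// Minimal union-find; find() registers nodes lazily and follows parent links.
function makeUnionFind() {
  const parent = new Map();
  const find = (x) => { if (!parent.has(x)) parent.set(x, x); return parent.get(x) === x ? x : find(parent.get(x)); };
  return { find, union: (a, b) => parent.set(find(a), find(b)) };
}
// Merge subjects sharing an (IFP, object) pair; return the deduplicated graph
// with canonical subjects plus a canon() lookup for callers.
function smush(triples) {
  const ifps = new Set(triples.filter(([, p, o]) => p === RDF_TYPE && o === OWL_IFP).map(([s]) => s));
  const { find, union } = makeUnionFind();
  const firstSeen = new Map(); // predicate + object -> first subject seen
  for (const [s, p, o] of triples) {
    if (!ifps.has(p)) continue;
    const key = p + '\u0000' + o;
    if (firstSeen.has(key)) union(s, firstSeen.get(key)); else firstSeen.set(key, s);
  }
  const uniq = new Map(triples.map(([s, p, o]) => [[find(s), p, o].join('\u0000'), [find(s), p, o]]));
  return { graph: [...uniq.values()], canon: find };
}
// All (predicate, object) pairs attached to the node that `id` smushed into.
function properties(r, id) { const c = r.canon(id); return r.graph.filter(([s]) => s === c).map(([, p, o]) => [p, o]); }
```

Running smush(sampleTriples) folds _:a, _:b and _:c into one node carrying the name, mbox, GUID and homepage, while _:d stays separate despite its foaf:nick matching the GUID string.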
There’s also been a suggestion that governments currently use things about people’s birth and appearance as identifiers. This is true, and it works for some governments, however I do not believe it works on a distributed internet system that is modelling life, not simply trying to ensure they have identity. Equally it has collision problems anyway.
The problem with birth place/date is that not everyone knows them even about themselves, let alone other people, and being able to talk about other people without hassling them is a requirement in FOAF as I see it. Parents also change; this doesn’t matter to a Government, their database is private, and they can force people to tell the truth - and not actually care if it’s wrong, since it’s only used as an identifier anyway - it does however matter to a person. Not everyone wants to reveal such information to the world - do I really want to admit I’m Ronald Reagan’s and Margaret Thatcher’s love child?
Everything that can be used to identify a person has problems; the RDF approach to identifiers is that anything can be used to identify things, this means you can pick one which doesn’t cause problems for the thing you’re wanting to identify, and RDF aware tools will pick up on this.
Equally everything about a person or a resource has a temporal aspect (who my parents are last week, and who they are next week, does not change biologically, but it does change sociologically and due to not everyone having complete knowledge of situations). So every property needs to be able to be qualified by the time it is valid, and for many this cannot go into the future 100% reliably; being completely correct also means you’ll likely be completely useless.
For simplicity, and generally because it’s actually only relevant to a few properties, the temporal methods can be handled outside of the RDF document (e.g. at the http level). If I know from an RDF document that SomeBod someNS:hairColourOnHeadNotFacial Red and the file was created at 2004-01-08 with an expires of 3 days, then I can safely conclude that the hair was red; in a week’s time I wouldn’t.
Of course if I wasn’t interested in the hair colour right now, but only in answering the question “Has SomeBod ever had Red hair”, then I can do that too. Hair colour is an incredibly transient thing for some people and for others it changes maybe once in their lifetime; a single model doesn’t work.
In fact that’s my conclusion to all RDF modelling - A single model doesn’t work. Fortunately in RDF, you don’t need a single model.