| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Sep | ||||||
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 | ||
I knocked up a greasemonkey script to get GPX routes out of Strava, to help you know exactly where the segments start and finish. The script lets you Export GPX rides and segments from Strava. At the moment it’s very rudimentary with just the route being created. It would be quite easy to add way markers or course points to it to highlight when you were approaching the start or finish of a segment, but for now I just kept it super simple.
I’ve been creating things that are lot like what are now called widgets for a long time, HTML+Javascript applications with full trust. I’ve always used something called Zeepe which turns IE into a fully trusted containier that you can launch locally (or even from the web, if you’ve got a licence and use the trust model).
Zeepe is much richer than other widget platforms on windows currently, not least because it allows complete connection to all windows COM objects - so you really can connect to anything, I use it for automating Windows Media Encoder and recording video streams, or as a Database management tool. I don’t know how capable the OS-X dashboard is, it may well be able to do similar stuff, but until there’s a powerbook with a nipple and release IE6 for OS-X I’ll stick with XP.
The widget system from Opera is new, last week at the gathering Opera ran a widget competition, and lots of widget folk arrived in #svg on freenode asking how to use all that cool opera SVG in the widget. I had a couple of hours so I decided to join in and create a quick widget.
Another cool thing that Opera have is the My Opera FOAF data they provide for everyone, so in a foafnaut kind of style, I decided to create widgnaut, a browser of the data. It’s very ugly but it shows some nice features of widgets and RDF and how easy such connections of data can be made once you escape the security constraints of browsers, but still use all those easy HTML/javascript features.
Opera Widgets currently have a few problems, which make the sort of widgets I like to create not really viable, the 2 big ones are:
Opera widgets are still good though, easy to create, and useful, just not quite ready for my perhaps odd requirements.
Despite the flaw being announced a long time ago, the google Book search flaw is still broken. It’s surprising that Google aren’t taking it more seriously, this one is very easy to use to automate a users GMail account, stealing contacts, or sending email if they are logged into google when they’re tricked into visiting such a page.
Here’s an example that will list your gmail contacts List your gmail contacts
There’s no reason why a page cannot also send emails, steal the contents emails or anything else. Given the length of time this has been public (I didn’t find this flaw, it was posted to bugtraq on the 4th April, or 6 days ago) it’s very possible that a worm that stole GMail information is already circulating. Disable script on google.com!
The script that gets the contacts is trivial:
function x() {
xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET","http://mail.google.com/mail/?view=page&name=contacts&ver=e0ad439ebad5ad16",false);
xmlhttp.send('');
return xmlhttp.responseText;
}
the x function then contains a json structure containing the contacts, this can be easily changed into the output format with some simple regular expressions: see test6.js for those and the complete included script. The livehttpheaders extension in FireFox is how to find out how to do other things.
2799Google are still failing to keep even their flagship google.com domain secure from Cross Site Scripting attacks, others it allows arbitrary code insertion into google.com.
See googles new pay search service (Not really of course, just my credit card form!)
The flaw appears to be in failing to clean the characters in a book result search, It’s a trivial flaw, that every google employee should know about, the same class of flaws keeps getting produced, Google developers, and google testers would appear to be uninterested in security, not even bothering to test flaws that they’ve found before.
Firefox have decided to implement the PING attribute, the idea of it is to ensure that what people click on can be tracked with minimum impact on the user. Currently tracking is done by a link to a url which then redirects to the correct site. This takes a fraction of a second, but it does take time, and if the middle site is down the user can’t get through to the end site, even if it’s up.
The PING attribute attempts to solve this by moving the tracking from the critical path into a seperate attribute which the browser POSTs to when the user “follows the hyperlink”. This feature also allows one new piece of functionality, the ability to track links within pages so <a href=”#’top” ping=”http://jibbering.com/tops”> would allow me to track how many times people used goto to top links.
The use case described in the documentation is “allowing advertisers to track click-through rates without obscuring the final target URI”. It also stresses that following the ping’s are optional, this has an important fact for anyone actually deploying adverts, if you use ping rather than the current reliable tracking methods then they will no longer be counted as a click-through. So if your ad agency changes to ping, you will lose clicks that you’re entitled to. I don’t know of any online Ad agencies which are planning to use ping, but the WHAT-WG specification is controlled by a Google employee.
Of course reputable Ad agencies have their click-throughs audited by independant auditors to ensure they are accurate, so any that switch to ping will soon be forced to switch back to ensure the results - and therefore the monies are accurately reported. It’s clear the use case described by the WHAT people is not met by the attribute, the only other use case mentioned is “track which off-site links are most popular”, hardly a particularly important use case, but if there are no downsides to the method, then does it matter?
Unfortunately there are downsides, existing tracking methods must end up at the site the user expects to go to, otherwise they’ll be annoyed, this method you can ping any site, for example
<a href=”http://jibbering.com” ping=”https://bugzilla.mozilla.org/duplicates.cgi?maxrows=10000″> would ping a bugzilla page that causes a lot of processing on the remote server, and returns a lot of data. So this sort of simple Denial of Service method is made easy, users will never know it’s happening all they’ll just see a big slowdown in their connection as it spends its time requesting pointless resources. Then there’s the up-counting of clickthroughs itself, copy the ping attribute from your google advert onto your other links, then any link a user leaves the page from an advert click is clicked, this is hard to track as the ad provider is completely outside the link the only way to check is to see if the recieved links match the sent links.
Like much of the WHAT-WG proposals (but not all), this is a poorly thought out proposal and it’s disappointing that the browser vendors are not meeting it with the critical inspection they would any other proposal. PING fails to meet its own use cases and it introduces lots of potential for abuse, if you’re creating a user agent and thinking of implementing this - think hard about what it could be used for?