This is a quick summary of a presentation I gave last week at Google’s second CMS Security Summit, held here in Munich. TL;DR: Injection attacks are bad, isolation is lacking, and I’m looking forward to more collaboration on both fronts.
Complete Archive of Everything Ever
Web Platform Security @ CMS Security Summit 2020 XSS (No, the _other_ 'S') - CSSConf EU 2013
Frontend Security - Frontend Conference, Zürich 2013
Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.
Debugging runtime errors with 'window.onerror' in Blink
After working with Blink’s implementation of
window.onerrora little bit over the last week or so, I’m somewhat amazed that anyone ever used it for anything at all. Happily, we’ve made some big improvements in the last week or two that I think it’s worth highlighting here.
Securing the Client Side
At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. cough.
Content Security Policy: Feature Detection
AngularJS has recently implemented support for Content Security Policy that restricts the use of
new Function(), and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.
Chrome connects to three random domains at startup.
When you start Chrome, it attempts to connect to three random domains. I’ve seen a few theories about why exactly this happens that brush up against the nefarious. The true rationale is incredibly mundane: hopefully this short summary will clear things up.
Nerdy New Year
New Year’s resolutions come in all shapes and sizes; if you’re a web developer stuck for good ideas of things you could do to improve the world (or at least the tiny chunk of it that’s concerned with web performance and security) I’d like to propose two: secure all your websites, and use a cookieless domain for static assets.
Making Your Web Apps Accessible Using HTML5 and ChromeVox
Back in November, I presented twice at the Google Developer Day in Tel-Aviv. The first of those talks has been uploaded, and I spent most of the afternoon transcribing it to post here. I wanted to give the audience (you!) an introduction to screen readers, and to building accessible websites and applications. I think it was pretty successful, and I hope you enjoy it if you watch at home.
GDD Keynote: The HTML5 Demos
I had the opportunity to present a few demos during the Chrome section of Saturday’s Google Developer Day in Berlin (which, incidentally, was a blast). I expect a video to go up at some point in the vaguely near future, but, since I got more than a few questions about it, I’m throwing the links up here as a stopgap before the video’s released.
Secure Chrome extensions: Content Security Policy
Based on the Content Security Policy primer I wrote last week, you should have a good idea of what CSP can offer a website developer. What might not be clear is that the policies can extend beyond HTTP, a bit more deeply into the browser. Chrome offers Content Security Policy support for extensions that substantially reduce the possibility of permission leakage; this article describes how it works, and how you can use it in your extensions.
Content Security Policy: A Primer
The web’s security model is fundamentally broken, and has been since the beginning. Content Security Policy is an upcoming feature of the web platform that promises to mitigate the risk of XSS attacks, and it’s worth starting to play with now.
HTTP Strict Transport Security and You
With a simple Wi-Fi packet-sniffer, intercepting login cookies over the air is far easier than it ought to be. Happily, clever people have put together solid mitigation techniques, one of which is HTTP Strict Transport Security. I’ve implemented it on a personal site, this article describes what it is, why it’s important, and how you can use it yourself.
Dave Winer ends an otherwise quite reasonable piece about his concern at Facebook’s “frictionless sharing” with a non sequitur attack on Chrome for, as far as I can tell, nothing it’s actually doing.
I'm on Technikwürze
I sat down with Technikwürze’s Marcel Böttcher way back at the beginning of February to talk about the exciting new release of Chrome 9 to the stable channel, and a few other bits and pieces of the Chrome ecosystem. That interview (in German) is just now seeing the light of day as Technikwürze 178. After listening to it last night, I think it generally went pretty well, modulo a few small mistakes on my part.
A Quick git/vim Workflow Tip
Git makes it incredibly easy to work on a lot of a project’s features at once, hopping quickly back and forth between branches. I love this ability, but I hate remembering what exactly it was that I was working on in a particular branch. I know it had something to do with a particular bug, but I’ve no idea anymore which files I was fiddling around with to fix it. Here’s my solution to that problem.
Intro to IndexedDB
Yesterday at the Silicon Valley GTUG meetup, I gave a presentation introducing the IndexedDB API. I’ve thrown the slides on Slideshare, but the transcription there is absolutely miserable. I’ll reproduce it here in a readable format, and add a few notes where appropriate.
One question you’re almost certainly not asking yourself is “What’s Mike West been up to?” That’s a shame, really, as I’ve got some projects floating around that I’m proud of, and that I’d like to share with you. Moreover, I’d like to point out the project documentation pages that I’ve put together as a meta-project; I think it’s worth your time to take a look.
JSLint needs some Bad Parts
One of the few tools that I consider truly indispensable when developing websites is JSLint. Too bad it’s almost impossible to contribute back to the project, and that the project’s run by someone who “will hurt your feelings.”
CSS Rules of Thumb
Apropos of nothing, a few CSS tips that have nothing to do with browser incompatibilities, and everything to do with your own sanity when dealing with code you’ve written.
An Accessible Pagination Pattern
Pagination is a basic building block of the web, but it’s often implemented with markup that makes it less accessible than it ought to be. Here, I’ve outlined my preferred solution to the problem.
MacSpeech Dictate: First Impressions
I suspect that the first thing any developer does when they get their hands on MacSpeech Dictate is to begin writing a review of MacSpeech Dictate in MacSpeech Dictate. I am no exception.
My Jekyll Fork
Jekyll is a well-architected throwback to a time before Wordpress, when men were men, and HTML was static. I like the ideas it espouses, and have made a few improvements to it’s core. Here, I’ll point out some highlights of my fork in the hopes that they see usage beyond this site.
Fallow fields, revisited
I’m currently in the process of gutting my website, and rebuilding it piece by piece. I suspect I’m doing this to distract myself from the fact that I don’t seem to have anything interesting floating around my head to write about. Rather that catalog the failings of the system I’m replacing (for they are legion), in this article I’d like to touch on the carefully considered bits I’m keeping around.
Productivity Or My Lack Thereof
It’s becoming clear that I’m miserable at distinguishing between productivity and productivity porn.
Mark Nottingham has put together a really useful tool that aids in the analysis of the behavior of HTTP resources. I’ve started putting together a command line version based on the web version he’s released on GitHub.
Playing with Placemaker
Yahoo’s latest API is really quite cool: Placemaker takes your unstructured data (e.g. any HTML page, RSS feed, etc), and extracts a nice list of locations that your data refers to.
Well. That was easy.
Getting JSLint running inside Spidermonkey was much simpler than I expected it to be.
Running `python-spidermonkey` on JeOS
python-spidermonkeyproject looks brilliant.
The Value of Measurement
While I agree fully with many of the conclusions Lukas Mathis draws in an excellent essay on the recent Google/Douglas Bowman split, a few bits deserve further study. In general, engineers understand and can relate well to automated A/B testing, and designers understand and can relate well to more personal usability testing. The two are, however, not the same, don’t provide the same data, and ought not be conflated.
My DSL connection is really quite fast; I’m apparently only ~800m away from the nearest DSLAM, and so I should in theory be capable of maxing out the connection. This holds up pretty well in speed tests: I get great downstream, and passable upstream scores when connecting to pretty much anything in Europe. All told, I should be thrilled with my service, but I’m not, because it only seems to actually work about 80% of the time.
I think I've bricked my iPhone
I tried to install the latest iPhone 3.0 beta firmware on my decidedly-not-3G iPhone last night, and failed miserably.
Compiling Varnish on a minimal JeOS System
Varnish is an excellent-looking ‘HTTP accelerator’, designed specifically as a high-performance caching reverse-proxy to sit in front of your hard-working application servers, and relieve them of load. It’s a bit of a pain in the ass to install from source on JeOS, though.
I spent more time than I care to admit this afternoon tracking down a bug in some relatively straightforward jQuery code. As it turned out, I was overlooking my error because I was thinking about my code in absolutely the wrong way.
Installing the W3C HTML Validator on JeOS
So. W3C has quite decent installation instructions for the HTML validator, but it makes a few assumptions about a typical linux environment that don’t actually hold true if you’re running a stripped down JeOS distro in a virtual machine.
Vimeo's Noncommercial Nature
Vimeo’s asked Marco Armet to take down his Instapaper Pro demo video. His response is frustrated and understandable. I don’t, however, think it’s completely justified.
Static IPs in VMWare Fusion Guests
Setting VMWare Fusion up to assign the same IP to a particular guest OS every time is a trivial process, and makes configuring your development environment a simpler process.
In the last three weeks, I’ve set up something like 6 virtual machines to play with a variety of bits and pieces of things that I come across. Here are a few lessons learned.
(Mildly) improving Google Analytics' JS Embed
Instapaper is Amazing
I think I’ve read more articles with Instapaper in the last two days than I have in the last two weeks with NNW alone. It’s an absolutely brilliant tool, and I’m excited about how much simpler it’s made my internet-related reading life.
Centralized Bug Tracking
I liked many things about working at Yahoo. I’m coming to realize that what I (in hindsight) like most is probably the piece of software I thought about the least positively, namely Yahoo’s mostly centralized and completely open bug tracking system: Bugzilla. We abused it more than a bit, attempting to layer task and project management on top of a system that wasn’t really designed to support it, but all told, Bugzilla made my work life better.
Some Thoughts Regarding Caja
Yesterday, Yahoo! made some announcements regarding The Future™ of many of their high profile properties. Specifically, they’re (slowly) opening up, enabling third-party developers to build applications that can be seen on and interact with your My Yahoo! page, or your mailbox. I think this is a great step, and one I wish they’d made before they laid me off.
My job's value
Recently, I wrote a short article on the effect a team’s sense of ownership in it’s projects can have on the finished product. The surprising twist in my professional life last week has led me back onto the same train of thought, but I’m coming to it from a slightly different angle.
Has Mike been laid off? Yes. Yes he has.
Yahoo! decided to stop doing development work in it’s German offices, which leaves me in a bit of a bind. I’m suddenly incredibly motivated to look for new work. If you’ve got leads for me, please drop an email (firstname.lastname@example.org)
I ♥ GitHub
Over the last two or three weeks, a substantial subset of my friends and colleagues have started using GitHub to host some of their personal projects. I’m really enjoying this influx, and it’s inspiring in a way I didn’t really expect. GitHub has done nothing less than to make my friend’s coding activity visible to me, and mine visible to them. This doesn’t sound like much, but it’s simply transformative; If this is how “normal” people feel about Facebook, then I can start to understand how it’s captured so much mindshare.
An Admonition Regarding Details
Details are everything, but worrying about details at the expense of progress puts the cart before the horse, misses the forest for the trees, makes perfect the enemy of the good, and can be described by many other metaphors with similar meaning.
The Inspiration of Ownership
On the bus home from work, I was listening to this week’s On the Media. In particular, I was struck by a great interview with the man who designed the field-organizer and volunteer training programs for Barack Obama’s campaign: Marshall Ganz. If you’re at all interested in the political angle, I’d suggest you listen. If you’re at all interested in how I’m planning to apply this seemingly unrelated topic to the technical field of web development (et al), keep reading.
Flickr's API is driving me nuts
I’m trying to do something with the Flickr API that I consider to be relatively trivial. I have the impression that the API is fighting me every step of the way. Why, oh why, can’t the wonderful people who designed Del.icio.us’s new API hop over to Flickr and slap together something that makes sense from the perspective of the end user?
Generating Etags for static content using Nginx
Nginx is a brilliant little HTTP server that I’m using on this website to quickly serve static content. It bothers me a (very) little that it doesn’t correctly generate Etag headers for static content, however. I’m attempting to remedy that oversight by releasing an Nginx module:
The Overton Window at Work
The ‘Overton window’ is a bit of political jargon that describes how politicians influence the perceptions and debates that go on among the voting public. In this thinly veiled (but mercifully short) rant, I argue that it’s equally applicable to my workplace.
Smoothly Migrating to a New Server
Hopefully, you didn’t notice a thing yesterday when I moved the site off my shared accelerator at Joyent, and onto a custom built slice at Slicehost. That was very much the goal. Briefly, I’ll go through the steps I took to make the transition as smooth as possible both before the launch and directly afterwards.
Fallow fields and new beginnings
It’s been quite some time since I put any serious effort into mikewest.org. I’ve had tons of work, I’ve been burnt out, I’ve been complacent… the excuses pile on top of each other, each valid, each sufficient, none satisfactory. For the sake of my own sanity, I need to start working on personal projects again. Last week’s GitHub dump was the first step in that direction. Consider this relaunch to be the second.
Gently abandoning dead (to me) projects
I’ve had a few bits of code floating around on the site for 2-3 years now without any serious investment of effort on my part. It’s time to throw in the towel, admit that I’m never actually going to touch them again, and set those loose.
Microformats on Kelkoo
Ben Ward has a post up on YDN discussing the massive addition of microformats to the Kelkoo shopping site. Interesting read.
Accessibility Tips from Mike Davies
Mike Davies, who has more accessibility knowledge in his little finger than most developers I know, has started a new site to share his wisdom with the rest of us. I’m looking forward to seeing what he puts out there.
Safegarding your data with Parchive
After a brief mishap with a hard drive, I’ve gone backup-crazy. This article looks how I’m using Parchive to give myself an extra bit of confidence in my backups.
Carlo's launched Escaloop
Carlo’s just launched his latest lifestream-badge-making project: Escaloop.
Innovation and Interoperability
Briefly, my thoughts on the current dustup over the W3C’s CSS Working Group.
DNS Made Easy is actually pretty easy
In a spontaneous burst of productivity, spawned mostly by my complete and utter failure as a sysadmin, I moved my parent’s email account off my server. DNS Made Easy made this a trivial task.
Solving strange text wrapping problems in `bash`
I started having strange text wrapping problems after implementing implementing the beautifully colored bash prompt I discussed on Monday. After fidgeting around a bit, I think I’ve come up with a solution.
Now I have a colourful `bash` prompt
My jealousy of Adriano’s pretty
bashprompt has been assuaged by the construction of my own, prettier and more functional prompt. So there!
Presentation: Love the Terminal
When Murray and Norm solicited talks earlier in the year for the Yahoo! Frontend Summit, they somehow neglected to mention that the presentations would end up being hour-long blocks. :)
Photoset: @media Ajax
I still haven’t written anything useful about the @media Ajax conference, but here are some lovely pictures. Should be worth about 64,000 words, right?
Just back from London
I’m back from London after @media Ajax with some security papers for you to read, and not much else yet.
Looking forward to @media
I’m looking forward to @media Ajax
My grandmom died today.
Playing with Pownce…
Pownce looks like a more interesting Twittr.
Viva la Y! French News Site! Congrats to the Singapore News Team!
Singapore launched their News site today using the code we’ve been working on here in Munich as a base. Nice work!
Two more News relaunches, up and running…
We relaunched Yahoo! Nachrichten in Germany and Yahoo! Notizie in Italy today. Finally! :)
I am a Super Early Bird. Are you? Escaping Curly Braces in XSLT Attributes
Curly braces in the attributes of XSLT document’s elements are interpreted as XPATH expressions to be evaluated. This sometimes causes problems…
Ice Water for Some…
Safari’s coming to Windows. Welcome to the party…
Short-form Link Blogging
Blogging is hard for me, mostly because I have an irrational desire to make each of my posts “important” and “interesting”. I’m working out ways to solve that problem for myself…
Home again, home again… Stupid i18n Mistake.
Italian (and other languages) are full of single-quotes. Maybe I should escape them…
How do I unit test a website?
Unit testing seems like an unqualified good, I’m just not sure how to apply the concepts to my work.
Words Escape Me
I’m bored, and even though I should be overflowing with things to write about, I’m not.
My bookmarks are amazingly out of date.
I’m removing the bookmarks from this site on a temporary basis. That should drive me insane enough to actually do something about the fact that they haven’t changed since last year.
I’m (finally) hopping off GoDaddy and onto Gandi. Hopefully nothing explodes…
We launched the Yahoo! News site in Spain today. Finally!
I bought a Treo 600 on Ebay. And it’s huge. HUGE! But also very powerful and nice.
I used to be so pretty.
A few days ago, my landlord asked me if I was losing hair. sigh
Fun Apple Remote Tricks
Funny, funny coworkers can be stymied by pairing your Apple Remote with your mac.
Just the stats
A List Apart is running a survey to gather demographic info from web professionals; I think it could be a worthwhile enterprise.
Installing `libgd` from source on OS X
libgdis a pain in the ass to install from source. Here’s a step by step guide in case I ever have to do it again.
Amazingly Stupid DataRequestor Bug
James Moberg pointed out that I’m a complete idiot, and shipped DataRequestor 1.6 with some debug code left in.
Today, we relaunched Yahoo! News in the UK. Finally.
DataRequestor - Version 1.6
After a brief (ha!) hiatus, DataRequestor’s 1.6 release fixes many outstanding bugs. Grab it now!
Signs of Life
It’s great to see that SSHKeychain isn’t dead.
Benchmarking Your Site with `http_load`
http_load is a great benchmarking utility that gives you a quick overview of your web server’s performance. This article describes how to install and use it.
Subversion 1.4.3 Locking Your Mac
My coworkers love playing pranks on poor, unlocked computers. This is the method I’ve decided on to quickly and securely walk away from my Mac.
Auto-configuring Proxy Settings with a PAC File
Configuring a browser’s proxy settings manually is inflexible; proxy auto-config (PAC) files are much more flexible.
Installing Textpattern 4.0.4 with Markdown
This site is built on top of the Textpattern engine, running Markdown instead of Textile. Here’s how to make that happen.
Setting Up an OpenID Server with phpMyID iWant.
I want an iPhone. Just like everyone else.
Using YUI in Greasemonkey Scripts
Carlo Zottman has a great article out on Yahoo’s User Interface blog. Nice work!
Frohe Weihnachten! Building SSHKeychain as an Intel Binary
I’ve seen a few Universal Binary builds of SSHKeychain floating around, but I’m paranoid, so I built my own. It’s easier than I expected.
Building Subversion 1.4.3 for OS X
Metissian’s pre-build Subversion binaries are out of date, and Dan Benjamin’s excellent guide to building Subversion yourself runs into a wall for 1.4+. You, however, are an impatient pioneer. You want to build the latest stable (impatient, not _imprude
Starting out with the SVK Version Control System
SVK is a version control system that sits on top of a Subsverion, CVS, Perforce, etc. repository, and provides the promise of a common interface. Here’s how to install it on OS X.
Comments With Specificity
Jack Slocum’s new comment system is really inspirational.
Apartments in Munich
Help me find an apartment, please?
Backing Up E-Mail
Rui Carmo wrote a great python script to backup e-mail from an IMAP server.
Anatomy of a Technical Interview: Part I Serverless SVN Repositories
You don’t need a powerful SVN server in order to reap the benifits of version control. This article explains how to set up repositories on any machine you have SSH access into.
Traffic Analysis with Mint
I use Mint to analyze the traffic on this website. It’s a powerful tool, made more powerful with some excellent plugins.
You heard me: `leave`!
leaveis a brilliant little utility that annoys you at a pre-specified time until you log out.
Articles about Interviewing
A short list of articles worth reading for interviewers or interviewees.
Answers to Common Technical Interview Questions
The interview articles I found yesterday had more than a few common “phone screen” questions that I decided to make sure I could answer: here’s what I came up with.
DOM calls are expensive; this article walks through one quick way to optimize them out of your code.
French Translation of 'I Wonder What This Button Does'
John Garner has translated the revision control article I wrote for A List Apart into French! Exciting!
I wish I was at OSCON: 'Subversion Best Practices'
Brad Choate has a great summary of what looks like a wonderful presentation on Subversion best practices, given at OSCON 2006 by Ben Collins-Sussman & Brian W. Fitzpatrick
I Wonder What This Button Does
I’ve got an article up on A List Apart, introducing my favourite behind-the-scenes development tool: Subversion.
I wonder how to say 'ugh' in German?
I hate being sick.
Building Accessible Widgets for the Web
I’ve got an article up on Digital Web, outlining the processes I use to build accessible UI controls for web applications.
“Forbidden” Errors and Subversion Commits
mod_rewriterule broke my Subversion commits with 403 (“Forbidden”) errors. Here’s how I fixed it.
Digital Web and Me
I’ve joined Digital Web Magazine’s editorial team. Yay!
Install SQLite Locally on OS X
SQLite is a nice little database engine that can be incredibly fast as a website backend. Installing it on OS X is equally quick.
`mcw_ma_gnolia` version 0.4 is out
A new version of
mcw_ma_gnoliafixes an issue with parsing Ma.gnolia’s new linkroll format.
Virtual Hosting on OS X
Setting up virtual domains on your local OS X Apache installation is pretty easy. Here’s a quick description of the process.
TextMate bundle for TextPattern
A quick note about a TextMate language bundle for Textpattern that integrates with
Subversion Post-Commit Hooks 101
The “Hello World!” of Subversion
post-commithooks is the use of
SVNnotifyto send e-mails out to a project team every time a new revision is committed to the repository. This is easier than it sounds.
Working with Subversion File Properties
Subversion has a very powerful system for associating metadata with the files you have under version control. This article describes how to automate the process of adding properties to the files you put under version control using
I have three kinds of
mod_rewriterules in my
.htaccessfile, this article explains each, and lays out best practices for managing your site’s URL scheme.
mcw_ma_gnoliais a TextPattern plugin that generates a customizable Ma.gnolia link roll for use on your website.
Preparing a Mac for Resale
Describes the easy process of setting up a mac for resale (patches, etc) while keeping the Setup Assistant experience for the new owner.
mcw_templates - v.0.2
mcw_templatesis a TextPattern admin plugin, enabling the trivial export of pages, forms, and CSS rules to a specified folder for convenient editing, and the subsequent import of new and updated files.
mcw_templates - Import/Export Textpattern Templates
mcw_templates is a TextPattern plugin allowing the export/import of pages, forms, and css rules to files for external editing.
New Server, New Design
I’ve redesigned, and moved the site to a new server. Exciting, eh?
DataRequestor 1.6.1 - Ajax without the confusing API
XMLHttpRequestobject that enables the trivial implementation of dynamic interfaces without the painful necessity for a complete page-refresh to talk to the server. It’s Ajax without the confusing API.
Son of PerfectTime: The Validationator!
Showing Perfect Time (Unobtrusively)
Slidable Select Widgets Explained
A walkthrough of the process I used to make an accessible slider widget from a SELECT element.
Type-Ahead search for select elements
Event Handlers and Other Distractions
Attaching behaviors to the semantic elements in your HTML document isn’t nearly so hard as it sounds.