Complete Archive of Everything Ever

  1. Web Platform Security @ CMS Security Summit 2020

    This is a quick summary of a presentation I gave last week at Google’s second CMS Security Summit, held here in Munich. TL;DR: Injection attacks are bad, isolation is lacking, and I’m looking forward to more collaboration on both fronts.

  2. XSS (No, the _other_ 'S') - CSSConf EU 2013

    I had the distinct pleasure of talking with folks at this year’s CSSConf EU about the dangers of content-injection attacks. They’re not just for JavaScripters, you see: CSS is dangerous too! They’ve just posted the video, and I think it’s worth a little under a half-hour of your time to skim through.

  3. Frontend Security - Frontend Conference, Zürich 2013

    Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.

  4. Debugging runtime errors with 'window.onerror' in Blink

    After working with Blink’s implementation of window.onerror a little bit over the last week or so, I’m somewhat amazed that anyone ever used it for anything at all. Happily, we’ve made some big improvements in the last week or two that I think it’s worth highlighting here.

  5. Securing the Client Side

    At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. cough.

  6. Content Security Policy: Feature Detection

    AngularJS has recently implemented support for Content Security Policy that restricts the use of eval(), new Function(), and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.

  7. Chrome connects to three random domains at startup.

    When you start Chrome, it attempts to connect to three random domains. I’ve seen a few theories about why exactly this happens that brush up against the nefarious. The true rationale is incredibly mundane: hopefully this short summary will clear things up.

  8. Nerdy New Year

    New Year’s resolutions come in all shapes and sizes; if you’re a web developer stuck for good ideas of things you could do to improve the world (or at least the tiny chunk of it that’s concerned with web performance and security) I’d like to propose two: secure all your websites, and use a cookieless domain for static assets.

  9. Making Your Web Apps Accessible Using HTML5 and ChromeVox

    Back in November, I presented twice at the Google Developer Day in Tel-Aviv. The first of those talks has been uploaded, and I spent most of the afternoon transcribing it to post here. I wanted to give the audience (you!) an introduction to screen readers, and to building accessible websites and applications. I think it was pretty successful, and I hope you enjoy it if you watch at home.

  10. GDD Keynote: The HTML5 Demos

    I had the opportunity to present a few demos during the Chrome section of Saturday’s Google Developer Day in Berlin (which, incidentally, was a blast). I expect a video to go up at some point in the vaguely near future, but, since I got more than a few questions about it, I’m throwing the links up here as a stopgap before the video’s released.

  11. Secure Chrome extensions: Content Security Policy

    Based on the Content Security Policy primer I wrote last week, you should have a good idea of what CSP can offer a website developer. What might not be clear is that the policies can extend beyond HTTP, a bit more deeply into the browser. Chrome offers Content Security Policy support for extensions that substantially reduces the possibility of permission leakage; this article describes how it works, and how you can use it in your extensions.

  12. Content Security Policy: A Primer

    The web’s security model is fundamentally broken, and has been since the beginning. Content Security Policy is an upcoming feature of the web platform that promises to mitigate the risk of XSS attacks, and it’s worth starting to play with now.

  13. HTTP Strict Transport Security and You

    With a simple Wi-Fi packet-sniffer, intercepting login cookies over the air is far easier than it ought to be. Happily, clever people have put together solid mitigation techniques, one of which is HTTP Strict Transport Security. I’ve implemented it on a personal site; this article describes what it is, why it’s important, and how you can use it yourself.

  14. Chrome Privacy

    Dave Winer ends an otherwise quite reasonable piece about his concern at Facebook’s “frictionless sharing” with a non sequitur attack on Chrome for, as far as I can tell, nothing it’s actually doing.

  15. I'm on Technikwürze

    I sat down with Technikwürze’s Marcel Böttcher way back at the beginning of February to talk about the exciting new release of Chrome 9 to the stable channel, and a few other bits and pieces of the Chrome ecosystem. That interview (in German) is just now seeing the light of day as Technikwürze 178. After listening to it last night, I think it generally went pretty well, modulo a few small mistakes on my part.

  16. A Quick git/vim Workflow Tip

    Git makes it incredibly easy to work on a lot of a project’s features at once, hopping quickly back and forth between branches. I love this ability, but I hate remembering what exactly it was that I was working on in a particular branch. I know it had something to do with a particular bug, but I’ve no idea anymore which files I was fiddling around with to fix it. Here’s my solution to that problem.

  17. Intro to IndexedDB

    Yesterday at the Silicon Valley GTUG meetup, I gave a presentation introducing the IndexedDB API. I’ve thrown the slides on Slideshare, but the transcription there is absolutely miserable. I’ll reproduce it here in a readable format, and add a few notes where appropriate.


    One question you’re almost certainly not asking yourself is “What’s Mike West been up to?” That’s a shame, really, as I’ve got some projects floating around that I’m proud of, and that I’d like to share with you. Moreover, I’d like to point out the project documentation pages that I’ve put together as a meta-project; I think it’s worth your time to take a look.

  19. JSLint needs some Bad Parts

    One of the few tools that I consider truly indispensable when developing websites is JSLint. Too bad it’s almost impossible to contribute back to the project, and that the project’s run by someone who “will hurt your feelings.”

  20. A JavaScript Detection Pattern

    Progressive enhancement of our sites and applications has become a relatively well accepted best practice for web development. This article outlines a technique I’ve used successfully to ensure that core functionality is available without JavaScript, while maintaining a quality experience for the majority of users with JavaScript enabled.

  21. CSS Rules of Thumb

    Apropos of nothing, a few CSS tips that have nothing to do with browser incompatibilities, and everything to do with your own sanity when dealing with code you’ve written.

  22. An Accessible Pagination Pattern

    Pagination is a basic building block of the web, but it’s often implemented with markup that makes it less accessible than it ought to be. Here, I’ve outlined my preferred solution to the problem.

  23. MacSpeech Dictate: First Impressions

    I suspect that the first thing any developer does when they get their hands on MacSpeech Dictate is to begin writing a review of MacSpeech Dictate in MacSpeech Dictate. I am no exception.

  24. My Jekyll Fork

    Jekyll is a well-architected throwback to a time before Wordpress, when men were men, and HTML was static. I like the ideas it espouses, and have made a few improvements to its core. Here, I’ll point out some highlights of my fork in the hopes that they see usage beyond this site.

  25. Fallow fields, revisited

    I’m currently in the process of gutting my website, and rebuilding it piece by piece. I suspect I’m doing this to distract myself from the fact that I don’t seem to have anything interesting floating around my head to write about. Rather than catalog the failings of the system I’m replacing (for they are legion), in this article I’d like to touch on the carefully considered bits I’m keeping around.

  26. Productivity Or My Lack Thereof

    It’s becoming clear that I’m miserable at distinguishing between productivity and productivity porn.

  27. Mnot's Redbot

    Mark Nottingham has put together a really useful tool that aids in the analysis of the behavior of HTTP resources. I’ve started putting together a command line version based on the web version he’s released on GitHub.

  28. Playing with Placemaker

    Yahoo’s latest API is really quite cool: Placemaker takes your unstructured data (e.g. any HTML page, RSS feed, etc), and extracts a nice list of locations that your data refers to.

  29. Well. That was easy.

    Getting JSLint running inside Spidermonkey was much simpler than I expected it to be.

  30. The Value of Measurement

    While I agree fully with many of the conclusions Lukas Mathis draws in an excellent essay on the recent Google/Douglas Bowman split, a few bits deserve further study. In general, engineers understand and can relate well to automated A/B testing, and designers understand and can relate well to more personal usability testing. The two are, however, not the same, don’t provide the same data, and ought not be conflated.

  31. DSL Woes

    My DSL connection is really quite fast; I’m apparently only ~800m away from the nearest DSLAM, and so I should in theory be capable of maxing out the connection. This holds up pretty well in speed tests: I get great downstream, and passable upstream scores when connecting to pretty much anything in Europe. All told, I should be thrilled with my service, but I’m not, because it only seems to actually work about 80% of the time.

  32. I think I've bricked my iPhone

    I tried to install the latest iPhone 3.0 beta firmware on my decidedly-not-3G iPhone last night, and failed miserably.

  33. Compiling Varnish on a minimal JeOS System

    Varnish is an excellent-looking ‘HTTP accelerator’, designed specifically as a high-performance caching reverse-proxy to sit in front of your hard-working application servers, and relieve them of load. It’s a bit of a pain in the ass to install from source on JeOS, though.

  34. Asynchronous Execution, JavaScript, and You

    I spent more time than I care to admit this afternoon tracking down a bug in some relatively straightforward jQuery code. As it turned out, I was overlooking my error because I was thinking about my code in absolutely the wrong way.

  35. Installing the W3C HTML Validator on JeOS

    So. W3C has quite decent installation instructions for the HTML validator, but it makes a few assumptions about a typical Linux environment that don’t actually hold true if you’re running a stripped down JeOS distro in a virtual machine.

  36. Vimeo's Noncommercial Nature

    Vimeo’s asked Marco Arment to take down his Instapaper Pro demo video. His response is frustrated and understandable. I don’t, however, think it’s completely justified.

  37. Static IPs in VMWare Fusion Guests

    Setting VMWare Fusion up to assign the same IP to a particular guest OS every time is a trivial process, and makes configuring your development environment a simpler process.

  38. Virtualization Tips

    In the last three weeks, I’ve set up something like 6 virtual machines to play with a variety of bits and pieces of things that I come across. Here are a few lessons learned.

  39. Instapaper is Amazing

    I think I’ve read more articles with Instapaper in the last two days than I have in the last two weeks with NNW alone. It’s an absolutely brilliant tool, and I’m excited about how much simpler it’s made my internet-related reading life.

  40. Opera Web Standards Curriculum: The JavaScript Bits

    Last year, I jumped on the opportunity to sit down and write some articles for Opera’s Web Standards Curriculum. I bit off a bit more than I could chew, and Chris Mills exhibited the patience of a saint as I finished the first quickly, the second slowly, the third very slowly, and then completely failed to deal with the rest. Regardless, those were released along with the rest of the JavaScript bits to complete the curriculum.

  41. Centralized Bug Tracking

    I liked many things about working at Yahoo. I’m coming to realize that what I (in hindsight) like most is probably the piece of software I thought about the least positively, namely Yahoo’s mostly centralized and completely open bug tracking system: Bugzilla. We abused it more than a bit, attempting to layer task and project management on top of a system that wasn’t really designed to support it, but all told, Bugzilla made my work life better.

  42. Some Thoughts Regarding Caja

    Yesterday, Yahoo! made some announcements regarding The Future™ of many of their high profile properties. Specifically, they’re (slowly) opening up, enabling third-party developers to build applications that can be seen on and interact with your My Yahoo! page, or your mailbox. I think this is a great step, and one I wish they’d made before they laid me off.

  43. My job's value

    Recently, I wrote a short article on the effect a team’s sense of ownership in its projects can have on the finished product. The surprising twist in my professional life last week has led me back onto the same train of thought, but I’m coming to it from a slightly different angle.

  44. I ♥ GitHub

    Over the last two or three weeks, a substantial subset of my friends and colleagues have started using GitHub to host some of their personal projects. I’m really enjoying this influx, and it’s inspiring in a way I didn’t really expect. GitHub has done nothing less than to make my friends’ coding activity visible to me, and mine visible to them. This doesn’t sound like much, but it’s simply transformative; if this is how “normal” people feel about Facebook, then I can start to understand how it’s captured so much mindshare.

  45. An Admonition Regarding Details

    Details are everything, but worrying about details at the expense of progress puts the cart before the horse, misses the forest for the trees, makes perfect the enemy of the good, and can be described by many other metaphors with similar meaning.

  46. The Inspiration of Ownership

    On the bus home from work, I was listening to this week’s On the Media. In particular, I was struck by a great interview with the man who designed the field-organizer and volunteer training programs for Barack Obama’s campaign: Marshall Ganz. If you’re at all interested in the political angle, I’d suggest you listen. If you’re at all interested in how I’m planning to apply this seemingly unrelated topic to the technical field of web development (et al), keep reading.

  47. Flickr's API is driving me nuts

    I’m trying to do something with the Flickr API that I consider to be relatively trivial. I have the impression that the API is fighting me every step of the way. Why, oh why, can’t the wonderful people who designed’s new API hop over to Flickr and slap together something that makes sense from the perspective of the end user?

  48. Generating Etags for static content using Nginx

    Nginx is a brilliant little HTTP server that I’m using on this website to quickly serve static content. It bothers me a (very) little that it doesn’t correctly generate Etag headers for static content, however. I’m attempting to remedy that oversight by releasing an Nginx module: nginx-static-etags.

  49. The Overton Window at Work

    The ‘Overton window’ is a bit of political jargon that describes how politicians influence the perceptions and debates that go on among the voting public. In this thinly veiled (but mercifully short) rant, I argue that it’s equally applicable to my workplace.

  50. Smoothly Migrating to a New Server

    Hopefully, you didn’t notice a thing yesterday when I moved the site off my shared accelerator at Joyent, and onto a custom built slice at Slicehost. That was very much the goal. Briefly, I’ll go through the steps I took to make the transition as smooth as possible both before the launch and directly afterwards.

  51. Fallow fields and new beginnings

    It’s been quite some time since I put any serious effort into I’ve had tons of work, I’ve been burnt out, I’ve been complacent… the excuses pile on top of each other, each valid, each sufficient, none satisfactory. For the sake of my own sanity, I need to start working on personal projects again. Last week’s GitHub dump was the first step in that direction. Consider this relaunch to be the second.

  52. Gently abandoning dead (to me) projects

    I’ve had a few bits of code floating around on the site for 2-3 years now without any serious investment of effort on my part. It’s time to throw in the towel, admit that I’m never actually going to touch them again, and set those loose.

  53. Microformats on Kelkoo

    Ben Ward has a post up on YDN discussing the massive addition of microformats to the Kelkoo shopping site. Interesting read.

  54. Accessibility Tips from Mike Davies

    Mike Davies, who has more accessibility knowledge in his little finger than most developers I know, has started a new site to share his wisdom with the rest of us. I’m looking forward to seeing what he puts out there.

  55. Safeguarding your data with Parchive

    After a brief mishap with a hard drive, I’ve gone backup-crazy. This article looks at how I’m using Parchive to give myself an extra bit of confidence in my backups.

  56. DNS Made Easy is actually pretty easy

    In a spontaneous burst of productivity, spawned mostly by my complete and utter failure as a sysadmin, I moved my parent’s email account off my server. DNS Made Easy made this a trivial task.

  57. Solving strange text wrapping problems in `bash`

    I started having strange text wrapping problems after implementing the beautifully colored bash prompt I discussed on Monday. After fidgeting around a bit, I think I’ve come up with a solution.

  58. Now I have a colourful `bash` prompt

    My jealousy of Adriano’s pretty bash prompt has been assuaged by the construction of my own, prettier and more functional prompt. So there!

  59. Presentation: Love the Terminal

    When Murray and Norm solicited talks earlier in the year for the Yahoo! Frontend Summit, they somehow neglected to mention that the presentations would end up being hour-long blocks. :)

  60. Photoset: @media Ajax

    I still haven’t written anything useful about the @media Ajax conference, but here are some lovely pictures. Should be worth about 64,000 words, right?

  61. Just back from London

    I’m back from London after @media Ajax with some security papers for you to read, and not much else yet.

  62. Escaping Curly Braces in XSLT Attributes

    Curly braces in the attributes of an XSLT document’s elements are interpreted as XPath expressions to be evaluated. This sometimes causes problems…

  63. Short-form Link Blogging

    Blogging is hard for me, mostly because I have an irrational desire to make each of my posts “important” and “interesting”. I’m working out ways to solve that problem for myself…

  64. Stupid i18n Mistake.

    Italian (and other languages) are full of single-quotes. Maybe I should escape them…

  65. How do I unit test a website?

    Unit testing seems like an unqualified good, I’m just not sure how to apply the concepts to my work.

  66. Words Escape Me

    I’m bored, and even though I should be overflowing with things to write about, I’m not.

  67. My bookmarks are amazingly out of date.

    I’m removing the bookmarks from this site on a temporary basis. That should drive me insane enough to actually do something about the fact that they haven’t changed since last year.

  68. Domain Transfer

    I’m (finally) hopping off GoDaddy and onto Gandi. Hopefully nothing explodes…

  69. ¡Es vivo!

    We launched the Yahoo! News site in Spain today. Finally!

  70. Stopgap Solution

    I bought a Treo 600 on Ebay. And it’s huge. HUGE! But also very powerful and nice.

  71. Fun Apple Remote Tricks

    Funny, funny coworkers can be stymied by pairing your Apple Remote with your mac.

  72. Just the stats

    A List Apart is running a survey to gather demographic info from web professionals; I think it could be a worthwhile enterprise.

  73. It's live.

    Today, we relaunched Yahoo! News in the UK. Finally.

  74. DataRequestor - Version 1.6

    After a brief (ha!) hiatus, DataRequestor’s 1.6 release fixes many outstanding bugs. Grab it now!

  75. Signs of Life

    It’s great to see that SSHKeychain isn’t dead.

  76. Benchmarking Your Site with `http_load`

    http_load is a great benchmarking utility that gives you a quick overview of your web server’s performance. This article describes how to install and use it.

  77. Locking Your Mac

    My coworkers love playing pranks on poor, unlocked computers. This is the method I’ve decided on to quickly and securely walk away from my Mac.

  78. iWant.

    I want an iPhone. Just like everyone else.

  79. Building SSHKeychain as an Intel Binary

    I’ve seen a few Universal Binary builds of SSHKeychain floating around, but I’m paranoid, so I built my own. It’s easier than I expected.

  80. Building Subversion 1.4.3 for OS X

    Metissian’s pre-built Subversion binaries are out of date, and Dan Benjamin’s excellent guide to building Subversion yourself runs into a wall for 1.4+. You, however, are an impatient pioneer. You want to build the latest stable (impatient, not _imprude

  81. Starting out with the SVK Version Control System

    SVK is a version control system that sits on top of a Subversion, CVS, Perforce, etc. repository, and provides the promise of a common interface. Here’s how to install it on OS X.

  82. Backing Up E-Mail

    Rui Carmo wrote a great Python script to back up e-mail from an IMAP server.

  83. Serverless SVN Repositories

    You don’t need a powerful SVN server in order to reap the benefits of version control. This article explains how to set up repositories on any machine you have SSH access into.

  84. Traffic Analysis with Mint

    I use Mint to analyze the traffic on this website. It’s a powerful tool, made more powerful with some excellent plugins.

  85. You heard me: `leave`!

    leave is a brilliant little utility that annoys you at a pre-specified time until you log out.

  86. Scope in JavaScript

    My latest article for Digital Web, ‘Scope In JavaScript’, is up and waiting for you to read it.

  87. Answers to Common Technical Interview Questions

    The interview articles I found yesterday had more than a few common “phone screen” questions that I decided to make sure I could answer: here’s what I came up with.

  88. Quick Optimization

    DOM calls are expensive; this article walks through one quick way to optimize them out of your code.

  89. I Wonder What This Button Does

    I’ve got an article up on A List Apart, introducing my favourite behind-the-scenes development tool: Subversion.

  90. Digital Web and Me

    I’ve joined Digital Web Magazine’s editorial team. Yay!

  91. Install SQLite Locally on OS X

    SQLite is a nice little database engine that can be incredibly fast as a website backend. Installing it on OS X is equally quick.

  92. Virtual Hosting on OS X

    Setting up virtual domains on your local OS X Apache installation is pretty easy. Here’s a quick description of the process.

  93. Subversion Post-Commit Hooks 101

    The “Hello World!” of Subversion post-commit hooks is the use of SVNnotify to send e-mails out to a project team every time a new revision is committed to the repository. This is easier than it sounds.

  94. Working with Subversion File Properties

    Subversion has a very powerful system for associating metadata with the files you have under version control. This article describes how to automate the process of adding properties to the files you put under version control using auto-props.

  95. Leveraging `mod_rewrite`

    I have three kinds of mod_rewrite rules in my .htaccess file; this article explains each, and lays out best practices for managing your site’s URL scheme.

  96. mcw_ma_gnolia

    mcw_ma_gnolia is a TextPattern plugin that generates a customizable Ma.gnolia link roll for use on your website.

  97. Preparing a Mac for Resale

    Describes the easy process of setting up a Mac for resale (patches, etc.) while keeping the Setup Assistant experience for the new owner.

  98. mcw_templates - v.0.2

    mcw_templates is a TextPattern admin plugin, enabling the trivial export of pages, forms, and CSS rules to a specified folder for convenient editing, and the subsequent import of new and updated files.

  99. DataRequestor 1.6.1 - Ajax without the confusing API

    DataRequestor is a JavaScript wrapper for the XMLHttpRequest object that enables the trivial implementation of dynamic interfaces without the painful necessity for a complete page-refresh to talk to the server. It’s Ajax without the confusing API.

  100. Type-Ahead search for select elements

    An expansion of earlier unobtrusive JavaScript articles: this time we’re adding type-ahead search functionality to SELECT elements.