Web Info & Tutorials

Douglas Crockford continues to bang the drum for securing JavaScript in his latest post:

It is possible to make secure programming languages. Most language designers do not consider that possibility. JavaScript’s biggest weakness is that it is not secure. That puts JavaScript in very good company, but it puts web developers in an untenable position because they cannot build secure applications in an insecure language. JavaScript is currently going through a redesign that is again failing to consider the security of the language. The new language will be bigger and more complex, which will make it even harder to reason about its security. I hope that that redesign will be abandoned.

A more fruitful approach is to remove insecurity from the language. JavaScript is most easily improved by removing defective features. I am aware of two approaches that allow us to build secure applications by subsetting the insecure language.

The first approach is to use a verifier. That is how ADsafe works. A verifier statically analyzes a program, and certifies that the program does not use any of the unsafe features of the language. This does not guarantee that the program is safe, but it makes it possible to make programs that are safe. Any program can compromise its own security. The improvement here is that a program’s security is not compromised by the language it is written in.

The second approach is to use a transformer. A transformer verifies, but it also modifies the program, adding indirection and runtime checks. The advantage of transformers is that they allow the use of a larger subset of the language. For example, ADsafe does not allow the use of the this parameter. A transformer can allow this because it can inject code around it and its uses to ensure that it is never used unsafely. The benefit is that it is more likely that existing programs could run in a safe mode with little or no modification. I think that is a dubious benefit because programs that are not designed to be safe probably are not. The downside is that the final program will be bigger and slower, and debugging on the transformed program will be more difficult.

Both approaches work. But we still need to fix the browser.

A new project, Google Caja, is trying to do source-to-source translation to secure things:

Using Caja, web apps can safely allow scripts in third party content.

The computer industry has only one significant success enabling documents to carry active content safely: scripts in web pages. Normal users regularly browse untrusted sites with Javascript turned on. Modulo browser bugs and phishing, they mostly remain safe. But even though web apps build on this success, they fail to provide its power. Web apps generally remove scripts from third party content, reducing content to passive data. Examples include webmail, groups, blogs, chat, docs and spreadsheets, wikis, and more.

Were scripts in an object-capability language, web apps could provide active content safely, simply, and flexibly. Surprisingly, this is possible within existing web standards. Caja represents our discovery that a subset of Javascript is an object-capability language.

FBJS is also trying to do some of this too. Got some time on Friday to look around some code? Take a look at some Caja.

Yahoo! has got a parallel universe going on between the US and the UK.

Last week we interviewed Steve Souders, Chief Performance Yahoo!, on the update to YSlow. Steve has a book out called High Performance Web Sites.

Meanwhile, in the UK, Stuart Colville and Ed Eliot also of Yahoo! have a book in the works called High Performance Web Site Techniques.

Stuart and Ed recently released the CSS Sprite Generator tool, and we sat down to discuss it, and other performance related topics:

I can’t wait to hear what Yahoo! Australia has to offer next!

Jason Harwig has written a quick tip on Testing JavaScript Objects with Function.prototype.call. The example that he uses is:

In the context of Crosscheck, the JavaScript unit testing framework, you would see this work via:

What is Crosscheck?

Crosscheck is an open source testing framework for verifying your in-browser javascript. It helps you ensure that your code will run in many different browsers such as Internet Explorer and Firefox, but without needing installations of those browsers. The only thing you need is a Java Virtual Machine.

Bob Buffone (Nexaweb, XAP, and a aggregation more) has created an application to effort JavaScript performance. You crapper separate the app in different browsers to study the results.

Bob has finished that impact for you though, and has documented his findings which has him last that the generalized senior is Safari, Firefox, IE.

Back in July, we held our third annual Ajax Reader Survey. The results are in. Some interesting observations:

• Prototype and Scriptaculous still dominate the field with 68% and 59% of readers using them, respectively. jQuery has a respectable 48% share. Yahoo UI!, Dojo, and Ext JS round out the top six. Google Gears enjoys usage by 22% of survey participants--pretty amazing for its youth. Despite Java's popularity amongst our readers, DWR is only used by 13% of readers, which surprised us.
• A little over 50% of readers use PHP, and about 40% use Java. Only 20% of readers use .NET technologies.
• The biggest concern on your mind? Cross-browser rendering issues, with 60% of you listing it as your biggest concern.

What questions/frameworks did we leave out? What do you think of the results?

Rey linked to Thomas Fuchs tease last week and now it is John Resig's turn.

Are we going to see a nice visualization engine in jQuery?