Web Info & Tutorials

Isomorphic has made a leap of faith to a new opensource business model today. They have freed up their SmartClient Ajax platform by releasing it under the LGPL license.

The piece that has been opensourced "includes the typical set of Ajax UI components that are now available from several vendors, but goes beyond the standard offering with support for very large datasets, metadata management, advanced skinning and branding, WSDL/SOA binding, and many other features

Extensions to SmartClient LGPL, including the SmartClient Java Server, the SmartClient Visual Builder tool, and several industry-specific optional modules, continue to be available for purchase."

You build UI's using a declarative markup such as:

And in JavaScript:

It is interesting to see that the market almost seems to require that you are opensource, else the barrier to playing around is too high.

Douglas Crockford really wants to make JavaScript safe and you can tell that he is frustrated in his new post on No Script:

I like JavaScript. The language's design got a lot of things right. But it also got a lot of things wrong. Most of those wrong things are just annoyances. A lot of them can be avoided.

There is one problem in JavaScript that is bigger than all of the others put together: The Global Object. All compilation units are thrown into a shared global container. This gives each unit full access to all of the other units. All units get exactly the same rights and privileges. This turns out to be a huge mistake. It is the root cause of most of the security problems in the browser.

If evil script gets onto a page from a good site, the evil script can access the server and there is no way that the server can see that it is talking to an evil script. The script also gets control of the screen, and the user is also unaware of that. This is known as the XSS attack.

If you happen to land on an evil page, script on that page can access servers that you have visited (such as your bank's website), and again, the server cannot tell that it is talking to an evil script. This is known as the XSRF attack.

Fortunately, there is an extension to Firefox that can significantly reduce the dangers and annoyances to you. It is called No Script. No Script lets you set policies on what scripts you want to run. It can block scripts from evil sites. It can frustrate some XSS attacks. It can also frustrate some phishing exploits.

It creates an (S) icon on the bottom bar that gives you access to an easy-to-use policy editor. You must explicitly authorize scripts for each of the sites you usually visit. You can grant temporary authorization for sites you visit once. You might think that you would have to spend a lot of time managing the policy, but surprisingly, you don't.

In the long term, I want to replace JavaScript and the DOM with a smarter, safer design. In the medium term, I want to use something like Google Gears to give us vats with which we can have safe mashups. But in the short term, I recommend that you be using Firefox with No Script. Until we get things right, it seems to be the best we can do.

Hot on the heels of the triple-threat Prototype news blast from yesterday comes more big news. Juriy Zaytsev & Maxim Chernyak officially launched Scripteka.com, the Prototype extensions repository and library. The intention is to provide a central place to organize plugins for the Prototype community.

With Scripteka you can:

• View an extensive library of useful (or useless) prototype based extensions
• Rate and use rating to find the coolest scripts out there
• Submit your own creations and get community feedback
• Subscribe to the newest additions to the library

From my discussion with Juriy over IM, he was extremely excited about all of the new Prototype news and felt this was a natural extension to the library:

This is what prototype community have been waiting for for a long time, to have all scripts in one place

The site also features a list of the latest submissions as well as the most popular extensions on the site.

We discussed the Gmail facelift (or is it a backlift?) terminal week. Subtle features hit been noticed, and digit is specially modify for proficient users.

There hit ever been whatever Greasemonkey scripts to draw your Gmail experience. You pay a aggregation of instance in email, so it makes significance that you would poverty to behave your world. It is strange that the Web has a artefact to do that. Google employs the Greasemonkey author, the communicator of digit Greasemonkey books, and the communicator who place in whatever of the most widely utilised userscripts, so it exclusive makes significance that we would place in whatever try here. The try shows in an experimental API to earmark for cushy monkeying around.

Basically, you crapper programatically alluviation up a supporter goal that gives you pleasant manus into the Gmail API. The mass playscript demonstrates how to alluviation and meaning the gmonkey bindings. It power add a nav incase to Gmail that updates with the the underway analyse type:

This is a pleasant ornament that I wish another sites start into. Not exclusive gift APIs to their place in tralatitious forms, but also letting the experts draw their commodity via gmonkey objects.