
January 16th, 2008

BOOK RECOMMENDATION: AJAX SECURITY BY HOFFMAN AND SULLIVAN

Ajax Security
Reviewers overuse the phrase “required reading,” but no other description fits the new book “Ajax Security” (2007, Addison Wesley, 470p). This exhaustive tome from Billy Hoffman and Bryan Sullivan places the specific security concerns of the Ajax programming model in historical perspective. It demonstrates not only new security threats that are unique to Ajax, but also established threats that have gained new traction in the Web 2.0 era. It then details both the specific technical solutions and - more importantly - the mindset that are necessary to combat such threats.

Because so many developers have historically overlooked the importance of security, the authors approach their topic for what it is: a remedial subject. They take pains to explain the basic mechanisms by which hackers have exploited insecure web applications over the last decade: cross-site request forgery, denial of service attacks, cross-site scripting and SQL injection. Then they explain how those mechanisms have changed thanks to the rise of XMLHttpRequest, public APIs, mash-ups and aggregators. If you’ve ever read a Douglas Crockford rant about the “brokenness” of the web security model and wondered why the guy was such an alarmist, Hoffman and Sullivan are only too happy to provide you with a much-needed wake-up call.


January 16th, 2008

PBWIKI JAVASCRIPT TESTING

Brian Klug of the PBwiki team wanted to learn more about JavaScript serving, so he created a JavaScript Library Test which measures the loading time of Dojo, jQuery, Prototype, YUI, and Protoculous.

The test compares packed vs. minified, gzipped vs. not, cached, etc., with some interesting results (hint: don’t use packed!). You can use your browser to help test, or see the combined results of thousands of testers.

JavaScript Library Results

January 16th, 2008

WINTER HOLIDAY CHRISTMAS LIGHTS

Scott Schiller redesigned his site for the holidays and I somehow missed it. He tends to experiment with JavaScript in this way, and this year is a great example:

Move your mouse over the Christmas lights (with headphones), and blow off some holiday stress! Smash -all- of the lights, and you will be.. rewarded. ;) This uses SoundManager 2 for the effects, and YUI for DOM, Animation and the Slider widget. The site’s time-sensitive (night/day) and you can control the “lighting” and other effects via a slider, but I’ll leave it for you to check out if interested. ;)

I was also pleased to note that the YUI worked nearly flawlessly when the site is rendered in proper XML/standards mode (XHTML sent with the “application/xhtml+xml” MIME type), which also makes JavaScript a little more “strict” - i.e., you can’t reference document.body any more, and so on.

The design is intentionally experimental, and uses a lot of alpha-transparent PNGs, animation and CSS opacity (there is an “enhanced FX” checkbox in the UI which enables/disables the fancy stuff), and will put a pretty good load on any modern system. The point was to see how the different browsers would perform; Safari 3 and Firefox 3 (beta) both handle things quite well, Opera and IE 7 do a decent job as well. (Unfortunately I had to degrade IE 6, it couldn’t handle all the PNGs + opacity.)

Xmas Lights