Thursday, March 31, 2005

Yahoo 360.

I've got yahoo 360 invites, gmail me at frenchy ... family, friends, coworkers, enemies first :)

Sunday, March 27, 2005

GMail offers Phishing Alerts

I'm interrupting my short blogging hiatus to point out that GMail offers, i don't know as of when, Phishing Alerts. Good stuff :) Thanks Googledudes :D

I'd written about phishing a while back too.

Monday, March 21, 2005

Theme Songs in Movies

As "Never Say Never" is playing on channel 528 right now, three movies that start the opening credits with theme songs come to my XSLT-infested, semi-lucid mind at this most auspicious hour:
  1. All James Bond movies
  2. South Park, The Movie
  3. Harold & Kumar Go to Whitecastle
A trend?

Mad Love to Lindy-Pie

Taking a few minutes away from late-night coding to send Mad Love to my friend Lindy-Pie who's the rough equivalent of a Filet Mignon lighter since last week. And mad shouts out to Her Man for taking such great care of her. Hang in there guys.

Wednesday, March 16, 2005

GMail Invites Out my Ears

Like most other GMail users, I've got what appears to be a never-ending stream of GMail invites to hand out. If you send me an email to frenchy@gmail.com, you're almost guaranteed to get an invitation.

Wednesday, March 09, 2005

iPod Killer, Reloaded

Sony: "hey look! we too have a flash-based mp3 player! with AAA batteries! watch out iPod"

Monday, March 07, 2005

EarthLink Broadband Over PowerLine Free Trial?

Hrmmm. I saw this site posted somewhere. I don't think I'm part of those lucky homes just yet.

R.I.P. Chris Portman

In over 6 years working here, I'd only interacted with him over our internal IRC a handful of times. One of our company's youngest and brightest minds, he was widely respected as a Guru in his field.

Sunday, March 06, 2005

XSLT Mac OS X Cocoa App

TestXSLT is what I was looking for to do XSLT transformations in Mac OS X. Thanks n' $20 to Marc Liyanage for putting it together :)

Tuesday, March 01, 2005

Friendster Features TypePad Blogging

Friendster now offers blogging and photo albums powered by TypePad. w00t.

ContextAgnosticXmlHttpRequest: an Informal RFC

update: 08/22/2007: Per anonymous commenter, Mozilla is about to release cross-domain support for XmlHttpRequest.
update 3/17/2006: See also the JSONRequest proposal by Douglas Crockford.
update 10/3/2005: Microsoft is asking similar questions. Please read the full discussions we had on ContextAgnosticXmlHttpRequest on the what-wg mailing list. The thread goes-on for quite a while, with good thoughts from many developers.Some key points i've extracted:

- There was a pretty decent consensus for requiring an HTTP service to send one extra HTTP Header that we might call X-Allow-Foreign-Hosts. A ContextAgnosticXmlHttpRequest would fail to expose any data from a service not sending this header. This ought to protect intranets.

- A couple of us firmly believe we truly don't want to be sending any cached/saved Cookies and/or Basic Auth credentials.



XmlHttpRequest is 2004-2005's big buzz. This post is intended for people who are familiar with this technology. If you wish to familiarize yourself with it, you might consider Apple's fine introduction to XmlHttpRequest.

The current security model of XmlHttpRequest prevents a document from initiating an HTTP Request to a host different from the one that served it. There are very very good, useful, critically important reasons for this: Your browser sends cookies along with the request. For similar reasons, a Flash application may only talk back to the same host that served it. This model already allows developers to build a host of insanely great things, and I'm very happy with it.

This informal RFC is attempting to explore the Pros and Cons of an additional type of request: a ContextAgnosticXmlHttpRequest Object. It would not replace the current implementation of XmlHttpRequest. It would be another object we could leverage for other types of requirements:

Here's a basic use case:

A document served by somehost.myFIRSTdomain.com would retrieve XML data over HTTP from somehost.mySECONDdomain.com.

And, by extension:

A document served by host1.mydomain.com would retrieve XML data over HTTP from host2.mydomain.com.

This request would:
  1. allow a document to perform an HTTP request to a foreign host
  2. without sending any cookies in the request that would otherwise be in effect for that host: no Cookie: Header in request
  3. Discard Set-Cookie: directives in HTTP responses from the target host.
  4. Ignore any cached HTTP Basic Auth credentials, and only send those that'd somehow be explicitly set (URI http://username:password@host or setter methods?)
  5. Always send an accurate HTTP Referer: request header whose value is the URI of the document executing the request. See more below.
Reasons to not do this / Abuse / Security / Discussion Points:
  1. update 11/09/2005: see the above X-Allow-Foreign-Hosts header suggestion which ought to nicely alleviate this problem. In other words, your XML service can only be used by foreign documents if and only if you explicitly allow it by sending this extra HTTP header. - The issue: Everyone and their Moms could now paste some silly HTML code in their web pages to retrieve XML data from web-services-providing web sites. I could now paste the Google Suggest code into my own web page, and show results from Google's servers on my own web page, without going through the trouble of proxying them first. In turn, Google would have to start locking their application down. "Hijacking" HTTP XML services isn't new though, plenty of people have leveraged GMAIL's API in standalone applications without exactly asking Google for their permission. But the learning-and-adoption curve for abuse is far steeper today: You've gotta know a little more about software development than pasting a piece of HTML code into your blog template. "If you're going to leverage someone else's HTTP/XML API in your web documents, be a sport, share-in the bandwidth cost and at least proxy them". I'd most definitely file this under "not unreasonable!".
  2. This would make "the game" interesting for web sites that are RSS aggregators. They would now have the ability to let their end-users load their favorite sites' RSS XML data directly into the web browser without, technically ,"having to" offer a server-side aggregating/caching/proxying layer. If poorly coded, such aggregator site could drive-up bandwidth costs of most subscribed to blogs.
  3. There is one HTTP header i would really like a ContextAgnosticXmlHttpRequest to always send out with absolute integrity: The Referer: (sic) HTTP header. For those who are not already aware of this, the misspelling of the word "Referrer" as "Referer" is part of the official HTTP specification. This header would basically identify the URL of the document originating the request. The entity managing the service receiving the request should be able to easily build white lists and black lists to effectively restrict browser-based access to their service: "If you're not coming from www.google.com, i ain't serving you sh!t."
  4. Beyond the Cookie: HTTP Header, are there any other HTTP headers that should not be included?
  5. Could phishers abuse this to further obfuscate what goes-on in their web documents? They've already got plenty of tools in their shed. I've often seen phishers set-up multiple domains as "landing-pages" to pose as banking sites, while thoroughly obfuscating their HTML code to hide which host/CGI they're actually submitting the data to: disparate landing pages might submit to a same host/CGI. Even with obfuscated HTML, it's relatively easy to sniff out the form submission target by crawling the DOM via a browser plugin or javascript:document.forms. I'd hate to add yet another Remote-Scripting hack to their tool-shed.
  6. Should restrictions be imposed on HTTP methods? Say, only HTTP GET is allowed. At which point, we might rename the object to reflect this restriction. The idea is that HTTP POST is more likely to be used for transactional purposes, which is unlikely to happen at a cross-host/domain level, and I'm leaning toward not allowing the HTTP POSTing of large amounts of data to a completely different domain. See also phishers above.
  7. What about HTTPS? Currently, an HTTP document can't initiate an HTTPS XmlHttpRequest. Should we retain the same restrictions for this object?
  8. Should HTTP Basic Auth even be supported?