web - Dave's Blog


Search

Tweet from David_Risney

2 days ago
How do you conditionally sprite/concat/shard based on http version? https://mattwilcox.net/web-development/http2-for-front-end-web-developers …
PermalinkComments

Retweet of JustRogDigiTec

Feb 13, 6:54
Still on the fence if this is good for the web. Love the progress!! “@shanselman: Flash isn't dead. It's undead. http://www.hanselman.com/blog/JavaScriptHasWonRunFlashWithMozillaShumwayAndDevelopSilverlightInJSWithFayde.aspx …
PermalinkComments

Retweet of textfiles

Feb 12, 9:15
My boss came out and spoke for five minutes in NYC and mentioning locking the web.... open. https://archive.org/details/bresterkahlenetgain …
PermalinkComments

Tweet from David_Risney

Feb 12, 8:35
Unicode encoding holy wars via Mark Pilgrim / Emo Philips http://web.archive.org/web/20080209154953/http://diveintomark.org/archives/2004/07/06/nfc …
PermalinkComments

Retweet of bai0

Feb 7, 12:49
@textfiles @jwz I added some more turtles. VRML in NS2 in WebGL on Chrome on an Oculus Rift. Achievement unlocked. pic.twitter.com/Imy4UWPG2w
PermalinkComments

Retweet of davemethvin

Feb 5, 9:34
When when the defenders of synchronous AJAX appear for the 14th time https://lists.w3.org/Archives/Public/public-webapps/2015JanMar/0523.html … http://i.imgur.com/k4Y5Uhh.png 
PermalinkComments

David_Risney: Just put up CSP Fiddler extension to help figure out minimum required CSP rules for web pages.

Jan 24, 5:32
David Risney @David_Risney :
Just put up CSP Fiddler extension https://github.com/david-risney/CSP-Fiddler-Extension … to help figure out minimum required CSP rules for web pages.
PermalinkComments

Live coding in VR with the Oculus Rift, Firefox WebVR,...

2014 Oct 6, 2:45


Live coding in VR with the Oculus Rift, Firefox WebVR, JavaScript and Three.js

"I built a live-coding web app for the Oculus Rift where you code in JavaScript using Three.js and watch the world change around you in real-time."

PermalinkCommentsvideo programming javascript 3d vr oculus-rift technical

Detect login with CSP - When Security Generates Insecurity

2014 Jul 8, 1:13

An interesting way to use the report-uri feature of CSP to detect if a user is logged into Google, Facebook etc.

PermalinkCommentstechnical security csp web

On exploiting security issues in botnet C&C...

2014 Jun 23, 4:26


On exploiting security issues in botnet C&C software:

Hackers “are learning that it’s not so easy to write secure code,” Toro says. “Most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhaustive undertaking. Malware creators who have to look to their own defences would have to slow down the production of new attacks.”

FYI, if you want to know what it looks like when you hack a hacker, look no further than the seminal 1995 film Hackers.

PermalinkCommentstechnical security

Netflix API : Retiring the Netflix Public API

2014 Jun 15, 3:02

First they came for our RSS feeds and I said nothing…

PermalinkCommentstechnical Netflix web api api

A high-profile fork: one year of Blink and Webkit Some stats...

2014 Jun 3, 9:10


A high-profile fork: one year of Blink and Webkit

Some stats and analysis at a very high level of the Blink fork from Webkit.

PermalinkCommentstechnology browser webkit blink apple google

XSS game

2014 May 29, 1:10

Google’s XSS training game. Learn how to find XSS issues for fun and profit.

PermalinkCommentstechnical web security xss google

Cloud Share - New App

2014 May 23, 4:06

I've put a new app on the Windows Store: Cloud Share. It connects the web to your Windows 8 share charm.

I did the development on GitHub and quite enjoyed myself. I wasn't sure I liked the game-ification of development in GitHub's dashboard showing you your longest development streak in days. However I realized that it encourages me to do work on my personal project and anything that aids in holding my attention on and helping me finish these projects is a good thing.

PermalinkCommentsdevelopment github javascript JS technical windows

Debugging anecdote - the color transparent black breaks accessibility

2014 May 22, 10:36

Some time back while I was working on getting the Javascript Windows Store app platform running on Windows Phone (now available on the last Windows Phone release!) I had an interesting bug that in retrospect is amusing.

I had just finished a work item to get accessibility working for JS WinPhone apps when I got a new bug: With some set of JS apps, accessibility appeared to be totally broken. At that time in development the only mechanism we had to test accessibility was a test tool that runs on the PC, connects to the phone, and dumps out the accessibility tree of whatever app is running on the phone. In this bug, the tool would spin for a while and then timeout with an error and no accessibility information.

My first thought was this was an issue in my new accessibility code. However, debugging with breakpoints on my code I could see none of my code was run nor the code that should call it. The code that called that code was a more generic messaging system that hit my breakpoints constantly.

Rather than trying to work backward from the failure point, I decided to try and narrow down the repro and work forwards from there. One thing all the apps with the bug had in common was their usage of WinJS, but not all WinJS apps demonstrated the issue. Using a binary search approach on one such app I removed unrelated app code until all that was left was the app's usage of the WinJS AppBar and the bug still occurred. I replaced the WinJS AppBar usage with direct usage of the underlying AppBar WinRT APIs and continued.

Only some calls to the AppBar WinRT object produced the issue:

        var appBar = Windows.UI.WebUI.Core.WebUICommandBar.getForCurrentView(); 
// appBar.opacity = 1;
// appBar.closeDisplayMode = Windows.UI.WebUI.Core.WebUICommandBarClosedDisplayMode.default;
appBar.backgroundColor = Windows.UI.Colors.white; // Bug!
Just setting the background color appeared to cause the issue and I didn't even have to display the AppBar. Through additional trial and error I was blown away to discover that some colors I would set caused the issue and other colors did not. Black wouldn't cause the issue but transparent black would. So would aqua but not white.

I eventually realized that predefined WinRT color values like Windows.UI.Colors.aqua would cause the issue while JS literal based colors didn't cause the issue (Windows.UI.Color is a WinRT struct which projects in JS as a JS literal object with the struct members as JS object properties so its easy to write something like {r: 0, g: 0, b: 0, a: 0} to make a color) and I had been mixing both in my tests without realizing there would be a difference. I debugged into the backgroundColor property setter that consumed the WinRT color struct to see what was different between Windows.UI.Colors.black and {a: 1, r: 0, g: 0, b: 0} and found the two structs to be byte wise exactly the same.

On a hunch I tried my test app with only a reference to the color and otherwise no interaction with the AppBar and not doing anything with the actual reference to the color: Windows.UI.Colors.black;. This too caused the issue. I knew that the implementation for these WinRT const values live in a DLL and guessed that something in the code to create these predefined colors was causing the issue. I debugged in and no luck. Now I also have experienced crusty code that would do exciting things in its DllMain, the function that's called when a DLL is loaded into the process so I tried modifying my C++ code to simply LoadLibrary the DLL containing the WinRT color definition, windows.ui.xaml.dll and found the bug still occurred! A short lived moment of relief as the world seemed to make sense again.

Debugging into DllMain nothing interesting happened. There were interesting calls in there to be sure, but all of them behind conditions that were false. I was again stumped. On another hunch I tried renaming the DLL and only LoadLibrary'ing it and the bug went away. I took a different DLL renamed it windows.ui.xaml.dll and tried LoadLibrary'ing that and the bug came back. Just the name of the DLL was causing the issue.

I searched for the DLL name in our source code index and found hits in the accessibility tool. Grinning I opened the source to find that the accessibility tool's phone side service was trying to determine if a process belonged to a XAML app or not because XAML apps had a different accessibility contract. It did this by checking to see if windows.ui.xaml.dll was loaded in the target process.

At this point I got to fix my main issue and open several new bugs for the variety of problems I had just run into. This is a how to on writing software that is difficult to debug.

PermalinkCommentsbug debug javascript JS technical windows winrt

location.hash and location.search are bad and they should feel bad

2014 May 22, 9:25
The DOM location interface exposes the HTML document's URI parsed into its properties. However, it is ancient and has problems that bug me but otherwise rarely show up in the real world. Complaining about mostly theoretical issues is why blogging exists, so here goes:
  • The location object's search, hash, and protocol properties are all misnomers that lead to confusion about the correct terms:
    • The 'search' property returns the URI's query property. The query property isn't limited to containing search terms.
    • The 'hash' property returns the URI's fragment property. This one is just named after its delimiter. It should be called the fragment.
    • The 'protocol' property returns the URI's scheme property. A URI's scheme isn't necessarily a protocol. The http URI scheme of course uses the HTTP protocol, but the https URI scheme is the HTTP protocol over SSL/TLS - there is no HTTPS protocol. Similarly for something like mailto - there is no mailto wire protocol.
  • The 'hash' and 'search' location properties both return null in the case that their corresponding URI property doesn't exist or if its the empty string. A URI with no query property and a URI with an empty string query property that are otherwise the same, are not equal URIs and are allowed by HTTP to return different content. Similarly for the fragment. Unless the specific URI scheme defines otherwise, an empty query or hash isn't the same as no query or hash.
But like complaining about the number of minutes in an hour none of this can ever change without huge compat issues on the web. Accordingly I can only give my thanks to Anne van Kesteren and the awesome work on the URL standard moving towards a more sane (but still working practically within the constraints of compat) location object and URI parsing in the browser.
PermalinkComments

Encrypted Web Traffic More Than Doubles

2014 May 18, 1:20

RT @PeerProd In Europe, encrypted traffic went from 1.47% to 6.10%, and in Latin America, it increased from 1.8% to 10.37%
http://www.wired.com/2014/05/sandvine-report/ #NSA

PermalinkCommentstechnical security nsa encryption

FCC planning new Internet rules that will gut Net Neutrality. Get ready to pay more for the stuff you love online.

2014 Apr 24, 3:29
PermalinkCommentstechnical net-neutrality fcc bullshit

The decline of the mobile web...

2014 Apr 8, 6:49


The decline of the mobile web http://cdixon.org/2014/04/07/the-decline-of-the-mobile-web/

PermalinkCommentstechnical web browser mobile phone

thefrogman: Poorly Drawn Lines by Reza...

2013 Oct 15, 7:47


thefrogman:

Poorly Drawn Lines by Reza Farazmand
[website | tumblr | twitter | facebook]

PermalinkCommentshumor comic robot
Older Entries Creative Commons License Some rights reserved.