2010 May 2, 3:14
"This document contains normative guidelines for web applications built by the Interface Development practice of Isobar North America (previously Molecular)." Glad to see coding styles and best practices for HTML, CSS, JS, associated HTTP headers etc etc etc
code css html html5 javascript web browser programming development technical via:kris.kowal

2010 Mar 11, 3:33
"The headers and captions on http://diveintohtml5.org/ use an open source font called "Essays 1743." The creator of that font was looking for a tutorial on HTML5, came across my site, and was pleasantly surprised to see his own work on prominent display. He now wants to update his font to include stylistically appropriate Unicode arrows, which I will then use with my captions. The internet is awesome. It's so wonderfully intertwingled."
html html5 mark-pilgrim font technical

2010 Jan 29, 10:28
"Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies." Examines HTTP headers and browser features and reports if your configuration is unique (mine is). Good info for anyone looking at creating an anonymous browsing plugin or service
web security privacy eff education identity surveillance cookies cookie anonymity anonymous technical

2010 Jan 27, 9:56
Some of the new security features in Chrome: XSS filter, HTTPS only, HTML5 origin header, and HTML5 postMessage function.
html5 html script xss csrf chrome browser google security web technical

2009 Dec 4, 10:24
Flickr dev. blog on the Accept-Language HTTP header: "It’s true that the Accept-Language header has a troubled history. Because of this, many developers regard it the way medieval villagers might have regarded a woman with a warty nose and a pet cat – it should be shunned, avoided and possibly burned at the stake." And this great anecdote: "In two and a half years of running as an international site, we’ve only ever had one case where it didn’t work. Helio, a cellphone company, had a browser that was custom-built for them in Korea, and had its “Accept-Language” header hard-coded to always request Korean, something which led to much confusion for the Flickr users amongst their American customers."
flickr internationalization language accept-language http http-header development technical web

2009 Dec 1, 9:40
Wow: 'The fact that federal, state, and local law enforcement can obtain communications "metadata"—URLs of sites visited, e-mail message headers, numbers dialed, GPS locations, etc.—without any real oversight or reporting requirements should be shocking, but it isn't. The courts ruled in 2005 that law enforcement doesn't need to show probable cause to obtain your physical location via the cell phone grid. All of the aforementioned metadata can be accessed with an easy-to-obtain pen register/trap & trace order. But given the volume of requests, it's hard to imagine that the courts are involved in all of these.'
privacy security gps phone cellphone government politics

2009 Nov 24, 5:51
"Metalink/HTTP describes multiple download locations (mirrors), Peer-to-Peer, checksums, digital signatures, and other information using existing standards for HTTP headers. Clients can transparently use this information to make file transfers more robust and reliable."
http metalink url p2p http-header cache redirect reference technical

2009 Nov 20, 3:08
"WebKit nightlies now support the HTML5 noreferrer link relation, a neat little feature that allows web developers to prevent browsers from sending the Referrer: header when navigating either anchor or area elements."
technical html5 html webkit link referer http http-header web browser

2009 Sep 24, 3:51
A proposed new HTTP header 'X-Force-TLS' to indicate that a site only wants to be accessed over HTTPS.
http header security https extension noscript web browser webbrowser

2009 Sep 11, 8:39
"In the W3C Media Fragment Working Group (MFWG) we have had long discussions about the use of the URI query (”?”) or the URI fragment (”#”) addressing approach for addressing directly into media fragments, and the diverse new HTTP headers required to serve such URI requests, considering such side conditions as the stripping-off of fragment parameters from a URI by Web browsers, or the existence of caching Web proxies."
fragment uri via:connolly media url query http http-header

2009 Sep 10, 6:26
Typekit's protections for their hosted fonts include Referer header checking and various obfuscations: "Our intent is only to discourage casual misuse and to make it clear that taking fonts from Typekit is an explicit and intentional act."
via:kottke font typekit internet web security legal technical

2009 Jul 1, 2:24
Stats on HTTP servers and HTTP server response headers. "Current statistics are based on a sample of 84604 probed servers, gathered in the last 386 days."
http statistics server internet http-header via:mnot technical

2009 Jun 22, 3:12
HTML5's mime-sniffing is getting moved to an IETF doc: "Many web servers supply incorrect Content-Type headers with their HTTP responses. In order to be compatible with these servers, user agents must consider the content of HTTP responses as well as the Content-Type header when determining the effective media type of the response. This document describes an algorithm for determining the effective media type of HTTP responses that balances security and compatibility considerations."
mime mime-sniffing ietf http w3c html5 technical

2009 Mar 20, 5:03
"This package contains header files and libraries to help you develop Windows applications that use Windows Internet Explorer."
ie8 ie msdn microsoft development C++ com visual-studio windows

2009 Jan 27, 10:41
I just noticed that Google's Feeling Lucky doesn't work if your query contains a 'site:...' entry unless the HTTP request has a Referer header pointing to Google. This person noticed too and wrote a Google App that acts like Feeling Lucky without this restriction. "It appears that Google has some secret threshold to decide when to get in the way of your destination like an angry ceiling cat catapulting itself onto your face."
google im-feeling-lucky search http referer http-header app

2008 Jun 30, 3:57
"Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguis
humor rfc security ipv4 ip

2008 May 2, 1:55
Avoid sniffing using the HTTP Range header: "...if we have an application...which protects against FindMimeFromData XSS attacks by searching the first 256 bytes for certain strings, then we can simply place our strings after the first 256 bytes and get Fl
via:swannman http http-header range xss security

2008 Apr 21, 11:53
Information about URI fragments, the portion of a URI that follows the '#' at the end and that is used to navigate within a document, is scattered throughout various documents which I usually have to hunt down. Instead I'll link to them all here.
Definitions. Fragments are defined in the URI RFC, which states that they're used to identify a secondary resource that is related to the primary resource identified by the URI: a subset of the primary, a view of the primary, or some other resource described by the primary. The interpretation of a fragment is based on the mime type of the primary resource. Tim Berners-Lee notes that determining fragment meaning from mime type is a problem: a single URI carries a single fragment, but over HTTP a single URI can result in the same logical resource being represented in different mime types, so there's one fragment but multiple mime types and consequently multiple interpretations of the one fragment. The URI RFC says that if an author has a single resource available in multiple mime types then the author must ensure that the various representations all resolve fragments to the same logical secondary resource. Depending on which mime types you're dealing with, this is either not easy or not possible.
HTTP. When URIs are used in HTTP, the fragment is not included. The General Syntax section of the HTTP standard says it uses the definitions of 'URI-reference' (which includes the fragment), 'absoluteURI', and 'relativeURI' (which don't include the fragment) from the URI RFC. However, the 'URI-reference' term doesn't actually appear in the BNF for the protocol. Accordingly the elements that carry URIs, like 'Request-URI', 'Content-Location', 'Location', and 'Referer', are defined with 'absoluteURI' or 'relativeURI' and don't include the fragment. This is in keeping with the original fragment definition, which says that the fragment is a view of the original resource and consequently only needs to be resolved on the client. Additionally, the URI RFC explicitly notes that not sending the fragment is a privacy feature: page authors can't stop clients from viewing whatever fragments the client chooses. This seems like an odd claim given that if the author wanted to selectively restrict access to portions of documents there are other options, like breaking the parts of a single resource to which the author wishes to restrict access out into separate resources.
HTML. In HTML, the HTML mime type RFC defines HTML's fragment use, which consists of fragments referring to elements with a corresponding 'id' attribute or to one of a particular set of elements with a corresponding 'name' attribute. The HTML spec also discusses fragment use, noting that the names and ids must be unique in the document and that they must consist of only US-ASCII characters. The ID and NAME attributes are further restricted in section 6 to consist only of alphanumerics, the hyphen, period, colon, and underscore. This is a subset of the characters allowed in the URI fragment, so no encoding is discussed since technically it's not needed. However, practically speaking, browsers like Firefox and Internet Explorer allow names and ids containing characters outside of the defined set, including characters that must be percent-encoded to appear in a URI fragment. The interpretation of percent-encoded characters in fragments for HTML documents is not consistent across browsers (or in some cases within the same browser), especially for the percent-encoded percent.
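As an added illustration of the HTTP and HTML sections above (example code, not from the original post), the following Python splits a URI reference with the RFC 3986 Appendix B regex, shows what survives into the HTTP request line and the Referer header once the fragment is dropped, and checks a percent-decoded fragment against the HTML 4 section 6 ID/NAME token rule (which also requires a leading letter). The sample URI and fragments are constructed.

```python
import re
from urllib.parse import unquote

# RFC 3986 Appendix B regex: the five components of a URI reference.
# Group 2 = scheme, 4 = authority, 5 = path, 7 = query, 9 = fragment.
URI_RE = re.compile(r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?')

# HTML 4.01 section 6 ID/NAME token: a letter, then letters, digits,
# hyphens, underscores, colons and periods, all US-ASCII.
HTML_ID_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_:.-]*$')


def split_uri(ref):
    """Split a URI reference into scheme, authority, path, query, fragment."""
    m = URI_RE.match(ref)
    return {'scheme': m.group(2), 'authority': m.group(4), 'path': m.group(5),
            'query': m.group(7), 'fragment': m.group(9)}


def request_target(ref):
    """The Request-URI an HTTP/1.1 client sends for ref (origin form).
    The fragment never appears: it is resolved only on the client."""
    parts = split_uri(ref)
    target = parts['path'] or '/'
    if parts['query'] is not None:
        target += '?' + parts['query']
    return target


def referer_value(ref):
    """Referer carries an absoluteURI, so it is ref minus the fragment."""
    return ref.split('#', 1)[0]


def html_fragment_target(fragment):
    """Percent-decode an HTML fragment the way browsers do before matching
    it against id/name attributes, and report whether the decoded value is
    even a legal HTML 4 ID token ('%25', the encoded percent, is where the
    post says browsers disagree most)."""
    decoded = unquote(fragment)
    return decoded, bool(HTML_ID_RE.match(decoded))


if __name__ == '__main__':
    ref = 'http://example.com/docs/page.html?v=2#section-3'   # constructed sample
    print(request_target(ref))       # /docs/page.html?v=2
    print(referer_value(ref))        # http://example.com/docs/page.html?v=2
    print(html_fragment_target('caf%C3%A9'))   # ('café', False)
```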
Text. Text/plain recently got a fragment definition that allows fragments to refer to particular lines or characters within a text document. The scheme no longer includes regular expressions, which disappointed me at first but in retrospect is probably a good idea for increasing the adoption of this fragment scheme and for avoiding the potential for ubiquitous DoS via regex. One of the authors also notes this on his blog. I look forward to the day when this scheme is widely implemented.
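An added example (not from the post, nor from the RFC's authors): a small resolver for the line= and char= forms of the text/plain fragment scheme, which I take to be RFC 5147. It deliberately uses no regular expression for the fragment itself, only a fixed alternation for line ends; the sample document is constructed, and the length=/md5= integrity checks are skipped rather than verified.

```python
import re

# Line ends accepted for text/plain: CRLF, CR or LF.
_LINE_END = re.compile(r'\r\n|\r|\n')


def parse_text_fragment(fragment):
    """Parse a 'char=' or 'line=' fragment into (unit, start, end).

    A lone number is a zero-length point; 'a,b' is the half-open range
    [a, b); 'a,' runs to the end (end=None) and ',b' starts at 0.
    Positions count boundaries from 0, so line=10,20 is the 11th through
    20th lines.  ';length=' / ';md5=' integrity checks are skipped, not
    verified.  Raises ValueError for anything the grammar rejects.
    """
    scheme = fragment.split(';', 1)[0]
    unit, sep, spec = scheme.partition('=')
    parts = spec.split(',')
    if (unit not in ('char', 'line') or not sep or len(parts) > 2
            or not any(parts) or not all(p == '' or p.isdigit() for p in parts)):
        raise ValueError('not a valid text/plain fragment: %r' % fragment)
    start = int(parts[0]) if parts[0] else 0
    if len(parts) == 1:
        end = start                      # a point, not a range
    else:
        end = int(parts[1]) if parts[1] else None
        if end is not None and end < start:
            raise ValueError('range end before start: %r' % fragment)
    return unit, start, end


def resolve_text_fragment(text, fragment):
    """Return the part of a text/plain document the fragment identifies.

    Ranges past the end are clamped, as slicing does.  'char=' indexes the
    Python str as-is, without normalising line ends (a simplification of
    the RFC's counting); selected lines are rejoined with LF.
    """
    unit, start, end = parse_text_fragment(fragment)
    if unit == 'char':
        return text[start:end]
    lines = _LINE_END.split(text)
    if lines and lines[-1] == '':        # a final terminator opens no new line
        lines.pop()
    return '\n'.join(lines[start:end])


# Constructed sample document with mixed line terminators.
SAMPLE = 'line zero\nline one\r\nline two\rline three\nline four\n'
```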
XML. XML has the XPointer framework to define its fragment structure, as noted by the XML mime type definition. XPointer consists of a general framework containing subschemes that identify a subset of an XML document. It's too bad such a thing wasn't adopted for URI fragments in general to solve the problem of a single resource with multiple mime type representations. I wrote more about XPointer when I worked on hacking XPointer into IE.
SVG and MPEG. Through the Media Fragments Working Group I found a couple more fragment scheme definitions. SVG's fragment scheme is defined in the SVG documentation and looks similar to XML's. MPEG has one defined but I could only find it
as an ISO document "Text of ISO/IEC FCD 21000-17 MPEG-12 FID" and not as an RFC which is a little disturbing.
AJAX. AJAX websites have used fragments as an escape hatch for two issues that I've seen. The first is getting a unique URL for versions of a page that are produced on the client by script. The fragment may be changed by script without forcing the page to reload. This goes outside the rules of the standards by using HTML fragments in a fashion not called out by the HTML spec, but it does seem to be in line with the spirit of the fragment in that it is a subview of the original resource and interpreted client side. The other, hackier use of the fragment in AJAX is for cross domain communication. The basic idea is that different frames or windows may not communicate in normal fashions if they have different domains, but they can view each other's URLs and accordingly can change their own fragments in order to send a message out to those who know where to look. IMO this is not in line with the spirit of the fragment but is rather a cool hack.
xml text ajax technical url boring uri fragment rfc

2008 Mar 8, 11:44
"This memo defines extensions to the RFC 2045 media type and RFC 2183 disposition parameter value mechanisms to provide ... a means to specify parameter values in character sets other than US-ASCII..."
http http-header rfc standard reference ietf mime encoding charset language content-disposition

2008 Mar 8, 11:43
"I was not able to find universal settings to do this task, but it looks like Mozilla based browsers accept utf-8 encoded headers and headers Encoded Word Extensions from RFC 2231. Internet Explorer accepts utf-8 filenames only when 1. the data are URL e
http http-header charset ascii utf8 mozilla ie browser content-disposition