2009 Jun 22, 3:12HTML5's mime-sniffing is getting moved to an IETF doc: "Many web servers supply incorrect Content-Type headers with their HTTP responses. In order to be compatible with these servers, user agents
must consider the content of HTTP responses as well as the Content-Type header when determining the effective media type of the response. This document describes an algorithm for determining the
effective media type of HTTP responses that balances security and compatibility considerations."mimemime-sniffingietfhttpw3chtml5technical
2009 Jun 22, 2:53"Firefox 3.5 performs DNS prefetching. This is a feature by which Firefox proactively performs domain name resolution on both links that the user may choose to follow as well as URLs for items
referenced by the document, including images, CSS, JavaScript, and so forth."dnsfirefoxmozillanetworkingperformancedns-prefetchingtechnical
I had just created an OpenSearch description for WolframAlpha at work and was going about the process of adding another install link to my search provider
page so that I could install it. Thinking about it, I realized I could apply an XSLT to the OpenSearch description XML to produce the HTML automatically so I wouldn't have to modify additional
documents everytime I create and want to install a new OpenSearch description. While I was in there writing the XSLT I figure why not let the user try out searching with the OpenSearch description
file too. And lastly I made the XSLT apply to itself to produce HTML describing its own usage.
Incidentally, I added WolframAlpha at work to replace my FileInfo search provider for the purposes of searching for information about
particular Unicode characters. For instance, look at WolframAlpha's lovely output for this search for "Bopomofo zh".
2009 Jun 2, 5:11"THE PERSUADERS: What's going on in the world of today's marketers and advertisers? What are the new and surprising methods they're using to decipher who we are and what we want? And where is this
taking us?"videoadvertisingbusinesspropagandadocumentarypbspsychologymarketing
Looking at the HTTP traffic of Netflix under Fiddler I could see the HTTP request that added a movie to my queue and didn't see anything obvious that would
prevent a CSRF. Sure enough its pretty easy to create a page that, if the user has set Netflix to auto-login, will add movies to the user's queue without their knowledge. I thought this was pretty
neat, because I could finally get people to watch Primer. However, when I searched for Netflix CSRF I found that this issue has been known and reported to Netflix since 2006. Again my thoughts stolen from me and the
theif doesn't even have the common decency to let me have the thought first!
With this issue known for nearly three years its hard to continue calling it an issue. Really they should just document it in their API docs and be
done with it. Who knows what Netflix based web sites and services they'll break if they try to change this behavior? For instance, follow this link to add my Netflix recommended movies to your queue.
Netflix lets you watch a subset of their movies online via their website and a subset of those movies are available to watch on the Xbox 360's Netflix app. so its not always easy to find movies to
watch on Xbox 360. Yet, I regularly see my Xbox friends using the Netflix app and its a shame they didn't make an easy way to share movie recommendations with your friends. Instead we must share
movie recommendations the old fashioned way. Here's the movies I've found and enjoyed on my 360.
If you enjoyed Paranoia Agent you'll enjoy this movie in the same animation style and by the same director and
writer, Satoshi Kon. Its like a feature length version of a Paranoia Agent episode in which a dream machine lets outsiders view one's dreams but eventually leads to blurring the dreams and
reality.
I didn't see either of the Grindhouse movies when they first came out, but of the two, Planet Terror is the more humorous and exciting gore filled parody.
A hilarious documentary on the struggle between the reigning champ hot-sauce salesman and the underdog Washington state high school science teacher to obtain the Donkey Kong world record high
score. After watching, checkout this interview with the creators of the movie and the
villain.
2009 Apr 7, 1:59A URL shortening service that tries to find the normal form (which hopefully translates to shorter in length) of a URL via
via:connollytinyurlcanonicalnormalizeuriurl
2009 Apr 7, 1:30I really dislike how IE deals with non-US-ASCII in URLs. I should write up a post on what exactly IE does with non-US-ASCII characters in URLs. "Just like IRIs the URL is mapped to a URI using UTF-8.
Except for the query component of the URL (the bit after the question mark). Here for legacy reasons the encoding of the document is used instead. Except if the encoding of the document is UTF-16, in
which case UTF-8 is used. Effectively, using non-ASCII characters in URLs in documents not encoded as UTF-8 or UTF-16 will give you surprising results, to say the least. Yay for browsers!"httpencodinghtml5urluriunicodeiri
2009 Apr 7, 1:13A sort of vertical cross section of an overview of what the web should look like from HTTP & URIs to GRDDL & RDF. Oh, and there's a pretty graph at the bottom. "This finding describes how
document formats, markup conventions, attribute values, and other data formats can be designed to facilitate the deployment of self-describing, Web-grounded Web content."webw3cxmlhtmlhttpsemanticwebmicroformatsxhtmlatomgrddlrdfardf
2009 Mar 23, 6:19"GraphML Primer is a non-normative document intended to provide an easily readable description of the GraphML facilities, and is oriented towards quickly understanding how to create GraphML
documents."graphmlgraphformatxmlhowtoreferencew3c
I've made another extension for IE8,
Outline View, which gives you a side bar in IE that displays an outline of the current page and lets you make intrapage bookmarks.
The outline is generated based on the heading tags in the document (e.g. h1, h2, etc), kind of like what W3C's Semantic data extractor
tool displays for an outline. So if the page doesn't use heading tags the way the HTML spec intended or just sticks img tags in them, then the outline doesn't look so hot. On a page that does
use headings as intended though it looks really good. For instance a section from the HTML 4 spec shows up quite nicely and I find its
actually useful to be able to jump around to the different sections. Actually, I've been surprised going to various blogs how well the outline view is actually working -- I thought a lot more
webdevs would be abusing their heading tags.
I've also added intrapage bookmarks. When you make a text selection and clear it, that selected text is added as a temporary intrapage bookmark which shows up in the correct place in the outline.
You can navigate to the bookmark or right click to make it permanent. Right now I'm storing the permanent intrapage bookmarks in IE8's new per-domain DOM storage because I wanted to avoid writing
code to synchronize a cross process store of bookmarks, it allowed me to play with the DOM storage a bit, and the bookmarks will get cleared appropriately when the user clears their history via the
control panel.
Working on Internet Explorer extensions in C++ & COM, I had to relearn or rediscover how to do several totally basic and important things. To save myself and possibly others trouble in the
future, here's some pertinent links and tips.
First you must choose your IE extensibility point. Here's a very short list of the few I've used:
Once you've created your COM object that implements IObjectWithSite and whatever other interfaces your extensibility point requires as described in the above links you'll see your SetSite method
get called by IE. You might want to know how to get the top level browser object from the IUnknown site object passed in via that method.
After that you may also want to listen for some events from the browser. To do this you'll need to:
Implement the dispinterface that has the event you want. For instance DWebBrowserEvents2, or HTMLDocumentEvents, or HTMLWindowEvents2. You'll have
to search around in that area of the documentation to find the event you're looking for.
Register for events using AtlAdvise. The object you need to subscribe to depends on the events you want. For example, DWebBrowserEvents2 come from the webbrowser object, HTMLDocumentEvents come
from the document object assuming its an HTML document (I obtained via get_Document method on the webbrowser), and
HTMLWindowEvents2 come from the window object (which oddly I obtained via calling the get_script method on the document object).
Note that depending on when your SetSite method is called the document may not exist yet. For my extension I signed up for browser events immediately and then listened for events like NavigateComplete before signing up for document and window events.
Implement IDispatch. The Invoke method will get called with event notifications from the dispinterfaces you sign up for in AtlAdvise. Implementing Invoke manually is a slight pain as all the
parameters come in as VARIANTs and are in reverse order. There's some ATL macros that may make this easier but I didn't bother.
Call AtlUnadvise at some point -- at the latest when SetSite is called again and your site object changes.
If you want to check if an IHTMLElement is not visible on screen due how the page is scrolled, try comparing the Body or
Document Element'sclient height and width,
which appears to be the dimensions of the visible document area, to the element's bounding client rect which appears to be
its position relative to the upper left corner of the visible document area. I've found this to be working for me so far, but I'm not positive that frames, iframes, zooming, editable document
areas, etc won't mess this up.
Be sure to use pointers you get from the IWebBrowser/IHTMLDocument/etc. only on the thread on which you obtained the pointer or correctly marshal the pointers to other threads to avoid weird crashes and hangs.
2009 Feb 5, 8:47Copy of the Netscape Navigator document (the original's long gone) describing the Proxy Auto-Config (PAC) file format and mime-type. Its a javascript file with at least one well known function that,
given a host, returns a string describing which methods are appropriate for a web browser to connect to that host.javascriptpacproxyhttpreferencenetscapenavigator
2009 Feb 5, 8:39The long expired draft of the Web Proxy Autodiscovery Protocol (WPAD). To summarize, use DHCP and failing that DNS to find the name of a web server and on that web server find a Proxy Auto-Config
file at a well known localtion.wpadproxyinternetreferencebrowserdnsdhcp
2009 Feb 3, 11:15"r2719 specifies that browsers should not allow scripts to set document.domain to anything on the Public Suffix List, such as "com" or "co.jp". Essential background reading on why this is dangerous:
Untraceable XSS Attacks. Most browsers already block this attack, e.g. Firefox since 3.0. [Background: Re: Setting document.domain]"html5tldpublicsuffixdnssecurityhtmlinternetwebreferencew3c
2008 Dec 29, 2:20"But the most accurate account of the bomb's inner workings-an unnervingly detailed reconstruction, based on old photographs and documents-has been written by a sixty-one-year-old truck driver from
Waukesha, Wisconsin, named John Coster-Mullen, who was once a commercial photographer, and has never received a college degree."via:swannmanbombatom-bombatomic-bombhistorygovermentnuclearphysicssecurityresearchscience
2008 Nov 22, 6:01"There is a commonly held belief that Helvetica is the signage typeface of the New York City subway system, a belief reinforced by Helvetica, Gary Hustwit's popular 2007 documentary about the
typeface. But it is not true - or rather, it is only somewhat true"via:swannmannycsubwayhistoryfonttypographysignhelvetica
The text/plain fragment documented in RFC 5147 and described on Erik Wilde's
blog struck my interest and, like the XML fragment, I
wanted to see if I could implement this in IE. In this case there's no XSLT for me to edit so, like my plain/text word wrap bookmarklet I've implemented it as
a bookmarklet. This is only a partial implementation as it doesn't implement the integrity checks.
2008 Nov 13, 10:21"Ever since I read about the incremental updates feature of the PDF file format, I've been patiently waiting for a malicious PDF document with incremental updates to come my way. Thanks to Bojan,
that day has finally arrived."pdfsecurityjavascriptexploitmalwareadobe
2008 Oct 29, 9:50MTV's new music video web service's API. The API provides feeds of music videos by artist or search term, list of artists that are 'like' other artists. Things it doesn't do: doesn't provide access
to the video files instead provides URI to flash player. Also doesn't provide access to user's favorite videos or other user information.apivideomusicmtvwebfeedrss
I've made another extension for IE8,
Outline View, which gives you a side bar in IE that displays an outline of the current page and lets you make intrapage bookmarks.
Some rights reserved