2009 May 3, 10:26Seems very similar to that ShellExecute/Firefox app URL protocol handler exploit last year. "A vulnerability in the ChromeHTML URI handler allows an attacker to bypass the Same Origin Policy for any
site and also enumerate victims files and directories. When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user
interaction."
exploit security google chrome browser web url protocol 2009 Apr 29, 12:34"In this presentation, recorded at QCon San Francisco 2008, HTTPbis WG chair Mark Nottingham gives an update on the current status of the HTTP protocol in the wild, and the ongoing work to clarify
the HTTP specification."
http httpbis protocol ietf reference video authentication cookie uri url tcp sctp mark-nottingham via:ericlaw 2009 Apr 10, 9:48
A while ago I promised to say how an xsltproc Meddler script would be useful and the general answer is
its useful for hooking up a client application that wants data from the web in a particular XML format and the data is available on the web but in another XML format. The specific case for this
post is a Flickr Search service that includes IE8 Visual Search Suggestions. IE8
wants the Visual Search Suggestions XML format and Flickr gives out search data in their Flickr web API XML format.
So I wrote an XSLT to convert from Flickr Search XML to Visual Suggestions XML and used my xsltproc Meddler script to actually
apply this xslt.
After getting this all working I've placed the result in two places: (1) I've updated the xsltproc Meddler script to include this XSLT and an
XML file to install it as a search provider - although you'll need to edit the XML to include your own Flickr API key. (2) I've created a service for this so you can just install the Flickr search provider if you're interested in having the functionality and don't care about the implementation. Additionally, to the
search provider I've added accelerator preview support to show the Flickr slideshow which I think looks snazzy.
Doing a quick search for this it looks like there's at least one other such implementation, but mine has the distinction of being done through XSLT which I provide, updated XML namespaces to work
with the released version of IE8, and I made it so you know its good.
meddler xml ie8 xslt flickr technical boring search suggestions 2009 Apr 7, 12:12HTML5's registerProtocolHandler seems to come from a cool FireFox 3 feature: "With web protocol handlers, the web application can register the specific protocol it wants to handle. Firefox will then
prompt the user to choose which of the registered applications (web or desktop) it should use to handle the action. Any protocol, real or imaginary, can be used - mailto: is only one example,
webcal:, tel: and fax: are others."
firefox uri scheme protocol mozilla html5 registerProtocolHandler 2009 Apr 7, 9:02
I'm a big fan of the concept of registerProtocolHandler in HTML 5 and in FireFox 3, but not quite the implementation. From a high level, it allows web apps to register themselves as
handlers of an URL scheme so for (the canonical) example, GMail can register for the mailto URL scheme. I like the concept:
- Better integration of web apps with your system.
- Its easy for web apps to do.
- Links to URNs can now take the user to the sites the user prefers for the sort of thing identified by the URN. For example, if I have a physical address in HTML, instead of making that an http
link to Yahoo Maps, I can make the link a geo scheme URI and those who follow the link will get their preferred mapping site that
has registered for that scheme. Actually, looking at the geo scheme's RFC, maybe I'd rather use some other URN scheme to represent the physical location, but you get the point.
However, the way its currently spec'ed out I don't like the following:
- There's no way to know if you are the handler for a particular URL scheme which is an important question for web app URL protocol handler authors.
- There's no way to fallback to an http URL in the case that a particular URL scheme isn't registered. A suggested solution to testing the registration of a scheme is for browsers to provide an additional script method
to check if a scheme is registered. I don't like the idea of writing script that walks over all my page's links and rewrites them based on that method. I'd much rather see a declarative and
backwards compatible fallback mechanism, although I don't know what that would look like.
- There's no way to register for a namespace within the urn scheme URI, the info scheme URI, or the tag scheme URI. I want to register
info:lccn/... (Library of Congress Card Number identifiers) to LibraryThing or Amazon and I want to register urn:duri:... (dated URIs) to the Web Archive, among other things.
- Will this result in a proliferation of unregistered URL schemes with clashing namespaces? The ESW Wiki notes why this would be bad.
- And last, although this is nitpickier than the rest, I don't like the '%s' syntax used in the registration method. I'd much rather pass in an URL template, like the URL template used
in OpenSearch. If an URL template is used for matching rather than registering against a particular URL scheme, this could also allow for registering a namespace within a URN. For example
something along the lines of:
registerProtocolHandler("info:lccn/{lccnID}", "htttp://www.librarything.com/search_works.php?q={lccnID}", "LibraryThing LCCN")
url template registerprotocolhandler firefox technical url scheme protocol boring html5 uri urn 2009 Apr 1, 9:48"For our latest mission, 30 Improv Everywhere agents found a random funeral in the obituary section of the newspaper and turned it into the best funeral ever... The family, especially the older
couple in the middle, were seriously mourning. They seemed to be focusing on the priest and mostly ignoring us. Still, we had to be as serious as we possibly could. If anyone cracked a smile or
giggled we would completely ruin the funeral for the family."
humor parody video improv-everywhere 2009 Mar 26, 2:24"Yesterday's remix challenge -- to mock the ridiculous new "anti-terrorism" posters the London police have put up that tell you to spy on your neighbors -- was a smashing success. I've collected the
25 or so that came in to date below". I enjoyed: "A bomb won't go off here because people tend to be quite nice really." "Terribly convenient, isn't it? Incriminating evidence left right out where
you'll spot it and call it in..." "A bomb won't go off here because the true likelihood of you being the victim of a terror attack is really very low, especially when compared to other causes of
death or injury."
humor politics poster paranoia security via:boingboing.comments photoshop privacy 2009 Mar 25, 3:49A flashy Flash 3d chart of the electromagnetic spectrum. Pretty.
art visualization science radio sound 3d design electromagnetic flash 2009 Mar 23, 11:06The HTML5 spec tells us how it is in the real world for URLs: "This specification defines various algorithms for dealing with Web addresses intended for use by HTML user agents. For historical
reaons, in order to be compatible with existing Web content HTML user agents need to implement a number of processes not defined by the URI and IRI specifications [RFC3986], [RFC3987]."
html html5 url uri reference w3c 2009 Mar 23, 8:13
I've made another extension for IE8,
Outline View, which gives you a side bar in IE that displays an outline of the current page and lets you make intrapage bookmarks.
The outline is generated based on the heading tags in the document (e.g. h1, h2, etc), kind of like what W3C's Semantic data extractor
tool displays for an outline. So if the page doesn't use heading tags the way the HTML spec intended or just sticks img tags in them, then the outline doesn't look so hot. On a page that does
use headings as intended though it looks really good. For instance a section from the HTML 4 spec shows up quite nicely and I find its
actually useful to be able to jump around to the different sections. Actually, I've been surprised going to various blogs how well the outline view is actually working -- I thought a lot more
webdevs would be abusing their heading tags.
I've also added intrapage bookmarks. When you make a text selection and clear it, that selected text is added as a temporary intrapage bookmark which shows up in the correct place in the outline.
You can navigate to the bookmark or right click to make it permanent. Right now I'm storing the permanent intrapage bookmarks in IE8's new per-domain DOM storage because I wanted to avoid writing
code to synchronize a cross process store of bookmarks, it allowed me to play with the DOM storage a bit, and the bookmarks will get cleared appropriately when the user clears their history via the
control panel.
technical intrapage bookmark boring html ie8 ie extension 2009 Mar 12, 12:04Google's chart API can generate QR codes. Just specify in the URL the chart type as 'qr', and the data you want encoded and the returned resource is a QR code image for that data. Just installed a QR
code reader on my phone.
qr barcode google api chart mobile web cellphone qrcode 2009 Mar 6, 5:16
I've found while debugging networking in IE its often useful to quickly tell if a string is encoded in UTF-8. You can check for the Byte Order Mark (EF BB BF in UTF-8) but, I rarely see the BOM on
UTF-8 strings. Instead I apply a quick and dirty UTF-8 test that takes advantage of the well-formed UTF-8 restrictions.
Unlike other multibyte character encoding forms (see Windows supported character sets or IANA's list of character sets), for example Big5, where sticking together any two bytes is more likely than not to give a valid byte sequence, UTF-8 is more restrictive. And unlike
other multibyte character encodings, UTF-8 bytes may be taken out of context and one can still know that its a single byte character, the starting byte of a three byte sequence, etc.
The full rules for well-formed UTF-8 are a little too complicated for me to commit to memory. Instead I've got my own simpler (this is the quick part) set of rules that will be mostly correct (this
is the dirty part). For as many bytes in the string as you care to examine, check the most significant digit of the byte:
-
F:
-
This is byte 1 of a 4 byte encoded codepoint and must be followed by 3 trail bytes.
-
E:
-
This is byte 1 of a 3 byte encoded codepoint and must be followed by 2 trail bytes.
-
C..D:
-
This is byte 1 of a 2 byte encoded codepoint and must be followed by 1 trail byte.
-
8..B:
-
This is a trail byte.
-
0..7:
-
This is a single byte encoded codepoint.
The simpler rules can produce false positives in some cases: that is, they'll say a string is UTF-8 when in fact it might not be. But it won't produce false negatives. The following is table
from the
Unicode spec. that actually describes well-formed UTF-8.
|
Code Points
|
1st Byte
|
2nd Byte
|
3rd Byte
|
4th Byte
|
|
U+0000..U+007F
|
00..7F
|
|
U+0080..U+07FF
|
C2..DF
|
80..BF
|
|
U+0800..U+0FFF
|
E0
|
A0..BF
|
80..BF
|
|
U+1000..U+CFFF
|
E1..EC
|
80..BF
|
80..BF
|
|
U+D000..U+D7FF
|
ED
|
80..9F
|
80..BF
|
|
U+E000..U+FFFF
|
EE..EF
|
80..BF
|
80..BF
|
|
U+10000..U+3FFFF
|
F0
|
90..BF
|
80..BF
|
80..BF
|
|
U+40000..U+FFFFF
|
F1..F3
|
80..BF
|
80..BF
|
80..BF
|
|
U+100000..U+10FFFF
|
F4
|
80..8F
|
80..BF
|
80..BF
|
test technical unicode boring charset utf8 encoding 2009 Feb 14, 5:41"Now, you can simply add this link tag to specify your preferred version... and Google will understand that the duplicates all refer to the canonical URL:
http://www.example.com/product.php?item=swedish-fish. Additional URL properties, like PageRank and related signals, are transferred as well."
via:mattb google link html url uri canonical canonicalization web 2009 Feb 4, 4:30New URN schemes with no central minting authority. duri allows you to name a resource that was identified by the specified URI at the specified date (e.g. refers to the IETF's homepage at the end of
the year 2001). tdb allows you to name a physical object or entity that was described by a resource that was identified by a specified URI at the specified date (e.g. refers to IETF the orginization
as referenced by their homepage at the end of the year 2001). Date format is concise but I'd prefer RFC3339 rather than roping in another date format.
duri tdb uri url scheme reference ietf date datetime rfc 2009 Feb 3, 11:15"r2719 specifies that browsers should not allow scripts to set document.domain to anything on the Public Suffix List, such as "com" or "co.jp". Essential background reading on why this is dangerous:
Untraceable XSS Attacks. Most browsers already block this attack, e.g. Firefox since 3.0. [Background: Re: Setting document.domain]"
html5 tld publicsuffix dns security html internet web reference w3c 2009 Jan 19, 3:14Humorous webcomic on the topic of captchas
humor comic captcha 2009 Jan 15, 9:41"Russell and I thought it would be interesting to take some stuff from the internet and print it in a newspaper format. Words as well as pictures. Like a Daily Me, but slower. When we discovered that
most newspaper printers will let you do a short run on their press (this was exactly the same spec as the News Of The World) we decided to have some fun."
blog internet design art newspaper typography print publishing via:mattb 2009 Jan 7, 7:02All the appearances Neil deGrasse Tyson has made on The Colbert Report. Especially good are the ep from 08/17/2006 containing planetary trashtalk and 02/13/2008 where Stephen learns how to become an
astrophysicist.
neil-degrasse-tyson colbert-report stephen-colbert science video humor tv astronomy 2008 Dec 17, 2:27"Specifically, we have noticed that there is absolutely no training in the K-6 grades that prepares students to become mad scientists. In this competitive 21st-century world, the need for mad
scientists will only increase... We are pleased to announce the release of our Young Mad Scientist's First Alphabet Blocks."
humor science geek gift via:swannman shopping wishlist toy alphabet-blocks
Some rights reserved