Phillip Pearson - web + electronics notes

tech notes and web hackery from a new zealander who was vaguely useful on the web back in 2002 (see: python community server, the blogging ecosystem, the new zealand coffee review, the internet topic exchange).


Cookie security (43things example)

Are you on this list? It seems that it works in Firefox but not in Internet Explorer.

I think Firefox sends all your cookies (well, all of my cookies) whenever it makes a request to a site, no matter whether it's a "first party request" or a "third party request". The image in the above paragraph was a "third party request", which IE blocks, because 43things doesn't have a P3P privacy policy. It seems that not having a P3P policy is actually a Good Thing, because it makes it harder for people to exploit your users, at least if they are using Internet Explorer.

I guess the way to block this would be to require some sort of security token on links that result in something changing. Ideally it would only work for POSTs as well, but the important thing is the security token, as someone could easily post a form with javascript inside an iframe.


... more like this: []


Leigh Dodds - Connecting Social Content Services using FOAF, RDF and REST - interesting REST/RDF-oriented critique of a bunch of different API implementations.

VeriSign is running an OpenID server? Looks like it. I am The ID image thing is interesting. I guess it's there to prevent phishing, but couldn't someone just make a spoof of the whole website and grab your password on the way through, while still showing you the ID image? Perhaps you're meant to log in to VeriSign from a bookmark, in which case you should never have to log in in response to an OpenID request. That would make more sense. (BTW I've verified that I can log in to using my VeriSign ID, although if you wait too long before clicking Allow, the authentication seems to fail.)

Mark Nottingham - caching web 2.0 - something I've been interested in recently, since working on the AIM Pages modules. To try to reduce deployment complexity, we had the constraint that everything running on an AOL server had to be stateless, although there would be a caching proxy somewhere in the system. This meant that, for the first time, I actually had to work with rather than around HTTP caching. It turns out that it's not such a big deal; you just specify how long you want the page to remain in the cache with a Cache-Control: max-age=XXXX header (replacing XXXX with the number of seconds to keep it), and browsers and caches respect that.

Web Application Description Language (WADL) from Marc Hadley at Sun - WSDL for REST/XML based web services?

Sam Ruby is doing an ultra-liberal OPML parser - for subscription/reading lists.

Google reveals its AJAX toolkit - and it turns out to be a Java-to-Javascript translator. WTF? Check out the plumbing... more confusion over here. Richard has more.

Finally - apt-get install sun-java5-jre works! I've got it installed, although it looks like JRE 1.4.2 is still the default.

MacBook is out - finally.

... more like this: []