Are you logged into Google right now? That’s the question JavaScript guru Kent Brewster set out to see if he could answer in another one of his eye-opening series of how-to-tell investigations. Earlier we looked at Kent’s hack of Netflix JavaScript (he’s also done Twitter and Facebook). This time it’s a Google service, as you can see in his post How to Tell if a User is Logged In to Google (Update: Kent has since decided to remove these live exploits, with an explanation here):
As the post describes, “what we’re looking for is an URL on the target domain that returns live JavaScript that is different depending on the user’s login status.” That opens the door to this tidbit of information. And it works: in his test the message below is what you see if it detects your Google status:

The small source code snippet used highlights some of the risks in client-side JavaScript, risks that mashups can inadvertently cause or exacerbate. In general, his series of tests leads to two key pieces of advice for site developers:
One other useful bit of developer advice from the post is that “Tamper Data is your very best friend.” It’s a Mozilla extension that lets you: view and modify HTTP/HTTPS headers and post parameters, trace and time http response/requests, and security test web applications.
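The pattern Kent’s post hunts for is a script URL on the target domain whose body changes with login state, since any third-party page can load such a URL with a script tag and observe the difference. The following is an added example, not code from Kent Brewster’s post or from Google, showing that leaky handler beside a hardened one. The request and session objects, the cookie name, and the reliance on the browser’s Sec-Fetch-Site and Cross-Origin-Resource-Policy headers are assumptions about a modern browser, not something the original post discusses.

```javascript
// Added example (not Kent Brewster's code): a script endpoint whose output
// varies with login state is a login oracle for any page that embeds it via
// <script src=...>. The hardened handler refuses to vary its output for
// anything other than same-origin requests, judged by the Sec-Fetch-Site
// header (assumed present; browsers that omit it are treated as untrusted).

// Constructed session store: cookie value -> user record.
const SESSIONS = { abc123: { name: 'alice' } };

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function lookupUser(req) {
  const cookies = parseCookies(req.headers['cookie']);
  return SESSIONS[cookies['session']] || null;
}

function userScript(user) {
  return user
    ? `window.currentUser = ${JSON.stringify(user.name)};`
    : 'window.currentUser = null;';
}

// Leaky pattern: the body differs by login state, and any origin that
// embeds the URL as a script can tell the two cases apart.
function leakyScriptHandler(req) {
  return {
    status: 200,
    headers: { 'content-type': 'application/javascript' },
    body: userScript(lookupUser(req)),
  };
}

// Hardened pattern: user-specific output only for same-origin requests;
// every other request gets the identical anonymous body, and the
// Cross-Origin-Resource-Policy header asks the browser to refuse the
// cross-origin load outright.
function hardenedScriptHandler(req) {
  const site = (req.headers['sec-fetch-site'] || '').toLowerCase();
  const user = site === 'same-origin' ? lookupUser(req) : null;
  return {
    status: 200,
    headers: {
      'content-type': 'application/javascript',
      'cross-origin-resource-policy': 'same-origin',
      'vary': 'Cookie, Sec-Fetch-Site',
    },
    body: userScript(user),
  };
}

// Simulates a third-party page embedding the endpoint: the browser marks the
// request cross-site, but (as in 2008, before SameSite defaults) still sends
// the session cookie.
function crossSiteProbe(handler, cookieHeader) {
  const req = { headers: { cookie: cookieHeader, 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' } };
  return handler(req).body;
}

function sameOriginRequest(handler, cookieHeader) {
  const req = { headers: { cookie: cookieHeader, 'sec-fetch-site': 'same-origin' } };
  return handler(req).body;
}

// True when a cross-site embedder could distinguish logged-in from logged-out.
function leaksLoginState(handler) {
  return crossSiteProbe(handler, 'session=abc123') !== crossSiteProbe(handler, '');
}

// Usage: leaksLoginState(leakyScriptHandler) is true, hardenedScriptHandler is not.
```

The same check generalises to any response that a cross-origin page can load without CORS (scripts, images, stylesheets): if the body or the error code depends on the cookie, it is an oracle. Tamper Data, mentioned below, is a handy way to replay such a request with and without the cookie and compare the two responses.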
Tony Ruscoe of Google Blogoscoped reports that Google Gears alert messages indicate that support for Gears offline access to Google Docs is forthcoming. As Tony notes, “the only official Google integration is for Google Reader (although evidence that offline functionality is coming to Google Calendar has also been spotted).”
As you can see in our launch coverage last May and our Google Gears API profile, Google Gears is an open source browser extension that lets developers create web applications that can run offline. Essentially it’s a mini-database and server with synchronization of online and offline tasks. The official site describes Gears as “an open source browser extension that lets developers create web applications that can run offline. Gears provides three key features: A local server, to cache and serve application resources (HTML, JavaScript, images, etc.) without needing to contact a server. A database, to store and access data from within the browser. A worker thread pool, to make web applications more responsive by performing expensive operations in the background.”
Here’s one example from our mashup directory, the personal finance site Buxfer that lets you auto-sync your banks and credit cards but also uses Google Gears to let you store your personal finance data locally in a Gears database instead of a remote server.
Google has representative examples that show off the synchronization and coding model. The Google Gears blog has examples like the application suite Zoho, along with an offline editor for Blogger. On the Salesforce.com developer site there is an extensive tutorial for using Gears to access account data. And here’s a mashup example with Gears and the Digg API that can capture Digg stories for offline viewing.
An announcement by Facebook late on Friday spotlights how they are attempting to stay ahead of the curve in exploiting the social graph, and in doing so, to make their version of your friend’s list the default one that is used across the web. The key is this new JavaScript library that makes it easier for developers to make Facebook API calls directly from JavaScript from any web site, not just when running on the Facebook Platform:
This JavaScript client library allows you to make Facebook API calls from any web site and makes it easy to create Ajax Facebook applications. Since the library does not require any server-side code on your server, you can now create a Facebook application that can be hosted on any web site that serves static HTML…This applies to either iframe Facebook apps that users access through the Facebook web site or apps that users access directly on the app’s own web sites. Almost all Facebook APIs are supported.
Along with allowing individual developers conversant in Ajax to bring Facebook friends into their website’s user experience, as John Potter points out, it opens up a role for third-party developers to craft Facebook-friendly widgets that are easily dropped into blogs and sites that don’t have any Facebook programming experience. The release of this library caused a fair amount of buzz over the weekend from folks including Nick O’Neill, Dare Obasanjo, Jeremiah Owyang, Duncan Riley, and Search Engine Watch.
Recent moves in data portability and OpenSocial-style compatibility suggest that we are moving towards an environment that allows some form of opt-in sharing between elements of the social graph, and Facebook wants to make sure that it is easier to identify your groups of friends by starting with their version. The function of allowing you to organize your friends into groups (family, close friends, business acquaintances, etc.) that was added in December is also a step towards making your control over your social graph easier, and adding lock-in to the Facebook data.
Ever wonder if the sites you log into on a regular basis might inadvertently let any of that information leak? If you want to see a very real, interactive example of just how prevalent this might be, just check out JavaScript guru Kent Brewster’s series on “How to Tell if a User is Logged In to X”, where “X” is one of the leading online services millions of us use every day. Last week the “X” was Facebook and today “X” is Netflix. Because the examples are live and work with you and your own account they get your attention.
Read the rest of “How to Tell if a User is Logged In to Netflix” »
If you’re at all interested in the future of JavaScript as a mashup platform, be sure to watch this engaging talk by Douglas Crockford on Gears and the Mashup Problem (for those of you who don’t know Douglas, he’s currently senior JavaScript architect at Yahoo and is arguably the foremost expert on JavaScript and JSON today). It’s a Google Tech Talk from last month and here’s the abstract:
Mashups are the most interesting innovation in software development in decades. Unfortunately, the browser’s security model did not anticipate this development, so mashups are not safe if there is any confidential information in the page. Since virtually every page has at least some confidential information in it, this is a big problem. Google Gears may lead to the solution.
Read the rest of “Douglas Crockford on the Mashup Problem” »
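The mashup problem in the abstract above is that a third-party script inlined into a page runs with the full authority of that page, including over whatever confidential data the page holds. One isolation pattern, shown here as an added example that is not code from Crockford’s talk or from Google Gears, is to load each widget in an iframe served from its own origin and let it reach the host only through postMessage, with the host checking the sender’s origin and exposing a fixed menu of operations. The origins, message shapes and host data below are constructed for the example.

```javascript
// Added example (not from Crockford's talk): a host-side postMessage bridge
// that gives an isolated widget a narrow, explicit interface instead of the
// host page's full DOM and cookies. Origin and data are constructed.

const WIDGET_ORIGIN = 'https://widget.example';

const HOST_STATE = {
  publicProfile: { displayName: 'Alice', city: 'Berlin' },
  sessionToken: 'secret-session-token', // never reachable through the bridge
};

// The only operations the host is willing to perform for a widget.
const OPERATIONS = {
  getPublicProfile: () => ({ ...HOST_STATE.publicProfile }),
  log: (payload) => ({ logged: String(payload).slice(0, 200) }),
};

// Validates one incoming message and returns the reply to send back.
function handleWidgetMessage(event) {
  // 1. Trust only the origin the widget iframe was loaded from.
  if (event.origin !== WIDGET_ORIGIN) {
    return { ok: false, error: 'untrusted origin' };
  }
  // 2. Messages are data, not code: require a plain object with a string op.
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || typeof msg.op !== 'string') {
    return { ok: false, error: 'malformed message' };
  }
  // 3. Dispatch through an explicit allow-list; hasOwnProperty keeps
  //    prototype names such as "constructor" from resolving to anything.
  if (!Object.prototype.hasOwnProperty.call(OPERATIONS, msg.op)) {
    return { ok: false, error: 'unknown operation' };
  }
  return { ok: true, id: msg.id, result: OPERATIONS[msg.op](msg.payload) };
}

// Browser-side wiring for the host page (not exercised under Node).
function installBridge(win, widgetFrame) {
  win.addEventListener('message', (event) => {
    // Only answer the frame we created, and only to the origin we expect,
    // so a reply can never be delivered to a frame that navigated elsewhere.
    if (event.source !== widgetFrame.contentWindow) return;
    event.source.postMessage(handleWidgetMessage(event), WIDGET_ORIGIN);
  });
}
```

The widget never receives a reference to the host document; it can only ask for what `OPERATIONS` offers, and a message from any other origin, or one asking for `sessionToken` by name, is refused before any lookup happens. The iframe should additionally carry a sandbox attribute so that the widget’s own scripts cannot navigate the top-level page.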