
Google Chrome: the Google OS

September 2, 2008

The web is abuzz today with Google’s entrance onto the browser battlefield with its shiny new Chrome beta. You’ll find plenty of coverage elsewhere (Google’s blog is here, the comic strip (more about it later) starts here); I’d only like to focus on one conspiracy-theory aspect: the first version of Google OS.

First of all, do read the comic strip by Scott McCloud and the Chrome team. It is a piece of marketing art in itself, and although its primary audience may be journalists and less technical readers, it is a statement of how serious Google is about Chrome, and it is full of hints for the conspiracy theorists among us.

So some of my first thoughts will follow…


Secure coding put to the test

March 29, 2007

Web application security is a critical issue as more and more businesses deploy mission-critical systems holding privileged information. Still, the average developer’s awareness of fundamental secure-coding practices is lacking. Now a consortium of organizations has launched an initiative to turn the tide: acknowledge the developers who know secure-coding practices, and spread that knowledge.

The SANS Institute has all the details about the Secure Programming Skill Assessment (SPSA) program, including sample reports, exam blueprints, and free practice tests for different language/platform areas (C/C++, Java/J2EE, .NET/ASP, PHP/PERL, etc.). Do not shy away from looking inside: they describe the fundamentals of secure programming in a very accessible way, identifying the three most common programming errors as failing to validate and sanitize user input, buffer overflows, and handling integers incorrectly.

Chat example full of Morfik insight

February 7, 2007

Yours truly has done it again! Instead of finally getting to writing about Analog Clock, I created another Morfik Labs sample application, a simple chat thingy.

You can take a look at the application here and download the source code in the Morfik Labs.

To tell the truth, I created the original chat app almost a year ago (February 2006), and now, due to interest in the Morfik forums, I dusted it off and updated it to the latest version of Morfik WebOS AppsBuilder (0.9.16.1). I thought originally it would be a two- to three-hour exercise, and man, was I wrong! It took me two days to tidy up a few hundred lines of code :-) The reason was that the original version used subforms for displaying the messages, but that was tooo sloooow, so I decided to wander a little bit into the wonderland of DOM programming.

So some details (shamelessly copied from the readme.txt): the Basic Chat example application is the innermost prototypical core of a chat engine, and yet it can provide some insight into several areas of Morfik programming. A few examples:

- using web methods
- using inline JavaScript functions with parameters
- using critical sections in server logic to accommodate concurrency
- using in-memory caching on the server (the chat session is stored in server memory)
- using visual effects for highlighting UI changes
- no security measures: a very good example for many types of web application security attacks, especially injections :-)

PLEASE NOTE: this version of the chat engine is NOT secured; there are gaping holes and it can be abused quite easily, so DO NOT use it for production purposes. It is very basic as well: you cannot set up chat rooms, schedule events or authenticate users, there is no smiley handling, there are no application-specific extensions, etc. Please also note that at the moment there are some open issues related to resource consumption in the Morfik framework that affect the performance of the chat app. It has not been overly optimized either, so substantial performance improvements can still be achieved.
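As an added illustration of the injection problem the note above warns about (example code written for this page, not part of the Morfik chat sample or of Morfik itself): a client that builds chat markup by string concatenation and assigns it to innerHTML executes whatever HTML a participant types, while escaping every untrusted value on output does not. The message list, user names and payload below are constructed; `acceptMessage` is a hypothetical server-side limit for the in-memory session, not something the sample has.

```javascript
// Added example, not code from the Morfik chat sample. Shows how a chat
// message rendered by string concatenation becomes an HTML/script injection,
// and how escaping on output prevents it. All sample data is constructed.

// Constructed messages, as the server might hand them to the client.
const sampleMessages = [
  { user: 'alice', text: 'hello everyone' },
  // Attacker-controlled text carrying an event-handler payload.
  { user: 'mallory', text: '<img src=x onerror="alert(document.cookie)">' },
  { user: 'bob', text: 'a "quoted" & <tagged> line' },
];

// VULNERABLE: the text goes into the markup untouched. Assigned to
// element.innerHTML, mallory's onerror handler runs in every participant's
// browser, under the chat site's origin.
function renderMessageUnsafe(msg) {
  return '<div class="msg"><b>' + msg.user + ':</b> ' + msg.text + '</div>';
}

// Escape the five characters that change meaning in HTML text or in a
// quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// HARDENED: every untrusted value is escaped where it is written into markup.
// In the browser the equivalent is to create the elements and set
// textContent, which never parses the message as HTML.
function renderMessageSafe(msg) {
  return '<div class="msg"><b>' + escapeHtml(msg.user) + ':</b> ' +
         escapeHtml(msg.text) + '</div>';
}

// Check used below: after removing the template's own tags, is any tag-like
// markup left over? For the hardened renderer the answer is always no.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(div class="msg"|div|b)>/g, '');
  return stripped.includes('<');
}

function renderAll(messages, render) {
  return messages.map(render).join('\n');
}

// Hypothetical server-side check (the sample keeps the session in memory):
// refuse empty, oversized or control-character-laden input before storing it.
// Output escaping above is still required; this only bounds what is stored.
function acceptMessage(text, maxLen = 500) {
  if (typeof text !== 'string') return null;
  const trimmed = text.trim();
  if (trimmed.length === 0 || trimmed.length > maxLen) return null;
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(trimmed)) return null;
  return trimmed;
}
```

Running `renderAll(sampleMessages, renderMessageUnsafe)` produces markup in which mallory's `<img ... onerror=...>` survives intact; with `renderMessageSafe` the same message arrives as `&lt;img src=x onerror=&quot;...&quot;&gt;` and is displayed as text. The escaping belongs at the point of output, not at input time, because the same stored message may later be written into a different context.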

If you need a production quality, secure chat engine, please contact me ;-).

ACAP: A way to make AJAX search-friendly?

November 15, 2006

Google Search and similar crawlers have a difficult time with AJAX applications: they were tuned for traditional, full-page-load web content and don’t adapt well to single-page web applications, where there are often no well-identified URLs for different pieces of content and getting to the content in the first place is trickier than following a few links (did I mention Flash-based apps?). And still, for most of these sites, showing up in searches (i.e. exposure) is essential.

ACAP (Automated Content Access Protocol) is a new initiative from the international publishing community to turn the challenges that web technologies (especially search) pose to the industry into opportunities, in a win-win way, and as a side effect it can help web applications out, too.


Morfik security: Browser cache

February 9, 2006

James Smith writes:

“An additional point is that the right no-cache settings have to be identified for each browser (IE, Moz, Opera), so sensitive rendered data is not leaked through the browser cache to your local drive. Another issue I’d like to be fully versed on.”

I have to totally agree. One interesting question is how AJAX affects the picture. Do those asynchronous requests get cached as well?
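To put the caching question into code, here is an added example (not from the original post or from Morfik): the headers a server should send so that a sensitive response, full page or XMLHttpRequest alike, is not written to the browser cache, a weak header set beside them, and a client-side fallback for caches that ignore the headers. Asynchronous requests are ordinary HTTP requests, so their GET responses are cached under the same rules as a full page load; older Internet Explorer versions in particular were known to serve XMLHttpRequest GETs from the cache. The header objects and the `/chat/poll` URL are constructed for illustration, and the Node `http` usage is shown only in comments so the block runs stand-alone.

```javascript
// Added example, not code from the original post or from Morfik. Header
// semantics follow HTTP/1.1 (RFC 2616); URLs and header sets are constructed.

// Headers for responses carrying sensitive data. XMLHttpRequest responses are
// cached by the same rules as any other GET, so the same headers apply.
function noStoreHeaders() {
  return {
    // no-store: never write to any cache; no-cache + must-revalidate: never
    // serve a copy without revalidation; private: shared proxies must not keep it.
    'Cache-Control': 'no-store, no-cache, must-revalidate, private',
    // For HTTP/1.0 caches and old browsers that ignore Cache-Control.
    'Pragma': 'no-cache',
    'Expires': '0',
  };
}

// A commonly seen "weak" set: private + no-cache forbids shared caches and
// forces revalidation, but still lets the browser write the body to disk.
const weakHeaders = { 'Cache-Control': 'private, no-cache' };

// Parse a Cache-Control value into a lower-cased set of directive names.
function cacheControlDirectives(value) {
  const set = new Set();
  for (const part of String(value || '').split(',')) {
    const d = part.trim().toLowerCase();
    if (d) set.add(d.split('=')[0]);
  }
  return set;
}

// May an HTTP/1.1 cache (the browser's disk cache included) store this
// response? Header names are matched case-insensitively, as HTTP requires.
function mayBeStored(headers) {
  const lower = {};
  for (const k of Object.keys(headers)) lower[k.toLowerCase()] = headers[k];
  const directives = cacheControlDirectives(lower['cache-control']);
  if (directives.has('no-store')) return false;
  // Without no-store the response may be stored: no-cache and private only
  // restrict who may serve it and when, and Pragma/Expires do not forbid storage.
  return true;
}

// Client-side fallback: a unique query string gives every request its own
// cache key, defeating caches that hand back XHR GETs from disk regardless of
// headers. Harmless when the server already sends no-store.
function cacheBustUrl(url, now = Date.now()) {
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + '_=' + now;
}

// Typical use with Node's http module (comments only, to stay self-contained):
//   http.createServer((req, res) => {
//     for (const [name, value] of Object.entries(noStoreHeaders())) {
//       res.setHeader(name, value);
//     }
//     res.end(JSON.stringify(chatMessages));
//   }).listen(8080);
```

`mayBeStored(weakHeaders)` is true and `mayBeStored(noStoreHeaders())` is false, which is the whole point: only `no-store` keeps rendered sensitive data off the local drive; `no-cache` alone is not enough. The check also mirrors what a browser does, so it can be run against captured response headers from each browser under test.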