jQuery Wiggle
Ladies and gentlemen, I present to you the greatest jQuery plugin of all. jq-wiggle.
That’s right. By far the most useful plugin to date, it does it all.
Aggressive Browser Updating
One of the biggest issues web developers have to face in every project they do is dealing with older browser versions and the features they lack and the features they got wrong (here’s looking at you IE). The web attempts to be an ever-changing platform, but struggles to do so because it is particularly difficult to add, change, and (especially) remove features without breaking compatibility with older, inferior browsers.
It can be blamed partially on a lack of awareness on the users' part, but in most cases users can't be expected to keep up with the latest browser updates. Often users of older versions of IE, such as IE 6 (shudder), do so because their job requires it. Management has a hard time accepting new versions of browsers because in their view nothing is wrong with the one they are using, and they feel that in order to update, the new version must be heavily vetted by the IT team. Of course, their IT team is likely already telling them they should update, that the latest IE or Firefox is stable and they have nothing to worry about. But management rarely understands.
In other cases it's because the user isn't exactly tech savvy. It may be an older person who knows little about using a computer, such as my grandparents, or, well, the entirety of my family. They can't be expected to know that their browser should be updated. Even if they find out there is a new version of their browser (I have my sister and mother using Firefox, and I tell them about new updates) they likely won't realize the significance of this and aren't likely to act on it.
I, however, see a future where this isn't the case. Users of Google Chrome such as myself probably already know of its automatic, seamless updating in the background. Chrome does not alert you of these updates, does not ask for your permission, and doesn't tell you when the update is finished (and doesn't ask you to restart your computer or even your browser). At first this may seem like a dangerous or even shady method; common practice is that users should know of updates and be given a choice to do it of their own volition. However, this has proved a fatal practice, as the above issues have made clear. For instance, Windows updates are not necessarily done automatically by default. Windows will alert you of updates, sure, but will not install them itself unless directed to do so. The result is one of the largest reasons for Windows' infamous issues with viruses: users don't update their system because it seems inconvenient. Aggressive updating à la Chrome is the solution.
And it seems Chrome and users like me aren't the only ones to see the advantage. Firefox 4 decided to go this route, and I predict (and sincerely hope) that Opera and possibly other browsers will follow suit. Changing the web platform is a complex, difficult task, causing headaches for developers and standards makers alike. The day all major browsers use this seamless, background updating is the day we can all take a huge sigh of relief.
Of course, if and when all browsers adopt this practice, not all our problems will be solved. There will still be users of older browsers that do not auto-update. But it will be a huge step towards a better web platform. It will take some time for users to migrate to these theoretical browser versions, but with the help of techniques such as the IE 6 Update Bar this can be done quickly if adopted widely.
The implications of this for the web platform are astounding. Brilliant new features, such as the CSS Flex-Box Model (the only way CSS can be made tolerable), can be used dependably, because once the latest versions of all the browsers implement a feature, virtually all users will have it. New features can be added without the frightening logistical headaches that accompany them now. And the web as a whole will improve greatly and consistently as a result.
Solving the XSS Problem?
I want to start this out by saying I’m not a security expert. Which, in some ways, is a good thing. I’ve never once heard anything from a security expert that would even remotely work to fix the XSS problem we have in web development. A friend showed me a link today to some slides from an “expert” who claimed that not only is XSS the fault of JavaScript, but that the only way to fix it is to “kill” JavaScript. Not only is this a completely incorrect evaluation of the problem, but even if it were the fault of JavaScript, replacing it would not be an acceptable solution.
The Problem
If you're not familiar with XSS (cross-site scripting) attacks, they involve outside parties getting their code onto your site. When a malicious script gets onto your site (generally through cross-domain scripts, although sometimes it even happens locally within a single site) it can do anything you, the developer, can: it can bring in new scripts, send and receive information from any server in the world, potentially interact with your database, track user actions, etc. I don't believe I need to go into detail on how many security issues this poses; it's the web equivalent of a hacker getting complete control over your computer.
The Cause
In a large way, the overall cause of this vulnerability is the convoluted, over-complicated web platform as a whole. JavaScript and CSS can both be external and inline in HTML. They can have different encodings, and can be mixed and matched into each other in complicated and confusing ways. And what's worse, the way JavaScript is integrated into an HTML document is atrocious; all scripts on the page share the same global namespace, and all scripts have complete access to everything in the document. Now, this is fine when you're writing all your own code; there are plenty of very good best practices out there that make this a non-issue. However, when external code, especially code linked from an external source, is involved you get what we have now: an unsettling uncertainty that all the code on your site is serving the interest that you think it is.
This is all very much an issue of the current web standards, particularly relating to HTML and browser security. The same-origin policy has obviously proven ineffective, and the standards require this poor model. And to make matters worse, they completely ignored this with HTML 5. Cross-site scripting attacks have been around since 1995, and since then no real work has been done to remedy the issue. In the HTML 5 specs, rather than focusing on this long-ignored issue, they decided to add on to the web platform: add new elements, new features, and different functionality. This not only does nothing to fix XSS, but in fact makes it worse. The more features we add, the higher the potential for new techniques and methods for attackers, and the less we're able to understand the web stack in enough detail to evaluate these issues.
The Cure
There’s no one fix, but the fantastic thing is that there are a lot of very good, and fairly simple ideas out there to fix this issue. First of all is the means of integrating scripts within an HTML document. The idea that all scripts should share the same global namespace is terrible. Ideally, there should only be one initial script that is introduced to the entire HTML document, maybe in a way similar to this:
And then additional scripts can be introduced through a dependency management system. Something similar to the API in Node.js would be the most logical:
var jQuery = require('js/libs/jquery-1.4.4.min.js');
Features and parts of the document could then only be accessed by external libraries through introduction; for instance, in a library you trust like jQuery you could pass the root DOM node to it for it to keep a reference of so that you can use it for DOM traversal and manipulation.
This would not only be a more secure model, but would enforce very good program design. This model would suggest a modular design, very much like the JavaScript Architecture example I proposed in an earlier post, but this time in a far stricter way: all modules would quite literally only have access to their respective elements, and modules that are not related to a part of the document would have no possible way to mess with the page.
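To make the model concrete, here is an added example of my own (not code from the original post) in Node-style JavaScript: a toy loader in the spirit of the `require()` call above, where a module receives only the objects the page author explicitly grants it. The element objects, the module names `dom` and `comments-widget`, and the `grants` parameter are all constructed for this illustration; the element tree is a stand-in for a DOM so the example runs outside a browser.

```javascript
'use strict';

// Minimal element stand-in (constructed for this example; not a real DOM).
function el(id, children = []) {
  return { id, children, text: '' };
}

// Depth-first lookup that never leaves the subtree the caller was handed.
function findById(root, id) {
  if (root.id === id) return root;
  for (const child of root.children) {
    const hit = findById(child, id);
    if (hit) return hit;
  }
  return null;
}

// Constructed page: a payment form and a third-party comments widget
// live in the same document.
function buildDocument() {
  const payment = el('payment');
  payment.cardNumber = 'CONSTRUCTED-VALUE'; // stands in for sensitive form data
  return el('root', [el('header'), el('comments'), payment]);
}

// The loader: factories are registered by name and instantiated with an
// explicit, frozen `grants` object. A module sees nothing but what is passed in;
// there is no shared global namespace for it to reach into.
function createLoader() {
  const factories = new Map();
  return {
    define(name, factory) { factories.set(name, factory); },
    require(name, grants = {}) {
      const factory = factories.get(name);
      if (!factory) throw new Error(`unknown module: ${name}`);
      return factory(Object.freeze({ ...grants }));
    },
  };
}

// A trusted DOM helper, handed a root node (like passing the root node to jQuery).
// Its reach is exactly the subtree it was given.
function domHelperFactory({ root }) {
  return { get: (id) => findById(root, id) };
}

// A third-party comments widget. It receives only its own container and a
// helper bound to that container, so the payment form is unreachable from here.
function commentsWidgetFactory({ container, dom }) {
  return {
    render(text) { container.text = text; return container.id; },
    // A lookup the page author did not intend the widget to succeed at.
    probe(id) { return dom.get(id); },
  };
}

// Wires the page the way the post describes: one trusted entry point grants
// each module its own slice of the document.
function runExample() {
  const documentTree = buildDocument();
  const loader = createLoader();
  loader.define('dom', domHelperFactory);
  loader.define('comments-widget', commentsWidgetFactory);

  const pageDom = loader.require('dom', { root: documentTree });
  const commentsNode = pageDom.get('comments');
  const widget = loader.require('comments-widget', {
    container: commentsNode,
    dom: loader.require('dom', { root: commentsNode }),
  });

  return {
    rendered: widget.render('hello'),                   // 'comments'
    widgetSeesPayment: widget.probe('payment') !== null, // false
    pageSeesPayment: pageDom.get('payment') !== null,    // true
  };
}

module.exports = { createLoader, runExample };
```

The isolation here holds only because the factories are plain functions with no ambient `window` or `document` in scope; in a real browser the platform itself would have to withhold those globals from loaded modules, which is exactly the change to script integration the post is arguing for.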
The same goes for integrating CSS. There already exists the functionality for including additional stylesheets into another one, so what’s the necessity for multiple link tags? I think the more sane approach would be virtually identical to what I proposed for specifying the document JavaScript:
This doesn't necessarily affect XSS attacks, but it's a nice design pattern and for once provides uniformity to the web platform.
I firmly believe that this approach, or one like it (I don't claim to be a genius coming up with the end-all be-all solution), would not only solve XSS, but provide a programming model that could make front end development an order of magnitude better, and result in some really great code and awesome web applications (and less crappy, unmaintainable code!). Will anything like this ever be done? Who knows; I hope so, but we all know that changing something once it's already been added to the web platform is not exactly trivial and rarely happens. But we can all, as a development community, work towards this goal, and hope for the best.
Cr-48 First Impression
Today, much to my surprise, I found a mysterious box at my front door, labeled for me. I had just ordered some new DDR3 1600 RAM off Newegg a couple of days ago, but I shouldn't be getting it for another few days, so I was very confused. There were no words, labels, or markings on the outside that seemed to indicate what it might be. Very mysterious! I opened it up to see, unexpectedly, a Google Cr-48 netbook (the test pilot hardware for the new Google Chrome OS), free for me to use! I never expected I would get one after three attempts and a few months waiting for it. So here is what I think of it after roughly 4-6 hours of use.
Appearance
It’s a sleek little machine, at least for my tastes. It’s about 12×10 inches width and height, very thin, and it can’t weigh very much. It’s plain black, with no real markings, as it’s not intended to be a commercial machine, but the package did come with plenty of cute Google-themed stickers to style it up a bit.
Features
The Cr-48 has the standard qwerty keyboard you would expect, with two notable exceptions. The caps-lock key has been replaced with a search key, and the top keys (F-keys and the like) have been replaced with more specific functions like back, forward, refresh, etcetera. Personally, I wish all keyboards would replace the caps-lock key. Anyone who has looked at YouTube comments can testify that it's never led to an intelligent discussion. As far as the other keys go, they are a useful replacement for the otherwise useless function keys (at least useless in this OS).
One frequent complaint about netbooks is that they aren't very useful without a network connection, and this one isn't any exception. However, Google decided to remedy this to an extent by not only providing 3G support through Verizon, but offering 100MB of data free per month for 2 years for test pilots, as well as other data plans through Verizon. I haven't enabled this yet, since it requires actually signing up for a plan and giving credit card information (I doubt I'll remember to cancel the plan after the 2 years are up), but if I find that I use this netbook often enough I might consider getting an extended 3G plan.
For anyone who doesn't know about Google Chrome OS, it's an extremely stripped down OS (built on Ubuntu Linux) that is, for all intents and purposes, just the Chrome browser (a slightly specialized version, at least). At first this sounds extremely limiting and detrimental, and when you view it from the perspective of general-use computing, then yes, it is. However, to fully appreciate the impact this makes you have to understand Chrome OS's intended purpose. The most common usage for computers is browsing the web and various other simple tasks like document editing and email. This can all be accomplished within a browser, and when combined with the target market usage of a netbook, it turns out to be a perfect fit, as this is all netbooks are really intended to do. So you can then deploy an even more stripped down netbook that is not only cheap and works, but is extremely fast.
Speaking of fast…
Usage
It's very fast! And, of course, why shouldn't it be? It's designed to be only exactly what you need to browse the web and use web-based services, with no bloat, on hardware intended to do just that. On the first boot it took about a minute and a half to set up and install updates, and after that all other boots take anywhere from 10-15 seconds. Going in and out of sleep mode doesn't even feel like that; it's instant. So far the only loading and waiting I've really had to do is waiting on the network to fetch me a web page.
So far I've found some very nice web app alternatives to native applications. I've already been using Google Calendar and Google Docs, as well as Gmail (although I recently migrated to Mozilla Thunderbird as my mail client to manage both my personal Gmail account and my site email), for a long time now, but there are some nice apps out there. It's nice to have access to a lot of my personal files through the Dropbox site. The Google App Store is growing at an impressive rate, and in fact there are plenty of apps that, for all intents and purposes, are native applications running on offline HTML5 technology (however they're stored in the cloud rather than locally, since the Cr-48 pretty much does not have local storage).
Of course, on any test piece of hardware you're going to expect some flaws and bugs, and the Cr-48 is no exception. Most of its faults lie in its track pad. Google apparently decided that in an era where multi-touch track pads are feasible and common, a dedicated right click button and scroll area (most notebooks I've used have an area on the right of the track pad meant for scrolling) are no longer needed, in favor of multi-touch gestures. Right clicks are performed by tapping with two fingers, and scrolling is done by sliding up and down with two fingers. Scrolling turns out to be simple enough, if a bit intrusive, as I'm used to using two fingers to click and drag an object on the screen, which more often than not results in Chrome OS trying to scroll. Right clicking, however, is awful. Whereas scrolling is too sensitive, right clicking is not sensitive enough. I find myself often trying several times just to right click once. On top of this, the track pad suffers from the same annoying issue that all track pads do, where you're trying to type but you're constantly clicking somewhere else on the screen, interrupting your typing or even causing you to start typing somewhere else in the document (I've had this happen to me several times while writing this post). I'm used to just plugging a mouse into the laptop and turning off the track pad, but, while I haven't tried using a mouse with the Cr-48 yet, there doesn't appear to be a way to turn off the track pad.
The number of apps (both web apps and Chrome apps) that replace functionality normally done in native applications is increasing constantly, and some of them are both surprising and impressive; however, there are still some areas which are extremely lacking. For instance, there is no viable way for me to code on this netbook, and forget anything more than the simple Flash games you've grown used to. However, this is to be expected; this netbook and OS aren't designed for those uses, they're designed for basic everyday use, not for power users or gamers. I do, however, expect to see apps in the future that support this kind of functionality in both Chrome and Chrome OS.
In Conclusion
Considering that it is a test piece of hardware for a very new, and very beta, operating system, I am thoroughly impressed. However, the Cr-48 (or something like it) is not yet ready for commercial users. In fact, the Cr-48 itself will not ever see the light of day outside of the pilot program. However, assuming that Google listens to its "test pilots" (which they will), I can see descendants of the Cr-48 not only being successful, but paving the way for a future of casual computing that I can't wait to see.