Quality Reads

Wednesday, November 07, 2007

The Gmail Upgrade Has Arrived...

...at least for me. I'm not sure if everyone can see it yet. Below is a sneak peek ofa the new Contact Manager. If you're working in a small shop it looks like it can be a decent little CRM.
As for the main interface, not a whole lot has changed except for the inclusion of a dropdown menu.
The interface changes are nice but the main upgrade is speed. You'd almost think this is running on the desktop, near seamless experience. They actually prompted me to shut off Firebug just so it wouldn't ruin the experience. The Net Monitor intercepts all the incoming requests slowing things down a bit.

I'm sure I'm missing a couple items but that's all I have to report for now. Hope you get to check it out soon!

Cheers,
Todd

Tuesday, November 06, 2007

Basecamp JS Injection

I've used Basecamp on and off for a couple years now. Generally, I thought it was a great application: secure, well-designed, simple & efficient. That is until I ran into this little beauty today.


In case you can't figure out what you're looking at, thats a lightbox with an Iframe pointing to pierinc.tickspot.com. No, that's not a new feature for Basecamp that you missed out on. One of my colleagues, today, noted that he could enter HTML into the Todo list. Immediately, I was like uh-oh...I wonder if I can....out come the <script> tags. You can insert html script tags right into the Todo list and it doesn't get sanitized. A little scary if you use Basecamp for larger projects, perhaps with a developer you don't completely trust.

After a little inspection of the DOM and playing around, I "mashed up" tickspot, our time tracking application, with basecamp so I can kill two birds w/ one stone. Beyond the security risk, this could actually be kinda fun. Tossing anything I want onto my Basecamp page for easy access. I still think Basecamp is a great application but this a serious no no. I had higher expectation from the 37Signals folks than this (perhaps its a feature...lol).

Cheers,
Todd

PS-I don't have a picture of it but the first thing I did was animate all the <div> tags. I had them flying all around the page...great way to freak out your boss ;)

***Update***
37Signals Support responded with this message:

Basecamp intentionally allows HTML (and JavaScript) because many ofour
users find great value in being able to use that. We're fullyaware that this
allows for XSS attacks, but Basecamp is based on thenotion of trusted parties.
You should only allow people into thesystem that you believe won't hack your
system (just as you shouldonly invite people into your office that you don't
believe will stealfrom you). If your friend becomes a foe, you can revoke their
accountand change your login credentials. Just like you would simply not letthem
into your office.

If this was a public system, it would definitely be different. You can't
have a public forum today without carefully dealing with XSS issues.

In the 3+ years we've operated Basecamp, we've never had a single suchcase
occur, though. So it doesn't seem like it's a big problem. And I know many of
our customers would scream murder if we removed the option to use HTML in their
messages, as they've become accustomed toover the past 3+ years.


I'm not sure I total agree with the sentiment of leaving security up to your users but its certainly a refreshing change from the pervasive concept of the "low-trust" internet.

==>If you're into javascript...hack away!

Friday, November 02, 2007

Shakakai.com

If you're wondering why I haven't been posting here as often as I used to, I've been tied up on my new website Shakakai.com. Its a site that was created with two main goals:
  1. To aggregate all the content I'm generating over the web, be it blog posts, tweets, del.icio.us or digg tags, and a host of social website content.
  2. As an experiment into using Google as Content Delivery Network ( commonly referred to as a CDN)
The former point isn't particularly groundbreaking, everyone is cranking out mashups nowadays. The latter is a radical restructuring of how a website is built. Rather than construct and consume services for my own view layer, I'm capturing all the dynamic content for the site in RSS feeds. Then using Google's AJAX feed API, I'm using request the content from Google rather than my own server. As long as I optimize my JavaScript code, I should see a massive reduction in the bandwidth consumed per visit (in theory). This loose coupling of data from the view also serves to enforce proper MVC development practices while moving much of the application logic to the client.

There's a couple things I need to watch out for taking this approach:
  1. Accessibility - When building out the view, you need to actively review the accessibility of the markup you're using. Its very easy to blow off the standards when you're waist deep in JavaScript.
  2. Load Time - Minimize the amount of JS that gets loaded up front so the initial load time appears extra snappy. Then switch over to on-demand loading for any additional functionality (e.g. a "donate now" button)
The site is still in its infant stages but I hope to make a major dent in the development effort by the end of the weekend. So check in sometime next week: www.shakakai.com

Cheers,
Todd