August 17, 2006

Web 2.0 and Security

You will find other articles relevant to this document in these sections:
Cameron Manderson @ 10:43 am

Web 2.0 is proving to be an important step towards extending the capabilities of HTML interfaces through technologies such as AJAX, which uses JavaScript and asynchronous calls to the server. It has a number of benefits, such as reducing the load on the web server by limiting the traffic needed to perform a simple query or to manipulate the user's session state. It also allows the client interface to be more intuitive and to offer features such as drill-down menus, input suggestions and smarter client-side validation. JavaScript is used with the DOM to modify sections of the HTML, updating the interface based on a request or a response.

It differs from the typical process we experienced in “web 1.0” in that all server functionality had to be performed in a single page request, such as a user submitting a product to their cart or searching for a set of records. Even the simplest of actions therefore required a page refresh.

The shift towards Web 2.0 is something we are seeing more of. A lot of developers are eager to get any form of AJAX integrated into their site just to feel current with the industry and say they are “doing web 2.0”. Often developers are jumping into Web 2.0 without thinking about the potential implications for either accessibility or security.

Recently I read an article on CNet identifying the hype behind Web 2.0 and noting that the security implications Web 2.0 raises are being neglected as web developers push for features at the expense of design and security.

The buzz around the new technology echoes the ’90s Internet boom–complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the early days of desktop software, they say, the development momentum is all about features–and protections are being neglected.

In previous articles we have discussed the realistic threat of security exploits such as Cross Site Scripting and some techniques to overcome cross-site scripting attacks. AJAX increases the possibility of exploitation because it increases the “attack surface”: every additional script and request endpoint we add is potentially another area of our application open to exploitation.

The increased “attack surface” is the result of the added complexity of the client-side interface, but also of the additional server-side scripting required to provide the functionality. The analogy being thrown around at the moment is that Web 1.0 is like a house with no windows, just one big door. In this model you can spend your time putting great big locks and beefy security on that one door. Web 2.0 introduces new windows, each of which must be secured just as well for the whole house to be secure.

The Web 2.0 model is fairly new, and there are no real official practices for the average “joe” programmer to follow. Most scripts appearing online and in recent books are not intended for “production ready” sites. Often the average “joe” will be implementing a whole bunch of server-side and client-side scripts without the correct models to secure them.

Before rushing out and implementing dozens of scripts to perform AJAX, think of the potential security risks associated with creating those “windows” in your application, and how you will treat the requests and any sensitive responses.

XBox Live to give away Texas Holdem

Cameron Manderson @ 10:12 am

XBox Live subscribers will have the opportunity to download the full version of a Texas Holdem Poker game on Wednesday 23 August, but it will only remain free for 2 days. View more information about the release on CNet: Free poker game on Xbox Live. Now just to remember to get it on that night!

August 14, 2006

Some Youtube movies

Cameron Manderson @ 6:34 pm

Just surfing the ole YouTube, and I always come across some YouTube recommendations. I thought I would start this post and then use the comments field to post regular finds as I come across them; often it is hard to find links, and it is great to get condensed favourite lists. Feel free to post your own recommendations:

Back from falls creek

Cameron Manderson @ 9:51 am

A group of us went up to Falls Creek on Thursday through till last night. We stayed at the Alpha Lodge, which was a community-style lodge with shared kitchen/bathroom facilities. The lodge was very well equipped (somewhat almost too well stocked, with about 5 of everything, from electric frying pans to toasters) and the people were really cool, playing poker and drinking.
The snow was also very good, but not much of the mountain was open. No ice sections, but perfect blue skies all 3 days of snowboarding. Of what was open there was great covering (about 73+cm average man-made depth). It included runs like Highway 83, Main Street, Ruined Castle and Scotty’s. It gave a good opportunity to go back to some green runs as well to muck around with ollies/180’s trying to improve technique.

Will hopefully upload some photos in the next 24-ish hours once I can get them off the camera.

August 11, 2006

Off to the USA

Richard Lee @ 10:14 am

I’m off to the US for 2 weeks as of this Saturday. The plan is to spend 4 days in Las Vegas partying up with mates, then on to Colorado for some action-packed fun - rock climbing, white water rafting and downhill mt bike riding ;) . Eventually we’ll end up in Minnesota sometime next week for a wedding. Can’t wait. See you guys in 2 weeks time!

August 10, 2006

Usability and Web 2.0

Richard Lee @ 12:03 pm

With the hype of “Web 2.0” I find there’s a certain expectation to use cutting edge technology in each new project. But you have to ask yourself, by using this technology am I really going to benefit the end-user? Take AJAX for example. It’s cool, but it’s not a toy. It’s great for forms, but consider that JavaScript doesn’t mesh well with the likes of the back button - a great feature of standard web site user interfaces - good reasoning for not developing a pure JavaScript app (source: http://alexbosworth.backpackit.com/pub/67688).

An excellent column on useit.com, by usability expert Jakob Nielsen, covers some great points in relation to technology and usability. Of specific interest was Nielsen’s article on “Growing a business Website: Fix the basics first”. In the article Nielsen discusses the growing trend of businesses to focus on the “latest and greatest” and forget the basics of usability. “Clear content, simple navigation, and answers to customer questions have the biggest impact on business value,” says Nielsen. “Advanced technology matters much less,” in what Nielsen describes as “Elite Experience vs User Experience”. I couldn’t agree more. I’m constantly forwarded links to “gasp, how cool was that!?” websites from friends and colleagues, and I sometimes wonder, is this website really addressing the end-user? Or is the web developer/designer just trying to impress friends?

As a developer working on e-commerce sites I’m constantly revisiting user scenarios, but that’s not to say I don’t get tempted to implement “useless” technologies. Quoting Nielsen again, “it is tempting to work on what’s hot, but to make money, focus on the basics that customers value”.

Here are a few good tips from Jakob Nielsen to take away with you:

  1. Communicating clearly so that users understand you. Users allocate minimal time to initial website visits, so you must quickly convince them that the site’s worthwhile.
  2. Providing information users want. Users must be able to easily determine whether your services meet their needs and why they should do business with you.
  3. Offering simple, consistent page design, clear navigation, and an information architecture that puts things where users expect to find them.

And just remember Web 2.0 isn’t all about *new* technology; rather it’s a set of principles and practices aimed at delivering more service-orientated web applications.

For more information on usability visit Jakob Nielsen’s website useit.com, and for Web 2.0 check out “What is Web 2.0?” by Tim O’Reilly (oreillynet.com).

August 9, 2006

Basic AJAX with XMLHttpRequest Class

Cameron Manderson @ 12:02 pm

There is a lot of buzz going around RIA and Web 2.0 these days, and for HTML the heart of it is AJAX. We use AJAX as a way to make a request via JavaScript and receive a response from the server, which can be text or XML.

The fundamental object we use in AJAX to perform this functionality is the XMLHttpRequest class. This class allows us to create an HTTP request and receive a response from the server. The object itself is quite basic: it lets you set request headers and send request data, such as POST variables, and it returns the response either as a string or as a DOM-compliant XML document.

I thought I would provide a quick outline of making a request using this object, which I can build examples on in the future, and hopefully discuss a JavaScript framework I wrote around it to handle calls and relay the responses to the appropriate functions.

Creating XMLHttpRequest Objects

There are a few different ways for us to create an XMLHttpRequest object, depending on whether we are in IE or a Mozilla-style browser. The most effective approach is a factory method that returns an XMLHttpRequest object according to the browser's support. Our method returns null if the browser isn’t capable of performing the functionality.

function createXMLHttpRequest() {
  // Declared locally so we don't leak a global on every call
  var xmlHttpRequest = null;
  if (window.XMLHttpRequest) {
    // Mozilla, Safari, Opera (and IE7+): native object
    try {
      xmlHttpRequest = new XMLHttpRequest();
    } catch(e) { return null; }
  } else if (window.ActiveXObject) {
    // Older IE: try the newer MSXML ProgID first, then the legacy one
    try {
      xmlHttpRequest = new ActiveXObject("Msxml2.XMLHTTP");
    } catch(e) {
      try {
        xmlHttpRequest = new ActiveXObject("Microsoft.XMLHTTP");
      } catch (e2) { return null; }
    }
  } else {
    return null;
  }
  return xmlHttpRequest;
}

Creating a request

We can now create XMLHttpRequests and instruct them how to perform. Here is an example to make a request using our XMLHttpRequest object:

  var xmlHttpRequest = createXMLHttpRequest();
  if (xmlHttpRequest == null) {
    alert("No XMLHttpRequest available");
  } else {
    // Make the call (third argument true = asynchronous)
    xmlHttpRequest.open("GET", "http://localhost/myscript/?do=whatever", true);

    // Associate the ready state change handler before sending
    xmlHttpRequest.onreadystatechange = function() { alert("We have a changed state!"); };

    try {
      // Send the request; a GET has no body, so pass null
      xmlHttpRequest.send(null);
    } catch(e) { alert("Send failed"); }
  }

When we create the XMLHttpRequest object and use the send() function, we need to specify an “onreadystatechange” function that gets called each time the XMLHttpRequest object changes state.

The XMLHttpRequest object has several different properties we can access to retrieve our response.

readyState - request state (integer, see the list below)

responseText - response body as a string

responseXML - DOM-compatible document object built from the response

status - HTTP response code (200, 404 etc)

statusText - HTTP response code text

Throughout the lifecycle of a request, the XMLHttpRequest object moves through the following states:

0: “uninitialized”
1: “loading”
2: “loaded”
3: “interactive”
4: “complete”

We can access the response once the state of the XMLHttpRequest object has reached state 4.

Changing our above example, we can incorporate the XMLHttpRequest properties to determine our result:

xmlHttpRequest.onreadystatechange = function() {
  try {
    // Only act once the request is complete (state 4)
    if (xmlHttpRequest.readyState == 4) {
      if (xmlHttpRequest.status == 200) {
        // We have a successful HTTP request with data
        alert("we received:" + xmlHttpRequest.responseText);
      } else {
        // We have an error
        alert("our call failed:" + xmlHttpRequest.status + " " + xmlHttpRequest.statusText);
      }
    }
  } catch(e) { alert("Unable to determine the state of the call"); }
};

Security

It is also worth noting that, because of the JavaScript sandbox, it is necessary to:

a) Test over the HTTP: protocol, not from a FILE: URL, as the browser restricts XMLHttpRequest from local files.

b) Only request information from the same domain as the page; don’t make a call to a different domain, as the browser's same-origin policy will block it.

Where to from here?

Overall this gives us a very basic framework that we can wrap and write our own functions around. We can extend the base xmlHttpRequest object to handle functionality such as

  • Event Listeners

  • Timeouts/Abort

In the near future I will post an article with an example of making a request and handling a response.
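As an added example (not code from the original post), here is a wrapper around the createXMLHttpRequest() factory above that adds the same-origin check from the Security section together with the timeout/abort and callback handling listed as next steps. The names isSameOrigin, ajaxGet and fakeXHR are mine; the factory is passed in, and a constructed fakeXHR stands in for the browser object so the code runs outside a browser.

```javascript
// Added example, not the post's own code: wraps the createXMLHttpRequest()
// factory above with a same-origin check, timeout/abort and callbacks.

// True only when requestUrl (resolved against pageUrl) has the same scheme,
// host and port as the page: the "same domain" rule; file: URLs are refused.
function isSameOrigin(requestUrl, pageUrl) {
  var target = new URL(requestUrl, pageUrl);
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  return target.origin === new URL(pageUrl).origin;
}

// Issues an asynchronous GET and reports through opts.onSuccess(text) or
// opts.onError(message); returns the request object, or null if refused.
function ajaxGet(url, opts, createXHR) {
  if (!isSameOrigin(url, opts.pageUrl)) {
    opts.onError("refused: " + url + " is not same-origin");
    return null;
  }
  var xhr = createXHR();
  if (xhr == null) { opts.onError("No XMLHttpRequest available"); return null; }
  var finished = false;                         // guards against double reporting
  var timer = setTimeout(function () {
    if (finished) return;
    finished = true;
    xhr.abort();                                // give up on a hung server
    opts.onError("timeout after " + opts.timeoutMs + "ms");
  }, opts.timeoutMs);
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4 || finished) return;   // 4 = "complete"
    finished = true;
    clearTimeout(timer);
    if (xhr.status === 200) opts.onSuccess(xhr.responseText);
    else opts.onError("HTTP " + xhr.status + " " + xhr.statusText);
  };
  xhr.open("GET", url, true);
  xhr.send(null);
  return xhr;
}

// Constructed stand-in for XMLHttpRequest that completes as soon as send() runs.
function fakeXHR(status, text) {
  return {
    readyState: 0, status: 0, statusText: status === 200 ? "OK" : "Not Found",
    responseText: text, onreadystatechange: null,
    open: function () { this.readyState = 1; },
    abort: function () { this.readyState = 0; },
    send: function () { this.readyState = 4; this.status = status; this.onreadystatechange(); }
  };
}
```

In a browser, pass createXMLHttpRequest in place of the fakeXHR factory; the finished flag also absorbs the extra readyState 4 callback a real abort() triggers.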

August 7, 2006

DefCon 14, Las Vegas

Richard Lee @ 5:16 pm

The 14th DefCon Convention ends today at the Riviera Casino in Las Vegas. For those of you in the know, DefCon is said to be the neutral ground for hackers, security specialists and government agents alike. In a recent article on AustralianIT Kenneth Greer, Security Specialist for the US Military, commented that the convention is an excellent place to glean new hacking tactics, network vulnerabilities, and recruit “rock star hackers” to help harden his military networks - networks responsible for aircraft carrier communications and missile guidance systems (source: AustralianIT). It really makes you wonder. Will the next terrorist attack be a complex, well planned attack from some extremist group or just your neighbour playing on his/her PC…

Cyber crime ranks only behind terrorism and counter-intelligence as top priorities at the Federal Bureau of Investigation.

August 6, 2006

New Template in Progress

Cameron Manderson @ 6:16 pm

I am working on a new temporary template that will do us for a while until we can get a nice one designed up. I will hopefully have made more progress later tonight. As we are parsing more than 150 posts we have to get past the standard “classic” template that we have been trying to get away with for some months. Instead I have tried to fix the typography of the site which was starting to get very confusing.

For now there will be no colours, just typography and layout. Thoughts would be appreciated.

August 5, 2006

Amazing example of Photo Tourism

Cameron Manderson @ 1:35 pm

I found this link in a CNET article today and I definitely feel it is necessary to post on.

Have a look at the link: http://phototour.cs.washington.edu/ - It is a virtual photo gallery application that allows you to view a tourism site in 3D using (what I imagine) is photos pulled in from flickr. You can look at the site from different angles, and select a section that you want to view closer. Very impressive little Java Applet!

It is also worth placing a link to the Microsoft Research, Interactive Visual Media for their paper on the technology directions!
