Posted by Tom Moertel
Tue, 31 May 2005 16:00:00 GMT
I read a lot of academic papers, most of which are distributed in
Postscript or PDF format. Because they are usually typeset for
publication in journals, reading them on the computer is
fatiguing. The type is too small, and I must zoom and scroll to
compensate.
For this reason, I almost always dispatch the papers to the laser
printer, staple the resulting stack of pages, and then read the
printed version. Not only is this easier on the eyes, but also I can
read while reclining in a comfortable chair, preferably with an
espresso on the side table. I can also scribble notes in the
margins. It’s a good deal.
But there’s a catch: the system only works for short papers. If more
than fifteen pages come out of the laser printer, the weak link is
readily exposed: the everyday desk stapler. Try to bind a non-trivial
stack of pages, and you’ll soon have bent staples, mangled pages, and
a stapler that is flat-out jammed.
Nevertheless, I can go further than most. For I have learned the dark
arts by which desk staplers can be made to bind beyond their mortal
limits. Through cunning manipulation and fell incantation (swearing,
mostly) I can coerce an ordinary desk stapler into binding perhaps
twenty pages. But that is the utmost limit; beyond, there is only
suffering.
That is, until today. For today I walked into my local Staples and saw
the One-Touch high capacity stapler. Half stapler, half hammer
tacker, this bad boy had my name written all over it. The price tag
was a suspiciously high $29.98, but I didn’t care.
Sold.
Read more...
Posted in good stuff
1 comment
no trackbacks
Posted by Tom Moertel
Sun, 08 May 2005 16:00:00 GMT
As I wrote earlier, it’s time for web developers to do away with the fundamentally broken practice of using hypertext links to trigger dangerous events such as deleting things. One of the first places we ought to clean house is in the burgeoning Rails web-application framework, where this practice is pervasive.
The primary culprit in Rails is the all-too-easy link_to method, which is (presently) the orthodox means of creating links to any action, even unsafe ones. For example:
link_to "Destroy", :controller => 'accounts',
:action => 'destroy', :id => 6
The above code generates the following HTML hypertext link, which when followed will merrily delete account number 6:
<a href="/accounts/destroy/6">Destroy</a>
Because this practice is dangerous and contrary to the decade-old convention that links be safe, the link_to method thoughtfully lets us request that a Javascript confirmation dialog be tacked onto the link for added protection:
link_to "Destroy", ..., :confirm => "Are you sure?"
The resulting “safe” HTML:
<a href="/accounts/destroy/6"
onclick="return confirm('Are you sure?');">Destroy</a>
Unfortunately, the Javascript protection doesn’t work. First, not all web browsers care about it. Lots of people surf with Javascript turned off. Second, a whole slew of things besides web browsers live on the Internet, and almost all of them are oblivious to Javascript. Web crawlers fall into this category. They will be more than happy to follow any link you feed to them. “Hey, Googlebot just deleted every account in our database!” Oops.
Thus another layer of protection is commonly used: authorization. The theory is that dangerous links can be safely corralled in the private parts of a web application, where the public and web crawlers cannot go. Only authorized users can get into those parts, and those users will be smart enough not to click on the truly dangerous links unless they really mean it.
The problem is, any number of intermediary agents can be operating on behalf of an authorized user, and these agents are free to do anything the user is allowed to do, such as follow dangerous links. Google’s Web Accelerator is one such agent. It tries to make your surfing faster by (among other things) pre-fetching the resources that are linked to on the pages you visit. And what happens if you, an authorized user, visit a page containing dangerous links? That’s right, Web Accelerator will fetch the “resources” those links point to – and delete a bunch of your stuff.
I hope by this point that I have argued convincingly that using links for unsafe actions is a bad idea. Even if you feel justified in ignoring the applicable parts of the HTTP RFCs, it’s a bad idea. Even if you tack on Javascript confirmations and hide your links in authorization-protected zones of your site, it’s a bad idea. It is, all around, a bad idea. Don’t do it.
So what alternatives are there? Read on for one possibility, button_to.
Read more...
Posted in ruby, web development, rails
Tags get, gwa, link_to, post, rails, safe, unsafe
8 comments
no trackbacks
Posted by Tom Moertel
Sat, 07 May 2005 01:55:00 GMT
Google Web Accelerator offers web developers an important opportunity
There has been a lot of heat lately about Google’s Web Accelerator (GWA)
exposing serious problems in some popular web
applications. The problem, in short, is that these applications use
GET-based links that when followed perform dangerous actions such as
deleting records in a database. According to web standards going back
a decade, that is a no-no: Links should be safe to follow. Thus GWA,
expecting links to be safe, tries to help you out by pre-fetching
various resources that are linked to by the pages you
visit. Unfortunately, if the page you happen to be visiting contains
lots of dangerous links, GWA will innocently try to pre-fetch the
“resources” that the links point to, and in doing so will accidentally
delete a bunch of stuff. Oops.
That’s the backdrop for our real story, which is the response from the
community of web developers. What I find fascinating, and somewhat
disheartening, is the number of people who say the problem is Google’s
to fix. Yes, there are a lot of broken web apps out there, and Google
could have been smarter about working around the minefields those apps
represent. But that’s a side problem. The real problem is that there
are a lot of broken web apps out there, and they do represent
minefields. Worse, a lot of web developers think it is acceptable to
brush aside fundamental conventions of the web going back a decade
when they find it sexier to use GET instead of POST.
What these developers overlook is that the web is not a bunch of
colorful pages with buttons, clickable links, and pretty
pictures. Rather the web is a distributed collection of hypertext
documents, each of which has a meaning that is given by standards that
most people have agreed to follow. While the collection may look like
a bunch of colorful pages in one particular visual presentation, it
really, truly is not.
Nevertheless, many web applications are designed with the prevailing
mindset that the meaning of the web is nothing more than how it looks
and behaves in a web browser. Even if those web applications are not
intended for use outside of a few approved browsers – the escape
hatch that is often used to justify departures from the
standards – this mindset is wrong.
The reason it is wrong is because, like it or not, web applications
are implemented in terms of protocols and languages that mean
something. The bits and pieces of a web application each mean
something, even if what they mean is not in harmony with the
designer’s overall vision. What a web designer may see as a bold, red
link that says “delete” and is protected by a Javascript confirmation
dialog, is actually a hypertext reference – a pointer
to another resource that the standards say should not be dangerous to
follow. Thus there is a fundamental mismatch between what the designer
is trying to say – “follow this link only if you
really, no-kidding want to delete something” – and
what his markup actually means: “this link is safe to follow.”
The bottom line is that hypertext links are supposed to be
safe. Dangerous links can’t be made “safe” by layering tricks on
them. Wrapping them with Javascript confirmation dialogs doesn’t make
them safe. This trick fails fundamentally because the meaning of a
link doesn’t change when there is Javascript associated with it. It
fails practically because not all consumers of hypertext evaluate
Javascript, nor do any standards suggest that they should. (This is
also why client-side validation cannot be trusted on the server side.)
Hiding dangerous links in authorization-controlled portions of a web
application does not make them safe, either. This trick might shield
the links from external spiders, but the standards allow for any
number of intermediary agents (such as Google’s Web Accelerator) to
work on behalf of an authorized user. Anything the user is authorized
to do, so are the user’s agents. If the user can click the “delete”
link, so can the agents.
Let’s answer the wake-up call.
GWA is only the first of a new breed of
smarter user agents that promise to make the web a better place for
all of us. If you’re a web developer, take the slew of problems that
GWA uncovered as a wake-up call. Even if Google works around your
problems, other user agents may not. As developers, it’s time to admit
our mistakes and fix the stupid things that our web applications do.
First, let’s drive a stake in the notion that dangerous links are OK
if we’re “careful.” They’re not. Dangerous links are
lazy. “Confirming” them with Javascript or “hiding” them behind
authorization doesn’t work.
Second, let’s clean house. Let’s find those places where we have laced
our web applications with dangerous links and remove them. Break out
the forms! Long live the POST!
Third, let’s take a look at how we got into this mess and try to learn
from our mistakes. Do we value sexiness more than substance? We like
to think that form follows function and that good design and good
implementation go hand in hand, but the reality of this debacle
suggests otherwise. I think the truth is that on the web, sexiness and
hype are what gets attention, and we seek attention more than we like
to admit.
Maybe the best thing for us is a good dose of humility. And, come to
think of it, that’s just what Google’s Web Accelerator offered us.
Posted in web development
Tags get, gwa, post, rails, safe, unsafe
no comments
no trackbacks
readers
