SNF Labs

assemble the ways

2008-08-17T19:52:10Z

Shoplifters, Unite is now iPhone-friendly! More on this later.

oh stewardess, I speak five

2008-07-27T23:47:50Z

Backwater, a.k.a. chompy 3, is public now, and it uses HTML 5. While HTML 5 adds many interactive features that aren't going to be supported by any browsers for a while (plus a few that are already supported, like canvas), it's not too hard to get some of the passive elements like section, nav, article, aside, header, and footer working on current browsers like Safari 3, Firefox 3, and Opera 9.5. All you really need to do is set the display CSS property to block or inline as appropriate in your stylesheet.

Older browsers are a different story. Both Firefox 2 and Internet Explorer 7 have trouble handling unknown elements; if you use the above HTML 5 elements to contain child elements as they're intended, both browsers will prematurely close the tags and punt their child elements into sibling positions on the DOM tree. You can verify this by using the DOM Inspector. What you'll see is that something that should look like this:


    we're sailing at the edges of time
    we're drifting at the waterline

Looks like this to the renderer:


we're sailing at the edges of time
we're drifting at the waterline

It turns out that there's an easy solution for IE; just use Javascript to programatically create one of each element that you wish to use. Using the example above, the fix is simply to execute the following code:

You don't even need to append the new element to anything in the document tree; just creating it somehow kicks IE's parser into working order.

So that's easy, but it doesn't work in Firefox 2. In Firefox 2, unknown elements can't contain child elements unless the page is served as XHTML. Serving a page as XHTML doesn't mean just slapping a different DOCTYPE declaration on the page and running it through the validator; this means writing the page using the XHTML serialization of HTML 5 and serving the page using the application/xhtml+xml content-type, which forces your browser to parse the page as XML, which means that you have to be utterly scrupulous about well-formedness, because one error will cause the browser to barf up an error page.

I did this for years with chompy.net and remake/remodel, and it's harder than it looks. I'll probably end up writing scores of unit tests to shake out any XML well-formedness bugs in backwater's codebase.

GET action

2008-07-12T02:56:12Z

For reasons of aesthetics and user friendliness, logouts are initiated by simply clicking on a link. This is a problem, however, because clicking on a link causes a GET request, and GET requests are supposed to be idempotent; that is, they are not supposed to generate side effects. The proper HTTP method for logouts, therefore, is POST. But how to POST a logout request through a link?

The solution is to first force the logout handler to reject any GET requests and only accept POST requests. Then, give the user two means to POST a logout, depending on whether or not they have Javascript enabled:

If Javascript is disabled, the link simply triggers a GET request, as it normally would, and an additional page is displayed with a logout confirmation form. This form uses the POST method.
If Javascript is enabled, then a Javascript function is added to the onclick handler for the logout link. This Javascript function submits an appropriate POST request to the logout handler when the logout link is clicked.

This Javascript function is called SNF.logout() and can be found in /js/catfood.js. Attach the function to the logout link like this:

// This example uses Mootools
if ($('logout-link')) {
    $('logout-link').addEvent('click', function(event) {
        var clickEvent = new Event(event);
        // SNF.logout() posts the logout request
        SNF.logout();
        // Stopping the click event keeps the browser from loading 
        // the URL in the logout link's href; that's only there
        // as a fallback.
        clickEvent.stop();
    });
}

(You could also throw something like onclick="SNF.logout();" directly into the a tag, but the unobtrusive approach shown above is more maintainable.)

As of this writing, SNF.logout() is not completely robust and will not gracefully handle error conditions, but it works fine under normal circumstances. I'll update it soon.

Finally, a nice side effect of forcing logouts to use POST is that a basic CSRF attack vector is eliminated.

Be sure to check the wiki for any updates to this discussion of the logout process.

moot tools

2008-07-10T17:31:22Z

I'm quite unhappy with the way the Mootools team has been running their project lately, so I'm going to evaluate jQuery for fitness to purpose, and if it looks good, switch SNF over. Rewriting a ton of Javascript won't be fun, but jQuery seems to attract a more sober set of developers and appears to be run a bit more professionally. In the long run, switching might be good for the site.

This would be a good opportunity to bring the pre-AJAX-era AJAX in 15 Ways up to date, too.

SNF: TNG

2006-03-24T18:39:59Z

So, Chris, you had mentioned throwing everything out and starting from scratch... What do you have in mind? Let us discuss.

i was bored before i even began

2005-12-01T17:31:30Z

The sequel to Shoplifters, Unite will have to wait. I began rewriting it yesterday and had completed the initial basic work — creating song and request classes, displaying a rudimentary index page, etc. — when I moved on to implementing downloads and quickly hit a wall. The download code in Shoplifters works like this:

verify that user is allowed to download
check that requested file is available
output HTTP headers
output the file using a call to readfile()

It turns out that the last step no longer works. In PHP 5.0.4 and only PHP 5.0.4, readfile() has a bug that causes it to halt output at about 1.9 MB. This means that only the tiniest of files can be downloaded successfully from Shoplifters.

I sent a note to Dreamhost support and even created a demonstration page for the bug so that they can see what I’m talking about. All they have to do to fix the issue is to upgrade PHP to any subsequent version, but they’re very conservative about PHP upgrades, so there’s no telling when that might happen.

There are things I could do to work around the problem, but I don’t like any of the options that I’ve been able to come up with:

link directly to download files instead of passing them through an intermediary script
downgrade to PHP 4
write Shoplifters 2 in some other language

help me, chris

2005-10-28T20:10:41Z

The following query is intended to show the number of revisions to the wiki over the past 14 days:

SELECT DATE_FORMAT(date, '%Y-%m-%d') AS dom, COUNT(id) 
    AS revisions FROM version WHERE DATE_SUB(CURDATE(), 
    INTERVAL 14 DAY) <= date GROUP by dom;

Because a few days during the last two weeks had no activity at all, the results look like this:

+------------+-----------+
| dom        | revisions |
+------------+-----------+
| 2005-10-17 |        11 |
| 2005-10-18 |         2 |
| 2005-10-19 |         9 |
| 2005-10-21 |        11 |
| 2005-10-22 |         2 |
| 2005-10-23 |        13 |
| 2005-10-24 |        11 |
| 2005-10-25 |         3 |
| 2005-10-26 |        10 |
| 2005-10-27 |         4 |
| 2005-10-28 |         3 |
+------------+-----------+
11 rows in set (0.03 sec)

But I need my results to look like this:

+------------+-----------+
| dom        | revisions |
+------------+-----------+
| 2005-10-15 |         0 |
| 2005-10-16 |         0 |
| 2005-10-17 |        11 |
| 2005-10-18 |         2 |
| 2005-10-19 |         9 |
| 2005-10-20 |         0 |
| 2005-10-21 |        11 |
| 2005-10-22 |         2 |
| 2005-10-23 |        13 |
| 2005-10-24 |        11 |
| 2005-10-25 |         3 |
| 2005-10-26 |        10 |
| 2005-10-27 |         4 |
| 2005-10-28 |         3 |
+------------+-----------+
14 rows in set (0.03 sec)

That is, I want the days with no activity to show up in the results. How do I do that?

happy jax

2005-10-24T19:23:14Z

I redesigned the wiki yesterday to more closely resemble the main SNF Labs site, and also added a sitewide recent comments page, plus a "what links here" feature for every article.

The "what links here" feature provides a good chance to discuss when AJAX might be used and one way you can do it. My thought process went something like this: I could have put each article's incoming links on a separate page, but since each page's list of incoming links is likely to be small, it made more sense to display them on the same page as the article text. At the same time, I didn't want an additional database query slowing down every page load, so I decided to make the list of incoming links only display when requested by the user. This required making an xmlhttprequest to the backend from the client-side code.

This is the Javascript code that does all the work:

function getIncomingLinks(articleName)
{
    var progress = document.getElementById('progress');
    var loadingMsg = document.createTextNode(" loading...");

    var loadingFunc = function(t) {
        progress.appendChild(loadingMsg);
    }

    var loadedFunc = function(t) {
        progress.removeChild(loadingMsg);
    }

    var errFunc = function(t) {
        alert('Error ' + t.status + ' -- ' + t.statusText);
    }

    var url = 'http://labs.spaceshipnofuture.org/icky/ajax.php';
    var params = 'mode=getIncomingLinks&q=' + articleName;
    var options = {
        method: 'get',
        parameters: params,
        onLoading: loadingFunc,
        onLoaded: loadedFunc,
        onFailure: errFunc
    }
    new Ajax.Updater('incoming-links', url, options);
}

This ought to be easy to follow. When the user clicks the "what links here" link, a call to getIncomingLinks() is made. getIncomingLinks() creates an Ajax.Updater object (part of the Prototype Javascript library). We provide Ajax.Updater with a URL to contact, the HTTP method to use ('get'), and a number of callback functions that are triggered depending on the HTTP request state. When the request completes, Ajax.Updater updates the contents of the HTTP element with the id 'incoming-links' using whatever output the backend sent. That's it.

The client-side code and backend code are rather tightly coupled here. If you don't want the backend to send formatted output, you could use Ajax.Request instead and have the backend send its output as JSON. Your client-side code would then unpack the JSON output and format the data using the DOM.

SURBL bobble

2005-10-21T20:33:49Z

In addition to the blacklist checking mentioned previously, a good future project would be to extract URLs from comment bodies and scan them against a SURBL. A SURBL differs from a conventional spam blacklist in that it doesn't check the sender's origin (that is, the IP address), but instead checks the sender's payload (any URLs in the message body). This is also supported by Net_DNSBL, so implementing this ought to be easy, and is probably much more effective than an IP address blacklist.

a spy in the haus of spam

2005-10-19T18:14:36Z

Comment spam hasn't really been much of an issue with SNF, since we require registration, and that's sufficient to thwart almost all automated spam attacks. Still, it doesn't hurt to provide other layers of reasonable safeguards, so today I changed the link-o-matic to check all incoming comments against the Spamhaus realtime IP address blacklist. I thought this might turn into a real project, but it ended up being easy because a PEAR module called Net_DNSBL already exists to do all the work.

I've implemented the check in a static method of the SNFComment abstract class:

public static function checkBlacklist($user)
{
    require_once('Net/DNSBL.php');
    $dnsbl = new Net_DNSBL();
    $dnsbl->setBlacklists(array('sbl-xbl.spamhaus.org'));
    if ($dnsbl->isListed($user->ip)) {
        throw new SNFCommentBlacklistException();
    }
}

Here's how you would use it in your code:

require_once('SNF/exceptions.inc');
require_once('SNF/users.inc');
require_once('SNF/comments.inc');

$user = new User();

try {
    // Check real-time IP address blacklist
    SNFComment::checkBlacklist($user);
    // Post comment...
} catch (SNFCommentBlacklistException $e) {
    // Reject comment...
}

This is pretty basic: if an SNFCommentBlacklistException is thrown, you reject the message; otherwise, you post the comment. If you wanted, you could get fancy and shove the message into a moderation queue instead of throwing it away.

If everything seems to work smoothly with the link-o-matic for a while, then I'll add support to 15 Ways later. (The weblogs are already safe, because Movable Type has built-in blacklist checks as of version of 3.2, and it's been working impressively well over at chompy.net.)

first things

2005-10-12T22:07:44Z

This is the pretend first entry, not to be confused with the for-real first entry. A for-real first entry would have a substantial amount of content and some sort of purpose distinct from the blog itself. This is a pretend first entry, so it's really about nothing except making sure that the blog works and filling up some space.