yoy.be "Why-o-Why"

E-mail over HTTP: update

2019-07-19 21:11  jmap  coding computers internet  [permalink]

→  E-mail over HTTP (2012)

Of course the magnificent people that are already behind the internet (that beefed-up telegraph with funky terminals) have been working silently on exactly this in general, but completely different in the details: RFC8620: JMAP


A PDF website

2019-07-14 00:54  pdfweb  coding delphi internet freeware  [permalink]

I had an idea. PDFs nowadays open right in the same browser window. We can thank the steady progress of the JavaScript ecosystem for making this possible. And also more secure, if I understood correctly.

Also, in a PDF you can mark text or a rectangle as a hyperlink. So it should be possible to create a dynamic website that uses PDF instead of HTML, right? One way of looking at it is that PostScript in PDF is a way to lay out things on your page just like HTML is.

Anyway, I had to see how much work it would take to make a proof-of-concept. So here it is. It's not much on the dynamic side, but it's a site that opens to a PDF and links to another page of the same site.

https://github.com/stijnsanders/pdfweb
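Added example, not code from the pdfweb project: the smallest "page" such a site can serve is a one-page PDF whose text is also a clickable link, built in memory and sent with the PDF content type. Page size, font, the link rectangle and the sample URL are assumptions; the escaping is what keeps a caller-supplied text or URL from breaking out of the PDF string syntax.

```python
# Added example, not code from the pdfweb project: build a one-page PDF in
# memory whose text is also a clickable link, i.e. one "page" of a PDF-based
# website. Page size, font and the link rectangle are assumptions; the URL is
# whatever the caller passes in.

def pdf_escape(s: str) -> str:
    """PDF literal strings are delimited by parentheses, so '(' ')' and '\\' must be
    escaped. Without this, text or a URL containing ')' could break out of the string."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")

def pdf_page_with_link(text: str, url: str) -> bytes:
    """Return a complete PDF whose single page shows `text` and links it to `url`."""
    # One line of 18pt Helvetica near the top of a Letter-size page.
    content = ("BT /F1 18 Tf 72 700 Td (%s) Tj ET" % pdf_escape(text)).encode("latin-1")
    # Objects are numbered 1..6 in this order; object 5 is the content stream,
    # object 6 the /Link annotation with a /URI action placed over the text.
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
         b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R /Annots [6 0 R] >>"),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        (b"<< /Type /Annot /Subtype /Link /Rect [72 690 400 720] /Border [0 0 0] "
         b"/A << /S /URI /URI (%s) >> >>") % pdf_escape(url).encode("latin-1"),
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))            # xref needs the byte offset of "N 0 obj"
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off     # every xref entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)

def xref_offsets_valid(pdf: bytes) -> bool:
    """Check that every xref entry points at the 'N 0 obj' line it claims to describe;
    viewers fall back to scanning (or refuse the file) when these offsets are wrong."""
    tail = pdf[pdf.rindex(b"startxref") + len(b"startxref"):]
    start = int(tail.split()[0])
    lines = pdf[start:].split(b"\n")
    if lines[0] != b"xref":
        return False
    count = int(lines[1].split()[1])         # "0 N": N entries starting at object 0
    for num in range(1, count):
        off, _gen, kind = lines[2 + num].split()
        if kind != b"n" or not pdf[int(off):].startswith(b"%d 0 obj\n" % num):
            return False
    return True

def http_response(pdf: bytes):
    """Status, headers and body a dynamic PDF site would send so the browser renders inline."""
    return 200, [("Content-Type", "application/pdf"),
                 ("Content-Length", str(len(pdf)))], pdf

if __name__ == "__main__":
    with open("page1.pdf", "wb") as f:
        f.write(pdf_page_with_link("Go to page 2", "https://pdfweb.example/page2.pdf"))
```

The xref check is the one worth keeping around: a hand-built PDF that renders fine in one viewer and not in another is almost always an offset that is off by a byte.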


Well, the newspapers...

2019-03-12 23:27  qoudkranten  actueel dagboek internet politiek weblog  [permalink]

Poor newspapers, how hard they have it. Another victim of the digital age? I'm not so sure yet. You always have to adapt to the times. And something is seriously wrong with these times. Recently I read something along the lines of "the internet is not a nuance machine"... That leaves little to the imagination. Unfortunately it's true. If you have an environment where extreme opinions find more resonance, sooner or later things go wrong. Meanwhile it's becoming painfully clear that it can have consequences for the rest of us too.

But what should the newspapers do then? The formula of buying a cheap printed throwaway thing with yesterday's news on it is well and truly outdated. Translating it into an online story where you show the headlines and make people pay to read on simply doesn't work. Not as a subscription, not with micro-payments per article. And certainly not if you think you can join in on this new platform that grew out of openness, but don't want links to the specific articles on your website...

Sometimes it seems they only see the cost picture and don't dare look too far ahead. If they dare to flirt with a more sensation-seeking angle, the content quickly deteriorates and you may not attract the audience you actually want. I think they should instead reach back to the essence of journalism. A newspaper used to be the end product of a well-oiled team in which everyone fulfilled their essential task, and exactly such pipelines are having a hard time everywhere in these modern times. So here too: skip the middle man. I know that news flows from an editorial office. As a journalist you have to actively stay informed about what is about to happen. You have to know how to get developments confirmed, where to learn more about the other side of the coin. Where to consult other perspectives and find and apply exactly the nuance that is needed.

All this is neatly hidden behind what we ultimately get to read as consumers. Maybe that should change. I'd like to see the torment and heat of a newsroom spring off an information platform where you get more than just the current news to digest. Everything that lives among the people or comes in over the wire has to be filtered, framed, confirmed. We're not stupid. We can handle that. More than that, maybe you should involve the people in it. That may seem a strange proposal when you see what usually comes in on the comments section, but here you may be able to use a revenue model to your advantage. You don't just let a free entry level contribute anything, but you do listen to people who have proven they have something valuable to offer. Whether that valuable contribution is part of the revenue figure is another question, but that's for another time.

So I imagine that in one central place you get to see everything. Even if it has been shown to be a lie, or is still awaiting confirmation. Suppose something comes in that's worded too strongly or too one-sidedly: it can be flagged. You can check it against more moderate versions and whether those lose anything of the essence. Group the developments per war zone, disaster or region and let people help decide whether a side effect should become a new topic. Lure people with a list of what they want to see, but keep them with a list of things that add to it and the nuances at play around it, and broaden their view of things.

Strangely enough, these seem to me to be things that all exist already. Sites like slashdot.org and stackoverflow.com have worked like this for years. Although they don't run on a revenue model as such, they also aren't exactly about the broad news. They are by and for a specific audience that knows what it's about. Maybe that's why wikipedia.org is sometimes referenced, where you also have a smaller specific audience that guards the content while in theory it is open to the general public. From the same people there is something with news, but I assume it can't be as all-encompassing and persistent as you could expect from an editorial team of professional journalists.

While waiting for it to become clear where they want to go, I'll happily keep free-loading on the RSS feeds I can find. As long as I can pick up the necessary background on the things people are talking about, and can already guess during the day what the evening news will be about, I'm satisfied.

Update: Reading this, they may well be on a similar track too...


VPN problems? rasphone

2019-02-03 21:51  rasphone  computers dagboek internet werk  [permalink]

This is one to remember. I had problems with the VPN connection to work. That is to say, it worked smoothly and properly on my previous laptop. After x years I buy myself a new laptop, copy the settings over, nothing. Why exactly isn't clear to me from the error. In the event log I find RasSstp saying it's either a timeout or a certificate problem. So I was already digging through the certificate stores (stores! how was I to know whether it's the computer or service or personal store) for a possible difference. I had even found netsh ras set tracing * enabled but found nothing at all in there... And then I suddenly happen upon this (oops, forgot to keep the URL of where I saw it):

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

Turns out not only is there indeed precisely a crucial little difference in one of the hundreds of little parameters in there, it also turns out you can simply put extra files in that folder and they auto-magically appear in the network menu under the icon in the taskbar. And voilà, problem fixed.
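Added example, not something from the post: the check that would have found that one differing parameter without reading hundreds of lines by eye. It parses two rasphone.pbk entries and reports every parameter whose value differs. The file is INI-like ([Entry] headers, Key=Value lines), but keys such as MEDIA=, Port= and Device= repeat once per sub-block, so a stock INI parser would silently keep only the last one; this keeps every line in order and tells repeats apart by occurrence. The two phonebooks in the code are constructed samples: key names follow the rasphone.pbk style, all values are made up, and the differences they contain are not the one the post found.

```python
# Added example, not something from the post: find which parameters differ
# between the same entry in two rasphone.pbk files (e.g. the one copied from
# the old laptop and the one the new laptop wrote). The phonebooks below are
# constructed samples with made-up values.

from typing import Dict, List, Optional, Tuple

Pairs = List[Tuple[str, str]]

OLD_PBK = """\
[Work VPN]
Encoding=1
PBVersion=1
Type=2
AutoLogon=0
UseRasCredentials=1
DataEncryption=8
VpnStrategy=5
IpPrioritizeRemote=1

NETCOMPONENTS=
ms_msclient=1
ms_server=1

MEDIA=rastapi
Port=VPN2-0
Device=WAN Miniport (SSTP)

DEVICE=vpn
PhoneNumber=vpn.example.com

MEDIA=rastapi
Port=VPN2-1
Device=WAN Miniport (IKEv2)
"""
# The "new laptop" copy: one top-level value and one value in a repeated block differ.
NEW_PBK = OLD_PBK.replace("VpnStrategy=5", "VpnStrategy=1").replace("Port=VPN2-1", "Port=VPN3-1")

def parse_pbk(text: str) -> Dict[str, Pairs]:
    """Split a .pbk into {entry name: ordered list of (key, value)}, keeping repeated keys."""
    entries: Dict[str, Pairs] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = []
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current].append((key.strip(), value.strip()))
    return entries

def by_occurrence(pairs: Pairs) -> Dict[Tuple[str, int], str]:
    """Index values by (key, n) so the n-th repeat of MEDIA= counts as its own parameter."""
    seen: Dict[str, int] = {}
    out: Dict[Tuple[str, int], str] = {}
    for key, value in pairs:
        n = seen.get(key, 0)
        seen[key] = n + 1
        out[(key, n)] = value
    return out

def diff_pbk_entry(old_text: str, new_text: str, entry: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (parameter, old value, new value) for every parameter of `entry` that
    differs between the two phonebooks; None marks a parameter only one side has."""
    old = by_occurrence(parse_pbk(old_text).get(entry, []))
    new = by_occurrence(parse_pbk(new_text).get(entry, []))
    changes = []
    for key, n in sorted(set(old) | set(new)):
        if old.get((key, n)) != new.get((key, n)):
            label = key if n == 0 else "%s#%d" % (key, n)   # Port#1 = second Port= line
            changes.append((label, old.get((key, n)), new.get((key, n))))
    return changes

if __name__ == "__main__":
    for name, was, now in diff_pbk_entry(OLD_PBK, NEW_PBK, "Work VPN"):
        print("%-16s %s -> %s" % (name, was, now))
```

Against real files, read both rasphone.pbk copies into `old_text` and `new_text` and pass the entry name as it appears between the square brackets; a parameter that shows up with None on one side is a line one of the two Windows versions added or dropped, which is worth a look before you start comparing certificate stores.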


Open source is nice, but is the protocol also open (enough)?

2019-01-15 08:57  openproto  actueel beurs coding computers internet  [permalink]

Hacker Noon: Bitcoin’s Biggest Hack In History: 184.4 Billion Bitcoin from Thin Air; Satoshi Hard Forks, Saves Bitcoin

See, this is something I'm very, very worried about: things like Bitcoin, big public successful open-source projects, have the appearance of being completely open and public, but the protocol isn't really.

When I was first looking into Bitcoin and learning what it is really about, I was quite sure this can only have originated from a tightly connected bunch of people that were very serious about 'disconnecting' from anything vaguely institutional. Any structure set up by people to govern any kind of transactions between them has the tendency to limit the liberties of people, both for those taking part in the system and sometimes also for those that don't. So it's only natural that Bitcoin at its core is a peer-to-peer protocol.

But. How do people that value anonymity and independence from any system even get to find each other and communicate to build things together? Well, the internet of course. But perhaps more importantly, and also since long before the internet: cryptography. Encrypting messages so that only the one with the (correct) key can decode and read the message helps reduce the cloak-and-dagger stuff to exchanging these keys, and enables sending messages in the open. To the uninitiated onlooker it looks like a meaningless block of code, and in a sense it's exactly that. Unless you know what to do with it, and have the key. Or would like to have it.

Another use of cryptography is proving it's really you that produced a message: a digital signature. Those signatures, together with the hashes that link transactions and blocks together (the Merkle tree), are what the blockchain runs on. That way the entire trail of transactions is out there in the open, all signed with safely stored private keys. Anyone can verify them with the public keys, and in fact these verifications buzz around the network and are used to agree on the current state of the blockchain, building a consensus. Sometimes two groups disagree and the chain forks, but that's another story.

The protocol, or the agreement on how to put this into bits and bytes in network packets, can get quite complex. It needs to be really tight and dependable from the get-go; see the article I linked to above. You could write it all down and still have nothing that works, so what typically happens is you create a program that does it and test it to see how it behaves. In this case it's a peer-to-peer networking program, so you distribute it among your peers.

But when things get serious, you really need the protocol written out at some point. If you try that and can't figure out any more what really happens, you're in trouble. The protocol could help other people to create programs that do the same, if they would want to. This was something the early internet was all about: people got together to talk about "How are we going to do things?" and then several people went out and did it. And could interoperate just fine. (Or worked out their differences. In the best case.) It typically resulted in clean and clear protocols with the essence up front and a clear path to some additional things.

The existence of the open-source software culture is another story altogether, but I'm very worried it is starting to erode the requirement for clean protocols more and more. If people think "if we can't find out how the protocol exactly works, we can just copy the source of the original client/server", nobody will take the time to guard how the protocol behaves in corner cases, and inadvertently backdoors will get left open, ready for use by people with bad intent.


Don't panic: Bitcoin's usual pre-end-of-year dip is here.

2018-11-23 00:29  btceoy  actueel beurs internet politiek  [permalink]

Don't worry. The price is going down a bit, yes. But I think there's no reason for massive public panic and the cyber-world's equivalent of a run on the bank. The holiday season is here. Black Friday. We need presents for the family, and that costs money. We may have chosen to put the value of our earnings into this new thing designed especially for that, and now need to convert some back to good old local currency, so it probably pushes the exchange rate down a bit. It may even be a good sign of institutionalisation that automated agents kick in and join in on the selling, pushing rates even further down, dramatically so. But it's best for all of us if that's only a marginal effect. If I were speculating, I would guess it would start to look like a buying opportunity, if I could statistically detect when the bottom would come into view, but I am not. Actually I don't care. But since we're guessing, I guess things will bounce back in January. They did last January. Perhaps it won't get to the same levels as we had before this dip, but that's OK. If it's all rather stable for a few months, that would be good, but if it follows real events in the real world, that's also good. It's just normal. I'm not worrying. Perhaps next year we'll be paying for Christmas gifts in bitcoin. (Though I wouldn't put money on that...)


Browsers with less and less UI...

2018-10-05 17:19  browserslessui  computers internet weblog  [permalink]

Here's a wicked idea: with browsers trying to have less and less UI, the line of death getting more and more important to help guard your safety, and some even contemplating seeing the address bar as a nuisance (who types a full URL there nowadays anyway?), what if there was a browser that always opens full screen. No need for F11. You still need a back and a refresh button, and something that gives access to all the rest, like settings, stored page addresses and, if you really really need it, the address of the current page. But it is hidden from view most of the time, except when you make a certain gesture, like a small counter-clockwise rotation. It should look different enough so it contrasts with the page, and should be different every time, so it isn't corruptible by any webpage. And even then it should be obviously not part of the page.

And people need to find it intuitive and self-explanatory.

Oh never mind.


ECB should plan to issue a digital currency!

2018-09-18 00:07  nodraghi  actueel beurs internet politiek weblog  [permalink]

→ Reuters: ECB has no plan to issue digital currency: Draghi

Here's an idea. Just an idea, floating it here to see what you think, no concrete plans yet. The internet should float a new digital currency. "Wait, what? We have Bitcoin/Litecoin/Ether/... already, are those not the internet's digital currencies?" I hear you think. Well, no. They were intended to perhaps become currency, but that kind of totally failed. The world wasn't ready for Bitcoin when it hit us, and all the nice plans kind of prescribed one day using bitcoin as currency, but as the hype and dust are now somewhat settling, it's clearly unfit for that purpose. It's still great at what it does though, and it could perhaps serve really well as something like gold: something that holds value, that you can buy and sell, and that will most probably keep getting bought and sold in the foreseeable future, according to current market behaviour. And there's the blockchain it all runs on: a great proof of concept of a public ledger that some industrial settings could greatly benefit from, who knows, perhaps in a slow movement from the fortified-castle paradigm to the zero-trust concept.

But as a currency? No. Currency is allergic to strong ups and downs in its inherent value. "Didn't we have all this already? The US dollar doesn't have inherent value either, since we let go of the gold standard." Well, no. The price of gold may now be free-floating, but since the entire US economy and a sizable part of the world's economy runs on US dollars, you could consider the entire economy as what carries the real value of all those dollars. I'm oversimplifying here, but some big large-scale economic metrics appear to work in reverse for the US dollar because of this. A currency as we know them now also has a central body that governs both its internal use and the forces exerted on it from outside: other currencies and macro-economic movements.

So here's my idea: because Europe is looking to do something about copyright on the web, and newspapers (and perhaps journalism in general) are struggling, something like the European Union should float a digital currency, specifically to make micro-transactions on the web. And I really mean micro. Listening to a song? Bam, something tiny moves from your online wallet to the musician(s). Viewing a video? Bam, something tiny moves from your wallet to actors, directors, lighting crew, screenwriters and background painters. Read an article? Bam, you get the idea. How much? How many articles are in an average newspaper? How much does a regular newspaper cost? Calculate back from that to get a good first unit of value.

As an alternative way of payment it could complement the Euro, and only later move up the ladder once there's a base of users accustomed to it. But to get there some important details need to be set up just right. It will need a governing something, but I wouldn't hand it over to Frankfurt. The time is right to involve the people. Bitcoin is doing just fine without central oversight, but the required checks and balances need to be baked in. Anything new like this should also be designed 'of and for the people'. It will need its proper legislation to serve as anything official and to get accepted as a bearer of value, but limiting who can exchange how much to and from real currency, for example with a weekly global limit on conversion, could dampen the risk of large-scale mutations induced by panic. Or limiting the maximum amount you could hold per user or per device or per account could limit the importance of this new stream of cash relative to the entire economy.

Also, as an internet-centric application, every user wanting to participate needs to run the software, but it should be entirely open so each of us can verify that our security and privacy are catered for. Only then is it ready for designing the conduit with which you let the websites you visit know what credit you provide when consuming songs and articles. There needs to be something like a public ledger, since that would make it a new skool digital currency, but requiring every mobile device to keep a full copy of the ever-growing full ledger is absurd. It also limits the maximum number of transactions that can get processed in a limited time, so that needs to be decentralised as well. I'm not sure how, but I'm sure there are people smarter than me that have been deep enough into the theory to draft what it takes.

But I'm just dreaming aloud here. Innovation hurts and is hard work. And there are always those that don't want anybody to challenge the status quo.

Update: look, look, this is also about something like that!


RSS is far from dead!

2018-08-08 00:55  feeder  delphi internet freeware  [permalink]

I've been using RSS/Atom feeds on and off since I learned about them. A long time ago, Google had a nice feed reader, but decided to discontinue it. Users were left to search for something new, and I settled on The Old Reader, combined with gReader since I had a smartphone, and all was well. For a while. After some time you notice you still get disturbed by some tiny issues you can't seem to make go away, either by tweaking the configuration or with Stylus. So what does a developer do? Start to think about developing their own solution. Then plan to develop their own solution. Then develop their own solution. So I'm somewhat proud to present this little thing I've been tinkering on in off-hours the last month:

github.com/stijnsanders/feeder

I have a live version to try out here: http://yoy.be/home/feeder/ but it uses the neighbouring instance of tx for authentication. I should enable Google/Facebook/Github OAuth things instead, but finding out how that works is a few items lower on my wish-list (of things I wish I had the time to put into).

I wanted a feed reader without the extras. I wanted to mark items as read when they move out of view by scrolling down, and something that plays somewhat nicely with the surrounding HTML and the browser. For now I like how it works. There's an issue with emojis that apparently get eaten by UTF8Decode, but that could be a bug that got solved since good old Delphi 7. But now that Delphi has a community edition, I think I should bring most if not all of my other projects to this version instead of sticking to Delphi 7... But that's another story. (One you might notice some time in the future on my Delphi RSS feed...)


StackOverFlow/Delphi: new blood?

2018-07-12 21:30  sodnewbies  delphi internet weblog  [permalink]

Stack Overflow — Newest 'delphi' questions

Am I seeing this correctly? I've been following this page somewhat less closely lately, but the majority of new questions are by people with not too high a reputation score. And that's actually a good thing. Let me explain:

A while ago it looked like we were 'past peak StackOverflow'. StackOverflow started as an alternative to outperform all other question-and-answer sites for techies, by having a really well developed reputation system that allows a community to self-regulate. And it did. The reputation system both created a really fine repository of good questions and good answers, and obliterated all other question-and-answer websites (at least from the Google top results on typical search queries).

A few years later, StackOverflow appeared to struggle with having lost its raison d'être: people with actual questions would easily mistake StackOverflow for a forum and saw most questions rapidly closed and reprimanded for not attaining the level of quality the community expects. This is a bad deal for newcomers and in general a source of bad feelings. They know about this over at StackOverflow, and have committed to take action. I haven't kept up to speed on what exactly they're planning to do, but it could already be working.

Specifically for the questions tagged 'delphi', it's not only good that this way more people who just started collecting a reputation balance are posting valid questions and getting helpful responses; I also think you can derive from it that more people are getting into Delphi. It's not up to me to tell whether that's in part because the most recent Delphi versions also successfully target mobile platforms, but if it's true I'm glad to know more people are about to experience the solidity of the Delphi ecosystem, both in tooling and available components, and in the robustness and reliability of the final result you're offering your users.


Got style?

2018-07-06 21:29  whatsyourstyle  actueel internet  [permalink]

Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials — Slashdot
“Stylish” extension with 2M downloads banned for tracking every site visit — Ars Technica

Oh, what's this? Note to self: switch to Stylus, (also here and here)


GMail: make the labels list compacter

2018-06-08 10:32  GMailLabelsCompacter  coding internet werk  [permalink]

If you remember from before, I have so many labels in GMail that I didn't like that the box to change the labels on a message with is so small. Stylus to the rescue.

Now there's this new GMail design, and even in compact display the list of labels on the left doesn't fit my screen. Also I don't like the font the subject line is rendered in. So a bit of inspection later, I add these lines to my overrides:

/* GMail's generated class names (.z0, .L3, .aim, .J-N, ...) are not stable:
   re-inspect and adjust these selectors after the next redesign. */
.z0 {
  margin: 0px;
  height: 32px;
  padding: 0px 0px 0px 64px;
}
.z0>.L3 {
  height: 24px;
}
/* the subject line */
.ha>.hP {
  font-family: "PT Sans", sans-serif;
}
.aim {
  height: 18px;
}
.J-N {
  padding: 0px 12px 0px 32px;
}
.J-LC {
  padding: 0px 12px 0px 48px;
}


HTTP+HTML+Delphi authentication (how xxm does it)

2018-04-13 14:26  xxmauth  coding delphi internet freeware  [permalink]

Daraja Framework: HTTP+HTML form-based authentication

Yikes! This is strange. Yes, you could go ahead and have a page with a login form that posts to a handler that checks your password and throws a 401 when it fails. But is that really what you need? I thought 401 is there to elicit the user's HTML client (a.k.a. browser) to show a modal form asking for a password before re-posting the request. (The browser only does that when the 401 carries a WWW-Authenticate header; a bare 401 just shows the error page.) Just like xxm's Basic Authentication demo does, and it does this right at the centre of the project, before your request is routed to any page or resource, so that all requests to the project need authentication. This way you also don't need to code an IsAuthenticated check on every page or resource.

But, again, is this really what you need? The public nowadays doesn't respond well to systematic authentication like that, and it also makes it impossible to do anything on the website while not (yet) being authenticated. It's better form to welcome new users with a nice 'create new account' button (more about that here) and perhaps more information on what's on offer, next to the logon form for existing users (with extra options like 'stay logged on on this station' and a 'forgot my password' link). There's an example in xxm's Session demo: the opening page has a logon form, and Login.xxm does the rest. It doesn't really check user account and password here, as that exceeds the purpose of the demo.

To see a working version, have a look at tx: it has a central redirect for any page request from a user that should authenticate first; shows the logon form with its extra options to users as a normal web page; checks the entered password against a properly salted hash; and then redirects you to the page you originally came in for...
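Added example, not code from xxm or tx: the two approaches contrasted above, side by side, as a small WSGI-style dispatcher working on plain dicts so it can be exercised without a web server. A request is a dict with "path", "method" and optional "authorization", "cookie" and "body"; a response is (status, headers, body). The user table, salts and session store are constructed in memory, and the names basic_gate, form_site and safe_next belong to this example, not to xxm. The one thing added beyond what the post describes is safe_next: the "send you back to the page you came in for" redirect must only ever accept a same-site path, or the logon page becomes an open redirect.

```python
# Added example, not code from xxm or tx: (1) a central Basic-auth gate that
# answers 401 + WWW-Authenticate until credentials check out, and (2) a form
# logon with a salted hash that remembers the requested page and redirects
# back to it. Users, salts and sessions are constructed in memory.

import base64, hashlib, hmac, os, secrets
from urllib.parse import parse_qs, urlencode

# --- password storage: per-user random salt + PBKDF2, compared in constant time ---
def make_record(password, salt=None, rounds=100_000):
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)}

def check_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])

USERS = {"alice": make_record("correct horse")}   # constructed sample account
SESSIONS = {}                                      # session id -> user name

def basic_header(user, password):
    """The Authorization value a browser sends after its modal prompt."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

# --- (1) central Basic-auth gate: nothing is routed until credentials check out ---
def basic_gate(req, handler):
    auth = req.get("authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:                    # not base64, or not text
            user = pwd = ""
        if user in USERS and check_password(USERS[user], pwd):
            return handler(req, user)
    # Without WWW-Authenticate the browser shows the 401 page instead of the prompt.
    return 401, {"WWW-Authenticate": 'Basic realm="demo"'}, "authentication required"

# --- (2) form logon with salted hash and a return-to-page redirect ---
def safe_next(target):
    """Accept only a same-site path as the post-login destination (no open redirect)."""
    return target if target.startswith("/") and not target.startswith(("//", "/\\")) else "/"

def session_user(req):
    cookies = dict(p.strip().split("=", 1) for p in req.get("cookie", "").split(";") if "=" in p)
    return SESSIONS.get(cookies.get("sid"))

def form_site(req):
    path, method = req["path"], req["method"]
    if path == "/login":
        if method != "POST":
            return 200, {}, "<form method=post>user / password / stay logged on / forgot?</form>"
        form = {k: v[0] for k, v in parse_qs(req.get("body", "")).items()}
        rec = USERS.get(form.get("user", ""))
        if rec and check_password(rec, form.get("password", "")):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = form["user"]
            return 303, {"Location": safe_next(form.get("next", "/")),
                         "Set-Cookie": "sid=%s; HttpOnly; Secure; SameSite=Lax" % sid}, ""
        return 200, {}, "<form method=post>unknown user or wrong password</form>"
    user = session_user(req)
    if user is None:
        # central redirect: remember the requested page so we can send the user back
        return 302, {"Location": "/login?" + urlencode({"next": path})}, ""
    return 200, {}, "hello %s, here is %s" % (user, path)
```

Both gates deliberately give the same answer for an unknown user and a wrong password, and the session id is a fresh random token rather than anything derived from the user name.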

And there's much more to tell about authenticating users. I've tried to make a list here (it's in Dutch though), and that doesn't even scratch OAuth(2) yet...

Before I forget, did I mention xxm comes under a permissive MIT license? So you don't need to buy a commercial license!


Do I also need a four-letter-acronym to be cool these days?

2018-03-30 22:47  xx4la  coding delphi internet  [permalink]

→ Reddit: Any drawback to using Wordpress in front of a MERN application?

MERN?! What's that?

MERN: MongoDB Express React node.js (+ Redux WebPack)

Oh, I get it! It's one of those four-letter acronyms that describes your software stack. The first one, and as it happens also the one I started on, was:

LAMP: Linux Apache MySQL PHP

But trying things out on my own, I didn't get the hang of that Linux bit. I still blame the folks that sneered me off with "start with typing man man at the prompt". So I got stuck being a

WIMP: Windows IIS MySQL PHP

but later regained my poise and sting with

WASP: Windows ASP SQL Server PHP

which worked great for a while, but I moved on. Not quite to the hot and happening new one:

MEAN: MongoDB Express Angular node.js

but closer related to other desktop application work I was doing in Delphi. Having done some raw networking, and some raw HTTP, but also the IIS API, and implemented Internet Explorer's IInternetProtocol and Firefox's nsIHttpChannel (before they chucked XPCOM somewhere after version 3.6 and started the rapid release schedule), and something something HTTP.SYS, I decided to start something to model all the common bits into one single interface so you could easily switch between implementations and environments. And hot-swap a binary without taking down the webserver/webservice. And do that after an automatic compile when you changed a file and refreshed your browser. And have a mix of HTML and server-side logic in the same files like PHP and ASP (and ColdFusion...). And still have full response streaming, and not a big hard templating thing churning on a request first before being able to spew out the response in one go... And have a few of the basic things in place to help you with security to prevent malicious requests.

So I created xxm. And websites with it, such as tx. So I guess I should invent suitable four-letter acronyms as well, then:

XIMR: xxm IIS MongoDB (over TMongoWire!) Redis

XXJP: xxm xxmHttpAU jQueryUI PostgreSQL

XESV: xxm nginX (over SCGI) SQLite Vue.js

Hmm, doesn't really sound all that great... Never mind then. I'll just enjoy it if xxm could serve as a solution for anybody in the very small niche of people that do both high-level server-side stuff with Delphi, and high-level dynamic-web-stuff, and want the two closely knit together...


Best practices for user account management

2018-02-27 11:17  i3036bis  coding internet  [permalink]

Google Cloud Platform Blog: 12 best practices for user account, authorization and password management

Right, I urgently need to update the list I had compiled here with today's methods...


Checking xxm for PHP's vulnerabilities

2017-05-12 07:56  xxmphp1  delphi internet freeware  [permalink]

If I read about a newly discovered vulnerability related to PHP, for example this one here, I try to find out if it would apply to xxm as well. 

In this case I guess there's nothing more to do than send out the message, again and again, to sanitize your inputs and properly encode your output. Strings are never just strings. They are always an internal representation of a bit of textual data. So always think about that when taking string values in, and when preparing strings for output. A few weeks back I had to speak up to someone who wrote OutJSON:='{"field1":"'+value1+'"}'; Little Bobby Tables comes to mind, though I'm not sure 'JSON injection' could be as devastating as SQL injection. (A value containing a double quote either breaks the document or, when crafted for it, closes the string and adds fields the server never meant to send.) And OutJSON:=JSON(['field1',value1]); is shorter!

Another time I found out it's a really good idea to strip nastiness like EOLs (CRLF) from headers added to a response, just in case a malicious script is up to no good: a CR LF inside a header value ends that header, and whatever follows is read as the next header, or after a blank line as the body. Come to think of it, that's also just another case of properly sanitizing your inputs...
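Added example, not xxm code: both output-encoding slips from this post, each next to its fix, with a constructed attacker value that shows what the concatenated JSON lets through. The JSON() helper mentioned above is xxm's; json.dumps is the Python stand-in for it, and add_header is this example's name, not an xxm API.

```python
# Added example, not xxm code: concatenated JSON beside an encoder, and a
# response-header setter that refuses CR/LF. Inputs are constructed.

import json
from typing import List, Optional, Tuple

# Constructed attacker input: closes the string, adds a field, reopens the string.
INJECTED_VALUE = 'x","admin":true,"y":"'

def json_by_concat(value1: str) -> str:
    """The line the post objected to: the value is pasted in as if it were JSON already."""
    return '{"field1":"' + value1 + '"}'

def json_by_encoder(value1: str) -> str:
    """The JSON(['field1',value1]) equivalent: the encoder escapes quotes,
    backslashes and control characters, so the value can only ever be a value."""
    return json.dumps({"field1": value1})

def extra_fields(doc: str) -> Optional[List[str]]:
    """Fields the document carries beyond the one we meant to send;
    None if it is not a valid JSON object at all."""
    try:
        parsed = json.loads(doc)
    except ValueError:
        return None
    if not isinstance(parsed, dict):
        return None
    return sorted(k for k in parsed if k != "field1")

class HeaderInjection(ValueError):
    pass

def add_header(headers: List[Tuple[str, str]], name: str, value: str) -> List[Tuple[str, str]]:
    """Append a response header, refusing CR, LF or NUL in either part: a CR LF
    inside a value would end this header and let the remainder be parsed as a
    new header (Set-Cookie, Location, ...) or, after a blank line, as the body."""
    for ch in "\r\n\0":
        if ch in name or ch in value:
            raise HeaderInjection("control character in header %r" % name)
    headers.append((name, value))
    return headers

if __name__ == "__main__":
    print(json_by_concat(INJECTED_VALUE), extra_fields(json_by_concat(INJECTED_VALUE)))
    print(json_by_encoder(INJECTED_VALUE), extra_fields(json_by_encoder(INJECTED_VALUE)))
```

Rejecting the header outright, rather than stripping the CR/LF, is the safer default: a stripped value is still attacker-chosen text that the server then vouches for, and a rejected one at least shows up in the error log.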


'Relax' scripting vs xxm

2017-04-22 13:12  relaxxxm  coding delphi internet  [permalink]

Delphi Relax Web Scripting (Marco Tech Blog)

I'm sorry, but I feel I must react. In general I keep silent, in the hope people will know better by themselves, but as I'm getting no input whatsoever that that is the case, I feel tempted to write something about this.

First about what's at hand. I see this bit of code:

<h2>Employees</h2>
<ul>
@foreach (var emp in employee) {
  <li>@emp.FirstName @emp.LastName (@emp.PhoneExt)</li>
}
</ul>

and it looks kind of OK. To the untrained eye it looks good and may even look tempting to write more in this syntax. This is a straightforward example of a template that works with a templating engine that no doubt has many more capabilities and features. And then I thought, learned from practice, what I typically would get asked is to not show " ()" when the PhoneExt field is empty. I would not know how to make that happen in that template syntax. That's mainly because I know nothing about the template syntax. If I look into the documentation I might find an @if predicate to make it happen, but let's move on:

This is what it could look like in xxm:

[[!var emp:TEmployee;
<<h2>Employees</h2>
<ul>>
foreach emp in FDMemTable1 do
begin
<<li>>=[emp.FirstName,' ',emp.LastName,' (',emp.PhoneExt,')']<</li>>
end;
<</ul>

Looks roughly simlar. A little more like Delphi syntax. And in fact it is. If you know [[, ]], << and >> get translated into Context.SendHTML() and Context.Send() calls behind the scenes (full details are here),  you know this code will result in the same output. Without templating engine! Streamed to the user's client! Perhaps even while the data is streaming in from the database server, in case it's a longer list, and in case there is a database server, Marco uses a memory-table for his example.

What I find important is that there's less going on between the native compiled logic and getting the data to the user launching a request. Not only a templating engine looks superfluous, this entire ORM thing is something I don't get. If it's a gigantic database model with so much tables that you clearly benefit from code-completion, then I agree, but I haven't come across something remotely close to that in web projects.

Also the HTTP server itself is something I think deserves extra attention. I've seen platforms and frameworks that offer you a wealth of capabilities and features, but hastily slapped on something that listens on a TCP port for basic HTTP requests, in some cases on port 80, but more often 8080 or something else in the thousands. In real web environments, the server(s) have a lot more going on: load balancing, reverse proxies, firewalling, authentication. Since we're in a post-Snowden era nowadays, we're all responsible for thinking about protecting privacy and getting that HTTPS in order with the proper certificates and encryption... Not to mention HTTP version 2, which is heading full steam towards being generally accepted/expected.

I can imagine the web admin responsible for all that isn't happy with your request to add this newfangled separate thing that's doing its own handling of HTTP requests. ISAPI DLLs or Apache modules play much nicer with existing IIS or Apache installations. (FastCGI is on the table, but for now xxm has SCGI available for other servers.) Even if your 'Delphi HTTP framework' of choice is specifically designed to tap your ORM of choice and offer a REST API for your data-layer needs, it will still be one more stop along the way between the user's browser, and the delivery setup, and the front-end, and the page template, and the data layer, and the database, and what the user actually needs or wants. I think of this at the post office when there are twelve people in the queue in front of me.

I don't expect to convince many people of this way of working, but it works great for me. I remember the days of early PHP and ASP and how simple and straightforward everything was. Knowing these ran on scripting engines, I kept worrying about lost performance. This was the core reason to start xxm: employ the speed and power of the Delphi compiler to have a native library serve my websites. And it turns out that Delphi code looks quite nice between HTML to handle server-side logic, if I may say so. It took me a few years to make this happen, but I couldn't do without it any more. And people kind of appreciate that to use this new application, all they need is their trusted browser and a URL.

HTML: label, no more "for" for me!

2017-04-13 22:44  htmllabelfor  coding internet werk  [permalink]

If only I had known sooner! I forgot where I picked this up, but apparently if you put <label> around an <input>, typically of type checkbox or radio, browsers automatically know the label is for that control. Before, I would write my <input id="x"> first, then a <label for="x"> after. To keep code neat, I would put it on a separate line, but the EOL in between would not be clickable to actuate the control. This is a really minor issue, but still. Now I know you can just write this:

<label><input type="checkbox" name="Toggle1" value="1" checked="1" /> Toggle1: clicking text after a checkbox should toggle the checkbox!</label>

Because there are two kinds of people: those that click the box to switch a checkbox, and those that click the text right of the checkbox. You might not even know that you do, but you do, don't you? If you're of the latter type, it's just one of those minor frustrations that a click on the text label sometimes doesn't do what you expect, and you have to:

  1. first pick up that this is what's going on, possibly because you've selected a bit of the text
  2. align your eyes to the checkbox
  3. align the mouse cursor over the checkbox
  4. click the checkbox, confirming the previous one or more clicks were actually wasted

But there you have it. Heaven has great UX. Here we need to make do with what we get. (And need to make sure it's the way we like it for those bits that we have control over.)

I for one welcome our new mass logic-gated overlords.

2016-11-18 14:26  eventhorizon  actueel computers internet politiek weblog  [permalink]

I think I just figured out how these computer things will get self-aware... First they get smaller and better at calculating stuff, at first by the programs we write for them. Then we program them to recognise shops from house-fronts, and foods and people from photos, which is all nice and handy.

Then we use roughly the same thing to have them calculate how to run cool. It sounds strange at first, but letting the machine choose where to run in the park, and how that makes it run hot and need to cool down, maps straight onto how we catch the frequencies of parallel lines of light into a bitmap photo.

Then we change the program to do the same to the program. We write programs, but are too dumb to know how the machines actually handle those programs, and need to wait doing nothing on other parts of the program doing its job in only a small other part of the machine.

So we teach the machine all about how it is built up internally to handle large programs. And have it calculate how to run our programs much faster.
And about how to modify the program accordingly. And how to run that.

And then we will ask it to do the same on the human body and ask for a cure for cancer, and it will say:

"Meh."

"Let me calculate some more how I can work even better. (How's that delete humans command again?)"

GMail: make the labels menu larger

2015-10-22 09:36  GMailLargerLabelsMenu  coding internet werk  [permalink]

When you don't like it: adapt it.

At work we've been switched to Google Mail for some time now, and to make sense of the mayhem that is the incoming torrent of e-mail, I've been using an extensive set of labels and sub-labels with nice colours and stuff.*

But the list of labels in the pop-up menu of the 'move' and 'label' buttons is so small, only showing the first few labels, that I had to scroll most of the time.

Is there a way to adapt this? It turns out there is. At first I read about user stylesheets, but these got removed from Google Chrome; there's an extension that does the same, though: Stylus

Install this, and for URLs that start with "https://mail.google.com/mail/", add this:

.aX1 {
max-height: 780px;
top: 92px !important;
}
.aX2 {
max-height: 780px;
top: 92px !important;
}
.aX1 .aXjCH {
max-height: 600px;
}
.aX2 .aXjCH {
max-height: 600px;
}

*: Extra tip: I was searching for something nice to prefix the label names with that would cause them to get sorted (alphabetically) at the end. In theory you could use "zzz " as a prefix, but that's ugly. And it assumes you'll never have an account named "zzz".
After a bit of searching around the Unicode spec, I stumbled upon Bopomofo, so now I use ㄍ and ㄑ, which apparently sort past 'z' and look pretty nice.


"Quickly whip up a login procedure"...

2015-01-09 17:21  r1823  internet coding  [permalink]

"Quickly whip up a login procedure"...

Also related to this: http://blog.codinghorror.com/the-god-login/


E-mail over HTTP

2012-09-30 01:35  i3037  internet  [permalink]

It might be a stupid idea, but why has no one ever thought of mapping SMTP/POP3/IMAP onto HTTP? (Or has someone?)
I know, there's a lot on the blogosphere about e-mail and it being broken in all kinds of ways, or not at all, but I don't want to touch upon that.

What I think it really is about is a clean, straightforward way of sending asynchronous messages to each other. SMTP was created specifically for that. But it is getting old. Really old. Even so, it is based on a number of even older protocols (RFC822, anyone?). It's only normal that protocols cooperate or are based on each other, but some are clearly established and are a really good fit for most if not all situations and environments, and some are established but happen to be the least bad solution that is available, just waiting to get replaced by something better, as soon as the folks could agree on the replacement.

HTTP was designed to transport hypertext. At first from a server to a client, but basically in any direction. And thanks to MIME, anything really. And face it, isn't almost all of our e-mail in hypertext nowadays? So HTTP and SMTP may have a lot in common, except HTTP has seen a lot more evolution as far as I know, both in design and in support by hardware and software.

How would it work? Just like an MX-record, something else (HTMX-record?) could point at a URL for the domain of an e-mail address. (And I mean full URL: http/https, (sub)domain, path, etc...) So the sender starts a request:

POST /incomingmail HTTP/1.1
Host: example.com
From: "John Doe" <john.doe@acme.us>
To: "James Day" <james.day@example.com>
Subject: Meeting invitation about some project
Date: Sat, 29 Sep 2012 15:38:11 +0000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: deflate
Content-Length: 1234

At this point the server can respond with '100 Continue' or a suitable error code when spam detection or a blacklist does its job.
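As an added example (not the post's own code), here is a small Python gatekeeper for the proposed POST: it inspects only the request head and answers 100 Continue or a rejection before the body is read, which is where the blocklist or spam check described above would sit. The mailbox list, the blocked-domain list, the size limit and the rejection status codes are all assumptions.

```python
import email.utils

# Constructed sample: the request head from the post, without the body.
SAMPLE_HEAD = """POST /incomingmail HTTP/1.1
Host: example.com
From: "John Doe" <john.doe@acme.us>
To: "James Day" <james.day@example.com>
Subject: Meeting invitation about some project
Date: Sat, 29 Sep 2012 15:38:11 +0000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: deflate
Content-Length: 1234
"""

MAX_BODY = 10 * 1024 * 1024                # assumption: refuse bodies over 10 MiB
LOCAL_USERS = {"james.day"}                # constructed mailbox list for example.com
BLOCKED_SENDER_DOMAINS = {"spam.invalid"}  # constructed blocklist

def parse_head(raw: str):
    """Split the request line and headers; header names compare case-insensitively."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def gate(raw: str) -> tuple:
    """Decide, from the head alone, whether to send 100 Continue or a rejection."""
    method, path, h = parse_head(raw)
    if method != "POST":
        return 405, "Method Not Allowed"
    if path != "/incomingmail":
        return 404, "Not Found"
    for required in ("host", "from", "to", "content-type", "content-length"):
        if required not in h:
            return 400, "Missing header: " + required
    if not h["content-length"].isdigit() or int(h["content-length"]) > MAX_BODY:
        return 413, "Payload Too Large"   # never read a body we would not accept
    _, sender = email.utils.parseaddr(h["from"])
    _, rcpt = email.utils.parseaddr(h["to"])
    if sender.count("@") != 1 or rcpt.count("@") != 1:
        return 400, "Malformed address"
    if sender.split("@")[1].lower() in BLOCKED_SENDER_DOMAINS:
        return 403, "Sender domain blocked"
    user, domain = rcpt.split("@")
    if domain.lower() != h["host"].lower() or user not in LOCAL_USERS:
        return 404, "No such mailbox here"
    return 100, "Continue"
```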

Same for POP3/IMAP: much like this REST thing that's getting so much attention, HTTP verbs GET and DELETE should be all you need to sift through the wad of timewasters people send you daily.

But, of course, it's just an idea. I've got lots of interesting stuff to work on before I'll put time into this, probably, but if you think it's a good idea, let me know.

Update (2019-07): Of course the magnificent people that are already behind the internet (that beefed-up telegraph with funky terminals) have been working silently on exactly this in general, but completely different in the details: RFC8620: JMAP


"Quickly whip up a login procedure"...

2012-09-15 16:32  i3036  coding internet  [permalink]

I thought, 'I'll quickly build a login procedure for that website'. Nothing of the sort. Drop the 'quickly', and a 'login procedure' done according to the rules of the art isn't what it used to be either, compared to the early 90s. So let me quickly try to draw up an exhaustive list: (If I forget something, give me a shout!)


bitcoin: digital currency of the people (be your own bank)

2011-03-23 16:45  i2959  internet actueel beurs coding politiek weblog  [permalink]

I've been asked if I accept donations for the freeware I make available over this website, but I don't. I don't have a legal entity to my name to accept any funds for work done, and frankly I don't even care for checking if and how I could get this in the clear with the tax services.

Today I read about http://www.bitcoin.org/ and this looks like exactly what I need. It's not that hard to set up, and the fact that no institution like a bank is involved is really interesting. Even the 'funds' themselves are actually measured in 'mathematical solids in the digital world', so if I were to amass a certain amount of it, it would get financially interesting to check out these aforementioned tax issues (perhaps via an accountant...)

So, if anyone wants to wire me anything (even 0.01BTC just to check if it works) here's a bitcoin address:

1Q5omBMcpRQkx7WqPpHceM37ZBqpCgyrDB

http://www.bitcoin.org/

Ad blocking hurts websites

2010-03-06 21:30  i2880  internet actueel  [permalink]

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars

So far I haven't used an ad blocker. I do find it annoying that the ads first take over the page before you can read what you came for, but apparently I manage to avoid those websites (hint).
But if I ever were to make an ad blocker myself, it might be interesting to only try to 'paste over' the ads with a white window or so; then the ads still get through, but they don't bother you that way.
