HTML Tip #1: Subjects in Mailto Links

Tuesday, May 9th, 2006

This tip is dedicated to all the W3C working groups that keep writing things like “you may send your comments to the W3C XSLT/XPath/XQuery mailing list, public-qt-comments@w3.org. It will be very helpful if you include the string [UPD] in the subject line of your comment, whether made in Bugzilla or in email” in their drafts. I’ve gotten tired of making the following suggestion to each and every working group, so let me publish it here publicly for all to see.

It is easy to code a mailto link such that the subject line you’d like correspondents to use appears automatically in their mail client. That way they don’t have to waste time typing it, and you don’t get so many messages where the correspondent forgets to put the magic keyword in the subject line. Here’s how:
(more…)
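The full recipe is behind the cut, so here is an added example (mine, not the post’s own HTML) that builds such a link for the list quoted above. It assumes the address public-qt-comments@w3.org and the “[UPD]” keyword from the working group’s text; the helper names mailto_href and mailto_anchor and the subject wording are illustrative. The two points worth getting right are that the subject has to be percent-encoded inside the URL (so square brackets, spaces, ampersands and line breaks cannot be mistaken for URL structure or for the start of another header field) and that the `&` separating header fields has to be written as `&amp;` once the URL sits inside an HTML attribute.

```python
from html import escape
from urllib.parse import quote

# Constructed example values: the list address is the one quoted in the post, the
# subject and link text are illustrative.
LIST_ADDRESS = "public-qt-comments@w3.org"


def mailto_href(address: str, subject=None, body=None) -> str:
    """Build a mailto: URL with percent-encoded header fields (RFC 6068 syntax).

    quote(..., safe="") encodes everything except unreserved characters, so
    '[', ']', spaces, '&', '?' and CR/LF in the subject come out as %5B, %5D,
    %20, %26, %3F and %0D%0A instead of being read as URL delimiters.
    """
    href = "mailto:" + quote(address, safe="@")
    fields = []
    if subject is not None:
        fields.append("subject=" + quote(subject, safe=""))
    if body is not None:
        fields.append("body=" + quote(body, safe=""))
    if fields:
        href += "?" + "&".join(fields)
    return href


def mailto_anchor(address: str, link_text: str, subject=None, body=None) -> str:
    """Wrap the URL in an <a> element.

    The '&' separating hname=hvalue pairs must appear as &amp; inside an HTML
    attribute, and the visible link text needs HTML escaping of its own;
    escape(..., quote=True) covers both.
    """
    href = escape(mailto_href(address, subject, body), quote=True)
    return f'<a href="{href}">{escape(link_text)}</a>'


if __name__ == "__main__":
    print(mailto_anchor(LIST_ADDRESS, "send a comment",
                        subject="[UPD] Comment on the XQuery Update draft"))
```

The printed anchor opens the reader’s mail client with the list address filled in and the subject already starting with “[UPD]”; whether a given client honours the subject field is up to the client, so the keyword is still worth mentioning in the prose as the working groups do.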

Put The Login on the Front Page

Tuesday, May 9th, 2006

What’s more important? Attracting new customers or keeping the ones you’ve got? Almost any sales text will tell you that it is far, far easier to keep an existing customer than it is to recruit a new one. In fact the cost of attracting a new customer can be measured. The exact cost varies depending on what it is you’re selling and what industry you’re in, but you usually don’t even make your money back until the third or fourth sale, especially on relatively low-priced consumer goods.

Given this simple fact of business, you’d think that online businesses would do everything they could to make life easy for their existing customers, especially when they can do so at almost zero cost. You might think that, but sadly you’d be wrong. I remain amazed at sites that manage to recruit customers and retain them for multiple transactions but still can’t do one simple thing to make these customers’ lives easier:

Put the login on the home page.
(more…)

REST is like Quantum Mechanics

Sunday, April 23rd, 2006

A resource is identified by URI and may emit representations. There’s no way to tell from the representations what the resource “is”; I tend to believe a resource is what its publisher says it is as a good rule of thumb. But it doesn’t affect the software very much.

–Tim Bray on the xml-dev mailing list, Wednesday, 23 Jul 2003

REST is like Quantum Mechanics; or, more specifically, resources are like atoms (and I do mean atoms, not ATOMs). In quantum mechanics you cannot actually say what an atom is, where it is, or how fast it is moving. You can only predict how it will respond to certain experiments, and then only in a probabilistic fashion. As soon as you try to figure out what the wave function actually represents, well then you fall down a sink hole of bad physics and worse philosophy.

Resources are the same. When designing RESTful systems, you never see the resources. All you see is the URL and the representation of the resource the URL provides. What resource does the URL identify? Who knows? The only way to reason about it is through the Copenhagen interpretation.
(more…)

Another Major Security Hole in WordPress

Friday, April 21st, 2006

In the ongoing discussion about check_admin_referer, and how CSRF attacks can be used to trick administrators into deleting posts from their blogs, I missed another attack suggested by Paul Mitchell. This attack only affects blogs that allow users to register and submit drafts. However, for those sites it’s a nuclear attack.
(more…)

Major Security Hole in WordPress? Turning off Comments

Wednesday, April 19th, 2006

Recent discussion on the wp-hackers mailing list has convinced me that there is a major security hole in all recent versions of WordPress that enables an attacker to delete posts. The vector for this attack seems to be including certain links in comments which are then viewed or modified by the administrator. I don’t fully understand the claimed attack yet, but it seems plausible, and Brian Layman says he has a proof of concept. I hope I’m wrong about this, but in case I’m not I’ve temporarily disabled comments on this and my other WordPress hosted blog.
(more…)
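The two WordPress posts above describe the same class of problem: a link planted in a comment is loaded by the administrator’s browser, which sends the admin’s cookie along with it, and a state-changing request succeeds without the admin ever meaning to make it. As an added illustration, not code from WordPress or from the posts, here is a minimal pair of delete handlers in Python: one that deletes on any authenticated GET, and one that requires a POST carrying a token bound to the admin’s session and to the exact action. The handler names, the request dictionary shape, the SECRET_KEY and the sample requests are all constructed for the demo; the nonce scheme is a generic HMAC construction, not a description of what check_admin_referer did at the time, which the excerpts do not spell out.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; a real site loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)


def make_nonce(session_id: str, action: str) -> str:
    """Derive a token tied to one session and one action. Only the server holds
    SECRET_KEY, so a page served from another origin cannot embed a valid one."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_nonce(session_id: str, action: str, nonce: str) -> bool:
    return hmac.compare_digest(make_nonce(session_id, action), nonce)


def delete_post_vulnerable(request: dict, posts: dict) -> int:
    """Deletes whenever the browser presents admin credentials. Any link or <img>
    the admin's browser fetches, including one planted in a comment, fires this."""
    if not request["is_admin"]:
        return 403
    post_id = int(request["params"]["post"])
    posts.pop(post_id, None)
    return 200


def delete_post_hardened(request: dict, posts: dict) -> int:
    """Requires POST plus a nonce bound to the admin's session and to this post."""
    if not request["is_admin"]:
        return 403
    if request["method"] != "POST":
        return 405  # a GET must never change state; an <img> can only issue a GET
    post_id = int(request["params"]["post"])
    nonce = request["params"].get("_nonce", "")
    if not verify_nonce(request["session_id"], f"delete-post-{post_id}", nonce):
        return 403
    posts.pop(post_id, None)
    return 200


def simulate() -> dict:
    """Replay forged and legitimate requests against both handlers.
    Returns {name: (http_status, post_7_still_present)}."""
    session = "admin-session-cookie"
    # Constructed forged request: what the admin's browser sends after rendering a
    # comment containing <img src="/wp-admin/post.php?action=delete&post=7">.
    forged = {"is_admin": True, "method": "GET", "session_id": session,
              "params": {"action": "delete", "post": "7"}}
    # Constructed legitimate request: the admin submitted the site's own delete
    # form, which carried a nonce the server minted for this session and post.
    legit = {"is_admin": True, "method": "POST", "session_id": session,
             "params": {"action": "delete", "post": "7",
                        "_nonce": make_nonce(session, "delete-post-7")}}
    # A nonce minted for a different session (or copied from someone else's page).
    wrong_session = dict(legit, params=dict(legit["params"],
                                            _nonce=make_nonce("other-session", "delete-post-7")))

    results = {}
    for name, handler, req in [
        ("vulnerable_forged", delete_post_vulnerable, forged),
        ("hardened_forged", delete_post_hardened, forged),
        ("hardened_legit", delete_post_hardened, legit),
        ("hardened_wrong_session", delete_post_hardened, wrong_session),
    ]:
        posts = {7: "draft"}
        results[name] = (handler(req, posts), 7 in posts)
    return results


if __name__ == "__main__":
    for name, (status, present) in simulate().items():
        print(f"{name}: HTTP {status}, post 7 still present: {present}")
```

The forged request is indistinguishable from a real one at the cookie level, which is why the vulnerable handler cannot tell them apart; the hardened handler rejects it first on method and, if an attacker could somehow provoke a POST, on the missing nonce. Checking the Referer header instead is weaker, since browsers and proxies may strip it and a missing header then has to be treated as either a false positive or an open door.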