Sharovatov’s Weblog

moving to github

Posted in no category by sharovatov on 5 January 2013

This is the last post here as I’m moving to http://sharovatov.github.com/ and all future content will only appear there.

It’s much easier to blog with static site generators like docpad because you control everything and can embed any content plus static resources are perfectly cacheable.

And what’s even more important – it makes more sense to me that blogposts (which are in essence static content) are served statically and are also managed by a DVCS.

Opera Unite is dead

Posted in no category by sharovatov on 22 October 2012

So it turns out I was right in my earlier blogpost about Opera’s so-called “web revolution” and “reinventing the web” marketing bluff – it was a dead end right from the start.

As officially noted on the Opera blog, Opera Unite has been discontinued from the 24th April 2012 with Opera 12 release. Not a big surprise at all.

Installing Opera Mini emulator locally

Posted in no category by sharovatov on 17 October 2012

If I remember correctly, Opera website earlier had instructions on how to use Opera Mini on the desktop, but now they are either gone or unreachable. So here’s a simple set of instructions to get Opera Mini running in a JVM emulator.

  1. make sure that JRE is installed
  2. download the latest microemulator and unzip it somewhere
  3. download Opera Mini jars:
  4. run microemu: java -jar microemulator.jar
  5. Make sure Options->MIDlet network access is checked so that your emulator will have access to the network
  6. Select Options->Select device and choose “Resizable device” and set it as a default – this will allow you to resize your emulator to any width you like
  7. Select File->Open midlet, locate mini.jar and select it

However, this setup is only useful to see how your website looks in Opera Mini, and is certainly not a proper development environment. For instance, I couldn’t find a way to inspect what’s being transferred over the network – and even if I did, I’d obviously only see Opera’s OBML traffic between the jar and Opera’s servers and nothing more.

The only useful thing hiding in Opera Mini is server:source.

Basically, if you want to view the source of the page, you can type in server:source in the address bar while viewing a website and you’ll get an awfully-rendered page source (note that this will not be OBML, but rather the original page source that Opera’s servers got from the URL you specified). And if you want to inspect the source on your desktop rather than on the small emulator screen, you can ask Opera’s servers to post the source to a URL by specifying server:source?post=http://youraddress/script and three values will be POSTed to the URL provided:

  • html – the original page source
  • host – the HTTP host field value
  • URL – the URL that was fetched

iframe height auto-resize

Posted in no category by sharovatov on 24 January 2012

If you have a page with an iframe in it, and the iframe viewport height changes, the browser adds scrollbars to the iframe.

Sometimes it’s ok, but when you need your iframe to “expand” automatically on the host page, you have to change the iframe object height style property. And it’s dead easy when both iframe and the host page are from same origin – you just talk to parent window from the iframe and make it set the object height.

However, when the cross-origin security model applies, everything gets more interesting, and you’re pretty much limited to CDM (cross-document messaging, i.e. postMessage), window.name and location.hash transports.

So the proper approach would be to use CDM with a fallback to location.hash – newer browsers (IE8+ and current Firefox, Opera, Safari and Chrome) support postMessage, older versions will fall back to setting parent page location.hash property and on the parent page – interval polling for changes.

Here’s a basic working sample implementing this approach and here’s the code for it:

Please note that in this sample no origin check is done for the message on the parent page and the message is sent from the client page to * origin. This might be a serious security breach since the parent page will process a message sent from any page, but in my case it’s OK because the worst thing that can happen is that the iframe height will change. Please don’t use this as a universal solution for cross-iframe communication – there’re plenty of plugins and libraries that do it properly. I built it this way just to fit my exact needs – i.e. change height of the iframe object on a parent page.
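A parent-page handler that does the origin check this sample skips, as an added example (not the code of the original sample). The origins, the iframe id and the "height:<n>" message format are assumptions.

```javascript
// Added example: parent-page side of the iframe auto-resize, with origin and
// payload validation. All names and values below are assumptions.
const TRUSTED_ORIGIN = 'https://widgets.example.com'; // hypothetical iframe origin
const MIN_HEIGHT = 50;     // px, arbitrary sanity bounds
const MAX_HEIGHT = 10000;

function clamp(n) {
  return Math.min(MAX_HEIGHT, Math.max(MIN_HEIGHT, n));
}

// Returns a safe pixel height, or null if the message must be ignored.
function heightFromMessage(event, trustedOrigin) {
  // 1. Exact string match on the sender's origin; no prefix or substring tests.
  if (event.origin !== trustedOrigin) return null;
  // 2. Accept only the one message shape we expect: "height:<digits>".
  if (typeof event.data !== 'string') return null;
  const m = /^height:(\d{1,5})$/.exec(event.data);
  if (!m) return null;
  // 3. Clamp, so even the trusted page cannot break the host layout.
  return clamp(parseInt(m[1], 10));
}

// Same validation for the location.hash fallback used by old browsers.
// A hash carries no sender origin, so it is only ever treated as a number.
function heightFromHash(hash) {
  const m = /^#height:(\d{1,5})$/.exec(hash);
  return m ? clamp(parseInt(m[1], 10)) : null;
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('child-frame'); // hypothetical id
  window.addEventListener('message', function (event) {
    // Also require that the message came from our own iframe's window.
    if (!frame || event.source !== frame.contentWindow) return;
    const h = heightFromMessage(event, TRUSTED_ORIGIN);
    if (h !== null) frame.style.height = h + 'px';
  });
}

// Child page side: name the parent's origin instead of "*", e.g.
//   parent.postMessage('height:' + document.body.scrollHeight,
//                      'https://host.example.com'); // hypothetical parent origin
```

IE8 has postMessage but no addEventListener, so there the listener has to be registered with attachEvent('onmessage', ...).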


X-FRAME-OPTIONS

Posted in no category by sharovatov on 22 January 2012

The X-FRAME-OPTIONS HTTP header, invented by Microsoft for IE8, provides an easy way to work around the Clickjacking security issue (see this great paper for even more details). The main article explaining how X-FRAME-OPTIONS works is this: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Basically, here’s what behaviour you get with different X-FRAME-OPTIONS values:

  • DENY – browser will not render the iframe contents in any case
  • SAMEORIGIN – browser will only render the iframe contents if host page origin is the same as the iframe page origin
  • ALLOW-FROM http://host – browser will only render the iframe contents if the iframe host is http://host

Please note that specifying the header in META tag won’t work.

Good news – all browser vendors copied this from Microsoft and now we’ve got all modern browsers supporting this header (Firefox 3.6.9, IE8, Opera 10.50, Safari 4.0, Chrome 4.1).

Unfortunately, for some reason only Opera and IE show a meaningful message why the frame was blocked, all others just display the empty iframe (it’s especially weird for Firefox, which should show the warning as per their bugzilla):

image

In any case, study the security papers I linked to above to understand how the attack works and what it can do to your visitors or your business.

However, if you strongly believe no one should embed your page in an iframe – then your silver bullet is to add X-FRAME-OPTIONS: DENY to all the pages you serve.
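One way to add the header to every response of a Node.js server, together with a small model of the three behaviours listed above (added example, not from the original post). The function names are hypothetical, and treating an unrecognised value as "no header" is an assumption of the model.

```javascript
// Added example: send X-Frame-Options on every response and model how a
// browser applies the value. Function names are hypothetical.

// Wrap any Node.js request handler so each response carries the header.
// It has to be a real HTTP header; a META tag is ignored.
function withFrameOptions(handler, policy) {
  const value = String(policy || 'DENY').trim();
  if (!/^(DENY|SAMEORIGIN|ALLOW-FROM \S+)$/i.test(value)) {
    throw new Error('unsupported X-Frame-Options value: ' + value);
  }
  return function (req, res) {
    res.setHeader('X-Frame-Options', value); // set before the body is written
    return handler(req, res);
  };
}

// Model of the three behaviours: may the page at `framedUrl`, served with
// header value `value`, be rendered in an iframe on the page at `hostUrl`?
function mayRenderInFrame(value, hostUrl, framedUrl) {
  const hostOrigin = new URL(hostUrl).origin;
  const v = String(value).trim();
  if (/^DENY$/i.test(v)) return false;
  if (/^SAMEORIGIN$/i.test(v)) return hostOrigin === new URL(framedUrl).origin;
  const m = /^ALLOW-FROM\s+(\S+)$/i.exec(v);
  if (m) return hostOrigin === new URL(m[1]).origin;
  return true; // assumption: an unrecognised value gives no protection at all
}

// Usage with the built-in http module (hypothetical app handler `app`):
//   require('http').createServer(withFrameOptions(app, 'DENY')).listen(8080);
```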

P.S. X-FRAME-OPTIONS is now proposed to IETF: http://tools.ietf.org/html/draft-gondrom-frame-options-01

small piece of js code explained

Posted in no category by sharovatov on 31 January 2011

Today a colleague showed me a piece of js code and asked to explain how it works.

Here’s the code:

(function(x) { return x(x) })(function(z){ return function(y) { return z; } })(1)(2)(3)

For many from non-js background it would be easier if I rewrite first two function expressions as function declarations, turn third function expression into named function expression and break the execution into parts:


function f1(x) { 
  return x(x); 
} 

function f2(z) { 
  return function f3 (y) { 
     return z; 
  } 
}

var result1 = f1(f2);

var result2 = result1(1);

var result3 = result2(2);

var result4 = result3(3);

So let’s see what each function does first:

Function f1 accepts one argument, calls this argument as a function and passes it itself as a parameter.

Function f2 accepts parameter z and creates another function. Since f3 is a closure over f2’s scope, argument z is always accessible from within f3; and what f3 does is it returns this argument z.

After we grasp the idea of what these functions do, let’s see how everything is executed.

When var result1 = f1(f2) is executed, f1 is called with f2 passed as a parameter. return x(x) means that we need to call f2(f2) and return the result.

When f2 is called with f2 as a parameter, function f3 will be created and its z will hold a reference to f2. And this f3 is returned to result1.

Now we know that result1 actually holds a reference to f3 which regardless of the parameters always returns a reference to f2 which it “remembered” earlier. Hence, when we come to execute var result2 = result1(1), we actually call f3(1) and our f3 just returns a reference to f2.

So, this part of the code (function(x) { return x(x) })(function(z){ return function(y) { return z; } })(1) could be replaced with (function(z){ return function(y) { return z; } }).

Let’s move on and execute var result3 = result2(2);. We’ve just found out that result2 holds a reference to f2, so it’s rather f2(2) that we’re seeing here, which – as we remember – creates the f3 function and stores z in its context. This f3 will always return 2, so result3 is a function that will always return 2.

And when we execute var result4 = result3(3), f3(3) is actually called and returns 2 as expected.

I think this again proves that javascript is a syntactically very powerful language.

Deleting flash plugin (flash.ocx)

Posted in no category by sharovatov on 9 November 2009

Our great system administrator amongst other sysadmin-specific posts published a really interesting post about deleting the flash plugin.

The problem is that the crafty Flash installer, during installation, additionally sets in the ACL of the files a deny on write for these files for all users. This rule overrides all other permissions and does not let the files be deleted on operating systems that honour NTFS access rights. That is, to delete them it is enough to open the file properties, click the “Advanced” button on the “Security” tab and remove the two lines describing the Deny on write. After that the files are deleted without problems.

Here’s the essence:

When you try to delete the flash plugin (flash6.ocx, flash10c.ocx) from the %windir%\system32\Macromed\Flash folder, you get “permission denied” even if you’re the owner of the directory. The reason is that the Flash plugin installer sets DENY WRITE permissions in the NTFS ACL for this file, and DENY permission rules always override ALLOW rules. So even if you’re the owner of the files, you’re denied when you try to delete them :)

To fix this and delete the file, first run the regsvr32 /u <path_to_file> command to unregister the file (if it’s registered in the system). Then you have to open file properties, go to “Security” tab, click “Advanced” button and remove two “Deny” entries there. Then you won’t have any problems deleting the file.

Thanks for sharing this, Dmitry!



Opera revolution fail

Posted in no category by sharovatov on 16 June 2009

Opera announced “Opera Unite” concept – they integrated a web-server right into Opera and made Opera Desktop Gadgets run on it.

All the services Opera Unite offers are web gadgets, so they are built in html+javascript with some additional API provided by the browser.

To get any of the services, you must register at Opera. When you register, you give your computer a name, e.g. “home” and then you are provided with a URL home.yourlogin.operaunite.com where yourlogin is what you chose as a login when you were registering.

File sharing service is basically a web server directory listing exposed to the internet. This is my understanding how it works:

  1. You point Opera Unite to a directory
  2. Opera internal web server starts listening on port 8840 locally
  3. Opera opens a persistent connection to operaunite.com (213.236.208.30 IP address in my case)
  4. So when anyone opens up home.yourlogin.operaunite.com, operaunite.com server requests the list of files from your machine using a persistent connection that you opened and sends the response back to user.
  5. when you close Opera, web server is shut down, connection is dropped and nobody can download anything.

So sharing can work ONLY when your computer is working and Opera is running.

So none of the services can work when computer is turned off or Opera is not running.

When you want your sharing/chat/fridge services to be working, you will need to keep your Opera running. And if several users start using it, your computer will slow down significantly. And if you by any chance put a link to an image hosted in your Opera Unite on a popular site… Your computer will either stop responding or eat 100% resources.

That’s what John Resig, the author of beautiful jQuery says:

I just tried to visit six Opera Unite pages and only one resolved. The future of the web is two 9s: 0.99% uptime!

Useful service? I doubt.

Photo sharing service is just crap at the moment. My Opera Unite serving 1 client with a Photo Sharing page with thumbnails eats 60-70% of CPU and up to 200 Megabytes of memory. Full-blown web servers like IIS7 or Apache2 would serve this page and static files in milliseconds without any noticeable resource usage. Thumbnails are created in really poor quality.

In Web Server service CGI is not supported, in-memory modules are not supported. PHP is not supported. The only language you can use is javascript. HTTPS is not supported.

Opera says that the communication between users is done directly. Truth is that it’s done through operaunite.com. Let me repeat it, all the traffic goes through operaunite.com. Are you ready to give all your information to Opera? Do you trust them so much? Do you care about your privacy? Do you think they will care about users after what they did to Windows 7 users in Europe?

Opera says this is a revolution – I can only see a bad (or alpha, not even beta) implementation of a rather poor technology. When I go out, I don’t leave my laptop working and Opera running, so the sharing won’t work. And I don’t want my browser to take 100% CPU and 400 Mb RAM when two users are watching static pages with static thumbnails. And it’s not p2p as all the traffic goes through Opera servers. There’re plenty of good services that do their work and don’t pretend to do a revolution where there’s clearly nothing revolutionary.

This makes me laugh:

Our computers are only dumb terminals connected to other computers (meaning servers) owned by other people — such as large corporations — who we depend upon to host our words, thoughts, and images. We depend on them to do it well and with our best interests at heart. We place our trust in these third parties, and we hope for the best, but as long as our own computers are not first class citizens on the Web, we are merely tenants, and hosting companies are the landlords of the Internet.

P.S. Opera engineers said that in the final version p2p file sharing will be implemented – well, let’s see.



Intel mini ITX D945GCLF2D motherboard

Posted in no category by sharovatov on 10 June 2009

I always wanted to have a second computer where I could install Windows Web Server 2008 (or Win7) with IIS, SQL Express 2008 and run, develop and test my hobby projects locally. Well, you know what it’s like to have a second computer – you can do whatever you want on it and never be afraid that you do anything wrong with your work PC :)

My work PC is quite noisy and I just can’t find time to determine which one of 4 coolers is causing the trouble and replace it. So I wanted to  build a computer that would be really quiet (or silent at all) so it wouldn’t add any noise and that I could leave it working at night if required. Then I thought that I didn’t need this computer to be really powerful – I wasn’t going to encode video on it :) And I could save a fortune on buying something that wasn’t a cutting-edge most powerful Core 2 Duo Quad Extreme Mega Turbo Something with 64 gigs of RAM.

I’ve been reading a lot about nvidia ION platform recently and thought it would be the best solution for the task – extremely small and nearly silent platform with great specs: dual-core Atom 330 CPU, up to 4 gigs of RAM, good Nvidia graphics card. But then first motherboard with NVIDIA ION and Atom 330 was announced – ZOTAC IONITX-A-U, which is great but according to different sources would cost $300, which is way too much for such a device.

So I had a look at Intel’s motherboard – D945GCLF2D. Yes it has Intel GMA950 video chipset, but as this machine was considered to be used without a monitor, I didn’t care which video card it would have. It also doesn’t have a WI-FI, but at the moment I’ll just plug it in the network switch and if required will add a wi-fi card later. And the price was great – I was able to get the motherboard and a 2Gb memory card at $125 total. I already had a HDD but had to buy a power supply – and here it is, a computer for 160 dollars. 2 Gb RAM, integrated dual-core Atom 330 CPU, 80 Gb HDD and 2 Gb USB flash card for Ready Boost – a great local web and database server, NAS and download box.

The only noise I can hear from it is a small noise of power supply cooler – so I plan to measure what power consumption this system has and get a fanless power supply fitting this motherboard needs. And also I’m planning to build my own case for it – something that could be screwed to the wall near the network switch.

And I’m also sure that such a computer would be ideal for most office needs – it’s capable of doing any office work, it’s really cheap ($300 with any of the great mini ITX cases on the market) and it’s small so it won’t take precious office space.

Awesome, just awesome.

Thanks, Intel!



Best Windows 7 gadgets

Posted in no category by sharovatov on 16 May 2009

Found the best blog with windows 7 gadgets – http://blog.orbmu2k.de/

I installed Memory usage gadget, updated version of CPU Usage, Network traffic, Volume control and Top 5 processes gadgets. Really great!

I also downloaded all Windows 7 themes from http://windows.microsoft.com/en-US/Windows7/Personalize page – they are just awesome :)

Now the right side of my 2nd monitor looks like that:

gadgets-screenshot2[1]
