Browser Security Bug Can Fill Your Hard Drive

A universal truth in software security is that your security can come crashing down with one person’s new discovery. So it was with several different web browsers when a clever researcher discovered a new trick to coerce a browser into filling its hard disk with garbage. All a user needs to do is browse to the wrong site on the web, and bye bye disk space.

How does this amazingly clever attack work? Feross Aboukhadijeh explains it in a recent post on his blog where he also links to a proof of concept site that really will fill up your hard drive. (The blog post link above is safe. What you click after you end up on Feross’s blog is up to you.) Here’s how the whole problem works:

HTML5 allows websites to ask a browser to store information about a user’s session on the disk. It’s a pretty nifty feature, expanding the power of websites to store session data beyond the minuscule amount permitted by a cookie. The HTML5 spec is also pretty clear that browsers should set a limit on how much a particular site can store:

User agents should limit the total amount of space allowed for storage areas.

What Aboukhadijeh discovered is that subdomains might not count against the same limit. That means that if my browser permits each site to have 5MB, then 1.example.com, 2.example.com, 3.example.com, etc. would each get 5MB. A clever attacker just needs to create a long list of subdomains and then coerce the visitor’s browser into loading them all at once.
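As an added illustration (not code from Feross’s post or from this blog), here is a small JavaScript model of the two ways a browser can account for storage: one bucket per hostname, which is the behaviour described above, and one bucket per registrable domain, which is the fix the spec’s wording points toward. The `StorageQuotaModel` class, the `registrableDomain` helper and the 100 constructed `N.example.com` hostnames are assumptions made for this example; real browsers consult the Public Suffix List rather than the naive “last two labels” rule used here.

```javascript
const QUOTA_BYTES = 5 * 1024 * 1024; // 5 MB per "site", the figure used in the post

class QuotaExceededError extends Error {
  constructor(key) {
    super(`storage quota exhausted for ${key}`);
    this.name = "QuotaExceededError";
  }
}

// Per-origin accounting: every hostname is its own bucket. This is the
// behaviour the post describes, so 1.example.com and 2.example.com each
// receive a full quota of their own.
function perOriginKey(host) {
  return host.toLowerCase();
}

// Per-site accounting: collapse a hostname to its registrable domain so that
// all subdomains share one bucket. The "last two labels" rule is a deliberate
// simplification for this example; real browsers consult the Public Suffix
// List so that names such as "example.co.uk" are handled correctly.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

class StorageQuotaModel {
  constructor(bucketKeyFn, quotaBytes = QUOTA_BYTES) {
    this.bucketKeyFn = bucketKeyFn;
    this.quotaBytes = quotaBytes;
    this.usage = new Map(); // bucket key -> bytes stored
  }

  // Record a write of `bytes` on behalf of `host`; refuse it if the bucket
  // the host maps to would exceed its quota.
  write(host, bytes) {
    const key = this.bucketKeyFn(host);
    const used = this.usage.get(key) || 0;
    if (used + bytes > this.quotaBytes) {
      throw new QuotaExceededError(key);
    }
    this.usage.set(key, used + bytes);
  }

  totalBytes() {
    let total = 0;
    for (const bytes of this.usage.values()) total += bytes;
    return total;
  }
}

// Replay the scenario from the post: `count` subdomains of one domain each try
// to store a full quota's worth of data. Returns how much disk the model would
// have consumed and how many of those writes were refused.
function simulateSubdomainWrites(bucketKeyFn, count) {
  const model = new StorageQuotaModel(bucketKeyFn);
  let refused = 0;
  for (let i = 1; i <= count; i++) {
    try {
      model.write(`${i}.example.com`, QUOTA_BYTES); // constructed hostnames
    } catch (err) {
      if (!(err instanceof QuotaExceededError)) throw err;
      refused++;
    }
  }
  return { totalBytes: model.totalBytes(), refused };
}

const buggy = simulateSubdomainWrites(perOriginKey, 100);
const fixed = simulateSubdomainWrites(registrableDomain, 100);
console.log(`per-origin accounting: ${buggy.totalBytes / (1024 * 1024)} MB stored, ${buggy.refused} writes refused`);
console.log(`per-site accounting:   ${fixed.totalBytes / (1024 * 1024)} MB stored, ${fixed.refused} writes refused`);
```

Run it with `node`: the per-origin model lets 100 subdomains consume 500 MB with nothing refused, while the per-site model stores the first 5 MB and refuses the other 99 writes. The only difference between the two runs is the bucket-key function, which is the whole point: the quota itself was never the problem, the unit it was applied to was.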

So is this a bug with HTML5 or the browsers?

How CBS Handles Mobile

Still struggling with the choice between mobile web or native app? If you’re a large company, or have several different facets of your business you’d like to represent, it might benefit you to choose on a piece-by-piece basis rather than going with a single, end-all-be-all method across the board.

CBS uses this patchwork method to their advantage and considers factors such as visitor traffic and budget to determine which of their many holdings get which type of mobile representation. For example, CBS.com, CNet and 60 Minutes all have native apps while GameFaqs and ZDnet have mobile websites. Peter Yard, CTO of CBS Interactive, broke down the corporation’s thought process when it comes to mobile media in an article on CNet:

Where’s the traffic coming from?
If the majority of a site’s traffic is side door traffic from Google, Facebook, and Twitter, the site should embrace mobile web and HTML5. Since most of the site’s users are arriving via links, the content must quickly load in the mobile browser. …

If a majority of a site’s traffic is direct but intermittent traffic–meaning users come directly to the site, but only once in a while–the site should implement HTML5 mobile Web. These types of sites are “tourist sites” that are not visited regularly by people and therefore users are very unlikely to download an app. …

If the majority of a site’s traffic is direct traffic where people are regularly going straight to the site’s home page from a bookmark or typing in the URL, the site should use native apps. …

For sites with a lot of direct traffic, native apps also provide useful additional features such as push notifications and offline storage, which are not relevant to sites with intermittent or side door traffic.

Sites that have an even mix of direct and side door traffic should also implement both native apps and an HTML 5 mobile view.


Gone In A Flash – Mobile Flash Player Discontinued

Game Over?

In the battle over the mobile web, the Flash Mobile Player has officially been blocked by the HTML5 lineup (arguably with Steve Jobs as the forward-thinking QB). In an Adobe blog post yesterday, VP Danny Winokur stated:

“We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations (chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook.”

For phones and tablets, the future is clear; however, the battle isn’t over. According to Mashable, “Adobe has added more robust cross-platform mobile development features to Flash Professional and added native iOS streaming to Flash Media Server,” maintaining “a strong commitment to Flash as a development platform separate from a technology stack.”

In line with more brands moving toward a hybrid approach (see post on Pandora), Adobe is astutely refocusing its efforts on native apps and aggressively contributing to HTML5.

What do you think? Without mobile, has Adobe Flash become irrelevant?

Update: Adobe also told GigaOM it has stopped supporting Flash on digital home devices, such as HDTVs.

Pandora Says You Don’t Have To Choose HTML5 Or Native App

You can have your cake and eat it too! While there are concrete arguments both for and against using HTML5 vs. native apps, there is also a hybrid approach. In a recent GigaOM article, Pandora – the booming internet radio service that just launched an HTML5-run website – offers their advice to mobile app developers:

CTO Tom Conrad said that he could see the company developing a hybrid HTML5-native app. “It’s the best way to get the best of both worlds with the technology that’s available right now,” said Conrad. “That gives you integration with the OS and really, really high performance and really fluid user experiences. But integrated with some HTML5 content, whose strong suit is uniform platform dynamics, and rapid turns on user interface development.”

See more arguments both for and against HTML5 vs. native apps after the bump!


Do Testers Like HTML-5 More Than Developers?

By now, everyone in the world of web programming has had at least some experience with HTML-5. The web is loaded with great resources that provide all the details you’d ever want to know about this new standard for structuring your webpage. But with all the information out there, some are still confused as to what all the fuss is about.

Well, I’ll tell you. Here are a few of the things that I’m most excited about with regard to HTML-5:

  • New semantic-based tags instead of old divs: Traditionally, a web developer’s life was overrun with generic divs and spans for all kinds of containers in HTML. With HTML-5, there are new semantic tags whose names reflect what the container is for. A number of tags were introduced, such as <header> for the header of a webpage, <footer> for the footer, <section>, etc., which are more meaningful than the previous generic divs.
  • No plug-in for video: Previously, video required some type of plug-in, like Flash, QuickTime or Silverlight to name a few. With HTML-5, we can now simply use the <video> tag – how easy is that? However, for playing video with HTML-5, the limitation is that we need to encode video into 4 different formats to play it consistently across the web (and more than 10 video formats to play it across all the mobile devices). The reason is that we’re in the middle of a browser war when it comes to supporting video formats. Someday, the battle will be over, but not anytime soon.
  • No plug-in for audio: Similar to video, audio can now be played using the <audio> tag with the help of HTML-5. Again, the downside is that not all browsers support it.
  • Canvas support: Canvas support is a huge deal for web developers. With the power of Canvas, they can now draw things programmatically and dynamically (on the fly) onto their screen (stage). In the past, they were dependent on languages like ActionScript for such activities.

I can go on praising HTML-5 for its other features – like support for geo-location, offline storage and the history API – but that’s not the point of this blog. There are a lot of informative resources available online (like this) if you are interested in knowing more about that.

The reason I’m so interested in HTML-5 has to do with the terrific support and response from the developer community. Specifically, I’m wondering if the tester community has (or will have) the same sort of enthusiasm for HTML5.


Friday HTML5 Fun – Testers Rock

American band Ok Go is well known for their sensational and imaginative music videos that combine simplicity with raw imagination. Their latest video is no exception, but for this one they took it one step further. After partnering with Google, they have created an HTML5 video/multimedia/app thing that takes full advantage of the capabilities of Google Chrome.

Being big fans of HTML5 and music videos (we were part of the MTV generation, after all), we couldn’t pass up sharing this. We’ve also included a little message in the video for all you software testers out there. Fire up Chrome and watch the whole thing here.

Hashbangs – The Future of URLs or The End of The Internet?

Quick – what’s a URL? Most of you would point to that string of text at the top of your browser that defines the location for this page. But URLs represent a lot of things: references to pages, pointers to content, and the foundations of links. They’re the fiber of the web, and the entire notion of HTTP is about pages pointing to pages using URLs.

However, a new approach to building websites is threatening to turn this notion of URLs on its head. Two simple characters – #! (called either a hashbang or a shebang) – are creating more trouble than anything seen in years. Adding those to a URL makes it something else entirely, but to understand why, we need to first go over a couple of web fundamentals.


HTML5 is Going to Solve All of Your Problems…Right?

There’s a lot of talk these days about HTML5, specifically in regards to the web and what it means for the future of video. Did you not get the memo?

“Dear Desloper (Designer+Developer) community, HTML5 has introduced a <video> tag and all you need to do is give the source of your file and it will play videos in all the browsers and devices of the universe.”

Can it really be that easy? Nope. As the saying goes, “There’s no such thing as a free lunch” – and the same applies to embedding video in HTML5.

HTML5 becomes more and more important with the way arch-rivals Adobe and Apple get along with each other. The miserable deslopers start looking for an alternative to Flash to play video on Apple devices. HTML5 – and its <video> tag – is therefore seen as somewhat of a savior. No Flash or QuickTime to play a video? Where do I sign up?

However, with different parties supporting different video standards, the desloper community needs to keep in mind that they need to encode video into different formats so that various browsers can understand their video format.

For converting video for the iPhone, Apple provides a tool named QuickTime Pro which you can buy (or let your generous boss pay for) for conversion purposes. QuickTime Pro makes it easy to convert your video file (QuickTime format) into MP4, which you can play on the iPhone in both web and desktop applications.

The fun starts when you have to play H.264 video format in Mozilla Firefox (my favorite browser and probably most developers’ favorite too).


W3C: HTML5 Is Not For Production Sites

Well, what do you know? Just 6 months ago in my post about 5 Reasons Flash is Here to Stay, I wrote that reason #1 is that HTML5 is an immature and incomplete standard. Well, now I have some support for that from none other than the web standards-setting body itself – the W3C.

In an interview today on InfoWorld, W3C lead Philippe Le Hégaret had this to say about HTML5:

“The problem we’re facing right now is there is already a lot of excitement for HTML5, but it’s a little too early to deploy it because we’re running into interoperability issues.”

“I don’t think it’s ready for production yet.”


Pac-Man is Like Crack, Man – Google Brings Back a Classic

Worldwide productivity surely took a nose-dive today, as thousands of worker bees (like me) discovered that Google was featuring the classic Pac-Man arcade game on its ever-changing homepage. What began as a scholarly search for “regression testing tips” quickly devolved into “five” minutes of ghost-chomping fun – but don’t tell my boss.

In honor of Pac-Man’s 30th birthday, Google developed the application (in what we presume is HTML5) to look, sound and behave just like the original version from 1980. [UPDATE: Here’s how to download the Pac-Man game for free] We’re not yet sure if this includes the infamous Pac-Man kill-screen bug, but I am determined to find out. I’ll work nights and weekends if that’s what it takes. That’s just the kind of dedicated employee I am.

Anyway, since we’re a software testing company, many of us in the office were curious to see how the application would perform on the various mobile devices we have in-house. Here’s a quick run-down of our findings for each device, including whether or not it worked, along with a few notes:
