Browser Security Bug Can Fill Your Hard Drive

A universal truth in software security is that your security can come crashing down with one person’s new discovery. So it was with several different web browsers when a clever researcher discovered a new trick to coerce a browser into filling its hard disk with garbage. All a user needs to do is browse to the wrong site on the web, and bye bye disk space.

How does this amazingly clever attack work? Feross Aboukhadijeh explains it in a recent post on his blog where he also links to a proof of concept site that really will fill up your hard drive. (The blog post link above is safe. What you click after you end up on Feross’s blog is up to you.) Here’s how the whole problem works:

HTML5 allows websites to ask a browser to store information about a user’s session on the disk. It’s a pretty nifty feature, expanding the power of websites to store session data beyond the minuscule amount permitted by a cookie. The HTML5 spec is also pretty clear that browsers should set a limit on how much a particular site can store:

User agents should limit the total amount of space allowed for storage areas.

What Aboukhadijeh discovered is that subdomains might not count against the same limit. That means that if my browser permits each site to have 5MB, then 1.example.com, 2.example.com, 3.example.com, etc. would each get 5MB. A clever attacker just needs to create a long list of subdomains and then coerce the visitor’s browser into loading them all at once.
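The difference between a per-subdomain limit and a limit shared by the whole site can be seen in a small accounting model. This is an added example, not code from any browser or from Aboukhadijeh's post; the `QuotaManager` class, the `registrableDomain` helper and the three-entry suffix set are hypothetical stand-ins, and it assumes the fix is to charge every subdomain against its registrable domain.

```javascript
// Added example: models storage-quota accounting, not real browser code.
// Constructed stand-in for the Public Suffix List (assumption: a real
// implementation would consult the full list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Return the registrable domain (public suffix plus one label) of a host.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // A bare public suffix has no registrable domain; key on itself.
      return i === 0 ? suffix : labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // unknown suffix: fall back to the full host
}

class QuotaManager {
  // keyFn maps a host to the bucket its writes are charged against.
  constructor(limitBytes, keyFn) {
    this.limit = limitBytes;
    this.keyFn = keyFn;
    this.used = new Map();
  }
  // Charge `bytes` to the host's bucket; refuse if it would exceed the limit.
  write(host, bytes) {
    const key = this.keyFn(host);
    const total = (this.used.get(key) || 0) + bytes;
    if (total > this.limit) return false;
    this.used.set(key, total);
    return true;
  }
  totalUsed() {
    return [...this.used.values()].reduce((a, b) => a + b, 0);
  }
}

const MB = 1024 * 1024;
// Fill the 5MB limit from each of `count` numbered subdomains of example.com.
function simulate(keyFn, count) {
  const qm = new QuotaManager(5 * MB, keyFn);
  for (let n = 1; n <= count; n++) qm.write(`${n}.example.com`, 5 * MB);
  return qm.totalUsed();
}

const perHost = simulate((h) => h.toLowerCase(), 100); // per-subdomain limit
const perSite = simulate(registrableDomain, 100);      // shared limit
console.log(perHost / MB, perSite / MB);
```

With the limit keyed per host, total usage grows linearly with the number of subdomains; keyed on the registrable domain, it stays capped at the single 5MB allowance.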

So is this a bug with HTML5 or the browsers?

Essential Guide to Mobile App Testing

How CBS Handles Mobile

Still struggling with the choice between mobile web or native app? If you’re a large company, or have several different facets of your business you’d like to represent, it might benefit you to choose on a piece-by-piece basis rather than going with a single, end-all-be-all method across the board.

CBS uses this patchwork method to their advantage and considers factors such as visitor traffic and budget to determine which of their many holdings get which type of mobile representation. For example, CBS.com, CNet and 60 Minutes all have native apps while GameFaqs and ZDnet have mobile websites. Peter Yard, CTO of CBS Interactive, broke down the corporation’s thought process when it comes to mobile media in an article on CNet:

Where’s the traffic coming from?
If the majority of a site’s traffic is side door traffic from Google, Facebook, and Twitter, the site should embrace mobile web and HTML5. Since most of the site’s users are arriving via links, the content must quickly load in the mobile browser. …

If a majority of a site’s traffic is direct but intermittent traffic–meaning users come directly to the site, but only once in a while–the site should implement HTML5 mobile Web. These types of sites are “tourist sites” that are not visited regularly by people and therefore users are very unlikely to download an app. …

If the majority of a site’s traffic is direct traffic where people are regularly going straight to the site’s home page from a bookmark or typing in the URL, the site should use native apps. …

For sites with a lot of direct traffic, native apps also provide useful additional features such as push notifications and offline storage, which are not relevant to sites with intermittent or side door traffic.

Sites that have an even mix of direct and side door traffic should also implement both native apps and an HTML 5 mobile view.


Gone In A Flash – Mobile Flash Player Discontinued

Game Over?

In the battle over the mobile web, the Flash Mobile Player has officially been blocked by the HTML5 lineup (arguably with Steve Jobs as the forward-thinking QB). In an Adobe blog post yesterday, VP Danny Winokur stated:

“We will no longer continue to develop Flash Player in the browser to work with new mobile device configurations (chipset, browser, OS version, etc.) following the upcoming release of Flash Player 11.1 for Android and BlackBerry PlayBook.”

For phones and tablets, the future is clear; however, the battle isn’t over. According to Mashable, “Adobe has added more robust cross-platform mobile development features to Flash Professional and added native iOS streaming to Flash Media Server,” maintaining “a strong commitment to Flash as a development platform separate from a technology stack.”

In line with more brands moving toward a hybrid approach (see post on Pandora), Adobe is astutely refocusing its efforts on native apps and aggressively contributing to HTML5.

What do you think? Without mobile, has Adobe Flash become irrelevant?

Update: Adobe also told GigaOM it has stopped supporting Flash on digital home devices, such as HDTVs.


Pandora Says You Don’t Have To Choose HTML5 Or Native App

You can have your cake and eat it too! While there are concrete arguments both for and against using HTML5 vs. native apps, there is also a hybrid approach. In a recent GigaOM article, Pandora – the booming internet radio service that just launched an HTML5-run website – offers their advice to mobile app developers:

CTO Tom Conrad said that he could see the company developing a hybrid HTML5-native app. “It’s the best way to get the best of both worlds with the technology that’s available right now,” said Conrad. “That gives you integration with the OS and really, really high performance and really fluid user experiences. But integrated with some HTML5 content, whose strong suit is uniform platform dynamics, and rapid turns on user interface development.”

See more arguments both for and against HTML5 vs. native apps after the bump!


Do Testers Like HTML-5 More Than Developers?

By now, everyone in the world of web programming has had at least some experience with HTML-5. The web is loaded with great resources that provide all the details you’d ever want to know about this new standard for structuring your webpage. But with all the information out there, some are still confused as to what all the fuss is about.

Well, I’ll tell you. Here are a few of the things that I’m most excited about with regard to HTML-5:

  • New semantic-based tags instead of old divs: Traditionally, a web developer’s life was overrun with generic divs and spans for all kinds of containers in HTML. With HTML-5, there are new semantic-based tags for containers that are relevant to their usage. A number of tags have been introduced, such as <header> for the header of a webpage, <footer> for the footer, <section>, etc., which are more relevant to their usage than the previous generic divs.
  • No Plug-in for Video: Previously, video required some type of plug-in, like Flash, QuickTime or Silverlight to name a few. With HTML-5, we can now simply use the <video> tag – how easy is that? However, for playing video with HTML-5, the limitation is that we need to encode video into 4 different types of formats to play it consistently across the web (and more than 10 types of video formats to play it across all the mobile devices). The reason is that we’re in the middle of a browser war when it comes to supporting video formats. Someday, the battle will be over, but not anytime soon.
  • No Plug-in for Audio: Similar to video, audio can now be played using the <audio> tag with the help of HTML-5. Again, the downside is that not all browsers support it.
  • Canvas Support: Canvas support is a huge deal for web developers. With the power of Canvas, they can now draw things programmatically and dynamically (on the fly) onto their screen (stage). In the past, they were dependent on languages like ActionScript for such activities.

I can go on praising HTML-5 for its other features – like support for geo-location, offline storage and the history API – but that’s not the point of this blog. There are a lot of informative resources available online (like this) if you are interested in knowing more about that.

The reason I’m so interested in HTML-5 has to do with the terrific support and response from the developer community. Specifically, I’m wondering if the tester community has (or will have) the same sort of enthusiasm for HTML5.
