Jan 24, 2007

AJAX, javascript libraries and ideas

Over the last few months I have been using JavaScript very intensively and found a very convenient and efficient approach that I have not read about anywhere.

You can see many JavaScript libraries around; at least 3 of them are well-established and popular:
Prototype (with script.aculo.us), the Yahoo! User Interface Library and the Google Web Toolkit.

I personally don't like to watch a progress bar while the bells and whistles of a web 2.0 site are loading. The only way to spare your site's visitors a tedious wait is to measure the size of your web application and make an effort to minimize it.

Here are my ideas on how to achieve great effects on the site, save bandwidth and development time.

* One idea I found to be very efficient is that one library is not enough.
Good results can be achieved by using Prototype as a base helper library and DOM Tooltip to draw menus.

A developer can combine the best parts of different libraries to achieve better results.
For example, I like YahooUI for its great ready-made animation effects.
But for AJAX, DOM, events and general DHTML development I prefer Prototype 1.4.
Yes, the Yahoo library has means to process AJAX and events, and script.aculo.us has many great features, but I like them less.

* Second idea - JavaScript can be optimized before publishing.
Consider processing your .js files with a tool like JSMIN before uploading them to the production server.

The first advantage - file size is reduced by 15-30%; Prototype 1.4 becomes 35 Kb instead of the initial 47 Kb.
The second advantage - you can format your code and write full, detailed comments without suffering a file-size penalty.

Unfortunately, not all JavaScript code keeps working after being optimized by JSMIN, so test the minified file first.

* Third idea is to take HTTP into account.
A developer can anticipate and make use of the browsers' caching abilities.
One can also plan for how keep-alive connections will be used.

If you reference the library with a relative URL, there is a chance it will be loaded over the same keep-alive connection as another HTTP request.
If you have subdomains, you can use an absolute URL: the browser cache is keyed by the full URL, so the already-cached library will be immediately available on the pages of the subdomains as long as every page references exactly the same absolute URL.

To be continued! There is so much to write about AJAX :)

Jan 19, 2007

Security

Once I had a conversation with a customer about security.
He sent me a link to some article, but I decided not to read it.
While talking about it I realized that I needed to explain what security means when it comes to web development, and AJAX in particular.

I asked for permission to publish the chat, and here it is:


...
Gri (12:11 AM) :
AJAX is a client-side technology.
The security of the web system does not rely on the data received from the client (browser), if the developer always assumes that data is dangerous.

customer (12:16 AM) :
yes. although it is not our first email about it.... we don't doubt you.

Gri (12:16 AM) :
There are several major security problems in web applications.
This is not written in articles for some reason (maybe I should write one?)
- server security (OS, firewall, non-web-related issues)
- web application security (scripts issues)
- cross-server scripting vulnerabilities
- DDOS

Gri (12:19 AM) :
The first is server/cluster configuration; it will not be a problem.

The second also splits into different categories, from application design to SQL injections and unknown platform bugs.
I don't worry about this either.

The 3rd is the "hard-to-foresee problems" category.
How and in what context some people will want to exploit somebody's security - I don't know.

Gri (12:21 AM) :
I can tell a good story about how people were stealing ICQ numbers.

customer (12:22 AM) :
I'm sure that you've seen a lot from behind the scenes.
we expect a lot of incoming troublemakers.

Gri (12:22 AM) :
Some time ago Hotmail made accounts expire after 3 months;
lots of people had registered ICQ with Hotmail addresses, hackers found these expired accounts, registered new ones in place of the expired ones with the same Hotmail addresses - and got the passwords...

Neither Hotmail nor ICQ is directly guilty, as you can see.
Only many months later did Hotmail fix the problem - the web mail systems don't allow re-registering expired accounts anymore.

Gri (12:25 AM) :
The last issue is DDOS. This is a problem in general, and no one has a uniform solution.
Last month e-gold (a big payment processor) was periodically offline for several days due to DDOS attacks.

customer (12:25 AM) :
but, everyone is aware of it and working on it, correct?

Gri (12:25 AM) :
I have never practically experienced a really hard DDOS attack.
Though, I keep it in mind and don't leave obvious performance bottlenecks in the system.

The only solution is monitoring, detecting attacks and fighting back when it happens.

customer (12:27 AM) :
when more and more applications move to database and become popular... more and more people will try to attack things.

Gri (12:27 AM) :
People don't attack themselves. The hackers attack through controlled computers.
Most serious attacks come from infected computers.
But they are rare, as serious epidemics are rare and hard to organize.

new blog

Hi all,
here I am starting my new blog on web development.
There will be notices, short articles and other stuff I want to get published, but don't want to bother placing on my main site :)