Protecting Your Cookies: HttpOnly (105)
on
Coding Horror (454)
So I have this friend. I've told him time and time again how dangerous XSS vulnerabilities are, and how XSS is now the most common of all publicly reported security vulnerabilities -- dwarfing old standards like buffer overruns and SQL injection. But will he listen? No. He's hard headed. He had to go and write his own HTML sanitizer. Because, well, how difficult can it be? How dangerous could this silly little toy scripting language ...
- Mone said: One point is missing: being able to access cookies from JavaScript can be useful for protecting against XSRF. HttpOnly cookies prevent this defense but do not prevent XSS; they only 'block' (he himself mentions the holes in current implementations) access to one piece of information among the many available to injected JavaScript. A trivial example: the attacking code can always simulate a fake login window inside a legitimate page...
- jmvidal said: Good tip.
- dd said: When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden.
Podcast #19 (2)
on
Blog - Stack Overflow (4)
This is the nineteenth episode of the StackOverflow podcast, wherein Joel and I discuss the following: We’ve mapped our voting functionality to what you see in Digg and Reddit, but we’re a Q&A site, not a link aggregation service. Should we allow voting on questions as well as the answers? Or should questions simply be taggable as favorites, which are a de-facto vote? I believe voting and favorites are related, but not quite the same ...
Stack Overflow on Herding Code (1)
on
Blog - Stack Overflow (4)
I was invited to participate in the latest Herding Code podcast. This was a fun one for me because I’ve known the four hosts of the program — Jon Galloway, Kevin Dente, K. Scott Allen, and Scott Koon — through their blogs since forever, eventually meeting most of them in person. All of their blogs predate mine by years. I’d almost say we were blog buddies. If you could call people blog buddies. Which I ...
Deadlocked! (39)
on
Coding Horror (454)
You may have noticed that my posting frequency has declined over the last three weeks. That's because I've been busy building that Stack Overflow thing we talked about. It's going well so far. Joel Spolsky also seems to think it's going well, but he's one of the founders so he's clearly biased. For what it's worth, Robert Scoble was enthused about Stack Overflow, though it did not make him cry. Still, I was humbled by ...
Check In Early, Check In Often (80)
on
Coding Horror (454)
I consider this the golden rule of source control: Check in early, check in often. Developers who work for long periods -- and by long I mean more than a day -- without checking anything into source control are setting themselves up for some serious integration headaches down the line. Damon Poole concurs: Developers often put off checking in. They put it off because they don't want to affect other people too early and they ...
- Ken said: Atwood as usual with some excellent advice
- jonezy said: good advice for developers here
- Nigel J said: amen
- Vishy007 said: totally agree!
- Claude said: I thought I was crazy committing small chunks of tested work.
- tOMPSON said: I wish some of my colleagues would stick to this
- David said: That's where branching comes in and exclusive locks go out. Unfortunately for us at DTC, MKS is junk :)
The Perils of FUI: Fake User Interface (60)
on
Coding Horror (454)
As a software developer, tell me if you've ever done this: Taken a screenshot of something on the desktop Opened it in a graphics program Gone off to work on something else Upon returning to your computer, attempted to click on the screenshot as if it was an actual program. And let's not forget the common goating technique where you take a screenshot of someone's desktop, make it the desktop background, then proceed to hide ...
Please Give Us Your Email Password (14)
on
Coding Horror (454)
A number of people whose opinions I greatly respect have turned me on to Yelp over the last six months or so. Yelp is a community review site, and a great way to discover cool new places in whatever neighborhood you happen to be in. I've enjoyed using Yelp, and I wanted to participate by submitting my first review, so I created a new account there. As part of the account creation process, I was ...
- b said: test
Coding Horror: ASCII Pronunciation Rules for Programmers (21)
on
Coding Horror (454)
- j said: It's an exclamation POINT but whatever. Still useful.
Secrets of the JavaScript Ninjas (82)
on
Coding Horror (454)
One of the early technology decisions we made on Stack Overflow was to go with a fairly JavaScript intensive site. Like many programmers, I've been historically ambivalent about JavaScript: The Power of "View Source" The Day Performance Didn't Matter Any More JavaScript and HTML: Forgiveness by Default JavaScript: The Lingua Franca of the Web The Great Browser JavaScript Showdown However, it's difficult to argue with the demonstrated success of JavaScript over the last few years. ...
- Kevin Shaum said: True, true, true. Jeff neglects to mention that these frameworks also provide some useful shortcuts (like the $() function in Prototype) that have nothing to do with cross-browser compatibility, but are simply usability enhancements. I've been playing with Prototype and enjoying it, and plan to dig into Dojo in the near future.
JavaScript has become an essential tool, and will become an increasingly important part of the computing landscape, even for server-side programming. On top of that, it is also the new Basic: for many people, it is their first exposure to programming.
- Travis said: this is a great testimonial for jQuery
Music to (Not) Code By (23)
on
Coding Horror (454)
Occasionally people will ask me what kind of music I like to code by. I'm not sure I am the right person to ask this question of. Allow me to explain by citing my 2001 Amazon review of a particular album. It all started so innocently. I purchased this CD on a lark in mid 1998. Subsequently, I put on this CD at high volume to torture my then-coworkers. It became a running joke. We'd ...
Bad News, Good News (3)
on
stackoverflow (0)
I’ve got some bad news and some good news. I like to start with the bad news, and you don’t get a choice, so here goes: There will be no podcasts for the next two weeks. Joel is on an extended vacation. Our apologies, but the logistics of recording remotely are too daunting. Plus, we want Joel to enjoy his vacation, right? Me, I don’t get a vacation. I have to work frantically with Jarrod, ...
On Our Project, We're Always 90% Done (93)
on
Coding Horror (454)
Although I love reading programming books, I find software project management books to be some of the most mind-numbingly boring reading I've ever attempted. I suppose this means I probably shouldn't be a project manager. The bad news for the Stack Overflow team is that I effectively am one. That's not to say that all software project management books are crap. Just most of them. One of the few that I've found compelling enough to ...
- Tim Saylor said: Absolutely true. I did this for a job and even then I didn't have everything I needed to do on the list. It's hard, but it's very important.
- Lenny said: Couldn't agree more
- Vishy007 said: The PDF on compensation is a must read
Quantity Always Trumps Quality (98)
on
Coding Horror (454)
Nathan Bowers pointed me to this five year old Cool Tools entry on the book Art & Fear. Although I am not at all ready to call software development "art" -- perhaps "craft" would be more appropriate, or "engineering" if you're feeling generous -- the parallels between some of the advice offered here and my experience writing software are profound. The ceramics teacher announced on opening day that he was dividing the class into two ...
- alice said: Jeff Atwood gets it right again.
- Zane Shelby said: Anyone who is familiar with the NewMUD project should see the wisdom in this article.
- Simon said: I've paraphrased what Jeff is saying here. It is really quite profound and extends way beyond software developer or ceramics. It permeates every aspect of our life. Don't know how play the guitar? Are you going to read about it, or pick up a guitar and start practicing? Don't know how to ride a motorcycle? You can read the manual, or take one out for a spin (carefully). You did sell enough stuff? You can study more about the product and the region and the demographics, or you can knock on another door or make another phone call.In general, life is about refinement... about constantly refining who we are and what we do. Someone said to me that you can't steer a parked car. So true... the car must be moving before you can get it going in the right direction.God does the same thing with us. He asks us to make disciples as we go into the world. We may be afraid and feel unprepared, but in the act of doing, He grows us and trains us and we become more able all the time.
- Carl Fyffe said: Amazing. I have witnessed this in many different aspects of life.
- AlexandrosM said: an amazing idea. an a-ha moment if you will.
- smuggyuk said: And this is why I spend my evenings hacking away on little code projects ;0)
- Forrest said: though I've been disappointed with codinghorror of late, this was a really good entry
Stack Overflow Private Beta Begins - stackoverflow (9)
on