ContactCard 1.1.0 Released
The new version adds the ability to render XFN data for links that have no other contact information attached and fixes a positioning bug.
It’s 7:00p, and after a long day at work, Jenn and I decide it’s time to go get something to eat. Pizza sounds good, so we head to the local Schmizza to get a couple of slices.
Jenn gets a slice of “Sch’meat’za” (an all-meat special), an order of breadsticks, and a small drink. I think the “No Kiss Tonite” (garlic chicken, alfredo, feta, and red onion) sounds good, so I get that, a “Genoa” (another all-meat special), and a small drink.
The mood is relaxed as we eat our pizza, watch a little Nickelodeon on the TVs hanging around the place, and talk about our recent debacle making wedding invitations. (No, the invitations aren’t going quite as smoothly - or as cheaply - as I’d like, but I think we’ve got the details ironed out now, so it’s time to jump in and make them. But I digress.)
The pizza is finished and it’s time to pack up and go. Jenn has some breadsticks left over, so she gets up to get a box to take the remainder home in. It’s a bus-your-own-table kind of joint, so while she does that, I take the plates over to the garbage can.
I scrape the plates off into the trash, then put the plates and silverware into the box sitting on top of the trash. I pick my cup up and decide that, before we go, I should top it off with some soda so I can take that in the car with me.
I take a drink of soda as I head toward the dispenser and look over to see how Jenn’s doing. Looks like she’s loaded up her breadsticks and is waiting. The breadstick box is on the table, her drink is on the table, my drink is on the table…
My drink is on the table.
Hang on, my drink is on the table.
Then what’s this drink in my hand?
No.
No, no, no.
Nonononononononononononono.
Please don’t tell me I just picked this drink up off the top of the garbage can and started drinking it.
But I did. I’m drinking some random drink. From on top of the garbage can.
I think I’m going to be sick.
“Jenn, we need to go home now. I have to Listerine and brush my teeth.”
I have the Mr. Potato Head “Darth Tater” toy, but they’ve got the “Spud Trooper” and “Artoo-Potatoo” now. Damn merchandising!
We bought a weed whacker this weekend, a $50 Black and Decker special from Home Depot.
I am the King of Weed Whacking.
And edging. I edged my whole lawn, front and back.
I’m telling you, more weeds were whacked than I can explain. There’s a whole section in our back yard that is/was a veritable weed forest, and that’s gone. Grass along the fence line - gone. And the edge of the lawn makes it look nice and crisp. First time we did that since we moved in.
Next up, a whole line of home improvements: The weed forest area (which is also, coincidentally, a drainage problem) is getting killed off and rototilled so we can put some wet-ground-friendly plants in there; the house is getting pressure washed and the trim will be repainted; and a sprinkler system will get put in to make sure we’re actually getting the thing watered correctly. Of course, none of that is cheap (particularly not the sprinkler system, and no, I’m not doing it myself, nor am I getting that friend of a neighbor’s buddy who happens to install sprinklers on the side).
In my feverish realization yesterday of how much interesting technology is coming out of seemingly nowhere, and in my desire to integrate FOAF, hCard, and every other up-and-coming data format into my ContactCard script, there’s something I totally spaced out on.
Cross-site scripting. Or, more precisely, the same-origin policy, the browser rule that exists to keep one site’s script from reading another site’s data.
There is no way I can tell the ContactCard to get all the contact information from all these external sites, because a script on my page asking XMLHttpRequest for a document on somebody else’s domain is a cross-domain request, and the browser’s not going to allow it (or the user’s going to have to click a little dialog to OK the transaction).
Which brings me to another realization: AJAX is neat, but it’s not so cool if you want to do anything with data gathered elsewhere.
It puts a pretty severe limit on what you can push into the client and what you can’t. There seems to be this huge push to get things back in the client (the classic “centralize/decentralize” seesaw), but we’ve got this [justifiable] security barrier that’s stopping truly rich client-side web-based applications from working.
It’s so limiting. There are a lot of cool services available out there - Amazon, Google, etc. - and I have to proxy the web service calls through my own server. Which means I can’t just stick the script on my site and call ‘er good.
So what now? Do I need to set up a web request proxy? Is it worth the bother?
Think about this - I can include script from other servers dynamically (through <script /> tags), I just can’t make separate requests for it. What if people stopped coming up with XML description formats and microformats and all of these other ways that I can’t access the data from the client and instead came up with data formats in JSON? (Yeah, I’m throwing away security on that one, but let’s ditch the practicality for just a second and think outside the box. You can shoot me down later.)
What about having a public, trusted service that provides known-object-to-JSON conversion? Something that knows how to proxy requests for certain known resource types and return the results in a JavaScript-interpretable format? If you did it right, you could ensure that the JSON object had any offensive script filtered out so you’d be reasonably safe.
How about this - let XMLHttpRequest make external requests for data but build into the JavaScript interpreter some way to flag the contents of the response so a person can’t just “eval” it because it’s not marked safe. If you really want to evaluate the response as script, you’d have to somehow copy the data to another variable or perform some other overt action, at which point it’s your own fault for being insecure.
Maybe you could be allowed to make requests to external sources, but only ones that return a valid XML document. Limiting, but not quite as limiting as what we’ve got today.
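The script-tag and eval ideas above share one property: whatever the other server sends back runs as code on the page, with the page’s privileges, and no proxy can reliably “filter script out of JSON”, because JSON is only data when the client treats it as data. The “marked safe” response the post wishes for exists today as JSON.parse (browsers did not yet ship it natively when this was written). Below is an added example, not ContactCard’s code and not from the original post, contrasting the eval path with parsing the body as JSON and then validating its fields; the two sample responses and the field names are constructed for the example.

```javascript
// Added example (not from the original post): the difference between "data I received"
// and "script I ran". A <script src> pointing at another server, and eval() of an
// XMLHttpRequest body, both execute whatever that server chose to send. Parsing the
// body as JSON makes the same bytes inert data. Both responses are constructed.

// What a well-behaved contact service might return: plain JSON.
const honestResponse = '{"fn": "Jenn", "url": "http://example.org/", "rel": ["friend"]}';

// What a hostile or compromised service might return: valid JavaScript, not JSON.
// It still "returns" a contact object, so an eval()-based loader would never notice.
const hostileResponse =
  '(function () { globalThis.pwned = (globalThis.pwned || 0) + 1; return {"fn": "Jenn"}; })()';

// The 2005 pattern: eval the body. Equivalent to a cross-site <script src>: the
// server's bytes run as code.
function loadViaEval(body) {
  return eval('(' + body + ')');
}

// The safe path: JSON.parse accepts the JSON grammar and nothing else. A function
// call, an assignment, a comment or a bare identifier throws instead of executing.
function loadAsData(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Even inert data needs checking before it becomes markup: a "url" of
// javascript:alert(1) is harmless as JSON and script injection the moment it is
// written into an href. Keep only the fields you expect, with the types you expect.
function validateContact(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return null;
  if (typeof data.fn !== 'string') return null;
  const url = typeof data.url === 'string' && /^https?:\/\//i.test(data.url) ? data.url : null;
  const rel = Array.isArray(data.rel) ? data.rel.filter((r) => typeof r === 'string') : [];
  return { fn: data.fn, url: url, rel: rel };
}

// End to end: body in, either a vetted contact or null out. Nothing is ever eval'd.
function contactFromResponse(body) {
  const parsed = loadAsData(body);
  return parsed.ok ? validateContact(parsed.data) : null;
}
```

`loadViaEval(hostileResponse)` hands back a perfectly good-looking contact and quietly runs the injected code; `contactFromResponse(hostileResponse)` returns null. The validation step is the part a “trusted JSON conversion service” cannot do for you, since only the page knows which fields it will turn into links and text.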
Or is AJAX just overrated? By the time I get my safe JSON object proxy, will we be back to storing everything on the server because the client is too bloated?