Thursday, February 15, 2007

Osterblogging

I'm in Austria this week attending the IASTED conference on Parallel and Distributed Computing and Networks and presenting my Williams senior thesis work. My presentation was on Monday, and went as well as I could have hoped.

Probably the nicest thing about presenting Monday is that it freed up Tuesday for some skiing on the Stubai Glacier. All of my skiing experience has been in New England, so this was quite a step up. Excellent conditions (-4° C and fresh snow a day before) made for a really wonderful time.

My co-presenter and thesis advisor Jim Teresco keeps a very nice picture site with some great pictures of the trip here; there are even more pictures of our ski trip, including some really nice shots of the Alps.

The rest of today will likely be catching up on some Cosmo work and checking out a couple talks. I'll be posting about any interesting talks I see, so hopefully this won't be my last post from Austria.

Wednesday, February 7, 2007

Problem with Firebug and HTTP Authentication in XMLHttpRequests

We've been trying for a while to figure out the best way to authenticate XMLHttpRequest calls to the Cosmo Management Protocol in the Cosmo web UI. The solution we're using for 0.6 is to manually insert the "Authorization" header with the correct value, a Base64-encoded version of the string "username:password". This works like a charm, except for one thing: to put the username and password into this header, we need to persist the username and password on the client side.

We've come up with a couple of approaches, all of them relying at some level on keeping a username and password in a cookie. Unfortunately, all of them are vulnerable to cross-site scripting (XSS) attacks. Worse, this kind of attack would give an interloper the user's password.

Fortunately, it looks like there is a better option. Paul James has demonstrated a way to use HTTP authentication from JavaScript without relying on the browser affordances, and Berend de Boer has wrapped up many of the details.

The first time I tested Paul's solution, however, it didn't work. Safari seemed to perform exactly as expected, but Firefox was a no-go.

To make a long story short, it turns out this is actually a bug in Firebug. In order to do the slick XMLHttpRequest monitoring Firebug provides, it wraps calls to XMLHttpRequest.open(). Unfortunately, it doesn't know about the username and password parameters that can be passed to open(), so having Firebug installed means you can't pass these parameters along.
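Here is an added example (not code from the Cosmo project, from Firebug, or from the original post) that shows both halves of the story above in runnable JavaScript: how the hand-built Basic "Authorization" header is assembled and why a stored copy of it is exactly as sensitive as the password (Base64 is an encoding, not encryption), and how an open() wrapper that only forwards the three arguments it knows about silently drops the optional user and password parameters, while one that forwards all arguments keeps them. FakeXMLHttpRequest is a constructed stand-in so the code runs under Node without a browser; the "dropping" wrapper models the behaviour described in the post rather than Firebug's actual source, and the forwarding wrapper is one possible fix, not necessarily the patch that was filed.

```javascript
// Added example, not part of the original post or the Cosmo code base.

function base64Encode(s) {
  // btoa() in browsers; Buffer in Node. Both produce standard Base64.
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}

function base64Decode(s) {
  return typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('utf8');
}

// Header value for HTTP Basic auth: "Basic " + base64("username:password").
function basicAuthHeader(username, password) {
  return 'Basic ' + base64Encode(username + ':' + password);
}

// The inverse. Whoever can read the header value, or the cookie it was built
// from, gets the plaintext credentials back in one step. This is the reason
// the post treats a password-bearing cookie as an XSS disaster.
function credentialsFromBasicHeader(headerValue) {
  const decoded = base64Decode(headerValue.replace(/^Basic\s+/i, ''));
  const sep = decoded.indexOf(':');
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed stand-in for the browser object. open() mirrors the real
// signature: open(method, url, async, user, password).
class FakeXMLHttpRequest {
  open(method, url, async, user, password) {
    this.method = method;
    this.url = url;
    this.async = async;
    this.user = user;
    this.password = password;
  }
}

// A monitoring wrapper that records the call but forwards only the three
// arguments it knows about: user and password never reach the real open().
function wrapOpenDroppingExtras(XHR) {
  return class extends XHR {
    open(method, url, async) {
      this.monitored = { method, url };
      return super.open(method, url, async);
    }
  };
}

// A wrapper that forwards whatever the caller passed, so optional trailing
// parameters survive the monitoring layer.
function wrapOpenForwardingAll(XHR) {
  return class extends XHR {
    open(method, url) {
      this.monitored = { method, url };
      return super.open(...arguments);
    }
  };
}

// Open a request with credentials and report what the underlying open() saw.
function credentialsSeenByOpen(XHR) {
  const xhr = new XHR();
  xhr.open('GET', '/cmp/user/alice', true, 'alice', 's3cret');
  return { user: xhr.user, password: xhr.password, monitored: xhr.monitored };
}

// Stand-alone run: shows the dropped credentials next to the forwarded ones.
console.log(basicAuthHeader('alice', 's3cret'));
console.log(credentialsSeenByOpen(wrapOpenDroppingExtras(FakeXMLHttpRequest)));
console.log(credentialsSeenByOpen(wrapOpenForwardingAll(FakeXMLHttpRequest)));
```

The forwarding wrapper uses `super.open(...arguments)` so that it never has to know how many parameters the wrapped method accepts; that is the general lesson of the bug, since any instrumentation that re-declares a method's parameter list will break callers the moment the browser API has optional arguments the wrapper author did not think of.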

I've filed a bug with a patch that should do the trick, so hopefully this will be resolved soon.

Monday, February 5, 2007

Cosmo 0.6 almost ready... looking forward

With 0.6 winding down, I wanted to take a second to list things I'd like to see happen for 0.7. So, in no particular order:
  • Complete transition to Dojo-based package management. Move all code to appropriate and sensible homes within the code
  • Formalization of JavaScript data structures in model.js
  • Move to static css. Get rid of dynamic styling for initial page layout as much as possible.
  • Make page resizing craziness work correctly
    • Only resize calendar on page resize
    • Work with PPD on edge cases (very small, very big)
  • Move all pages (pim, admin, etc) to unified page layout (right now, we have separate logic for creating the admin page nav bar and the pim nav bar).
  • Shore up CMP security situation:
    • Don't store password in a cookie (duh). Instead, store something that will allow us to get the password given either a) a time-based nonce from the server side or b) some details about the user's current execution environment that XSS attackers could not grab
    • Only store password in cookie between page loads using window.onunload. This should guard against XSS attacks.
    • Shore up security on server side? Right now, once we figure out the password on the client side, we send the password in plain text (because it's Basic auth). Could we avoid this?
  • Cool error messages a-la-Enso