Brian Arnold created a fun sample drum machine simulator using HTML5 <audio>.

That's not all Brian is working on:

I'm also working on something like the ToneMatrix or Tenori-on (Flash and actual devices, respectively) in pure HTML/JS. It works too, but the sounds aren't exactly designed to be great together (it's currently working on a C scale) and so if you're careful, you can get some decent sound but otherwise, it'll hurt your ears.

by Dion Almaer at July 03, 2009 01:11 PM

Alex MacCaw has released Machsend, a Yahoo! Browser Plus plugin that enables P2P file transfers from inside the browser.

It showcases what can be done with a BP plugin, leaving you wish cross browser functionality.

I guess it is kinda fun to hack the browser :)

by Dion Almaer at July 03, 2009 10:52 AM

2009-07-03: W3C launched a new Device APIs and Policy Working Group, co-Chaired by Robin Berjon (Vodafone) and Frederick Hirsch (Nokia). The group's mission is to create client-side APIs that enable the development of Web Applications and Web Widgets that interact with devices services such as Calendar, Contacts, and Camera. Additionally, the group will produce a framework for the expression of security policies that govern access to security-critical APIs (such as the APIs listed previously). Per its charter, this group will conduct its work in public. Learn more about the Device APIs and Policy Working Group. (Permalink)

July 03, 2009 12:00 AM

2009-07-03: The Rule Interchange Format (RIF) Working Group has published six Last Call Working Drafts. Together, they allow systems using a variety of rule languages and rule-based technologies to interoperate with each other and with other Semantic Web technologies. Three of the drafts define XML formats with formal semantics for storing and transmitting rules:

July 03, 2009 12:00 AM

John Gunther has released GChart 2.5, a client-side library that adds a new canvas-rendering option for sharper, better looking, alpha-transparent, pie, line, and area charts.

John told us:

Canvas-rendering corrects GChart's most serious visual quality limitations (including the most often mentioned problem by its users: the banded-filled pie slice).

Coupled with its existing feature set and ease of GWT integration, the canvas-rendering option makes GChart an excellent choice for those who want to add basic charts to a GWT application without a lot of fuss.

To access these features, you'll need to plug an external canvas library into GChart (GWTCanvas in the gwt-incubator is reccommended) as described in detail in the setCanvasFactory method.

With the external canvas in place, the next step is to tell GChart you want a curve to be "continuously filled" by invoking setFillSpacing(0).

With each such continuously filled curve, GChart automatically exploits your external canvas library to improved the quality and speed of that curve's rendering. Specifically, banded-filled pie slices become solid filled, dotted connecting lines become continuously connected, and (the biggest stretch) bar charts become area charts. See the setFillSpacing method's javadocs for a detailed description of how each existing symbol type implements this new "continuously-filled", canvas-powered, rendering option.

Note that GChart's previous HTML-only rendering is still available, and is the default rendering mode if you don't bother to plug in an external canvas.

Check out the demo

by Dion Almaer at July 02, 2009 11:44 AM

Paul Baukaus linked to jsescape, a little form that shows escaping and unescaping across a number of encodings.

Andrea Giammarchi had his own post on encodings in a different way.... as he talked about
en-code which you can check out in action here on the page that lets you do simple encodings, especially for source code, in short order.

by Dion Almaer at July 02, 2009 10:03 AM

As preparation for an upcoming tech talk about Placemaker I thought it would be good to take a bit of the pain out of the geolocation service by making an interface for it. Placemaker works the following way: you post some content or a URL to it, it goes through the content or gets the content from the URL and analyzes it. It then finds geographical locations in the text and disambiguates them (for example to skip names like "Jack London" and not consider it the city London). Finally you get it back as XML.

The annoying thing is that Placemaker only support POST request and does not have a JSON output - for now. GeoMaker allows non-developers to enter some text or a URL, filter the results (using YUI datatable) to remove false positives (no system is perfect) and get the embed code for a Yahoo Map or a list of microformatted locations as copy+paste. See the screencast to get the end user experience:

Of course, every time you build something like that, red-blooded developers will ask for an API to do the same thing (and pointing them to Placemaker wasn't enough). So here it is:

http://icant.co.uk/geomaker/api.php takes two parameters: url of the web document to load and output which could be map, kml, microformats, csv, or json (with callback for JSON-P). Using this you can analyze a url in JavaScript and get the data back as an array:

The Ajaxian.com output right now would be:

by Chris Heilmann at July 02, 2009 08:02 AM

Modernizr is a new library that detects various HTML5 and CSS3 features and lets you know so you can use them:

Writing conditional CSS with Modernizr

Now, once your page loads, Modernizr will run and go through all of its tests. It will automatically add all the classes to the <body> element of the page, and these classes will be along the lines of body.feature or body.no-feature, with the former indicating that the current browser supports that specific feature and the latter indicating that the browser does not support the feature.

Additionally, it will create a new JavaScript object in the global scope, called Modernizr. This object will contain properties for each of the features that Modernizr detects for, and their value will be set to TRUE or FALSE depending on the browser's support for it.

What you can do from this point on is write pseudo-IF/ELSE statements in your CSS. Let's look at an example from the Modernizr.com site itself:

PLAIN TEXT

CSS:

1.  
2. .cssgradients #main {
3.     background: -webkit-gradient(linear, left 0, right bottom,
4.         from(rgba(255,255,255, .82)),
5.         to(rgba(255,255,255, 0))) 0 0 no-repeat;
6. }
7.  

In the above example, we're doing an "IF" condition in CSS: IF the browser supports both CSS gradients, THEN apply this background property to the #main element (instead of the original background property).

Writing conditional JavaScript with Modernizr

When leveraging Modernizr in your JavaScript, it's as straight-forward as it can be to do IF-conditions based on what the browser currently supports:

PLAIN TEXT

CSS:

1.  
2. if (Modernizr.cssgradients) {
3.     // perform some actions you only want to
4.     // execute if the browser supports gradients
5. }
6.  

We are seeing a growth in these kinds of tools and shims to get HTML5 features into developers hands. Another great site to help is the new HTML5 Doctor.

by Dion Almaer at July 02, 2009 04:29 AM

2009-07-02: Today the Director announces that when the XHTML 2 Working Group charter expires as scheduled at the end of 2009, the charter will not be renewed. By doing so, and by increasing resources in the HTML Working Group, W3C hopes to accelerate the progress of HTML 5 and clarify W3C's position regarding the future of HTML. A FAQ answers questions about the future of deliverables of the XHTML 2 Working Group, and the status of various discussions related to HTML. Learn more about the HTML Activity. (Permalink)

July 02, 2009 12:00 AM

2009-07-02: W3C has published a summary and full minutes of the Workshop on Speaker biometrics and VoiceXML 3.0, that took place in Menlo Park, California on 5-6 March. Participants from 15 organizations focused discussion on Speaker Identification and Verification (SIV) functionality within VoiceXML 3.0, and identifying and prioritizing directions for the functionality. The major "takeaways" from the Workshop were confirmation that SIV fits into the VoiceXML space and creation of the "Menlo Park Model", a SIV available VoiceXML architecture. The Working Group will continue to discuss how to include the requirements expressed at the Workshop into VoiceXML 3.0 and improve the specification. Learn more about the Voice Browser Activity. (Permalink)

July 02, 2009 12:00 AM

2009-07-02: The SPARQL Working Group has published the First Public Working Draft of SPARQL New Features and Rationale. This document provides an overview of the main new features of SPARQL and their rationale. This is an update to SPARQL adding several new features that have been agreed by the SPARQL WG. These language features were determined based on real applications and user and tool-developer experience. Learn more about the Semantic Web Activity. (Permalink)

July 02, 2009 12:00 AM

Hi, I am Michael Benny, a tester on networking in Internet Explorer. During the Internet Explorer 8 development cycle I was responsible for verifying many of the pieces of Compatibility View. We have discussed earlier about how the Compatibility View feature works and the steps a site author can take to ensure the Compatibility View button never displays for IE8 users visiting your site. There is another scenario that we have not yet covered, if my site was already added by an End-user to their Compatibility View list before my site was updated, and now it's ready, how would I get the site off of that user's list? I wanted to share one particular feature that we haven't blogged about before "“ the ability to "trim"� domains from a user's Compatibility View list.

As a quick refresher on Compatibility View, Internet Explorer 8 uses its most standards-compliant rendering behavior by default. This configuration may cause problems with websites that expect the older, less interoperable behavior from IE. As a site administrator, you have a number of tools at your disposal to ensure IE8 clients have a compatible experience with your website "“ taking advantage of the standards improvements in IE8 or using the X-UA-Compatible header to tell IE8 "display content as IE7 would have"� being the two most common options site authors have requested.

End-users also have a way to mitigate compatibility issues they may encounter in the course of normal browsing on sites that do not have the X-UA-Compatible option explicitly set. They can choose to view a site in Compatibility View, an IE7 emulation mode, by toggling a button on the browser's address bar. Internet Explorer 8 remembers Compatibility Button presses on a per-domain basis in order to provide a more seamless return-visit experience. These domains are stored in a registry location on the client at HKCU\Software\Microsoft\Internet Explorer\Browser Emulation.

When a site is in a user's Compatibility View list, the default document rendering behavior will be set to IE7 Emulation mode and it will affect the User Agent String used to request pages. As a site admin, you are always in control of how your site is displayed. Using the X-UA-Compatible tag, you can override Compatibility View on the client and dictate the exact rendering mode your site should be displayed in. Site admins also have the option to deploy the X-UA-Compatible header for a large section of pages as an HTTP header (Example: IIS and Apache). You can take this one step further by using the X-UA-Compatible to also remove your domain's entry from the user's Compatibility View list. Here's how"¦

For a domain to be trimmed, the End-user must first land on a page with the X-UA-Compatible Meta tag or HTTP Header. The presence of an IE8 <META> tag does indeed trigger the list clean-up process, but that's not all there is to it. The next step is to look for a file called "˜IEStandards.xml' placed at the domain root. IE will first make an HTTP HEAD request for this file looking for its presence. Absence of the file means that the domain remains in the user list. If the HEAD request is returned successfully, then IE will perform an HTTP GET request for the file. In the file, a tag called "˜IE8StandardsMode' signals the list entry is really ready to be trimmed. Here is an example of the correct server configuration for "˜example.com':

1. Set the page X-UA-Compatible header set to a value indicating IE8 mode
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
2. Place a file at the root of the domain "˜example.com'
   http://example.com/iestandards.xml
3. The file should have a root XML element called IE8StandardsMode:
   <IE8StandardsMode/>

Site admins should be aware that this affects all sub-domains. So if a user visits a page at "˜support.example.com', which is configured as shown here, but there is another sub-domain like "˜mail.example.com', which would still like to respect the user's choice to put the site into Compatibility View, then the "˜mail' sub-domain will use IE8 Standards mode rendering.

The entries on the Compatibility View list reflect an entire domain, example: "˜example.com', rather than subdomains like "˜mail.example.com' and "˜support.example.com'. IE must process the request to trim the domain entry from a source that represents the entire domain, otherwise side effects to subdomains may occur. As an example, suppose the entire "˜example.com' domain is on the user's Compatibility View list. Later, "˜support.example.com' does great work to update their site to support IE8 and includes a HTTP header / <META> tag indicating that portion of the site is best viewed in IE8 Standards Mode. "˜example.com' and "˜mail.example.com' have still not been updated. If IE were to remove the entry for "˜example.com' from the user's list based solely on the presence of the HTTP header / <META> tag value found at "˜support.example.com', the user could encounter a compatibility failure when they visit non-updated content at "˜example.com' or "˜mail.example.com'. Checking for the "˜IE8StandardsMode' file at the root domain level solves this case by requiring that someone "authoritative"� for the domain signal list cleanup. That way, IE users can be assured of a consistent compatibility experience on the domain.

Getting the IESettings.xml file follows a very similar model to how IE will request favorite icons for domains, but we wanted to address the issue of server overhead. To avoid IE8 making multiple and unnecessary requests to a server for this file on every page navigation with the X-UA-Compatible option set, there exists a 30 day timeout period since the last request. This 30 day timeout period is also set when a user adds a domain to their user list, so do not be alarmed if you still see IE8 Compatibility View requests after deploying the file to the domain root.

Thanks,
Michael Benny
IE Test

by ieblog at July 01, 2009 09:31 PM

A couple of releases related to unit testing and JavaScript came out on the same day.

First, the JScript team posted a set of ECMAScript 5 tests.... 900 to be exact, and the focus on features that are new to ECMAScript 5.

All of the tests are released under New BSD.

Then, the V8 team announced Sputnik, a series of of 5000 tests, also under BSD. These tests aren't for the shiny ECMAScript 5 world, but are for ECMA 262, or edition 3.

Nice to see a lot of tests out there, all under liberal open source licensing.

by Dion Almaer at July 01, 2009 12:42 PM

2009-07-01: Browse W3C presentations and events also available as an RSS channel. (Permalink)

July 01, 2009 12:00 AM

It is great to feel the good vibes at Mozilla HQ today as we launch Firefox 3.5! It is always an interesting ride to see a browser develop, and realize how complex and large the work is.

Congrats to the browser developers out there who are working hard to make the Web better. With final versions of Firefox 3.5, Safari 4, and Chrome 2 out in the wild.... things are picking up nicely.

The Firefox 3.5 release is exciting for me because it really benefits the developers. We get Open Video, @font-face, cross site XHR, Geo Location APIs, CSS Media Queries, Native JSON, Offline support, Web Workers, and so much more.

And, the world keeps moving. I have seen some very cool things in the nightly tree, and look forward to beign around as the team works on the next great Firefox.

Updates

Steve Souders has posted on Firefox 3.5 getting 10 out of 11 in his UA Profiler tests.

Watch the downloads come in with this cool download tracker that uses Canvas and SVG, all thanks to Justin Scott. The stats so far show that if the current rate trends hold we will beat the Firefox 3.0 download day, which is a surprise to all.

Sean Martell has created a nice wallpaper and persona to commemorate!

by Dion Almaer at June 30, 2009 03:35 PM

Kyle Simpson has developed LABjs, a library that lets you define your JavaScript file dependencies, and then loads them as efficiently as possible.

Kyle told us:

This project is a simple little tool (1.6k compressed!) for being able to load javascript files dynamically. It's like a lot of similar projects where the goal is to improve the speed of page load by allowing scripts to load in parallel. The thing it does slightly differently than most others like it is it allows you to "block", which is to say, load one or more scripts in parallel, then wait for them to finish, before going on to something else, like loading more scripts.

What I wanted was a pattern where I could load scripts in parallel, just like with script tags, but also block and wait if there was an explicit ordering dependency that required it.

What most loaders fail to do well is let you define "dependencies" simply based on loading order. With regular script tags, the browser blocks for you, so you can make sure for instance that jquery.js loads before jqueryui.js. But imagine you've got 3 scripts that can download in parallel (not dependent on each other), and then two more that need to wait for those 3 to load. You can't do that with script tags, and you also can't do that very easily with a lot of the script loaders/frameworks that I've found.

Most of them rely on intrusive concepts to do "dependency" management. For instance, each child script has to "signal" (callback) that it's done loading, to the parent page. Or the parent script and child scripts have to explicitly declare dependencies using some framework or conventions. Also, some other loader libraries rely on attaching a single load callback handler for EACH script. This makes it awkward or difficult to wait for several to load at a time, before proceeding, since you as the author have to keep track of what has loaded yourself.

jsLAB lets you load pretty much any script file, whether you control it or not, with no intrusion or convention for dependencies, other than the order and blocking that you define. It keeps track of what you've asked for and what has downloaded, only loads a unique script filename once, and lets you only define your handler once for a set of scripts that will load together in parallel. The API style (with chaining) makes is very easy to convert a set of script tags in your page into code to load them, without having to worry that race conditions will cause issues for scripts loading in the wrong order if there are implicit dependencies involved.

Example

Old:

New:

In the above example, "jquery.ui.js" and "myplugin.jquery.js" can load in parallel because there's no dependencies, but they will wait for "jquery.js" to load first, since they depend on it, and then "initpage.js" will wait for all of them to load before it runs, to it makes sure all code it will call is in place, similar to a $document.ready(...) concept.

The page link above also shows a few other variations on the .script(...) signature. For instance, you don't have to do a single script() call for each file (though I think it makes thing more readable). You can pass as many scripts singularly as parameters to one script() call. You can also pass an array of scripts, and it will loop through them and load them in the same way. Lastly, you can pass in an object instead of string, and the object literal can contain "src", "type", and "language" specifications, if you want to override the defaults of "text/javascript" and "Javascript", for some reason.

by Dion Almaer at June 30, 2009 11:16 AM

2009-06-30: The Cascading Style Sheets (CSS) Working Group has published a Last Call Working Draft of CSS3 module: Multi-column layout. This module describes multi-column layout in CSS. It builds on the CSS3 Box model module and adds functionality to flow the content of an element into multiple columns. Comments are welcome through 01 October. Learn more about the Style Activity. (Permalink)

June 30, 2009 12:00 AM

2009-06-30: The Service Modeling Language Working Group has published two Working Group Notes: The SML XLink Reference Scheme and Framework for SML EPR-Based Reference Schemes. The Service Modeling Language specification extends the Extensible Mark-up Language and XML Schema with a mechanism for incorporating into XML documents references to other documents or document fragments. The first note addresses the construction of an SML reference scheme based on the XML Linking Language. The second addresses the construction of SML reference schemes for document or document fragment references that employ WS-Addressing endpoint references (EPRs). Learn more about the Extensible Markup Language (XML) Activity. (Permalink)

June 30, 2009 12:00 AM

For those of you who manage your organization's desktops using Windows Server Update Services (WSUS) Internet Explorer 8 will be made available via this technology starting August 25, 2009.  Internet Explorer 8 will be made available as an "Update rollup"� and will be applicable to all supported languages.

Is my organization affected?

If your organization uses WSUS and has it configured to auto-approve Update rollup packages, upon acceptance of the Internet Explorer 8 End User License Agreement (EULA) by the WSUS administrator, Internet Explorer 8 will install automatically on computers running Internet Explorer 6 or 7 on supported operating systems.

What should I do if I auto-approve Update rollups but want to control when I deploy Internet Explorer 8?

To give you control over how and when Internet Explorer 8 is deployed in your environment, perform the following steps:

Before August 25, 2009:

1. Turn off auto-approve for "Update rollup"� packages in WSUS, and approve the updates manually.  Note: Even if Auto-Approve for "Update rollup"� is on, you will still be required to approve the Internet Explorer 8 EULA before Internet Explorer 8 is deployed to downstream clients.

After August 25, 2009:

1. Synchronize your WSUS server.
2. Decline the Internet Explorer 8 update packages.
3. If you typically auto-approve update rollup packages, you can re-enable automatic approval for "Update rollups."�

What other Internet Explorer 8 updates will be available via WSUS?

Cumulative security updates for Internet Explorer 8 and Internet Explorer 8 Compatibility View List updates will also be released via WSUS as they become available.

To deploy Internet Explorer 8 today, visit the Internet Explorer TechNet Center "“ among other useful resources you'll find an Internet Explorer Deployment Guide and information about the Internet Explorer Administration Kit which explains how to generate a MSI installer and distribute it using Systems Management Server or Group Policy.

Eric Hebenstreit
Lead Program Manager

by ieblog at June 29, 2009 08:01 PM

Summer is right around the corner - so before you make any vacation plans here's one quick action item to cross off your to-do list: Register now to lock in exclusive $300 savings for The Ajax Experience conference, September 14-16 in Boston, MA.

It's only been two weeks since we announced open registration for The Ajax Experience with the promise of additional sessions being added to the web site over the next few weeks. And while a number of your peers have already applied and taken advantage of the $300 early-bird discount (which expires at the end of next month), we've already added more sessions to our agenda, including:

• 'Cappuccino Web Framework' with Ross Boucher, Co-founder of 280 North
• 'Even Faster Web Sites' with Steve Souders, Performance Engineer at Google and author of Even Faster Web Sites
• 'Testing the Testers: YUI Unit versus QUnit' with Ted Husted, Author of JUnit in Action, Struts in Action and more.  Others from Ted: 'Testing Ajax Applications' and 'API Doc Smackdown: YUI Doc Versus JS Doc Toolkit'
• 'Advanced Web Application Security' with Joe Walker, Creator of DWR
• 'Building Accessible User Interfaces with jQuery and Fluid Infusion' with Colin Clark, Co-founder of Fluid and Contributor to jQuery UI
• 'Designing for the Mobile Web with JavaScript' with Brian LeRoux, Co-creator of XUI and a Contributor to the PhoneGap project
• Panel: 'ES5: ECMAScript Standards for a Better Web' led by Allen Wirfs-Brock, ECMAScript Language Architect, Microsoft
• Panel: Secure Mashups: Getting to Safe Web Plugins led by Douglas Crockford, Author of JavaScript: The Good Parts
• And more!

The speakers and attendees at The Ajax Experience are working with the most advanced technologies today, building Ajax and rich Web front ends, as well as figuring out new ways to make response time still faster. And if security, performance, and SOA are important to you, you've come to the right place.

Your $300 discount expires the end of July - register now

If you have any questions about registration, traveling to Boston or bringing a team, please contact your Delegate Relations Manager, Jackie Anderson at janderson@techtarget.com or 781-657-1380. She's more than happy to assist you.

See you at The Ajax Experience!

by tberardi at June 29, 2009 05:25 PM

The W3C recently announced an exciting new incubator group - The Open Web Education Alliance (OWEA) - that is certain to have a significant impact on helping web standards and best practices find their way into classrooms around the world. The mission of OWEA is to bring together companies, schools, and organizations involved in shaping the education of Web professionals to explore the issues around the topic of Web development education and create solutions for improving it.

Many organizations like Opera, Adobe, Yahoo, WOW, and WaSP InterAct have been diligently working to develop curricula and outreach programs to help schools better prepare their students for a career on the Web. OWEA will bring many education initiatives together in a broad collaborative.

“ The mission of the Open Web Education Alliance Incubator Group, part of the Incubator Activity, is to help enhance and standardize the architecture of the World Wide Web by facilitating the highest quality standards and best practice based education for future generations of Web professionals through such activities as:

• fostering open communication channels for knowledge transfer
• curriculum sharing between corporate entities, educational institutions, Web professionals, and students ”

- The Open Web Education Alliance Charter

OWEA’s origins can be traced back to Web Directions North in Denver in February, where WaSP emeritus and CSS Samuri John Allsopp brought together educators, industry experts, and representatives of the W3C to explore ways of uniting the various education efforts already underway. Four months later, OWEA has transformed from a collection of ideas at a meeting to a W3C incubator group. The Web Standards Project has a strong representation in OWEA, and will be contributing content from InterAct to the initiative.

This is a huge step towards improving web education! Want to stay informed? Subscribe to the WaSP InterAct Twitter feed.

by awalter at June 29, 2009 12:49 PM

As I announced earlier the Fronteers 2009 conference will be held in Amsterdam on the 5th and 6th of November. Today we announce two speakers, and we also have extended the early bird period by one week (ends 10th of July instead of 3rd). The conference will be held entirely in English.

June 29, 2009 11:39 AM

Developers tend to tease MySpace for its look, but the insiders are incredibly impressed by some of the engineering behind the scenes (e.g. their internal monitoring tools are said to be second to none).

They have surprised us again with their new tool MSFast which is "a browser plugin that help developers to improve their code performance by capturing and measuring possible bottlenecks on their web pages."

The IE 8 tools are getting better, but in general no one has been able to touch Firebug (and the new WebKit Inspector improvements) but this tool is actually plugin for IE! It captures a lot:

• Measure the CPU hit and memory footprint of your pages as they render on the client's browser
• Review screen shots of the page while it renders
• Review the rendered HTML on each point of the page's lifecycle
• Measure and show estimates of the time it takes to render each section of the page in different connection speeds
• Validate the content of your page against a set of proven "best practice"� rules of web development
  Review downloaded files and show download time estimation on different bandwidths

That is some impressive data, and great to be able to test on IE where it has been SO hard to do so in the past.

by Dion Almaer at June 29, 2009 10:21 AM

We are pleased to announce the availability of Internet Explorer 8 on Windows XP for 5 additional languages today.  These languages were tagged as "Coming Soon"� in our blog post early June. Please visit our World wide sites page to download Internet Explorer in your preferred locale/ language.

Languages newly available on Windows XP:

• Telugu
• Malayalam
• Punjabi (India)
• Kannada
• Bengali (India)

For reference, here's a table with the full list of IE8 availability:

Thanks,
Vishwac Sena Kannan,
International Program Manager | Internet Explorer.

by ieblog at June 26, 2009 09:27 PM

Zach Johnson is at it again, this time giving us a fun Friday treat with CSS text shadow, all via:

by Dion Almaer at June 26, 2009 04:26 PM

Thomas Fuchs has been working in the open on scripty2 for a bit, and now the website has launched.

It even comes with nice documentation and fun demos:

What's new in scripty2? It is a complete rewrite, and comes packaged in three parts:

scripty2 core contains the main namespace and an area for extensions to be added. It also contains helpers and the like.

scripty2 fx: The scripty2 effects framework provides for time-based transformations of DOM elements and arbitrary JavaScript objects. This is at the core of scripty2 and presents a refinement of the visual effects framework of script.aculo.us 1.X.

scripty2 ui currently has one submodule: Utility functions for CSS parsing, color normalization and tweening.

We are doing more and more on the client, requiring nice programming models to do cool effects. Great to see one of the granddaddies of them all get a new coat.

by Dion Almaer at June 26, 2009 05:14 AM

2009-06-26: As of 30 June, Steven R. Bratt will step down from his role as W3C CEO in order to pursue full-time the role of CEO of the World Wide Web Foundation. The Web Foundation was announced in September 2008 with a mission to advance the Web, connect humanity, and empower people. Steve has been part-time CEO of the Web Foundation since then.

June 26, 2009 12:00 AM

2009-06-26: W3C announces the French Authorized Translation of Web Content Accessibility Guidelines (WCAG) 2.0, Règles pour l'accessibilité des contenus Web (WCAG) 2.0. It is the first of several planned WCAG 2.0 Translations: Brazilian Portuguese, Catalan, Chinese, Czech, Danish, Dutch, German, Hindi, Hungarian, Italian, Japanese, Korean, Portuguese, Russian, Spanish, Swedish, and other languages. Translations are listed on the WCAG 2.0 Translations page and announced via the WAI Interest Group mailing list and WAI RSS feed. Learn more about translating W3C documents, Policy for Authorized W3C Translations, WCAG 2.0, and the Web Accessibility Initiative (WAI). (Permalink)

June 26, 2009 12:00 AM

Recently, a number of people have asked me what I think about Mozilla's Content Security Policy draft spec.  Back in January, I went on record as being someone who thinks that CSP is a good idea. 

CSP is a mechanism for declarative security, whereby a site communicates its intent and leaves it up to the user-agent to determine how to enforce it.

There are a number of benefits to declarative security mechanisms:

1. Reduced compatibility risks. Because sites must opt-in and declare what, if any, restrictions they want, new security features may be added to the user-agent with decreased compatibility fallout.
2. Clear intent. By plainly declaring which restrictions are desired, browsers need not try to "guess"� the site's intent.  For instance, when explaining that frame-breaking JavaScript cannot be relied upon to prevent ClickJacking, Kymberlee noted:
   

   If you don't design something to prevent a security vulnerability, odds are that it doesn't do a very good job of doing it.
   
   Because declarative security features are designed solely to mitigate security threats, browsers may implement the restrictions however they want, and can patch any holes found in the restrictions without unexpectedly breaking unrelated functionality.

3. Usability. By allowing a site to declare its security policy, browsers can make some security decisions on the user's behalf.
4. Auditability. It is straightforward to build tools that scan content for policies and determine if they meet the publishing organization's expectations.

Internet Explorer has a rich history in this space: HTTPOnly, SECURITY=RESTRICTED frames, X-Content-Type-Options, X-Download-Options, X-Frame-Options are all declarative security mechanisms first implemented in IE, and now supported by other browsers to varying degrees. 

The ideas behind the CSP draft are not new, and it is but one of many proposals for declarative security, from BEEP to HTML5 sandboxing.  In some respects it overlaps with other mechanisms for restricting script, although if CSP is successful, new directives will likely be created to provide uniform specification of the available policies.

While valuable, declarative security mechanisms are not without their challenges:

1. Plugins. Unless plugins have been blocked outright, they must be aware of, and enforce, the declared security policies.  Because plugins are provided by many different vendors, this requirement may prove challenging in real-world deployments.
2. Misconfiguration.  CSP is only as valuable as the policies configured by the developer or administrator, and a number of major sites have suffered breaches due to misconfiguration of security policy files. Ira Winkler claims [p143] that government studies indicate that 70% of computer intrusions are a result of configuration problems.
3. New attack surface. The very mechanisms used to implement CSP will be probed by hackers, and comprehensive fuzzing and penetration testing will be required to help mitigate the attack surface added.  Furthermore, if a hole is found that enables an attacker to circumvent a given policy within a given user-agent, that user-agent's reputation may be harmed-- even if other user-agents do not attempt to support that policy.
4. Debuggability. Web developers already face significant challenges in developing their pages, and introducing new security policies will require that tools be updated to clearly indicate when content has been blocked due to security policies. Sites might inadvertently set overly restrictive policies and failure to catch mistakes via comprehensive testing could lead to a confusing user experience.
5. Dynamic content. It may prove difficult to author workable policies for some dynamic-content scenarios (e.g. email composition, blog authoring, etc) because the user may herself add content to a given page from origins unknown to the web developer.
6. Adoption. Perhaps the biggest challenge for CSP and competing proposals is related to the fact that they offer "off-by-default"� security.  While this is great for compatibility, it's not-so-great for protecting sites and users, because benefits are only attained after web developers update their sites.  To succeed, CSP must balance power/flexibility against simplicity/understandability.

No security technology is a panacea, and for comprehensive protection, I think browsers need to offer both:

1. Rich security APIs that enable sites to prevent XSS attacks.
2. Automated protections to shield sites that can't/won't update their code immediately / ever.

To combat XSS attacks, IE8 introduced a number of attack-surface-reductions, a few new APIs, as well as the declarative security mechanisms (X-* headers) mentioned above. But we knew that sites wouldn't immediately adopt these APIs and declarative security features, so we built the XSS Filter, an on-by-default, no-questions-asked, no-code-changes required mechanism which helps mitigate the most common types of XSS attacks in the wild today.

I'm eager to see the progress on CSP, which I believe is a promising approach to helping websites secure themselves against the growing alphabet soup of web threats.  You can provide feedback on the CSP draft spec using Mozilla's Talk page.

-Eric Lawrence

by ieblog at June 25, 2009 06:45 PM

Congrats to the YUI team for releasing their first beta of YUI 3:

We've spent a lot of time in this release cycle refining the core elements of YUI 3 "” YUI, Node, and Event "” to ensure that we have the right API going forward. Performance is improved, and we've refined our module/submodule structure. In some cases we've added significant new features, including intrinsic support for event delegation in the Event package; however, the focus is on moving the base library to production quality.

Several YUI 2.x components make their YUI 3 debut in this release:

1. DataSource: YUI's data abstraction layer provides a standard interface into data sets, regardless of the data's origin (local, XHR, XSS, etc.) and format (JSON, XML, CSV, etc.);
2. ImageLoader: ImageLoader allows you to defer the loading of images that aren't in the viewport when the page paints, throttling bandwidth usage and improving performance;
3. History: The History component gives you control of the brower's back button within the context of a single-page web application;
4. StyleSheet: StyleSheet makes it easy to create and modify CSS rules on the fly, allowing you to dynamically style page elements with fewer repaints.

As part of the more granular packaging in the new codeline, we've created separate YUI 3 modules to house functionality that in YUI 2 was bundled with other components. Cache, DataType and DataSchema debut in this release; each of these used to be a part of DataSource.

To keep up to date, check out the roadmap and dashboard that the team keeps up to date.

by Dion Almaer at June 25, 2009 11:52 AM