At the welcome note, Ben and Dion showed their favorite YouTube videos, stuff like Darth Vader being a Smartass and Darth Vader Blues. I arrived so late that I missed the actual stuff they were talking about. Oh well…
The first session that I attended was by Kevin Hoyt from Adobe about the Adobe Integrated Runtime (AIR). AIR provides a browser-like runtime with Desktop integration, giving you the chance to use your web-application skills to build desktop applications.
AIR uses Webkit, which is also the basis for Apple’s Safari 3, as its HTML rendering engine. I asked Kevin about that after the talk, and according to him, Adobe actually ported Webkit to Windows to be able to use it for AIR. My conclusion from that: we have Safari 3 on Windows because Adobe ported Webkit to Windows. Would be nice if someone could verify that.
The good stuff that Kevin demonstrated was: clipboard support (copy & paste), drag & drop support to/from the desktop (or other applications), a File API for reading and writing files from and to the local file system and also uploading them to the web, and a socket API for detecting whether some target server is reachable or not. He also showed how to set “chrome” to “none”. Actually he should have explained what chrome is, but his demo made it pretty clear: disabling it removes all the usual window stuff, like the title bar with the close button etc. The Ext guys used that to render a desktop application.
According to Kevin there are still a few problems to solve to improve Ext on AIR. Ext uses eval() a lot, and AIR restricts that heavily due to security issues: you don’t want to mix XSS with access to the local file system. So to be able to run Ext in AIR, currently they have to create an iframe that emulates the usual browser sandbox. Inside that sandbox, Ext can use eval() as much as necessary. Kevin said that they are working together with Ext to smooth out those problems and provide easier integration.
Surprisingly, the current beta also doesn’t support Flash content. But that should be available in the next beta release.
In the next session, Ajax Security, Douglas Crockford gave an overview of security issues. He didn’t try to point out actual issues, but rather where the issues are, especially with respect to mashups, which he considers the most important innovation of the last 20 years. He concluded with a somewhat pessimistic perspective: either we fix the web by virtually replacing every technology we rely on, because they are all way too unsafe, or the web will be replaced by other new platforms for building applications.
Joe Walker, author of DWR, gave a more fine-grained view of actual problems in his Web Application Security session. His slides give a pretty good impression of all the problems we should be dealing with, and some good directions on how to deal with them, like filtering based on content type (you shouldn’t accept HTML for a name field) and restrictive whitelisting (specifying what’s allowed, as opposed to blacklisting, which specifies what’s not allowed).
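Whitelisting per field type next to the blacklist approach, as an added example that is not from Joe’s slides or from DWR; the field policies and regexes are my own assumptions about what a name or phone field may contain:

```javascript
// Added example, not from Joe Walker's slides or DWR: per-field whitelist
// validation, shown next to the blacklist approach the talk advises against.

// Blacklist: remove markup we happen to know about. Anything else passes.
const BLACKLISTED_TAGS = /<\/?(script|iframe|object)\b[^>]*>/gi;
function blacklistFilter(input) {
  return input.replace(BLACKLISTED_TAGS, "");
}

// Whitelist: state what each field type may contain and reject the rest.
// A name is letters (any script) plus combining marks, spaces, hyphens,
// apostrophes and periods; a phone number is digits with common separators.
// These policies are assumptions for the example, not a standard.
const FIELD_POLICIES = {
  name: /^[\p{L}\p{M}](?:[\p{L}\p{M} .'\-]{0,98}[\p{L}\p{M}.])?$/u,
  phone: /^\+?\d[\d ()\-]{4,19}$/,
};

function validateField(kind, input) {
  const policy = FIELD_POLICIES[kind];
  if (!policy) return { ok: false, reason: `unknown field kind: ${kind}` };
  if (typeof input !== "string") return { ok: false, reason: "not a string" };
  const value = input.trim().replace(/\s+/g, " "); // normalise whitespace
  if (value === "") return { ok: false, reason: "empty" };
  if (!policy.test(value)) {
    return { ok: false, reason: `not valid content for a ${kind} field` };
  }
  return { ok: true, value };
}
```

The whitelist rejects any markup in a name outright, while the blacklist only removes the tags it was told about and passes everything else through unchanged.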
One of the really scary exploits is anti-DNS pinning. Basically it’s an exploit that allows the attacker to get access to intranet websites, scrape them and send the content back to the attacker. If you’ve never heard of that before and are interested in security topics, take a look at Joe’s slides.
Later I ended up in a talk by Alex Shvedoff from Isomorphic about Infrastructure Inversion. I missed the start; what I saw was a live demo of SmartClient, the AJAX application framework Isomorphic is selling. From a functional viewpoint, SmartClient is great stuff; unfortunately it looks rather ugly.
Anyway, he also showed their data grid component, which has a very interesting implementation for paging. It doesn’t page at all; instead it simply doesn’t render all the rows at once. For example, in a grid with 500 total rows and 25 rows displayed at once, it would render a container high enough for 500 rows, putting it into a container high enough for 25 rows with scrollbars. So the scrollbars represent how much the user can really scroll there. When the grid is loaded, only 130% of one page is rendered (here: 33 rows). When the user scrolls down, more rows are rendered. If he scrolls slowly, he won’t notice at all; if he hops to the end, he’ll notice a flash of content.
In the example Alex showed, all rows were loaded into memory and just the rendering was delayed. That could be modified to load only one or two pages initially, and then request more from the server.
The pattern here was later picked up in a slightly modified way by Aza Raskin in his “Don’t make me click” keynote (link coming soon), as the “infinite scrolling” pattern.
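The render-window bookkeeping behind that grid, as an added example in JavaScript (my own code, not SmartClient’s); it assumes a fixed row height and the 130% overscan from the demo, and also covers the variation of fetching further rows from the server:

```javascript
// Added example, not SmartClient's code: the bookkeeping behind a grid that
// sizes its scroll area for every row but only renders rows near the viewport.
// Assumptions: fixed row height, 130% of a page rendered ahead as in the demo.

const OVERSCAN = 1.3; // 25-row page -> ceil(32.5) = 33 rows rendered

function renderWindow({ totalRows, pageRows, rowHeight, scrollTop }) {
  const innerHeight = totalRows * rowHeight;              // honest scrollbar
  const maxScrollTop = Math.max(0, innerHeight - pageRows * rowHeight);
  const top = Math.min(Math.max(0, scrollTop), maxScrollTop);
  const first = Math.floor(top / rowHeight);
  const end = Math.min(totalRows, first + Math.ceil(pageRows * OVERSCAN));
  return { innerHeight, first, end };
}

class VirtualGrid {
  constructor({ totalRows, pageRows, rowHeight, loadedRows = totalRows }) {
    Object.assign(this, { totalRows, pageRows, rowHeight, loadedRows });
    this.rendered = new Set(); // row indexes already turned into DOM
    this.innerHeight = totalRows * rowHeight;
  }

  // Called on every scroll event; returns which rows must be rendered now
  // and, for the "load a page or two, fetch the rest" variation, where the
  // next server request should start (null when nothing is missing).
  onScroll(scrollTop) {
    const w = renderWindow({ ...this, scrollTop });
    const renderEnd = Math.min(w.end, this.loadedRows); // only rows in memory
    const newRows = [];
    for (let i = w.first; i < renderEnd; i++) {
      if (!this.rendered.has(i)) { this.rendered.add(i); newRows.push(i); }
    }
    const fetchFrom = w.end > this.loadedRows ? this.loadedRows : null;
    return { first: w.first, end: w.end, newRows, fetchFrom };
  }

  // Server responded: more rows are now in memory.
  markLoaded(count) { this.loadedRows = Math.min(this.totalRows, count); }
}
```

A slow scroll of one row yields one newly rendered row, while a jump to the end renders a whole page at once, which is the flash of content mentioned above.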
Interesting was that Douglas is part of the ECMAScript committee representing Yahoo, alongside Microsoft, Mozilla, Opera and Adobe. He recommends that everyone takes a look at the current whitepaper about ECMAScript 4 and then posts his opinion about it on the public mailing list.
To give you an idea what browsers can do to help us without introducing new problems or implementing new syntax that we can’t use:
- Provide a programming model for secure mashups – there is a whitepaper from the OpenAjax Alliance about that
Afterwards I got invited by John to join him and some guys from Boston and some more jQuery guys to get drinks at a nearby bar.
Some time later, while getting something to drink at a nearby Dunkin Donuts and waiting for the next bus, I realized an interesting fact: No smoking!
And I don’t mean “Don’t smoke!”. Literally, there is no smoking. I can’t remember seeing even one smoker since Monday. Maybe they are hiding somewhere.
Related to that are air conditioners: they are (in contrast to smokers) everywhere, which can be annoying. It was quite cold in some of the conference rooms. But I like the fact that I could go to a bar and, while it was really full and loud, the air was really good. In a similar bar somewhere in Cologne, half the people would have been smoking, there would have been no effective air conditioner and the air would be hot and smoky and burning in my eyes. I like the fresh-air one better.