Archive for March, 2002



Break out your broadband connection and your Flash plugin. The San Francisco Symphony Kids web site makes it all worthwhile.

I clearly haven’t been paying enough attention to web sites built for kids. Until now, the only one I ever looked at was Webmonkey for Kids. Sites like SFS Kids and the BBC‘s CBeebies are just great fun! A whole world that I haven’t explored. I wonder if Google will come up with a kids version, like Yahoo! did with Yahooligans!


Thanks, Sun!

I like to read stories like this. Sun donated some hardware to A big thank you to Sun!

On a similar token, Pair, the hosting service that I use for this very site, donated hosting to The Perl Review. One of the reasons that I like to use Pair.


PKE revisited

An interesting thread on the NANOG list: 1024-bit RSA keys in danger of compromise (the message that kicked it off was first posted in Bugtraq). This may be a good time to point to a little something I wrote a year or so ago, a “Brief Introduction to Digital Signatures.” Just cuz you may find it a useful introduction. I keep finding people who look at me funny when I ask if they use PGP.


Digest authentication broken in IE & IIS

Great. Just frelling great. IE‘s digest authentication mechanism is incompatible with Apache’s. By the same token, IIS’s is incompatible with any browser but IE. I am not normally one for Microsoft conspiracy theories, but considering Microsoft’s lukewarm response (“the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly”), I have to wonder whether this is a mistake or a strategy. I’m sorry, but passing passwords in the clear does indeed “put customer data at risk”!!

A while back I spent an evening digging through the Apache source code to figure out how they implement digest authentication. I’ve read the RFC. It is not so hard that it should confound the crack programmers at Microsoft.

Since Mozilla finally supports digest authentication (since 0.9.7, which you may recall surprised me since I had assumed Mozilla already did support something this basic), I was all set to start using it as a matter of course. I already do use it in certain circumstances, with Apache and Mozilla. But now…what? How many more years do we have to wait before we can expect even this rudimentary security?



OK, this time I mean it. I’m moving this weekend, no weblogging for me for a few days. Enjoy the weekend, folks.


disturbing search requests

I’m always amused by the search requests that turn up in my referrer logs. Today’s odd one, “What do you do if dog scratches all the time,” although neither disturbing nor a bad question to ask, somehow reminded me of Disturbing Search Requests, which I hadn’t visited in a while. Pity that so many of those have to do with sex. How dull. I really like this one:

“A person decides to shake hands with six different people on a certain day. The next day, each of the six people will shake hands with six different people . The process continues until every person in the United States has shaken someone’s hand. How many days will it take until everyone in the United States has shaken hands once? Assume that once a person shakes hands with six different people, he or she does not shake hands again%2”



<motd>Don’t think you’re special just because you’re the only one left out.</motd>


You go, Tim!

Tim O’Reilly weighs in again: Disingenuous Comments from Michael Eisner.

“These entertainment and publishing industry executives are either being disingenuous or are ignorant of both technology and history. The software industry faces exactly the same conditions that the entertainment industry fears will destroy its markets. Software is digital, easily and perfectly copyable, and pirated copies are in fact available through a variety of illicit channels, but that hasn’t kept companies like Microsoft from going on to become among the largest and most successful in the world. What’s more, copy protection was widely explored by software companies in the 1980’s, and what they learned was that consumers avoided copy-protected products.”


JavaScript links

If all my dire warnings the other day didn’t scare you off, and after careful consideration you’ve found yourself with a compelling enough reason to open a new window — compelling enough that your users will expect a window to open, which I think is quite a rare situation — please don’t use the old HTML target="_blank" attribute. Use JavaScript.

For one thing, the target attribute is not available in XHTML (you are using XHTML, right?) because it is not structural: it is behavioral. Page behavior should be controlled (or influenced, at least) with means other than markup, e.g. JavaScript or CSS. The one exception is framesets, where target does have a structural meaning and so is included in the XHTML 1.0 Frameset DTD. But you’re not using frames, are you?

If you find yourself in a position where you have no choice but to open a new window, please don’t do this:

<a href="javascript:openWindow('new.html')">DO NOT DO THIS</a>

do this instead:

<a href="new.html" onclick="openWindow(this.href); return false;">new window</a>

(This assumes that you’ve defined an openWindow() function.)

The second way, even those user agents with JavaScript disabled or unavailable can still access the page to which you’re sending them. Too, those of us who follow links by dragging them to another window or using contextual menus to open new windows or tabs can follow the link using our preferred method.

Thank you. You’ve just made the Web a better place.

You’d make it an even better place if you never opened new windows in the first place.

Update: Paul Sowden wrote to point out although Mozilla allows the blocking of target="_blank", it’s harder to block links using the JavaScript technique that I suggest. Using JavaScript, he argues, reduces the user’s control. Perhaps, but this is an issue that needs to be resolved by Mozilla’s developers.

Remember, in XHTML, JavaScript is the only way to open a new window. I agree wholeheartedly that opening new windows is something that you should studiously avoid, but sometimes you just can’t help it. Perhaps your boss or your kidnapper is staring over your shoulder until you comply with her demands. In that case, I humbly request that you write your JavaScript code in a way that allows for the greatest amount of freedom and control for the end user.

I’ve thrown together a quick demonstration of how it works. Disable JavaScript, play with your browser preferences, see how it all comes together. If you have improvements, please share.

It’s possible to disable all window-opening behavior in Mozilla, by the way. Add this line to your user preferences file:


You’ll still be able to open windows if you want to, but it won’t happen without your permission.

This and other goodies are documented on or near the end-user documentation on the Mozilla site (Customizing Mozilla, Hidden Mozilla Prefs).

I hope that before long, disabling “Open a link in a new window” in the Mozilla GUI-defined preferences also applies to JavaScript-opened windows.


UI Design

The other day in a web accessibility training session, I admitted that I hate it when a link on a web page automatically opens a new window. I want to be the one who decides when a window’s opened. At this point, a couple people in the group rolled their eyes, no doubt thinking “oh give me a break, you control freak!”

So I got to thinking: why do I care?

I used to browse with several windows open at a time, dragging links from one to another, reading one page while another one or two loaded. Even then, with five or six browser windows on my desktop, a new window popping open unexpectedly was a little irrititation. Just as irritating as pop-up or pop-under ads.

Then tabbed browsing appeared in Mozilla (hit control-T and you’ll see what I mean), and my browsing habits changed: I still read several pages at a time, but now on different tabs within the same window. Now it annoys me even more when designers take it upon themselves to control my browsing habits. Thankfully, with every milestone release it gets easier to configure Mozilla to prohibit that sort of nastiness.

Still, though, why does it bother me so much? It’s a relatively minor thing, right? The key, I think, is that a window popping open is an unexpected behavior. There are times when I expect a window to open: when I click a link to enter my ZIP/postal code to customize site content; when I click a link on a television program title, expecting to get a brief description of the episode. In those cases I expect a new window to open — to provide or allow me to input a short bit of information — so it’s perfectly fine that it does. The web page behaves in a predictable way. No surprises.

Yesterday I read Joel Spolsky‘s User Interface Design for Programmers, and the reason for this became clear: it is an important principle of UI design that (I quote Joel here) “A user interface is well-designed when the program behaves exactly how the user thought it would.” I’m irritated by windows popping open when I don’t think they will, but don’t give it a second thought when I expect them to.

If you’re going to do something so unusual as to open a new window, you’d better have an extremely compelling reason. If your reason is compelling enough, the user should expect the window to open.

Back to the book. I highly recommend it. It’s a quick read, it’s entertaining, and it’s packed with lots of good stuff. Through most of the book, I kept excitedly jabbing my finger at the page, exclaiming, “yes! yes! He’s right on!” For every situation he describes, I can think of a real-world scenario that matches up. I learned a whole lot in just a couple hours. And now I feel ready for that next meeting about button text. <shudder />

Next »