afongen

Great. Just frelling great. IE‘s digest authentication mechanism is incompatible with Apache’s. By the same token, IIS’s is incompatible with any browser but IE. I am not normally one for Microsoft conspiracy theories, but considering Microsoft’s lukewarm response (“the nature of this particular issue does not put customer data at risk or pose a known security threat, so the fix will be prioritized accordingly”), I have to wonder whether this is a mistake or a strategy. I’m sorry, but passing passwords in the clear does indeed “put customer data at risk”!!

A while back I spent an evening digging through the Apache source code to figure out how they implement digest authentication. I’ve read the RFC. It is not so hard that it should confound the crack programmers at Microsoft.

Since Mozilla finally supports digest authentication (since 0.9.7, which you may recall surprised me since I had assumed Mozilla already did support something this basic), I was all set to start using it as a matter of course. I already do use it in certain circumstances, with Apache and Mozilla. But now…what? How many more years do we have to wait before we can expect even this rudimentary security?

OK, this time I mean it. I’m moving this weekend, no weblogging for me for a few days. Enjoy the weekend, folks.

I’m always amused by the search requests that turn up in my referrer logs. Today’s odd one, “What do you do if dog scratches all the time,” although neither disturbing nor a bad question to ask, somehow reminded me of Disturbing Search Requests, which I hadn’t visited in a while. Pity that so many of those have to do with sex. How dull. I really like this one:

“A person decides to shake hands with six different people on a certain day. The next day, each of the six people will shake hands with six different people . The process continues until every person in the United States has shaken someone’s hand. How many days will it take until everyone in the United States has shaken hands once? Assume that once a person shakes hands with six different people, he or she does not shake hands again%2”

<motd>Don’t think you’re special just because you’re the only one left out.</motd>

Tim O’Reilly weighs in again: Disingenuous Comments from Michael Eisner.

“These entertainment and publishing industry executives are either being disingenuous or are ignorant of both technology and history. The software industry faces exactly the same conditions that the entertainment industry fears will destroy its markets. Software is digital, easily and perfectly copyable, and pirated copies are in fact available through a variety of illicit channels, but that hasn’t kept companies like Microsoft from going on to become among the largest and most successful in the world. What’s more, copy protection was widely explored by software companies in the 1980’s, and what they learned was that consumers avoided copy-protected products.”

If all my dire warnings the other day didn’t scare you off, and after careful consideration you’ve found yourself with a compelling enough reason to open a new window — compelling enough that your users will expect a window to open, which I think is quite a rare situation — please don’t use the old HTML target="_blank" attribute. Use JavaScript.

For one thing, the target attribute is not available in XHTML (you are using XHTML, right?) because it is not structural: it is behavioral. Page behavior should be controlled (or influenced, at least) with means other than markup, e.g. JavaScript or CSS. The one exception is framesets, where target does have a structural meaning and so is included in the XHTML 1.0 Frameset DTD. But you’re not using frames, are you?

If you find yourself in a position where you have no choice but to open a new window, please don’t do this:

<a href="javascript:openWindow('new.html')">DO NOT DO THIS</a>

do this instead:

<a href="new.html" onclick="openWindow(this.href); return false;">new window</a>

(This assumes that you’ve defined an openWindow() function.)

The second way, even those user agents with JavaScript disabled or unavailable can still access the page to which you’re sending them. Too, those of us who follow links by dragging them to another window or using contextual menus to open new windows or tabs can follow the link using our preferred method.

Thank you. You’ve just made the Web a better place.

You’d make it an even better place if you never opened new windows in the first place.

Update: Paul Sowden wrote to point out although Mozilla allows the blocking of target="_blank", it’s harder to block links using the JavaScript technique that I suggest. Using JavaScript, he argues, reduces the user’s control. Perhaps, but this is an issue that needs to be resolved by Mozilla’s developers.

Remember, in XHTML, JavaScript is the only way to open a new window. I agree wholeheartedly that opening new windows is something that you should studiously avoid, but sometimes you just can’t help it. Perhaps your boss or your kidnapper is staring over your shoulder until you comply with her demands. In that case, I humbly request that you write your JavaScript code in a way that allows for the greatest amount of freedom and control for the end user.

I’ve thrown together a quick demonstration of how it works. Disable JavaScript, play with your browser preferences, see how it all comes together. If you have improvements, please share.

It’s possible to disable all window-opening behavior in Mozilla, by the way. Add this line to your user preferences file:

user_pref("capability.policy.default.Window.open","noAccess");

You’ll still be able to open windows if you want to, but it won’t happen without your permission.

This and other goodies are documented on or near the end-user documentation on the Mozilla site (Customizing Mozilla, Hidden Mozilla Prefs).

I hope that before long, disabling “Open a link in a new window” in the Mozilla GUI-defined preferences also applies to JavaScript-opened windows.

The other day in a web accessibility training session, I admitted that I hate it when a link on a web page automatically opens a new window. I want to be the one who decides when a window’s opened. At this point, a couple people in the group rolled their eyes, no doubt thinking “oh give me a break, you control freak!”

So I got to thinking: why do I care?

I used to browse with several windows open at a time, dragging links from one to another, reading one page while another one or two loaded. Even then, with five or six browser windows on my desktop, a new window popping open unexpectedly was a little irrititation. Just as irritating as pop-up or pop-under ads.

Then tabbed browsing appeared in Mozilla (hit control-T and you’ll see what I mean), and my browsing habits changed: I still read several pages at a time, but now on different tabs within the same window. Now it annoys me even more when designers take it upon themselves to control my browsing habits. Thankfully, with every milestone release it gets easier to configure Mozilla to prohibit that sort of nastiness.

Still, though, why does it bother me so much? It’s a relatively minor thing, right? The key, I think, is that a window popping open is an unexpected behavior. There are times when I expect a window to open: when I click a link to enter my ZIP/postal code to customize site content; when I click a link on a television program title, expecting to get a brief description of the episode. In those cases I expect a new window to open — to provide or allow me to input a short bit of information — so it’s perfectly fine that it does. The web page behaves in a predictable way. No surprises.

Yesterday I read Joel Spolsky‘s User Interface Design for Programmers, and the reason for this became clear: it is an important principle of UI design that (I quote Joel here) “A user interface is well-designed when the program behaves exactly how the user thought it would.” I’m irritated by windows popping open when I don’t think they will, but don’t give it a second thought when I expect them to.

If you’re going to do something so unusual as to open a new window, you’d better have an extremely compelling reason. If your reason is compelling enough, the user should expect the window to open.

Back to the book. I highly recommend it. It’s a quick read, it’s entertaining, and it’s packed with lots of good stuff. Through most of the book, I kept excitedly jabbing my finger at the page, exclaiming, “yes! yes! He’s right on!” For every situation he describes, I can think of a real-world scenario that matches up. I learned a whole lot in just a couple hours. And now I feel ready for that next meeting about button text. <shudder />

You may have read it. It’s classic: Web Pages aren’t Printed on Paper. Every now and then I come across an article that either shakes to the core my way of thinking, or that I think everyone should read because I hope it’ll have that effect on them. Something that sums up so well what I’ve been trying to say for a long time. This is one of those.

One of the major issues in accessibility is also one of the broader topic of usability: you have to give up the idea of having control over the page, break down your assumptions about how your users are experiencing your page. Because I can guarantee you that someone’s doing something that you didn’t expect that will break your carefully constructed design. It may turn out that something that you’ve done is breaking their experience, making it impossible for them to access your content.

The Web accessibility training session that I helped lead today got me thinking about this.

The training went well, I think. We spent more time than I expected going over what I thought was some pretty basic stuff with CSS. Still, there was some good discussion. I am continually amazed/dismayed by the level of resistance from faculty that my campus-based cohorts face in attempting to address accessibility concerns in online instructional materials. Somehow making web pages accessible to students with disabilities becomes an issue of academic freedom. Disgusting.

Was the same argument raised with regard to wheelchair ramps? We’ve changed our physical architecture to ensure that the disabled/impaired have access, now we’re turning our attention to our electronic, information architecture. It’s the same damn thing.

If nothing else, MnSCU has a new set of accessibility guidelines. Right now I consider them in version 0.9. With some changes that I’ll make over the next week, we’ll get to version 1.0.

My friend Jim pointed out to me that I’d incorrectly stated the other day that -30 degrees Fahrenheit is -1 Celsius. I should have known better, but foolishly trusted the online conversion tool that I used. I should have just done the math: -30F == -34.4C.

At long last, Mozilla 0.9.9 has been released. New stuff includes SOAP support.

Use a Mozilla mirror site to download.