hackademix.net

For xB Browser, for users running XeroBank, we’ve removed noscript and replaces it with SPP. That allows users to protect against cross-site scripting, and false certificates, without dealing with NoScript issues.

Does anybody know what this XeroBank guy is talking about?

SPP can’t obviously stand for Site Pecurity Policy. It wouldn’t make sense (spelling and grammar aside) because SSP is not meant and not going to replace NoScript anytime soon. The SSP we know does not allow “users to protect against” anything, it just allows compliant web sites to protect their own users (which is great, anyway).

So, any hint about this SPP supposed NoScript killer?

Although all the source code of Firefox is public and can be scrutinized during development at any time, a Tipping Point Security Advisory has been announced right in the middle of the Firefox 3 download day.
A unlucky coincidence, of course: only a conspiracy theorist could suspect that the timing had been chosen in order to maximize the hype effect for the Zero Day Initiative.

However Mozilla developers are working around the clock, and there’s already a patch being privately tested. All the information publicly available so far is that this vulnerability allows a malicious web page to trigger the execution of arbitrary code on the client side, and affects Firefox 2, 3 and likely all the products based on the same rendering engines. Technical details and exploitation proof of concepts are being kept private by Tipping Point as well until the patch is shipped, therefore Mozilla users should be relatively safe: after all we can be 99.99% sure every browser out there is vulnerable to something; we just hope that the bad guys don’t know the details yet.

I can add that, even in this case, NoScript users are the safest.

References:

• about:robots
• Gort! Klaatu barada nikto!

What is Database Connectivity for JavaScript?

IBM® Database Connectivity for JavaScript™ is middleware that enables Web clients to directly access server-side relational data without compromising enterprise security.

“Directly access” without compromising “enterprise security”, yeah…

On the client, IBM Database Connectivity for JavaScript consists of a JavaScript API and library that can be used by Web applications without special browser plug-ins. On the server, the IBM Database Connectivity for JavaScript gateway, written in PHP, is an adaptor layer that mediates between IBM Database Connectivity for JavaScript and relational databases and provides functions such as operation forwarding and security. Web 2.0 applications can thus use IBM Database Connectivity for JavaScript to access relational data as a first-class construct instead of through ad hoc protocols.

Before you start wondering (like I did) what “operation forwarding” and “security” mean in this context, I’ll tell you since I bothered to read the source code: it’s just a thin layer with a JDBC-like API which allows JavaScript code to compose and submit SQL statements from the client side!
Security, if any, needs to be enforced at the database level, and access credentials are sent from the client side as well.

IBM Database Connectivity for JavaScript supports the trend for Web applications to be dynamically composed in a Web browser — so-called “Web 2.0″ applications — instead of being completely composed on the server (”Web 1.0″).

First “enterprise”, now “Web 2.0″…

IBM Database Connectivity for JavaScript is specifically geared toward enabling the potential Web 2.0 benefits of increased application responsiveness and the ability to flexibly combine information from various sources on the client. Web 2.0 access to server-side data, however, is currently characterized by Representational State Transfer (REST)-like APIs, which are typically application specific.

Bah, those old-fashioned resource mappings which (try to) expose only the data subsets relevant to the application front-end…
But now we can unleash the full power of SQL: free queries to all our databases for everyone in the fantastic world of Web 2.0!

ODBC is powerful — allowing any SQL statement to be executed — and simple, in the sense that developers are required to understand only a few abstractions. IBM Database Connectivity for JavaScript can be thought of as an “ODBC for Web clients,” enabling Web developers to benefit from a general-purpose API for accessing relational data.

Great work IBM! Now please convince some of your many banking customers to deploy this fantastic technology on their Internet-facing web servers, and we’ll be happy to “benefit from a general purpose API for accessing relational data” directly from Firebug, thanks!

Looks like I’m helping Obama’s campaign in an unexpected way :)

Update

Let’s help Google doing its part too: John McCain, John McCain, John McCain, John McCain, John McCain, John McCain, John McCain, John McCain, John McCain…