Archive for the ‘Security’ Category


Ablu.us and Chrome Extensions

Friday, February 26th, 2010

I recently created a file hosting and URL shortening service for myself: ablu.us. Now, as a pet project, I’m starting to get some feature creep action going on. Case in point: I just wrote a Chrome extension to use this service.

NOTE: I am never going to release this to the gallery, as I don’t want THAT much attention to this thing, it’s just sweet for me to have for myself. In all actuality, I might do something else with this url eventually, so releasing this out into the world would probably be a bad idea.

That said, here is a link to download it if you actually want it:

INSTALL ablu.crx.

CHANGELOG :

version 0.2 now includes using fizl.us.

version 0.2.1 fixed an initial settings bug

It’ll ask you if you really trust me, and to continue. And that’s it.

I won’t get into the nitty gritty details of HOW TO create your own chrome extension quite yet, but expect a blog post about it soon. Also, Google has a bunch of getting started tutorials that helped me so well it only took me about 2 hours to write this extension from scratch.

Some interesting things are as follows:

These babies are written in javascript

This was news to me. I knew Firefox plugins are written in XUL, which is similar to JavaScript. Chrome extensions are written in plain, vanilla JavaScript. Not only that, the part that gets displayed is literally an HTML page that you can do whatever you want with. If you want to include jQuery, you can (mine does not). Any other library? Yup. It also means that you can use any of the HTML 5 capabilities Chrome offers: local storage, canvas, image rotation.

This strikes me as a bit excessive as you can load an unlimited number of scripts from anywhere. Seems to me that this could be abused.

Chrome allows copying to clipboard

That’s right. You can copy things to clipboard just like in IE with

document.execCommand('Copy')

This is exactly how similar URL shortening extensions work. After seeing how awesome this is, I have to wonder… why doesn’t Firefox support this? I don’t see it being a security risk more than copying profanity into the clipboard. Whatever, it’s nifty that Chrome has it.

Autoupdating is scary

Hoo dangle is it scary. What happens if the dev’s life suddenly tanks and he decides he wants to have your browser redirect to a porn site at random intervals? If you have a previously installed extension of his and he decides to push this new functionality in an update, he can (there are some caveats to this, like what permissions the extension already has). This could be problematic, as it would be difficult to track down exactly what’s causing this browser behavior. This has the potential to turn any previously useful and non-porn-redirecting extension into a very messy thing to be a part of.

If you are in the market for (another) URL shortening extension, give it a try. Let me know what you think. It could probably use a much better logo, so if you want to help, drop me a line at hello () andrebluehs [] net.


Javascript and Security

Tuesday, July 7th, 2009

I work at a company. They handle information that may or may not be sensitive. Some of the information they deem sensitive is a customer profile that is indexed by search engines. However, once at the profile, nothing can be highlighted, right clicked, firebug‘d, web developer toolbar‘d (that’s a lie, more on that later).

The only thing I can assume is that some of the information on the profile is copyrighted by the customer. So they take certain precautions to ensure that you CANNOT under any circumstances get a hold of the text on that page. Anyone who knows anything about how websites and security work knows this is virtually impossible. Especially with Google Cache, or saving a page, or Web Developer Toolbar.

Let me first say that I am mildly impressed with their initial attempt at thwarting “copyright infringement”. You cannot highlight anything, so “select all” + copy + paste is out. Left and right clicking is captured (a pop-up appears only in Internet Explorer), so again, highlighting is out. Aaaaaand that’s where security ends.

If you really want the text, just do Edit > Page Source (in Firefox). There ya go. Done. Now, if you want to do other things, it’s as simple as saving the page to your computer and editing the HTML page. Remove the JAVASCRIPT security measures and everything goes away. You can click, highlight, do what you will.

Um, no. Try again

This raises a bigger question of “security” with javascript. Never ever ever use javascript for ANY kind of validation. Everything should be validated on the server side. Ok, that’s not completely true. If you want to do fancy, javascript-y validation that updates immediately, that’s fine. But make sure you validate it on the server side as well.

If you server-side validate, there’s a much much much greater chance that they won’t be able to bypass it. You can do things like login checking for whatever you’re doing. If their data doesn’t check out, kick them out.

Unfortunately, some web developers don’t (or don’t know they have to) do this. This leads to really really insecure websites. Or at least unnecessarily “secure” websites.


PHP and Security

Wednesday, April 8th, 2009

Recently, I have been doing some work with PHP and having users log in. One of the projects I’m working on is something where we’re pretty much rolling our own mini-CMS. We have users log in, manage sessions, check timeouts, etc. In PHP, security is pretty easy to do well (for my example… I’m being very general here). The rest of this post will skip over explaining how redirections and sessions work in PHP.

This is the easiest way to prevent someone who is not logged in from viewing the current page:

if (!isset($_SESSION['user_id'])) header("Location: login.php");

This executes if the user is not logged in (or has timed out and $_SESSION['user_id'] has been unset()): the user is redirected to login.php or any appropriate page.

However, what happens when you run into something like an indexing or archiving bot that ignores headers? You run into this tdwtf problem. That article also tackles deletion-by-href instead of deletion-by-form. That’s a whole different beast. What can you do about this problem? Is there a more secure alternative to using headers?

Headers are just dandy

What most people (including me up until recently) assume is that after sending the header, all things stop. For a bot, this is not the case; it goes on its merry way executing the rest of the code. In the case of the above article, with dire consequences. But fret not! There is a simple solution.

exit();

By putting exit(); at the end of that line of code, the script stops executing, and while the bot may not be redirected, disaster is averted. So, your code will now look like:

if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    exit();
}
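
header() only sets a response header and PHP keeps running the script, so every redirect guard in a codebase needs the same exit(). As an added example (not code from the original post), this Python check scans PHP source text for Location redirects that are not immediately followed by exit or die. The function names and the sample source are constructed for illustration, and the check is a text heuristic, not a PHP parser.

```python
import re

# A header() call that sends a Location redirect, up to its closing ");".
REDIRECT = re.compile(r"""\bheader\s*\(\s*['"]\s*Location\s*:.*?\)\s*;""", re.I | re.S)
# Whitespace and PHP comments that may sit between the redirect and the next statement.
SKIP = re.compile(r"\s+|//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
# The statement right after the redirect must end the script.
TERMINATOR = re.compile(r"(?:exit|die)\b", re.I)


def next_code_pos(src, pos):
    """Advance past whitespace and comments so 'exit' inside a comment does not count."""
    while True:
        m = SKIP.match(src, pos)
        if not m:
            return pos
        pos = m.end()


def find_unterminated_redirects(php_source):
    """Return (line, statement) for each Location redirect not followed by exit/die."""
    findings = []
    for m in REDIRECT.finditer(php_source):
        if not TERMINATOR.match(php_source, next_code_pos(php_source, m.end())):
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0)))
    return findings


# Constructed sample: the two guards from the post, one after the other.
SAMPLE = '''<?php
session_start();
if (!isset($_SESSION['user_id'])) header("Location: login.php");
echo "account details";

if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    // stop here so nothing below runs
    exit();
}
'''

if __name__ == "__main__":
    for line, stmt in find_unterminated_redirects(SAMPLE):
        print(f"line {line}: redirect without exit: {stmt}")
```

Only the first guard is reported; the second passes because exit() is the next statement after the comment.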


Hope this helps stave off any disaster.