• Amy Hoy @amyhoy
• Thomas Fuchs @thomasfuchs

Sites:

• http://mir.aculo.us
• http://slash7.com/about/

photo credit: Chris Shiflett

A quote from Thomas Fuchs’ site… “You’re using my work every day, even if you’re not aware of it”. Thomas is the author of http://script.aculo.us and working group member of prototype.  Funnily enough williegoosen.com uses mootools, which uses prototype.  Amy has also made some rather cool tweet walls http://twistori.com/ and more recently http://letsfreckle.com/ a time sheeting app.

So I knew there were some tricks, having spent some time with ySlow in the weeks before, but was enlightened by the simple techniques that make a lot of difference.  Amy and Thomas did a great job of tag teaming through a rather dry subject and made it rather interesting, with one of the team walking through the slides and the other answering questions on a chat room style back-channel.

The talk started off with one of the rules being “only fix it if you need to” which i suppose makes a lot of sense. Tweaking performance can be a real fickle business, but if the users aren’t happy you have to fix it quick!

Test, don’t guess. benchmark. Make sure you can quantify the issue before you attempt any fixes so you can measure your improvement.

In some cases it will just be impossible to please your users but there are ways to keep people engaged and let them feel you are not ignoring them, while doing the heavy lifting in the background.

Main areas of focus
Loading -  connecting/spinning wheel, back-end speed, dns, latency * easiest win*.
Rendering - white screen of death, you can see items still loading in the status bar.
Execution - site stops responding after is completely rendered.

But to be honest there were just so many “oooh I should be doing that”, “woops shouldn’t be doing that” moments I will try and capture a bunch of them. Non-techy people can stop reading here.

Do’s

• Simple html = simple dom = faster rendering.
• Use yslow and dommonster to identify issues.
• JS scripts at the bottom of your pages.
• Keep external assets to a minimum.
• Set content expiry time frames correctly in the headers.
• Yuicompressor + gzip to reduce .js .css .html size x5 smaller http://refresh-sf.com/yui/.
• Merge .js files into a single .min.js file see http://getsprockets.org/ and http://dailyjs.com/2010/01/27/pro-practices-1/.
• Reduce image size with http://smush.it 30% size reduction no loss.
• Far future cache-headers (resolve updates issues by replacing with new file names).
• Multiple asset hosts – assets on separate hosts than HTML allows for concurrent downloading.
• Focus on whats important to users, webapps(gmail) focus on executing where as static pages (google search) focus on loading/rendering real fast.
• Only HTML and maybe analytics JS should be load in subsequent loads rest should be cached.

Dont’s

• JS in the middle of a page will block the execution of the whole page until its finished running, and can leave the user looking at an unrendered page.
• 404 requests really hurt.
• Avoid slow external assets \ 3rd party libs.
• Watch out for weight of frameworks, try microframeworks instead see underscore.js and emile.js.
• Frameworks and widgets are frowned upon but if you have to script.aculo.us and jquery were mentioned

Interesting

• Cool animation on how browser renders components does multiple sweeps over content to do the layout see http://en.boose.gr/gecko-reflow/.
• Other open tabs can affect your sites performance or crash the whole browser.
• -webkit-transforms are fast and very cool 2/3d stuff at 30-60fps for used on iphone and some android phones similar in jquery animation would be 5-10 fps.
• If it takes long in real life to do something you could get away with a bit of lag, moving between forms and search should be instant.
• Too many page assets becomes a performance hit conciser 3-5 streams for asset downloads being the default in a browser and will require cueing if more assest are required.
• Dynatrace http://ajax.dynatrace.com/ IE tool for testing page loading.

“Silence of more than four seconds become embarrassing because that implies a breaking of the thread of communication.” RB Miller(1968)

And if the conversations is still not happening after all the tuning, then its time to fake it!

• Perception is critical.
• Tell people how long it will take – visual indication of progress can increase patience up to 5x.
• User should feel like they are heard and their input is being considered.
• Instant reaction even if action takes longer for action to complete.
• Never leave the user bored.

photo credit: drewm

Second day of workshops at Webstock 2010 was first time i had a look at jQuery, i have had a play with script.aculo.us and mootools in the past, so jumped at the thought of a workshop with a creator of such a frame work, as they make JavaScript sooo much more bearable, especially for someone with a Java background.

My respect only grew for John as he did a 3 hr live demo of jQuery  and jQuery UI, with only one minor hiccup which he fixed within minutes….. a true JavaScript ninja.

In essence jQuery it looked as simple as this:

• Find object
• Do something with the set

Couple of bits that got me interested:

• Lots of people agree jQuery is awesome, its used by Microsoft, Google, Mozilla, IBM, Amazon, HP, Intel, Ruby on Rails, WordPress, Django
• Selectors uses CSS like syntax
• Good looking, easy to read documentation that has recently been reviewed
• Fails gracefully, if you layer jQuery over and already functioning website
• Big community and plugins(use with care)

My rough notes on the presentation on the points that stood out to me, for the full presentation see the link at the bottom of the page.

Finding things

• CSS Selectors with some special selectors like :first :hidden etc
• jQuery Methods
• Both are methods used for traversing the DOM
• Can be chained together 
  

  $("div").hide().css("color","blue");

• Chained Traversal ( pretty cool )

  $("button")
    .parent().css("border", "3px solid red")
    .siblings().css("border", "3px solid green");

Doing Things

• Manipulation
• Event handling(normally user actions)
• Live Events for current and future elements(ajax)
• Effects .animate ( pretty nice )
• Helpers to load xml,  json or html with ajax

Plugins

• Strong Community
• Recomended ones were
  • jQuery UI
  • Validation
  • Ajax Form
  • jqGrid
  • jQuery Tools
• Themeroller – mechanism to style jQuery UI

Tips

• Write in HTML first then layer jQuery over the top
• Apply your jQuery to a fully functional site, this way if JavaScript fails your site is still fully functional
• “return false” Disables the default old behavior
• With server-side code, add conditional to check it the “ajax” header is present, if so strip off header and footer code and only display id=content, to reduce server traffic
• Look at using jquery off CDN minimised and gziped optimized – on Google’s CDN, if its good enough

As a round up I would definitely consider using jQuery on my next project, as with all frameworks im sure there will be some limitations as this kind of ease of use doesn’t come without trade-offs.

The full presentation can be found here http://ejohn.org/apps/workshop/intro/

photo credit: Chris Shiflett

Security is always a hot topic, and in today’s world it’s always good to have a fresh look at web security on the first day of the Webstock 2010 workshops. Chris Shiflett is currently part of a web development co-op Analog and has a keen interest in PHP and web security.  He is also a webstock veteran and author of Essential PHP Security.

At risk of missing any of the important points, please check out the full presentation at the end of my notes.

Fundamentals

• Defense in depth, use all safeguards available, use owasp.org.
• Least privilege, lock the system down as much as possible.
• Least complicated, complexity allows mistakes to happen.

Golden Rule, ok more like a golden acronym – FI EO

• Filter input – ensure any inputs are what you expect and no more.
• Escape output – ensure data going out is not misinterpreted.

List of common exploits

• Cross-Site Scripting – an XSS flaw occurs whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites and possibly introduce worms.
• Cross-Site Request Forgeries – a CSRF attack forces a logged-on victim’s browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim’s browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
• SQL Injection – injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
• Session Fixation – attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person’s session identifier.
• Session Hijacking – session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users’ identities.
• Email Injection – similar to SQL injection.
• Remote Code Injection – similar to SQL injection.

In a lot of  these attacks it is rather trivial to get the basics right by following the golden acronym FIEO, but all posible defences should be used for defence in depth.  The full presentaion goes into the ways to “Stop It”. Also do your own research to pick up on latest trends.  A rather concise resource was mentioned by @nzrob see www.owasp.org Top 10 vulnerabilities which gives large amount option to protect your application.

The full presentation can be found here,  http://shiflett.org/evolution-of-web-security.pdf.

Tips

• Specify character encoding and make sure it is consistant from front to back end.
• Get users to reconfirm password for important actions like changing password.
• Good understanding of http and session management helps with prevention.
• Keep source code short and concise.  Complexity breeds flaws.
• Human peception can also lead to perceved security breaches – see SmugMug example.
• Host static files on separate subdomain to limit session token exposure.

Final thoughs were around trending of user behaviour to identifying abnormalities and maybe using something like https://panopticlick.eff.org/ for uniquely identifying users from bots.

Chris did an excellent job in presenting the information in an easily ledgible format and good concrete examples. I am gutted I prioritised another talk over his “Security-Centered Design” talk at the Webstock conference but I’ll be sure to catch up on it when the video is available and post the link here if I remember.

Be Safe :)