- Why are cross-domain policy files necessary?
-
As with similar browser plug-ins, Silverlight applications are not allowed to communicate with third-party domains by default. That is, an app loaded from http://fabrikam.com cannot make web requests to http://contoso.com. Contoso can declaratively opt in to this scenario by publishing a cross-domain policy file, generally either a CrossDomain.xml (the Flash format) or a ClientAccessPolicy.xml (the Silverlight format), served at the root of the domain.
Why is this necessary? Couldn't the Fabrikam application just run a proxy on fabrikam.com that sends requests to contoso.com on behalf of the client?
There are a few specific reasons why letting the client make those connections is different from, and more dangerous than, a server-side proxy:
- Cookies. If an HTTP request is made from the browser to contoso.com, it carries all of the user's cookies for contoso.com. If the user has an active session cookie with Contoso, the server will treat the request as part of a legitimate session, even though the user never intended to make it.
- HTTP Authentication. A user may be authenticated to contoso via HTTP auth. Again, the request is sent in the context of the authenticated user, something the Fabrikam server could not do on its own.
- Physical topology. The client may simply have network access the attacker does not. Many consumer routers have web interfaces that are only reachable from inside the LAN, and an attacker may be able to reach machines on the user's corporate network that firewalls and NATs would normally keep them away from.
- Attribution. If Fabrikam attacks Contoso directly, Contoso can see where the requests come from (the source IP address). By using the user's browser as an intermediary, Fabrikam makes it much harder to tell where the attack originates. Ideally a server could check the Referer header to see who is really behind the request, but the Referer header isn't always sent, so the server can't rely on it.
There may be more reasons, but these alone are good enough: a policy file is Contoso saying, explicitly, that it is prepared to receive requests carrying its users' credentials from pages it doesn't control.
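The check a reviewer actually runs against such a file, as an added example that is not part of the original post: it parses two constructed ClientAccessPolicy.xml documents (the "allow everything" form that tutorials tend to copy, and a scoped form) and flags the grants that hand the user's cookies and HTTP auth to every origin on the Internet. The element and attribute names follow the ClientAccessPolicy.xml format; the sample origins and paths are made up.

```python
"""Audit Silverlight ClientAccessPolicy.xml grants (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Constructed sample: the "allow everything" policy that tutorials tend to copy.
PERMISSIVE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed sample: one trusted HTTPS origin, one API subtree, one header.
SCOPED_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="Content-Type">
        <domain uri="https://fabrikam.com"/>
      </allow-from>
      <grant-to>
        <resource path="/api/public/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def audit_client_access_policy(xml_text):
    """Return a list of findings, one string per over-broad grant.

    Every cross-domain request the policy permits is sent by the user's
    browser with the user's cookies and HTTP auth attached, so each of
    these widens what an arbitrary web page can do *as the logged-in user*.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for n, policy in enumerate(root.iter("policy"), start=1):
        allow = policy.find("allow-from")
        grant = policy.find("grant-to")
        if allow is None or grant is None:
            findings.append(f"policy {n}: missing <allow-from> or <grant-to>")
            continue

        uris = [d.get("uri", "").strip() for d in allow.findall("domain")]
        if "*" in uris:
            findings.append(f'policy {n}: any origin may call in (uri="*")')
        if any(u.startswith("http://") for u in uris):
            # A plaintext origin can be impersonated by anyone on the network path.
            findings.append(f"policy {n}: trusts a plaintext http:// origin")
        if allow.get("http-request-headers", "").strip() == "*":
            findings.append(f"policy {n}: callers may set arbitrary request headers")

        for res in grant.findall("resource"):
            # include-subpaths defaults to false; "/" plus subpaths is the whole site.
            whole_site = (res.get("path", "").strip() == "/"
                          and res.get("include-subpaths", "false").lower() == "true")
            if whole_site:
                findings.append(f"policy {n}: grant covers every path on the site")
    return findings


if __name__ == "__main__":
    for name, text in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_client_access_policy(text) or ["no findings"])
```

The permissive sample produces three findings (wildcard origin, wildcard request headers, whole-site grant); the scoped sample produces none. Note that a policy file only governs cross-domain callers, so the scoped form still lets fabrikam.com drive /api/public/ as whoever is logged in, which is exactly the decision the file is meant to make explicit.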
- Why does WinDBG run so slowly?
-
I've subconsciously been avoiding using windbg because it seems to load DLLs so much more slowly than cdb. I could never quite figure it out. Until today.
WinDBG has been loading symbols for all those DLLs automatically, which I kinda figured, but didn't know why. Turns out I had some breakpoints set. You know that dialog that pops up and asks you if you want to save information for that workspace? I never knew what that meant, but I'm thinking one of the things it probably does is save your breakpoints. Now, in order to see if the next DLL windbg loads has the breakpoint you want, it has to load symbols for every one and scan for your bp.
And it was never a problem in CDB, because it doesn't offer to save your workspace.
Problem solved. Good day.
- On the Web's deny-read policy
-
Eric Lawrence tackles the often-misunderstood details of the "deny-read" part of the same-origin policy:
http://blogs.msdn.com/ieinternals/archive/2009/08/28/Explaining-Same-Origin-Policy-Part-1-Deny-Read.aspx
I've never heard it called "deny-read" before. But I like it.
As Eric points out in the comments, Silverlight has logic in the runtime to prevent applications from using the WriteableBitmap class to read cross-domain content.
- Your app is terrible and completely unintuitive
-
I recently had the experience of taking a home-grown app I've been writing and using for a while, and having other people start using it.
Sure, of course it has some rough edges. But the people I work with are smart, they'll figure a way around it, right?
No. Your app is terrible and completely unintuitive.
What a developer perceives to be a "rough edge" can often be a downright "blocker" to a user. "oh, I forgot you have to run that as admin." "oh, you need to have X installed" "oh, I haven't tested it on Win7."
For every little stumble, you, the developer, recover quickly. But for someone else it can take *hours* of beating their head against the keyboard before they finally figure out what's wrong in the debugger or come ask you. Multiply that by however many people are trying to get up and running. Add to that the time you've spent tripping over it yourself.
If you try and use a tool, and discover three problems with it, it's really really hard to have any faith in that tool.
Get rid of the rough edges. Print good errors. Recover gracefully. Save yourself and your teammates some time and frustration.
- Joel on Setting the Right Priorities -- Quality Matters
-
http://www.inc.com/magazine/20090901/joel-spolsky-setting-the-right-priorities.html
Joel talks about some of the lessons he learned while starting Fog Creek and getting CityDesk off the ground.
The moral of the story is: quality matters. Fog Creek initially spent too much time tinkering at the edges. They were distracted by marketing, piracy prevention, and affiliate programs. It wasn't until they focused on delighting their customers that they saw a significant increase in sales.
Who's your customer? Are you focusing on things that will make them happy?
- Why doesn't my XAP load on a cross-domain page?
-
Why doesn't my XAP load on a cross-domain page? Probably because your server isn't setting the MIME type of the XAP to "application/x-silverlight-app". Silverlight will only load a XAP from a domain other than the hosting page's when the response carries that Content-Type, so check the header your server actually returns for the .xap URL and add the mapping to its MIME configuration if it's missing.
What's the point of this restriction? During the development of Silverlight 2 we found that the threats involving a bad guy hosting a good XAP on his own domain were subtle and non-obvious. It's common to use the HTML bridge (the HtmlPage class) to chat back and forth with JavaScript, and a developer doing that is rarely thinking about what happens if the page is malicious. The ExternalCallersFromCrossDomain setting mitigates part of this, but it only governs JavaScript calling into the XAP directly. There's still the problem of the XAP calling out to a JavaScript function on the page and handing it potentially sensitive information. So we demand to see a special MIME type on the XAP to make sure that cross-domain hosting is what the author intended.
We were also worried that sites allowing users to upload arbitrary content would suddenly need to check for files that look like XAPs. We really wanted web developers and webmasters not to have to read all about Silverlight just to make sure it can't be used to attack their site, even if they never plan to use it. A file uploaded to such a site won't be served as application/x-silverlight-app unless the administrator has deliberately configured that, so by demanding the MIME type Silverlight knows that the web server knows what a Silverlight application is.
There's more info here.
- Blackhat resources online
-
http://blackhat.com/html/bh-usa-09/bh-usa-09-archives.html
I'm watching the Dowd presentation on how browser components attack each other, looks like good stuff.
- Thanks Reddit: MIT Videos about Multicore Programming
-
Why not...
http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-189January--IAP--2007/CourseHome/index.htm
- On the Strangler Pattern
-
I listened to this week's "Hanselminutes" last night, to hear him interview Michael Feathers (author of Working Effectively with Legacy Code).
He shared some interesting patterns he had come across when dealing with legacy code. One was called the "Strangler Pattern". The idea here is that when you need to change the behavior of a fragile system, you create a parallel system alongside the legacy system. The new system siphons off some input that would have gone to the old system, and handles it directly. Over time, if more and more changes are required, the strangler system grows and the legacy system becomes more and more irrelevant.
I think I've accidentally used this pattern a few times-- it can be very useful if used the right way on the right project. Obviously not all systems would be well suited for this, but it's a good trick to have in your toolbelt in case you need it.
- On Learning Styles and Development Methodologies
-
http://www.greatmanagement.org/articles/520/1/What-Great-Managers-Do/Page1.html:
The "Analyzer" -- Emphasizes preparation. Learning occurs before performance. Picks apart tasks into their components. Good at planning
The "Doer" -- Learning occurs *during* performance. Trial and error is how most learning happens
The "Watcher" -- Learns through emulation. Needs to see the complete picture before things make sense
I wonder how each of these folks would do under different development methodologies?
The Analyzer sounds most at home in a waterfall. Analyzers tend to be good at making detailed plans up front.
The Doer sounds like a good candidate for a spiral or iterative model, where "trial and error" are built into the development process.
The Watcher... OK, maybe the watcher doesn't map to any particular methodology.
I myself can remember plenty of times where I sat down to plan something, focused on doing it "the right way" and allowing for lots of planning, only to get completely stymied. In every case I can recall, I was able to get past this roadblock only by firing up the IDE and trying some things out. I don't know if this is common or not, but it sounds like I'm a "doer".
- How to Debug LCIE with windbg
-
Internet Explorer 8 has a new feature called "loosely-coupled IE" (LCIE). IE introduces some process isolation between tabs to improve reliability: if one tab crashes, it no longer brings down all the other tabs. (As I understand it, there isn't necessarily a 1:1 relationship between tabs and processes.)
Anyway, the first time you try to debug LCIE you may have the jarring experience of the process exiting, or of what you see in the debugger simply not lining up with what you expect. You're probably debugging the wrong process: the iexplore.exe you launched under the debugger is the frame process, and the tab content runs in separate child iexplore.exe processes.
If you're using windbg (or cdb, etc.) you can launch iexplore.exe with the "-o" flag, which makes the debugger follow child processes as well (in a session that's already running, ".childdbg 1" turns the same thing on). Use "|" to list the processes being debugged and "|<n>s" to switch between them ("|1s" sets the context to the first child process).
Happy debugging!
- Security Research & Defense
-
I'm embarrassed that I've only recently stumbled across Microsoft's "Security Research & Defense" blog: http://blogs.technet.com/srd/
It has some great information for what kinds of fixes are being shipped in updates and why. For example, this post discusses a fix IE took to help mitigate the Safari carpetbombing vulnerability. I wasn't aware of this change at all--it looks like a great example of reducing attack surface and doing the right thing for customers.
- I'm a Luser
-
CodingHorror announces the beta release of "server fault": http://www.codinghorror.com/blog/archives/001269.html
The only answer I got right was Mark Russinovich, but according to Jeff that's enough to pass. I've been lurking on StackOverflow for a while-- hopefully ServerFault will be useful as well. Seems like I'm in the lab a lot these days, I'm sure I could pick up some useful tips.
- Because I'm too lazy to learn powershell
-
Batch scripting for fun and profit?
I need to get a value in an xml file from a batch script. I could use cscript, or maybe grab or write an exe to parse it out for me.
But sometimes it's more fun to try and do it in the batch script. In this case the xml node is on a line by itself, which makes things a little easier... something like this:
<root>
  ...
  <ChangeNum>123456</ChangeNum>
</root>
Anyway, here's my response to this pop quiz:
for /f "tokens=3 delims=^<^>" %%i in ('findstr -i "ChangeNum" test.xml') do echo %%i
I feel a little dirty. This is fragile and hard to read: it assumes the element sits alone on an indented line (the leading whitespace is token 1 and the element name token 2, so the value is token 3; strip the indentation and the value becomes token 2), and it takes the third token of whichever line findstr matches first, which could just as well be a comment or a ChangeNumber element, since findstr -i matches the substring anywhere on the line. But at least I get some batchgeek points?
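The same extraction done two ways, as an added example that is not part of the original post: change_num_by_findstr reproduces the one-liner's logic in Python (first line containing the string, split on < and > with empty tokens dropped, as cmd.exe's for /f does, third token) so you can see exactly which token it picks, and change_num_by_parser does the job with an XML parser. Both sample documents are constructed; the second puts the element on a line with other markup and a comment to show where the line-oriented approach goes wrong.

```python
"""Pull one element's text out of a build XML file (added example, not from the post)."""
import xml.etree.ElementTree as ET

# Constructed input in the shape the post describes: the node on an indented line by itself.
TIDY_XML = """<root>
  <Branch>release</Branch>
  <ChangeNum>123456</ChangeNum>
</root>
"""

# Constructed input that defeats a line-oriented findstr/for pipeline:
# the element shares its line with other markup, and a comment mentions it first.
UGLY_XML = ("<root><!-- ChangeNum is set by the build -->"
            "<Build><ChangeNum>123456</ChangeNum><Label>nightly</Label></Build></root>")


def batch_style_tokens(line, delims="<>"):
    """Mimic `for /f "delims=<>"` on one line: split on the delimiter
    characters and drop empty tokens, as cmd.exe does (consecutive
    delimiters collapse, and leading delimiters are skipped)."""
    for d in delims:
        line = line.replace(d, delims[0])
    return [t for t in line.split(delims[0]) if t != ""]


def change_num_by_findstr(xml_text, needle="ChangeNum"):
    """The one-liner's logic: first line containing the needle (findstr -i),
    third token. Returns None if no line matches or it has fewer than three tokens."""
    for line in xml_text.splitlines():
        if needle.lower() in line.lower():
            toks = batch_style_tokens(line)
            return toks[2] if len(toks) >= 3 else None
    return None


def change_num_by_parser(xml_text, tag="ChangeNum"):
    """Parse the document and return the text of the first <ChangeNum>,
    wherever it sits. Raises ValueError rather than returning junk."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{tag}")
    if node is None or not (node.text or "").strip():
        raise ValueError(f"no <{tag}> with text in document")
    return node.text.strip()


if __name__ == "__main__":
    for name, doc in (("tidy", TIDY_XML), ("ugly", UGLY_XML)):
        print(name, "findstr:", change_num_by_findstr(doc),
              "parser:", change_num_by_parser(doc))
```

On the tidy input both functions return 123456. On the one-line input the findstr approach returns "Build", the third non-empty token of the only line (the comment text is token 2), while the parser still returns 123456.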
- Silverlight security guidance document has been released
-
http://www.microsoft.com/downloads/details.aspx?FamilyID=7cef15a8-8ae6-48eb-9621-ee35c2547773&displaylang=en