Archive for July, 2009

Firefox 3.5 and http access control – the nightmare

Wednesday, July 8th, 2009

I updated Firefox to version 3.5 code-named Shiretoko. I then discovered that I had some problems with one of my WordPress installations. The problem was that I could not add a new category. I clicked the damn button over and over again and… nothing. It seemed that it didn’t even perform the request so I obviously went to my firebug to see if any request was made. And it was – an OPTIONS request. And that’s when the sad story began…

Some of you might not know or remember that http is more than GET and POST. Some of you might brag about HEAD, PUT or DELETE. But there’s also an OPTIONS method in the http protocol. And just to be prepared for future sad surprises like the one I just had you should also note TRACE and CONNECT. You might wonder who uses them but some day you might see that someone got an idea of putting them to hard work. So far dear old Mozilla has decided that we should remember the good old OPTIONS and got a very good idea of how to make it useful in Firefox 3.5

To continue my story I began my little research on the web trying to find out more about the OPTIONS request method and particularly about why and how Firefox has decided to make use of it in 3.5. I soon discovered one of the great new features in Firefox 3.5: http access control. If you read the document describing it you will basically find that they use some headers in conjunction with the OPTIONS method in order to provide some kind of cross-site http access control. Apparently this functionality is already standardized (not just a Mozilla innovation).

Standardized as it is it prevented my WordPress installation from working. The trouble is that Shiretoko sends an OPTIONS request together with Origin, Access-Control-Request-Method and Access-Control-Request-Headers headers. This is what they call a “preflighted request”. It expects in return the following headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers. None of these is ever sent in my lighttpd’s response. Lighttpd just sends a 200 response with some common headers and he’s happy thinking that everything should be alright since it is a 200 after all. Well, Mozilla decided that it wasn’t.

What’s even more interesting is how I got Firefox to make such a request. This “improvement” was for cross-site requests, remember? Why in the world would adding a category in wordpress be a cross-site request? Simply because I redirect my wordpress login page to https while I keep the “official” site url to be http. So every page that has a relative path should go through https after the login while other pages apparently have absolute paths with the configured url – which is http. The difference in protocol means for Shiretoko that this is a cross-site request even if it is the same domain (no subdomain used in any of the requests). This seams a little bit excessive to me; it seems more like a bug than a feature.

After I found the mystery behind all this I started wondering. I wonder if Apache would respond well to these requests. I didn’t have time to try and frankly I don’t really want to. I was very happy with lighttpd – it gives me the lite-ness that I desperately need. I wonder if they got rid of the absolute paths in a newer version of WordPress although I doubt it. I also wonder if we really need these new “features”.

This story reminded me of the days when Internet Explorer was making the law: they came with any crazy idea they had overnight and put it in their browser. Then some MS fans quickly picked up the “feature” and used it in their website just because it was “the latest news” or “trendy” or just for some fluffy eye-candy-ness. The result was that the (very) few users that didn’t want to use Internet Explorer just couldn’t see that particular website properly. It seems to be a similar story here: we try to enable people with more functionality but in fact we disable what we already have. Standardized as it is it just doesn’t seem right. It’s true that I don’t have the latest WordPress and it’s true that I don’t have the latest lighttpd but they are both the latest versions from the latest stable branch of Debian. I don’t see why people with the latest version of Firefox shouldn’t be able to properly use my website. Debian is a very common distribution, wordpress is also very common package and lighttpd is pretty common as well. Firefox used to be common too but it just started to feel too “elite” for me. Perhaps I should go back to the good old Opera – it has never let me down.

Michael Jackson has 3 friends

Tuesday, July 7th, 2009

Has he really? At least that’s what MySpace is telling us:

Michael Jackson has 3 friends

I wonder who Tom might be since he is one of Michael’s very few friends. We also find out that there’s nothing to say “About Michael Jackson” (who is he anyway?) and that Michael has just recently became a MySpace fan: he’s been a member since 6/25/2009. He probably registered just before he died. But wait! There’s more… Everybody knows that Elvis is still alive (and he always will) but apparently Michael hasn’t died either: if you read carefully you’ll see that Michael’s last login was on 6/27/2009. I kind of always had the feeling that this would be the case. Michael couldn’t have died – at least not in our hearts.

This is the Myspace Michael Jackson Memorial Page with Javascript disabled. It’s funny how much the web has come to depend on Javascript, Flash and more eye-candy byte-consuming traffic-making technology. The web used to be a way of linking information and some images perhaps. Then it became pretty. Now the prettiness has taken over our lives: we are required to use the “pretty” technologies in order to access the services. Somehow this doesn’t seem right.

Neither does the template that conquers our lives: Michael had to fit in the Myspace template and he just didn’t fit in just right. I’m sure he has millions or maybe billions of friends apart from Tom and I’m sure that they all wish they had been more friendly to him when he was alive – when he needed them the most. We somehow forgot during the last few years about what was good about Michael Jackson and now we’re just feeding an always-hungry industry (long live Sony – and they probably will).