Friday, January 30, 2009

[Gd] Open redirect URLs: Is your site being abused?

Official Google Webmaster Central Blog: Open redirect URLs: Is your site being abused?

No one wants malware or spammy URLs inserted onto their domain, which is why we all try to follow good security practices. But what if there were a way for spammers to take advantage of your site, without ever setting a virtual foot in your server?

There is, by abusing open redirect URLs.

Webmasters face a number of situations where it's helpful to redirect users to another page. Unfortunately, redirects left open to any arbitrary destination can be abused. This is a particularly onerous form of abuse because it takes advantage of your site's functionality rather than exploiting a simple bug or security flaw. Spammers hope to use your domain as a temporary "landing page" to trick email users, searchers and search engines into following links which appear to be pointing to your site, but actually redirect to their spammy site.

We at Google are working hard to keep the abused URLs out of our index, but it's important for you to make sure your site is not being used in this way. Chances are you don't want users finding URLs on your domain that push them to a screen full of unwanted porn, nasty viruses and malware, or phishing attempts. Spammers will generate links to make the redirects appear in search results, and these links tend to come from bad neighborhoods you don't want to be associated with.

This sort of abuse has become relatively common lately so we wanted to get the word out to you and your fellow webmasters. First we'll give some examples of redirects that are actively being abused, then we'll talk about how to find out if your site is being abused and what to do about it.

Redirects being abused by spammers

We have noticed spammers going after a wide range of websites, from large well-known companies to small local government agencies. The list below is a sample of the kinds of redirect we have seen used. These are all perfectly legitimate techniques, but if they're used on your site you should watch out for abuse.

  • Scripts that redirect users to a file on the server—such as a PDF document—can sometimes be vulnerable. If you use a content management system (CMS) that allows you to upload files, you might want to make sure the links go straight to the file, rather than going through a redirect. This includes any redirects you might have in the downloads section of your site. Watch out for links like this:

  • Internal site search result pages sometimes have automatic redirect options that could be vulnerable. Look for patterns like this, where users are automatically sent to any page after the "url=" parameter:

  • Systems to track clicks for affiliate programs, ad programs, or site statistics might be open as well. Some example URLs include:

  • Proxy sites, though not always technically redirects, are designed to send users through to other sites and therefore can be vulnerable to this abuse. This includes those used by schools and libraries. For example:

  • In some cases, login pages will redirect users back to the page they were trying to access. Look out for URL parameters like this:

  • Scripts that put up an interstitial page when users leave a site can be abused. Lots of educational, government, and large corporate web sites do this to let users know that information found on outgoing links isn't under their control. Look for URLs following patterns like this:

Is my site being abused?

Even if none of the patterns above look familiar, your site may have open redirects to keep an eye on. There are a number of ways to see if you are vulnerable, even if you are not a developer yourself.

  • Check if abused URLs are showing up in Google. Try a site: search on your site to see if anything unfamiliar shows up in Google's results for your site. You can add words to the query that are unlikely to appear in your content, such as commercial terms or adult language. If the query [ viagra] isn't supposed to return any pages on your site and it does, that could be a problem. You can even automate these searches with Google Alerts.

  • You can also watch out for strange queries showing up in the Top search queries section of Webmaster Tools. If you have a site dedicated to the genealogy of the landed gentry, a large number of queries for porn, pills, or casinos might be a red flag. On the other hand, if you have a drug info site, you might not expect to see celebrities in your top queries. Keep an eye on the Message Center in Webmaster Tools for any messages from Google.

  • Check your server logs or web analytics package for unfamiliar URL parameters (like "=http:" or "=//") or spikes in traffic to redirect URLs on your site. You can also check the pages with external links in Webmaster Tools.

  • Watch out for user complaints about content or malware that you know for sure cannot be found on your site. Your users may have seen your domain in the URL before being redirected and assumed they were still on your site.
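
The server-log check described in the list above can be scripted. The following is an added example, not code from the original post: it scans access-log lines for query parameters whose value points at another host (the "=http:" and "=//" patterns) and counts hits per redirect script. The hostnames, paths, parameter names and log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: hostnames that count as "your site" (constructed values).
SITE_HOSTS = {"www.example.com", "example.com"}

# Request line and status code in a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2009:10:00:01 +0000] "GET /search?q=genealogy HTTP/1.1" 200 5120
198.51.100.7 - - [30/Jan/2009:10:00:02 +0000] "GET /redirect?url=http%3A%2F%2Fspam.example%2Fpills HTTP/1.1" 302 0
198.51.100.8 - - [30/Jan/2009:10:00:03 +0000] "GET /redirect?url=//spam.example/casino HTTP/1.1" 302 0
192.0.2.10 - - [30/Jan/2009:10:00:04 +0000] "GET /login?next=http://www.example.com/account HTTP/1.1" 302 0
192.0.2.11 - - [30/Jan/2009:10:00:05 +0000] "GET /out?dest=https://partner.example.org/ HTTP/1.1" 200 812
"""


def external_target(value):
    """Return the off-site host a parameter value points to, or None."""
    v = value.strip()
    if v.startswith("//"):
        v = "http:" + v                      # protocol-relative URL, the "=//" pattern
    if not v.lower().startswith(("http:", "https:")):
        return None
    try:
        host = urlsplit(v).hostname
    except ValueError:                       # malformed URL in the parameter
        return None
    if host is None or host.lower() in SITE_HOSTS:
        return None
    return host.lower()


def find_redirect_hits(log_text):
    """List (path, parameter, off-site host, status) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.group(1), int(match.group(2))
        parts = urlsplit(target)
        # parse_qsl percent-decodes values, so encoded "http%3A%2F%2F" is caught too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            host = external_target(value)
            if host:
                hits.append((parts.path, name, host, status))
    return hits


def summarize(hits):
    """Count hits per (script path, parameter) to spot spikes on one redirect URL."""
    return Counter((path, name) for path, name, _host, _status in hits)


if __name__ == "__main__":
    found = find_redirect_hits(SAMPLE_LOG)
    for (path, name), count in summarize(found).most_common():
        print(f"{count:4d}  {path}  parameter={name}")
    for path, name, host, status in found:
        note = "server redirected" if 300 <= status < 400 else "no redirect issued"
        print(f"{path}?{name}= -> {host} ({status}, {note})")
```

A hit with a 3xx status means the script actually forwarded the visitor off-site; a hit on a script you did not know accepted URLs is the one to investigate first.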

What you can do

Unfortunately there is no one easy way to make sure that your redirects aren't exploited. An open redirect isn't a bug or a security flaw in and of itself—for some uses they have to be left fairly open. But there are a few things you can do to prevent your redirects from being abused or at least to make them less attractive targets. Some of these aren't trivial; you may need to write some custom code or talk to your vendor about releasing a patch.

  • Change the redirect code to check the referer, since in most cases everyone coming to your redirect script legitimately should come from your site, not a search engine or elsewhere. You may need to be permissive, since some users' browsers may not report a referer, but if you know a user is coming from an external site you can stop or warn them.

  • If your script should only ever send users to an internal page or file (for example, on a page with file downloads), you should specifically disallow off-site redirects.

  • Consider using a whitelist of safe destinations. In this case your code would keep a record of all outgoing links, and then check to make sure the redirect is a legitimate destination before forwarding the user on.

  • Consider signing your redirects. If your website does have a genuine need to provide URL redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. That allows your own site to do URL redirection without opening your URL redirector to the general public.

  • If your site is really not using it, just disable or remove the redirect. We have noticed a large number of sites where the only use of the redirect is by spammers—it's probably just a feature left turned on by default.

  • Use robots.txt to exclude search engines from the redirect scripts on your site. This won't solve the problem completely, as attackers could still use your domain in email spam. Your site will be less attractive to attackers, though, and users won't get tricked via web search results. If your redirect scripts reside in a subfolder with other scripts that don't need to appear in search results, excluding the entire subfolder may even make it harder for spammers to find redirect scripts in the first place.
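
The code-level checks in the list above (referer check, internal-only destinations, a whitelist, and signed redirects) can be combined in one handler. This is an added example, not code from the original post; it uses HMAC-SHA256 as the keyed hash for the signature, and the key, hostnames, the `/redirect` path and the `url`/`sig` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# All values below are constructed for this example.
SECRET_KEY = b"constructed-demo-key"      # server-side secret, never sent to clients
SITE_HOST = "www.example.com"             # hypothetical site hostname
ALLOWED_HOSTS = {"partner.example.org"}   # hypothetical whitelist of outgoing destinations


def sign_destination(url):
    """Keyed hash of the destination; only the site itself can produce it."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(url):
    """Link the site places in its own pages: destination plus its signature."""
    return "/redirect?" + urlencode({"url": url, "sig": sign_destination(url)})


def has_unsafe_chars(url):
    """Backslashes and control characters are parsed inconsistently by clients."""
    return "\\" in url or any(ord(c) < 0x20 for c in url)


def is_internal(url):
    """Accept only same-site paths such as /downloads/report.pdf."""
    # "//host/..." is protocol-relative and leaves the site, so it is not internal.
    return url.startswith("/") and not url.startswith("//")


def external_host(url):
    """Hostname of an absolute http(s) URL, or None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def referer_is_external(referer):
    """Permissive referer check: a missing referer is tolerated, an off-site one is not."""
    if not referer:
        return False
    host = external_host(referer)
    return host is not None and host != SITE_HOST


def resolve_redirect(query_string, referer=None):
    """Return (status, location); 302 only for destinations the site vouches for."""
    params = parse_qs(query_string)
    url = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]

    if has_unsafe_chars(url) or referer_is_external(referer):
        return 400, None
    if is_internal(url):                  # internal page or file download
        return 302, url
    host = external_host(url)
    if host is None:                      # "//host", javascript:, data:, empty, ...
        return 400, None
    if host in ALLOWED_HOSTS:             # known outgoing link
        return 302, url
    expected = sign_destination(url).encode()
    if sig and hmac.compare_digest(expected, sig.encode("utf-8")):
        return 302, url                   # link was generated by the site itself
    return 400, None


if __name__ == "__main__":
    link = make_redirect_link("https://other.example.net/page")
    print(link)
    print(resolve_redirect(link.split("?", 1)[1]))
    print(resolve_redirect("url=https://spam.example/"))
```
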

Open redirect abuse is a big issue right now but we think that the more webmasters know about it, the harder it will be for the bad guys to take advantage of unwary sites. Please feel free to leave any helpful tips in the comments below or discuss in our Webmaster Help Forum.

Written by Jason Morrison, Search Quality Team

[Gd] OpenSocial events, past, present, and future

OpenSocial API Blog: OpenSocial events, past, present, and future

Mahatma Gandhi once observed that "man is a social being," that "without inter-relation with society, he cannot realize his oneness with the universe."

While, of course, the universe is much bigger than OpenSocial, one way to realize your "oneness" with the OpenSocial community is by planning and attending events with other developers who share your passion for OpenSocial development. With this in mind, we have added an events page to the OpenSocial wiki which features, among other things, a planning guide for new events. This guide provides step-by-step instructions for organizing, marketing, and executing OpenSocial-themed meetups and hackathons and makes coordination as simple as following a checklist. Plus, the planning guide is "wikified," so as you hold events, please feel free to share your lessons learned with the community.

A number of OpenSocial events have already been held in the past weeks. For example, a group of over 100 self-proclaimed OpenSocial enthusiasts gathered in Pune, India in late December for a full day of speaker tracks and application demos. And two weeks ago, around 20 developers who were new to the API gathered in Dallas, Texas, walked through the tutorial together, and even had a break-out session about implementing OpenSocial on their own sites before ending the day with some drinks.

New events are already in the pipeline:
  • The Silicon Valley Google Technology User Group (GTUG) is scheduled to discuss Java development with OpenSocial at their February 4th meetup. Two developer advocates from Google will present on the Java flavor of Shindig, as well as the Java client library which allows developers to interact with OpenSocial containers from Java-based apps.
  • WeekendApps is a three-day "codefest" starting February 20th at Google's headquarters in Mountain View, California. Developers and general social enthusiasts will form teams, brainstorm new concepts for social applications, and then design and build these apps over the weekend. On the evening of the 22nd, the teams will demo their apps and those with the most popular apps will score prizes and publicity.

Even as the community organizes great events, OpenSocial containers are bringing developers together as well:
  • A MySpace DevJam is scheduled for February 5th in San Francisco. The event will be focused on monetizing applications via virtual currency and is being sponsored by Offerpal, which is providing up to four developers in attendance the opportunity to have their applications reviewed by Offerpal's consultant team.

Social events make communities stronger and closer. Start using the planning guide today so you and fellow OpenSocial developers can begin realizing your "oneness" with the community.

Posted by Jason Cooper, Developer Programs

Updated January 30th for clarification

[Gd] Google Code Jam's Ranking Library Released

Google App Engine Blog: Google Code Jam's Ranking Library Released

Posted by Bartholomew Furrow and Sebastian Kanthak, Google Code Jam Team

At Google, we like to use our own projects for internal development. Following that philosophy, one of the first apps ever made for Google App Engine was the contest platform for Google Code Jam. The application was a good fit: a rich web interface, real-time user interaction, and a heavily parallel design. But we faced one major challenge, which was how to handle the huge scoreboard -- in the first round, we had over 11,000 contestants.

While App Engine's datastore allows you to sort entities by score, it doesn't have a built-in mechanism to answer the following two requests:

  1. Given a user, what is his or her rank on the scoreboard? In other words, for some arbitrary row in that scoreboard, what is its position amongst the 11,000 spots? This is useful for showing your own rank, as well as the ranks of your friends.

  2. Give me all users on the n-th page of the scoreboard. While it is possible to get all users in sorted order, datastore queries don't allow you to start at page n, and iterating over all of the users on the first n pages takes too much time.

To solve these issues, we came up with a library that maintains a data structure to efficiently support these use cases. We imagine that other applications will have similar problems (e.g., a high-score list in a game), and so we're happy to release our work as the "google-appengine-ranklist" library.

The library supports three different operations:

  1. Setting the score of a given user.

  2. Given a score, what's the rank of a user with this score? This is used to answer the "What's the rank of person U?" use case.

  3. Given a rank, what's the score S for this rank? This can be used to solve the paging problem, by constructing a query that returns the first few users with a score less than or equal to S, in sorted order.

If you think this library could be useful for you, take a look at the documentation and at the example application. We'd love to hear from you in our Google Group.


Thursday, January 29, 2009

[Gd] Next IRC Office Hours: Wednesday, Feb. 4th, 1:00 - 3:00pm PST

YouTube API Blog: Next IRC Office Hours: Wednesday, Feb. 4th, 1:00 - 3:00pm PST

Posted by Stephanie Liu, YouTube APIs and Tools Team

Last week, we had a grand ol' time troubleshooting some issues, chatting about the player, making some new friends, and salivating over a Dark Chocolate Bacon Cupcakes recipe. So, we'll be holding office hours again next week, same bat time, same bat channel.

When: Wednesday, February 4th, 1:00 - 3:00 pm PST
Who: Look for xirzec, stephliu, and jh_youtube

Let us know if you'd prefer a different time for future office hours, or just post your questions in our discussion forum.

[Gd] Post-Commit Web Hooks for Google Code Project Hosting

Google Code Blog: Post-Commit Web Hooks for Google Code Project Hosting

By Mike Parent, Google Code

We love to create building blocks that fuel users' imaginations. Today we are announcing Post-Commit Web Hooks for Project Hosting on Google Code, which allow web services to receive repository commit notifications. Projects can use this feature to integrate with all kinds of external tools, including continuous build systems, bug trackers, project metrics, and social networks. The notification follows the Web Hooks model, and is delivered as an HTTP POST request containing a JSON commit description.

To help get you started, we've created an example application that performs various tests that are useful for managing documentation. You can find the source code in the contenthooks open source project.

We would love to hear feedback about new and interesting uses of Post-Commit Web Hooks!

[Gd] ClickJacking

Chromium Blog: ClickJacking

Although the term "ClickJacking" is new, the underlying issue has been known for years. ClickJacking attacks affect all Web browsers because the attacks rely on standard browser features to trick the user into clicking on a dangerous spot on another Web page. A few months ago, Jeremiah Grossman and Robert Hansen sparked renewed interest in ClickJacking by demonstrating a clever application of the technique against Flash Player. Unfortunately, there is no "silver bullet" solution to all ClickJacking attacks. To find the best long-term solution, we're collaborating with other browser vendors and the standards community. If you're interested in ClickJacking solutions, I'd recommend reading Mark Pilgrim's summary of recent ClickJacking discussion in the HTML 5 working group and joining in the discussion.

Posted by Adam Barth, Software Engineer

[Gd] Bringing OpenID and OAuth Together

Official Google Data APIs Blog: Bringing OpenID and OAuth Together

Posted by Yariv Adan, Google Security Team

We are happy to announce an important enhancement to our recently launched OpenID endpoint. Google now supports the "Hybrid Protocol", combining OpenID federated login together with OAuth access authorization. Websites can now ask Google to sign-in a user using their Google Account, and at the same time request access to information available via OAuth-enabled APIs such as the Google Data APIs.

For example, the website is an early adopter of the new service and has already released a beta version supporting it for some of its new users. Plaxo's UI provides both a richer sign-in offering, using the Federated Login OpenID API, and a simple and secure way to import their Google Contacts using OAuth. In the past, sign-in required multiple redirects between Plaxo and Google, and more importantly, multiple user approval pages, one for OpenID during sign-in and another for the OAuth access authorization request. No more!

The Hybrid Protocol allows Plaxo to encapsulate their OAuth authorization request inside the OpenID authentication request, letting Google know that the user wants to use both APIs. Google can now display a single approval page for both requests. Here is how the new user experience looks:

In their sign in page, Plaxo offers their users the option to sign in using their Google Account and import their Gmail Contacts.

The user is then redirected to the Google website and asked to confirm both sign in and access authorization requests.

Finally, the user is redirected back to Plaxo, where she is already signed in and her Google contacts are available. If it's the first time the user signed-in using the Federated Login API, an additional instructive window will be displayed to ensure that the next sign-in experience will be as easy and successful as the first.

Not only does the protocol allow a much better user experience as shown above, it also reduces the total number of browser redirects and roundtrips, reducing overall latency.
To learn more about this new API see To make it easier for you to use the new API, we created a collaborative Open Source project together with other major vendors where you can download open source implementations for your Relying Party component. You are invited to contribute your own code and suggested best practices to this website.

The Hybrid Protocol is a result of the ongoing effort by the OpenID and OAuth communities to make these protocols more useful for users and websites. Google is working together with the OpenID community to standardize the new protocol as a formal OpenID extension. If you want to help further these efforts and have an impact on what the next advancements are, you are welcome to join the OpenID and OAuth mailing lists.

If you're interested in looking at some code, check out our working sample using the Google Data PHP client library. The source code is available here.

[Gd] Case Study: JE Dunn Construction

Official Google SketchUp Blog: Case Study: JE Dunn Construction

Every project JE Dunn undertakes involves a multitude of moving parts – equipment commissioning, delivery scheduling, construction process coordination, safety planning, and others. From project start through project completion, JE Dunn's Engineering Services Group consisting of in-house designers and engineers strives to ensure building quality.

Necessity is a driving force for innovation. JE Dunn's need to communicate critical information led them to the use of Google SketchUp as a way to deliver information in an efficient, clear and meaningful way. During a project building envelope coordination meeting, the JE Dunn team found it difficult to communicate the complexity and overall project scope to the various teams involved in its construction. The coordination between the teams in the installation process was particularly important as they needed to ensure a water-tight product.

The JE Dunn team turned to SketchUp to virtually mock up complex parts of the project, such as the window installation, into 3D SketchUp models. These 3D models were then presented at the job site enabling the participants to visualize the complexity of the install and understand the sequencing of parts.

For all involved, it was as though a light bulb had been turned on. JE Dunn had used SketchUp to drive a much deeper level of collaboration. The results were an improved way to pro-actively identify and address project issues, generate better solutions as a collective team and, in the end, the production of a high-quality product with stakeholder sign-off.

Coming out of this success, JE Dunn began using SketchUp on other projects, eventually standardizing the way it uses SketchUp to drive quality improvements and lower costs, and even mandating the use of virtual 3D building envelope mock-ups on projects costing $20 million or more.

Today, JE Dunn uses SketchUp throughout the planning and building process. With SketchUp, the company and its subcontractors rapidly prototype and compare design options. Using SketchUp, JE Dunn precisely and efficiently develops building skin installation sequences.

With LayOut, the 2D design documentation feature of SketchUp Pro, JE Dunn is able to combine traditional 2D information with their 3D model information into coherent and useful documentation for teams to use in the field. "LayOut helps formalize how we put the information together. It becomes the glue that brings it all together in an organized fashion" says Rodd Merchant, Vice President of JE Dunn's Rocky Mountain Engineering Services Group.

In combination with Google Earth, the company uses SketchUp to plan project logistics, from fencing to deliveries to construction site traffic flows. It is used to help clients visualize and better understand the status of projects, and how and why clients will have to make temporary adjustments to their workplace and workplace processes in order to accommodate for different phases of construction (for example, when a project will require the temporary closure of one wing of a client’s building).

"The productivity of JE Dunn employees has been impacted by SketchUp as many can now help drive critical processes they wouldn’t have been capable of contributing to in the past" says Merchant. JE Dunn uses SketchUp to communicate and get buy-in from everyone involved on its projects – from property owners, developers and designers to subcontractors, field employees and other stakeholders. “SketchUp is a great visual aid,” says Rodd Merchant. “It’s absolutely made us better, more intelligent builders. We’re more confident and more productive – and just as important, we’re dramatically reducing our risk.”

The complete case study is posted on our website and you can also view additional models from JE Dunn.

Posted by Chris Dizon, SketchUp Sales Team

Wednesday, January 28, 2009

[Gd] Stable, Beta update: Yahoo! Mail and Security Fixes

Google Chrome Releases: Stable, Beta update: Yahoo! Mail and Security Fixes

Google Chrome's Beta and Stable channels have been updated to (Note, we won't have a different release for the Beta channel until we have something Beta-worthy come out of the Dev channel in February.)

This release fixes issues with two popular webmail providers:
  • Sending mail from Yahoo! Mail works again.
  • Windows Live Hotmail now works. While the Hotmail team works on a proper fix, we're deploying a workaround that changes the user agent string that Google Chrome sends when requesting URLs that end with

    If you've been using the --user-agent switch to use Hotmail, you can remove the switch from your shortcuts with this release.

This release also includes two security updates. The release notes have the full list of changes.

Security Updates
Work around for "Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability"
CVE: CVE-2007-0048, CVE-2007-0045
Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.

Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
Credit: Thanks to Michael Schmidt for reporting this responsibly to Google.

Javascript Same-Origin Bypass
CVE: CVE-2009-0276
A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.

Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.
Credit: Found internally by Google.

--Mark Larson, Google Chrome Program Manager

[Gd] Synchro: 4D scheduling software for SketchUp

Official Google SketchUp Blog: Synchro: 4D scheduling software for SketchUp

In terms of representation, the first dimension is characterized by a line. A square is two-dimensional, and an extruded square – a cube – is 3D. So what the heck is 4D? Time.

Synchro Project Constructor is a 4D application that lets you manage a 3D model in time. It's a scheduling tool for visualizing how construction projects will occur. Basically, different parts of your model exist at different points on a timeline, and you can show and hide those parts depending on when you are. Pretty neat.

Even neater is the fact that Synchro Project Constructor is specifically designed to work with SketchUp models. It's a lower-cost, standalone application that anyone with SketchUp can use to add a temporal dimension to their project planning and design.

Posted by Aidan Chopra, SketchUp Evangelist

Tuesday, January 27, 2009

[Gd] 3D printing from SketchUp with CADspan: Now even better

Official Google SketchUp Blog: 3D printing from SketchUp with CADspan: Now even better

You might remember reading about a nifty 3D printing-from-SketchUp plugin called CADspan that we blogged about a few months ago. It would appear that the folks over at LGM (who make CADspan) have been busy since then. They've released a new version of the plugin, and here's some of what's new:
  • CADspan is now available for both Windows and Mac
  • It now supports SketchUp 7 (which we released in November)
  • File processing times are about 10x faster
  • The system is much more reliable (hooray for beta testing!)
Here's a video that explains more:

In related news, there's now a Pro version of CADspan that provides some extra benefits. Check out the Pro page on their website for all the details.

A couple of SketchUp models that were eventually printed in 3D

Posted by Aidan Chopra, SketchUp Evangelist

[Gd] Open source from the get-go

Google Desktop APIs: Open source from the get-go

In the past few weeks, we launched the YouTube, Calendar, and Google Docs gadgets, making them open source from the very beginning. We also wrote a short story on the Google Open Source blog about our experiences with these projects and how open sourcing benefits the developer community. Once again, we'd like to encourage everyone to open source your gadgets and share your code. If you're new to Desktop gadgets, looking at open sourced gadgets is a great way to learn.

Posted by James Yum, Developer Programs Engineer (Google Desktop Team)

[Gd] Google I/O 2009, Developer Conference

Google Code Blog: Google I/O 2009, Developer Conference

By Azhar Hashem, Google Developer Programs

I'm excited to announce Google I/O 2009, our two-day developer event that will take place May 27-28, at the Moscone Center in San Francisco. Last year, over 3,000 developers participated in I/O and they attended 90+ sessions across all of our developer products. This year, much of our content will feature Android, App Engine, Chrome, GWT, AJAX APIs and more. To give you an idea, here are a few of the sessions:

  • App Engine, Offline processing on App Engine: a look ahead
  • Android, Supporting multiple devices with one binary
  • Chrome, Developing extensions for Google Chrome
  • GWT, The Story of your Compile: reading the tea leaves of the GWT compiler for an optimized future
  • AJAX APIs, Using AJAX/RESTful APIs on Mobile Native Apps
  • OpenSocial, Building a Business with Social Apps
  • Geo APIs, Building scalable Geo applications

We've published a selection of the session abstracts but check back as we'll be adding more sessions over the next couple months.

At I/O, you'll have a chance to interact directly with the engineering teams who work on our APIs and developer products. There will be dozens of in-depth technical sessions that focus on how to write better applications using Google and open technologies. For developers who are working on business applications, we've expanded our sessions and demos on those topics as well. And we'll have plenty of opportunities for the developer community to demo apps that use the latest web and mobile technologies.

We're working hard to make this event insightful, useful, and fun! Visit the Google I/O website to learn more and register. Space is limited so make sure you reserve your spot early. As a bonus, you'll get a hard copy of the Google Chrome Comic book if you register by May 1.

Like last year, Google I/O will be followed by Developer Days that will take place in various countries around the world. Keep an eye out for an announcement with details on dates and locations.

Looking forward to seeing you at I/O!

[Gd] Dev update: Bug fixes and scrolling improvements

Google Chrome Releases: Dev update: Bug fixes and scrolling improvements

Google Chrome's Dev channel has been updated to The main changes to highlight are:
  • Improved scrolling on pages with multiple plugins.
  • Fixed (mostly) the problem of tabs suddenly going to the smallest size.
  • Fixed downloads going to the wrong folder.
  • Fixed Gears not loading sometimes.
  • Removed the option to import bookmarks from Google bookmarks. We think we can improve this feature, so we're pulling it out until we come up with something better.
  • Added a way to remove sites from the 'Never remember passwords' list. Go to Options > Minor Tweaks > Passwords and click Exceptions.
Find out about the Dev channel and how to subscribe at

The complete list of changes is available in the release notes.

--Mark Larson, Google Chrome Program Manager

Monday, January 26, 2009

[Gd] Google Chrome User Experience Research

Chromium Blog: Google Chrome User Experience Research

Why are the buttons where they are instead of where I want them to be? What's up with bookmarks? Why does the Google Chrome UI look and operate the way it does? These are probably questions that some, many or even all of you have about Google Chrome. We explained how we came to some of those decisions in a previous post:
"To achieve the streamlined feel we were after … we had our own intuitions about what was and wasn't useful in current browsers, we had no idea how those ideas matched to reality. So in typical Google fashion, we turned to data; we ran long studies of the browsing habits of thousands of volunteers, compiled giant charts of what features people did and didn't use, argued over and incorporated that data into our designs and prototypes, ran experiments, watched how our test users reacted, listened to their feedback, and then repeated the cycle over and over and over again."
To provide some more insight into this process, I should explain what we mean by "data." The data we turn to is both quantitative and qualitative. Usage logs provide statistics such as how many users have tried a feature and how frequently a feature gets used. These logs are collected only from people who have chosen to share usage statistics with us. This quantitative data tells us the "how" and the "when" but not the "why." For that, we use qualitative data gathered through research methods like surveys, interviews and contextual inquiry, which involves observing people in their home or work environments. Often we bring people to one of our usability labs where we can observe their interactions and collect feedback on a new feature we are working on. Many times we employ an eye tracker so we can find out exactly what people are looking at on our user interface. By incorporating data from all these sources into our design process, we hope to provide a user experience that satisfies the needs of the many Google Chrome users out there.

In the future, we are planning on releasing some of our research on this blog and on the UX Site to show how the data we are collecting is impacting the Chrome experience.

All of our research data comes from studying and observing people. But what kind of "people" do I mean? Probably someone just like you. So if you are interested in becoming a potential participant in a research study on Chrome or one of the many other Google products, I encourage you to sign up at

Posted by David Choi, User Experience Researcher

[Gd] Playing Around with Google AJAX and Data APIs

Official Google Data APIs Blog: Playing Around with Google AJAX and Data APIs

Posted by Monsur Hossain, Google Data APIs Team

Ben Lisbakken of the Google AJAX APIs team just launched the AJAX API Playground, which offers an intuitive interface for playing around with JavaScript code and immediately seeing the results. The playground features over 170 examples of how to use the various JavaScript APIs across Google, including examples using our Google Data JavaScript client to access data from Blogger and Calendar. The samples include retrieving posts from Blogger, listing events from a calendar, and running queries to grab a subset of data. Enjoy!

[Gd] Google Visualization API interactive samples in the AJAX APIs Playground

Google Code Blog: Google Visualization API interactive samples in the AJAX APIs Playground

By Nir Bar-Lev, Google Developer Programs

We all know that writing code based on existing code snippets is faster and quicker than starting from scratch. It's also a great way to ramp up on new tools or APIs you may be less familiar with.

That's why we decided to provide a whole bunch of interactive code samples for the Google Visualization API in Google's recently launched AJAX APIs Playground.

These code samples run the gamut from specific visualizations like the Motion Chart, Annotated Time Line (used in Google Finance) or Geo Map to covering specific Visualization API topics like event handling and placing data source requests.

The Playground enables you to change the sample code, re-run it, and see the results in real time. You can export your code, save it, and also get a full HTML source. In fact, for most of your programming needs, this tool is all you'll ever need to write, debug and integrate visualizations from the Visualization API into your web pages.

We hope you enjoy the added productivity and wish you happy visualizing!