Friday, May 7, 2010

[Gd] The future of O3D

Chromium Blog: The future of O3D

We launched the O3D API about a year ago to start a discussion within the web community about establishing a new standard for 3D graphics on the web. Since then, we’ve also helped develop WebGL, a 3D graphics API based on OpenGL ES 2.0 that has gradually emerged as a standard, and is supported by other browser and hardware vendors like Mozilla, Apple and Opera.

At Google, we’re deeply committed to implementing and advancing standards, so as of today, the O3D project is changing direction, evolving from its current plug-in implementation into a JavaScript library that runs on top of WebGL. Users and developers will still be able to download the O3D plug-in and source code for at least one year, but other than a maintenance release, we plan to stop developing O3D as a plug-in and focus on improving WebGL and O3D as a JavaScript library.

We did not take this decision lightly. In initial discussions we had about WebGL, we were concerned that JavaScript would be too slow to drive a low-level API like OpenGL and we were convinced that a higher level approach like the O3D scene graph would yield better results. We were also cognizant of the lack of installed OpenGL drivers on many Windows machines, and that this could hamper WebGL’s adoption.

Since then, JavaScript has become a lot faster. We've been very impressed by the demos that developers have created with WebGL, and with the ANGLE project, we believe that Chromium will be able to run WebGL content on Windows computers without having to rely on installed OpenGL drivers.

The JavaScript implementation of O3D is still in its infancy, but you can find a copy of it on the O3D project site and see it running some of the O3D samples from a WebGL enabled browser (alas, no Beach Demo yet). Because browsers lack some requisite functionality like compressed asset loading, not all the features of O3D can be implemented purely in JavaScript. We plan to work to give the browser this functionality, and all capabilities necessary for delivering high-quality 3D content.

We’d like to thank the developers who have contributed to O3D by delivering valuable feedback, submitting changes to the plugin and developing applications. To help you convert your application to the new WebGL implementation of O3D, we will keep our discussion group open where our engineering team will answer your questions and provide you with technical advice. For those of you concerned about support for Internet Explorer, we’ll recommend using Google Chrome Frame once it supports WebGL, and hope to see IE implement WebGL natively someday. We hope you will continue working with us and the rest of the WebGL community on moving 3D on the web forward.


Posted by Matt Papakipos, Engineering Director, and Vangelis Kokkevis, Software Engineer
URL: http://blog.chromium.org/2010/05/future-of-o3d.html

Thursday, May 6, 2010

[Gd] Globetrotting with Google Chrome Extensions and HTML5

Chromium Blog: Globetrotting with Google Chrome Extensions and HTML5

The Google Chrome Developer Relations team has been working hard to spread the word about Google Chrome’s extensions platform and support for HTML5. Besides speaking at developer events around Silicon Valley, we’ve made it a priority to connect with developers in other locations in and out of the United States.

Following our trips last year to the Czech Republic, Russia, and Argentina, we spent a good chunk of the past few months on the road meeting with hundreds of developers and Google Technology User Groups.

For starters, Brian Kennish spoke about advanced extensions at Google DevFest in Tokyo, Japan and Google’s South by Southwest Interactive booth in Austin, Texas. You can check out a video of Brian’s DevFest session.

Next, Ernest Delgado, Jeremy Orlow, and Arne Roomann-Kurrik presented extensions and HTML5 to developers in London, England. Both presentations were actually implemented using HTML5 — the extensions deck as an extension and the HTML5 deck as a webpage.

Ernest and Arne went on to deliver this content to developers in Spain, Germany, and the Czech Republic. Here’s a video of the talk they gave to the Brno, Czech Republic Google User Group.

We love to help developers get their “hands dirty” with code too, so the team organized several hackathons during these trips. Brian led a hackathon in Sydney, Australia and another in Austin, where developers built lots of great extensions. Meanwhile, Ernest and Arne led students through building extensions at universities in Madrid and Brno.

We’re keen to continue connecting with developer communities around the world. If we haven’t visited a location near you yet, we hope the resources above come in handy. And for those of you who want the thrill of a hackathon experience, our friends at Twilio recently launched an online extensions hackathon with awesome prizes. We look forward to trying out what you create.

Keep an eye on this blog for future announcements and event plans. We won’t be traveling for the next couple weeks as we prepare new content for Google I/O, but perhaps some of you will be making trips of your own to see us there!


Posted by Arne Roomann-Kurrik and Brian Kennish, Developer Advocates
URL: http://blog.chromium.org/2010/05/globetrotting-with-google-chrome.html

[Gd] Dev Channel Update

Google Chrome Releases: Dev Channel Update

The Dev channel has been updated to 5.0.396.0 for the Windows, Mac, and Linux platforms.

All
  • The toolbar, omnibox and other UI changes reverted for Chrome 5 have been restored in this build.
  • Fixed bug related to scheme stripping that could cause URLs of the form "http://ftp.foo.com" to be misnavigated, by not stripping the scheme in this case.
  • Many bugs fixed relating to stripping "http://" and its interaction with the clipboard. Chrome should now prepend schemes onto the pasted text in a variety of situations.
Mac
  • Continual polish to main frame UI, including the bookmark bar
Linux
  • Bookmark bar icons should no longer be cropped under some GTK themes (particularly, the new ones in Ubuntu Lucid).
  • Flash content when using nspluginwrapper should be clickable again.
Security
  • Linux: Fixed a crash caused by a premature application data record in the middle of an SSL handshake (Issue: 42538)
Known Issues

More details about additional changes are available in the svn log of all revisions.

You can find out about getting on the Dev channel here: http://dev.chromium.org/getting-involved/dev-channel.

If you find new issues, please let us know by filing a bug at http://code.google.com/p/chromium/issues/entry.
URL: http://googlechromereleases.blogspot.com/2010/05/dev-channel-update.html

[Gd] Get ready to wave at Google I/O

Google Code Blog: Get ready to wave at Google I/O

Since unveiling Google Wave at I/O last year, we've seen a number of conferences (even entirely virtual ones) use Google Wave to facilitate discussions, note-taking, and conversations amongst the attendees. We want to bring this experience to Google I/O as well, so we've coded up some nifty robots and gadgets using the Google Wave APIs, and used those to generate interactive waves for each session. Attendees will be able to "live wave": view live notes, ask questions via a Google Moderator gadget, and discuss content. For more details, check out the screencast below and read the Google Wave at I/O overview.

If you are new to Google Wave, you can start by reading the Getting Started Guide and watching our video tutorials. For those of you who don't yet have a Google Wave account, please request an invitation to Google Wave.

Happy Waving and see you at Google I/O!


Posted By Amanda Surya, Google Wave Team
URL: http://googlecode.blogspot.com/2010/05/get-ready-to-wave-at-google-io.html

[Gd] New AdWords ID Data in Google Analytics API

AdWords API Blog: New AdWords ID Data in Google Analytics API

Cross posted from the Google Analytics Blog.

Google Analytics helps marketers measure the performance of their ad campaigns. By linking Google Analytics and AdWords accounts, advertisers get a detailed picture of the performance of their ad creatives and keywords. Manually optimizing campaigns works well for the top 100 or 1000 keywords, but can be a challenge for the 1000+ keywords in the long tail.
To help advertisers, we are releasing 5 new dimensions through the Google Analytics API that correlate to the AdWords API IDs.
  • ga:adwordsCustomerID
  • ga:adwordsCampaignID
  • ga:adwordsAdGroupID
  • ga:adwordsCriteriaID
  • ga:adwordsCreativeID

This allows advertisers to gain new insight by combining the Google Analytics and Google AdWords data sets.


Image of table showing new AdWords IDs

Likewise, clients can increase their efficiency by automating reporting using applications. For example, a developer could write an application that ranks all the ad and keyword combinations by bounce rate for the top 50 landing pages, making it easy to identify which ad creatives could be optimized. Running such a report at night would allow an analyst to spend their day focused on optimizing ad creatives to yield real outcomes.

To help you get started quickly, we wrote an article that walks through the steps of joining data from both sources. We also provided the sample application that produces the table above. Here's a sample Java code snippet that shows exactly how to insert the IDs from Google Analytics into a Google AdWords API filter:


public AdGroupCriterionIdFilter[] getCriterionFilters(DataFeed analyticsData) {
  // One AdWords filter per Analytics row: each row carries the ad group and
  // criterion (keyword) IDs in the new ga:adwordsAdGroupID and
  // ga:adwordsCriteriaID dimensions.
  int numFilters = analyticsData.getEntries().size();
  AdGroupCriterionIdFilter[] critFilters = new AdGroupCriterionIdFilter[numFilters];

  for (int i = 0; i < numFilters; i++) {
    DataEntry entry = analyticsData.getEntries().get(i);

    // Dimension values arrive as strings; the AdWords API filter wants longs.
    // A row without AdWords data would make parseLong throw, so such rows
    // should be filtered out of the query (or caught) before reaching here.
    Long groupID = Long.parseLong(entry.stringValueOf("ga:adwordsAdGroupID"));
    Long critID = Long.parseLong(entry.stringValueOf("ga:adwordsCriteriaID"));

    AdGroupCriterionIdFilter critFilter = new AdGroupCriterionIdFilter();
    critFilter.setAdGroupId(groupID);
    critFilter.setCriterionId(critID);
    critFilters[i] = critFilter;
  }
  return critFilters;
}

Please keep in mind that all applications that combine data with the AdWords API must follow the AdWords API terms and conditions.

We're really excited about the new possibilities this data allows. We look forward to hearing how you use it to improve your ad campaigns!

Thanks!
Alex Lucas, Google Analytics API Team

URL: http://adwordsapi.blogspot.com/2010/05/new-adwords-id-data-in-google-analytics.html

[Gd] Top Search Queries is now Search Queries with Average Position and Stars

Official Google Webmaster Central Blog: Top Search Queries is now Search Queries with Average Position and Stars

Webmaster Level: All

Since we released the latest version of Top Search Queries in Webmaster Tools we've gotten a bunch of feedback, most of which was overwhelmingly positive. Today, we're happy to bring even more improvements to Top Search Queries that we've implemented as a direct result of your feedback. First of all we've shortened "Top Search Queries" to be just "Search Queries" to better reflect all of the data provided by this feature. In addition to the name change you'll notice that Search Queries has several new updates.

As requested by many of you, we're now showing an "Average position" column right on the main Search Queries page. This provides a quick at-a-glance way to see where your site is showing in the search results for specific queries.

The other change you'll notice is that we're showing a "Displaying" number for Impressions and Clicks. This number represents a total count of the data displayed in the Search Queries table. The number in bold appearing just above it is a total count of all queries including the "long tail" of queries which are not displayed in the Search Queries table. When the "Displaying" number is not visible, such as when you select a specific country from the "All countries" drop-down menu, then the bold number is the total count of the data displayed in the Search Queries table.

We've also added an Average position column to the Search Queries download.

The other addition we've made to Search Queries is a "Starred" tab. Next to each Query on the Search Queries page there is now a clickable star icon. You can click the star icon for all of the queries that are of most interest to you. All of the queries that you "star" will be consolidated under the Starred tab providing a super easy way to view just the queries you care about.

We hope that this update makes Search Queries even more useful. If you've got feedback or suggestions for Search Queries please let us know in the Webmaster Help Forum.

Written by Jonathan Simon, Webmaster Trends Analyst
URL: http://googlewebmastercentral.blogspot.com/2010/05/top-search-queries-is-now-search.html

[Gd] Live, from Google I/O!

Google Code Blog: Live, from Google I/O!

More than 4,000 developers will be joining us at Google I/O on May 19-20, and if we had the capacity, we’d host many more. In order to give the entire developer community a chance to participate live, we're happy to announce that both keynote presentations will be streamed live. To watch, just go to http://www.youtube.com/GoogleDevelopers at the start of the keynotes each day. We recommend watching on a high-speed connection for the best quality.

Here’s the schedule for the keynotes at I/O — it’s also available on our agenda page:
  • Day 1 Keynote: Wednesday, May 19, 9:00 -10:30am PT
  • Day 2 Keynote: Thursday, May 20, 8:30-10:00am PT
Both keynote sessions feature exciting new technologies, so be sure to mark your calendars!

by Christine Tsai, Google Developer Team
URL: http://googlecode.blogspot.com/2010/05/live-from-google-io.html

[Gd] Be Careful With Content Providers

Android Developers Blog: Be Careful With Content Providers

The notion of a Content Provider is central to getting things done in an Android application. This is the mechanism used to expose many of a device's data resources for retrieval and update: Contacts, media store, bookmarks, phone-call log, and so on. It’s hard to find an interesting Android app that doesn’t either use or implement (or both) a Content Provider.

There’s nothing magical or terribly surprising about Content Providers - you address them by URL, query them with SQL, and iterate them with a Cursor. They do what they say they do and get out of the way, and they’re easy to create and use. But there’s a common anti-pattern, a way to misuse them that can potentially get your app into trouble, and maybe we’ve made it a little too easy.

The Content Providers that the Android framework gives you are described in the SDK’s android.provider package summary. For many of them, the framework provides helper classes of one sort or another, to help automate common chores and provide symbolic names for useful constants.

The problem is, there are more Content Providers in the system than are documented in that package, and while you can use them, you probably shouldn’t. They’re there because some of the Google-provided apps use them internally to access their own data resources. Because Android is an open-source project, it’s easy enough to find them just by running shell commands like find and grep over the source tree.

(By the way, searching the source tree like this is an excellent idea, something that probably every serious developer does regularly. Not 100% sure of the best way to write code to display a record from the Contacts database? Go ahead, have a look at how the built-in app does it; even better, steal some code; it’s perfectly legal.)

Back to Content Providers. For example, there’s one inside the built-in Messaging (A.K.A. texting or SMS) app that it uses to display and search your history. Just because it’s there doesn’t mean you should use it. The Android team isn’t promising that it’ll be the same in the next release or even that it’ll be there in the next release.

It’s worse than that; someone could ship an Android device based on the current SDK that follows all the rules but has its own enhanced messaging application that doesn’t happen to have such a Content Provider. Your app will break on such a device and it’ll be your fault.

So, go ahead and look at the undocumented Content Providers; the code is full of good ideas to learn from. But don’t use them. And if you do, when bad things happen you’re pretty well on your own.

URL: http://android-developers.blogspot.com/2010/05/be-careful-with-content-providers.html

[Gd] Do Know Evil

Google Testing Blog: Do Know Evil

Do Know Evil

Web Application Exploits and Defenses

by Bruce Leban in Google Kirkland

http://jarlsberg.appspot.com

If you want your application to be as secure as possible, you need to learn how Evil People think. And you'll want to use that knowledge to do penetration testing: attacking your own application to try to find bugs.

To help you understand how applications can be attacked and how to protect them from attack, we've created the “Web Application Exploits and Defenses” codelab. The codelab uses Jarlsberg, a small, cheesy web application that is full of real world bugs.

In the codelab, you'll learn how to:

  • Attack a web application to find and exploit common web security vulnerabilities.

  • Avoid and fix these common bugs.

Jarlsberg is chock full of cool features, and the more features an application has the larger the attack surface. Your application probably has features just like these:

Can you match each feature to the vulnerability that it exposes and the exploit it enables?



Feature
  • New template language
  • HTML allowed in snippets
  • File upload capability
  • AJAX
  • Web-based admin console

Vulnerability
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (XSRF)
  • Cross Site Script Inclusion (XSSI)
  • Path traversal
  • Client-state manipulation

Exploit
  • Information disclosure
  • Elevation of privilege
  • Denial of Service (DoS)
  • Spoofing
  • Code execution

Ha! Tricked you! Each of these features introduces multiple vulnerabilities. And each vulnerability can be exploited in multiple ways. The codelab walks you step by step through each vulnerability, with progressive hints guiding you on how to find them, how to exploit them and how to avoid them.

Here are some examples of fictitious attacks against Google applications. Do you recognize them? (answers below)

http://www.gmail.com/?search=in:spam+%3Cscript%3EmoveToInbox(selectAll())%3C/script%3E
http://www.blogger.com/delete-blog.g
http://www.picasa.com/../../../../../../../etc/passwd
http://www.youtube.com/admin?v=Vr0oK3gMzK&action=rickroll
http://checkout.google.com/buy?order=4815162342&total=0.01

Are you sure that your application isn't vulnerable to similar attacks!?

Check out the Toilet-Friendly Version for the answers

URL: http://googletesting.blogspot.com/2010/05/do-know-evil.html

Wednesday, May 5, 2010

[Gd] Google Analytics releases 38 features...

Google Code Blog: Google Analytics releases 38 features...

It’s only been a year since we launched the Google Analytics Data Export API and developer programs. To celebrate we are highlighting some of the exciting solutions that extend Google Analytics in our new Google Analytics Application Gallery!

Here are just a few of the exciting applications in the gallery:

AnalyticsApp is an app for Google Analytics on the iPad!

The Referrer Flow visualization shows you what sites link to you and which content works best. The Keyword visualization displays the most frequently used search keywords and how they are used together.

BTBuckets is a free segmentation and optimization webapp that allows sites to create user segments and take actions upon them in real time.

CallTrackID allows telephone enquiries to be tracked from various traffic routes, including direct, organic, PPC ad, affiliate and offline straight into Google Analytics.

ShufflePoint Studio allows you to associate PowerPoint text, table, and chart placeholders with refreshable Google Analytics data.

The App Gallery makes it easy for customers to find third-party solutions that extend Google Analytics in new and useful ways. We also think it’s a great way for developers to find new users and attract more customers. If you’re a developer and you’d like to have your application listed in the gallery, we've created a simple submission form to get your app added.

Finally, if you’re interested in learning more about how you can integrate with Google Analytics, join us for our presentation: Google Analytics: End-to-End on May 20th at Google IO.

Thanks!

Posted by Nick Mihailovski, Google Analytics API Team
URL: http://googlecode.blogspot.com/2010/05/google-analytics-releases-38-features.html

[Gd] Call for webspam reports in Thai, Indonesian, Romanian, Czech and Farsi

Official Google Webmaster Central Blog: Call for webspam reports in Thai, Indonesian, Romanian, Czech and Farsi

Webmaster Level: All

We pay attention to dozens of different languages in our spam fighting, but sometimes we really want to drill down and concentrate on a small number of languages. We’d like to ask for your help to identify webspam in Thai, Indonesian, Romanian, Czech and Farsi. If you know of sites that violate our webmaster guidelines in these languages, please send us a spam report. We use this information not only to look at the sites listed in reports, but also to improve our effectiveness across the rest of the web in your language.

Thanks in advance for any data you send our way about spam in these languages. Of course, you’re always welcome to submit spam reports in other languages too!

Written by Viktor Nebehaj and Matt Cutts, Search Quality Team
URL: http://googlewebmastercentral.blogspot.com/2010/05/call-for-webspam-reports-in-thai.html

Tuesday, May 4, 2010

[Gd] Taking the Android Show on the Road

Android Developers Blog: Taking the Android Show on the Road

[This spring, the Android Developer Relations team (where I work, too) went on the road round the world with boxes of phones, their laptops bulging with slide-ware. Here we’ve combined write-ups from Billy Rutledge (who leads the Android evangelism team at Google HQ) and Reto Meier, who has a desk in London and wrote the book on Android. Featuring Europe is a little unfair, there are a ton of stories from Asia and North America too, but we wanted to keep this reasonably short. - Tim Bray]

Introduction

Billy: The Android Developer Lab (ADL) events are sponsored by Google to help drive developer interest in the Android platform and increase the quality, as well as quantity of creative, innovative applications in Android Market. This Android Developer Relations tour covered 18 locations around the world; we met with over five thousand enthusiastic Android developers and were thrilled to see the energy and creativity behind your applications.

Reto: The European leg of the Android Developer Lab World Tour consisted of me, Billy, and intrepid local volunteers covering eight labs in eleven days across six countries.

Some of the venues weren't like some of the others.

The goal of the tour was to meet and support local Android communities around the world, get developers excited about Android, and inspire them to create the next generation of innovative mobile applications.

Billy: In these sessions, we tried to help new and experienced developers move forward with their application plans. The core topics included:

  • Status of the Mobile Web

  • Android Opportunity for Developers

  • Android Market Overview

  • Android SDK Key Features

  • Code Labs ranging from HelloWorld to Threads to LiveWallpaper

Reto: The odyssey began in the London Google office, three labs over two days that played host to nearly 200 developers. Our surprise gifts arrived minutes after our first session started - a close enough call that our “there’s a package you need to sign for - any idea what it is?” charade was unscripted and only partially contrived. The heart palpitations were entirely real. London is home to some great Android developers including the teams behind ADC2 winners PlinkArt and BuzzDeck.

After London we battled ice and snow in Stockholm, where Anders Bond told us why Android is a good match for Spotify, and enjoyed the sound of 100 Swedes spontaneously erupting in applause.

In Paris 200 experienced community members joined us for two events at La Cantine. Speakers from FRAndroid, Sfeif, and Diotasoft covered everything from OpenGL development using the SDK to using AppEngine to create scalable backends for your Android apps.

The Berlin event was huge, with over 150 developers travelling in from all across Germany. We saw demos including multi-touch pong, a Live Wallpaper of the changing Berlin skyline, and an app that showed us where to find (and rate!) the nearest public toilets. The night ended (in the small hours) with a private tour of c-base, an experience not to be missed.

Universidad Rey Juan Carlos made us feel very welcome in Madrid. Over 200 developers from across Spain (and Portugal) were in attendance including more winners of ADC1 (Biowallet) and ADC2 (SweetDreams).

Lessons Learned

Billy: Developers have matured to the point where they don't need to be convinced, they hunger for more technical details. While the intro level topics were well received, most developers have advanced beyond this point and seek guidance on more in-depth topics.

Reto:

  • It’s possible for one person to carry up to four boxes each containing ten Nexus Ones at a time.

  • You should not try to carry more than three boxes of Nexus Ones if the conditions are icy. Right Billy?

    Billy: Absolutely!!! :)

  • Announcing free smartphones to a room of developers always results in a spontaneous round of applause.

  • European mobile developers are smart, enthusiastic, and already building the next generation of epic apps for Android.

Billy: After the event series, we opened a volunteer survey to help us guide future efforts:

  • 78% of developers rated the event 4+ stars (of 5 stars)

  • 79% of developers say having Google engineers on hand is "extremely important"

  • 69% of developers say it is "extremely important" to see more test devices at future events

Looking Forward

[These are still at the planning stage, nothing here is a promise. - Tim]

Billy: The Android Developer Relations team plans to lead future Android Developer Lab events in 2010, building on the feedback from the February events. These future events will focus on deeper technical subjects, expecting the attendees to have a basic understanding of the Android platform. We will post the beginner material on-line as a prerequisite.

While it's impossible for us to reach all locations, we'll look to cover the key locations where Android devices are available.

Reto: I hadn’t even made it back to London when the requests started to roll in. Given the success of this tour I don’t imagine it will be too long.

It’s always a great experience meeting the Android developer community, we look forward to seeing you again soon!

URL: http://android-developers.blogspot.com/2010/05/taking-android-show-on-road.html

[Gd] AdWords Downtime: May 8th, 10am-2pm PDT

AdWords API Blog: AdWords Downtime: May 8th, 10am-2pm PDT

We'll be performing routine system maintenance on Saturday, May 8th from approximately 10:00am to 2:00pm PDT. You won't be able to access AdWords or the API during this time frame, but your ads will continue to run as normal.

Best,
- Eric Koleda, AdWords API Team
URL: http://adwordsapi.blogspot.com/2010/05/adwords-downtime-may-8th-10am-2pm-pdt.html

[Gd] Beta Channel Update

Google Chrome Releases: Beta Channel Update

Google Chrome 5.0.375.29 has been released to the Beta channel on Linux, Mac, and Windows.

Some key features from this release include:
  • HTML5 Features: Geolocation, App Cache, web sockets, file drag-and-drop.
  • Integrated Flash Player Plugin
  • V8 performance improvements
  • Preferences synchronization
  • NaCl behind a flag
The changes in Google Chrome 5.0 Beta are explained in more detail on the Google Chrome Blog.

To get on the Beta channel, you can download Google Chrome from
If you find issues, please let us know: http://code.google.com/p/chromium/issues/entry

Anthony Laforge
Google Chrome Team
URL: http://googlechromereleases.blogspot.com/2010/05/beta-channel-update.html

[Gd] Do know evil

Official Google Webmaster Central Blog: Do know evil

(Cross-posted on the Google Online Security Blog)

We want Googlers to have a firm understanding of the threats our services face, as well as how to help protect against those threats. We work toward these goals in a variety of ways, including security training for new engineers, technical presentations about security, and other types of documentation. We also use codelabs — interactive programming tutorials that walk participants through specific programming tasks.

One codelab in particular teaches developers about common types of web application vulnerabilities. In the spirit of the thinking that "it takes a hacker to catch a hacker," the codelab also demonstrates how an attacker could exploit such vulnerabilities.

We're releasing this codelab, entitled "Web Application Exploits and Defenses," today in coordination with Google Code University and Google Labs to help software developers better recognize, fix, and avoid similar flaws in their own applications. The codelab is built around Jarlsberg, a small yet full-featured microblogging application designed to contain lots of security bugs. The vulnerabilities covered by the lab include cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script inclusion (XSSI), as well as client-state manipulation, path traversal and AJAX and configuration vulnerabilities. It also shows how simple bugs can lead to information disclosure, denial-of-service and remote code execution.

The maxim, "given enough eyeballs, all bugs are shallow" is only true if the eyeballs know what to look for. To that end, the security bugs in Jarlsberg are real bugs — just like those in many other applications. The Jarlsberg source code is published under a Creative Commons license and is available for use in whitebox hacking exercises or in computer science classes covering security, software engineering or general software development.

To get started, visit http://jarlsberg.appspot.com. An instructor's guide for using the codelab in classrooms will be available on Google Code University.

Posted by Bruce Leban, Software Engineer
URL: http://googlewebmastercentral.blogspot.com/2010/05/do-know-evil.html

Monday, May 3, 2010

[Gd] Variable Substitution and getMsg

iGoogle Developer Blog: Variable Substitution and getMsg

Gadgets use messages, stored in messagebundles, for internationalization. The most common way to access the messages your gadget has is with variable substitution. For example, a message called north can be specified as
<msg name="north">Nord</msg>
and accessed by using __MSG_north__ your code. The copious underscores lead to the affectionate term “hangman variables” for this substitution notation. Before your code runs, the exact text __MSG_north__ is replaced everywhere with the appropriate value from the messagebundle. In this example it will be “Nord” (French for North, no quotes). This happens in the appropriate places in the XML of your gadget spec as well. So your enum values can be replaced before the controls are made that will show them and everything works as expected. But suppose you have some text in your code that uses a message, something like
dirbox.innerHTML = '__MSG_north__';
This will work fine as well because the substitution happens before the code runs. Now let’s take another message
<msg name="dinername">Chez Sophie</msg>
And some similar JavaScript
dinersign.innerHTML = '__MSG_dinername__';
Everything works fine until we add the English translation
<msg name="dinername">Sophie's Place</msg>
And the code the gadget tries to run is
dinersign.innerHTML = 'Sophie's Place';
where of course the string ends early and the browser will correctly report some odd error on seeing the s after the apostrophe. The error may be reported as an unterminated string literal, a missing semicolon or an illegal character (if your apostrophe is a different character, such as a typographic one).

The gadgets.Prefs.getMsg() function will correctly read the dinername as the string which it’s meant to be.

var dinersign;

var init = function () {
  var prefs = new gadgets.Prefs();
  // Look the message up at runtime: getMsg returns the translation as a
  // string value, so an apostrophe in it never becomes part of the script text.
  dinersign = document.getElementById("dinersign");
  dinersign.innerHTML = prefs.getMsg("dinername");
};

gadgets.util.registerOnLoadHandler(init);

The getMsg function should help make more reliable, robust gadgets in many cases, and it might help resolve some of those errors your users get with language translations that you don’t use so often.
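To make the failure above concrete, here is an added example (not code from the iGoogle post, and not the gadgets API itself) that simulates the hangman substitution step on a JavaScript template, checks whether the result still parses, and contrasts it with a getMsg-style runtime lookup. Because a message's characters are spliced straight into program text, this is the same class of problem as any unescaped template injection, so the example also shows a hardened substitution that emits the value as an escaped string literal. The message bundle, the templates, and the helpers substituteHangman, parsesAsJavaScript, lookupMsg and substituteEscaped are all constructed for this illustration.

```javascript
// Constructed message bundle: the same message names in two locales.
const bundles = {
  fr: { north: "Nord", dinername: "Chez Sophie" },
  en: { north: "North", dinername: "Sophie's Place" },
};

// Hangman substitution as the post describes it: the literal text
// __MSG_name__ is replaced in the source before the script runs, with no
// regard for the JavaScript context it lands in (here: inside '...').
function substituteHangman(template, bundle) {
  return template.replace(/__MSG_([A-Za-z0-9_]+)__/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(bundle, name) ? bundle[name] : match
  );
}

// Does the text compile as a JavaScript function body? The Function
// constructor only parses here; the body is never invoked, so this is a
// syntax check, not an execution.
function parsesAsJavaScript(code) {
  try {
    new Function(code);
    return true;
  } catch (e) {
    return false;
  }
}

// getMsg-style lookup: the message is fetched at runtime and returned as a
// string value, so its characters never become part of the program text.
function lookupMsg(bundle, name) {
  return Object.prototype.hasOwnProperty.call(bundle, name) ? bundle[name] : "";
}

// Hardened substitution (assumed alternative, not a gadgets feature): emit the
// value as a JavaScript string literal. JSON.stringify escapes quotes,
// backslashes and line terminators, so the template must NOT wrap the
// placeholder in its own quotes.
function substituteEscaped(template, bundle) {
  return template.replace(/__MSG_([A-Za-z0-9_]+)__/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(bundle, name)
      ? JSON.stringify(bundle[name])
      : match
  );
}

// Constructed templates: the quoted form from the post, and the bare form
// that the escaping variant expects.
const quotedTemplate = "dinersign.innerHTML = '__MSG_dinername__';";
const bareTemplate = "dinersign.innerHTML = __MSG_dinername__;";

// Run the three approaches against both locales and report what parses.
function demo() {
  return {
    frQuoted: parsesAsJavaScript(substituteHangman(quotedTemplate, bundles.fr)),
    enQuoted: parsesAsJavaScript(substituteHangman(quotedTemplate, bundles.en)),
    enEscaped: parsesAsJavaScript(substituteEscaped(bareTemplate, bundles.en)),
    enLookup: lookupMsg(bundles.en, "dinername"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the French bundle the quoted template parses; with the English bundle it does not, because the apostrophe in "Sophie's Place" terminates the literal early. Both the runtime lookup and the escaped substitution deliver the English string intact. The general lesson is the one from the post: text that is substituted into code must either be kept out of the code entirely (getMsg) or be escaped for the exact context it is inserted into.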
URL: http://igoogledeveloper.blogspot.com/2010/05/variable-substitution-and-getmsg.html

[Gd] Learning from the experience of four extensions developers


Chromium Blog: Learning from the experience of four extensions developers

Since our launch last December, all of us on the Google Chrome Extensions team have been excited to see a steady stream of new developers trying out our platform. Besides reading our documentation, Twitter account and our blog posts, a great way for an interested developer to get up to speed has been to participate in the extensions community. For example, in our discussion group, experienced developers often provide advice and answer questions for those working on their first extensions.

We wanted to take this community knowledge sharing process a step further. We reached out to our friends at Aviary, Zemanta, Web of Trust and Glue and had them discuss their experiences with Chrome extensions on camera. In the videos below, you’ll learn some of the innovative approaches developers from these companies used to create their extensions. You’ll also hear about the technical challenges they faced, the techniques they used to make their extensions more popular, and some of their upcoming plans:



We’re sure that these short videos did not answer all the questions you have, so if you’re attending the Google I/O conference on May 19th, make sure to stop by the sandbox area and meet the Zemanta, Aviary, Web of Trust and Glue teams in person. They’ll be happy to share the benefit of their experiences with anyone looking to write a Google Chrome extension. If you can’t attend, make sure to get involved with the community and we’ll get you on your way to making an excellent Google Chrome extension.


Posted by Arne Roomann-Kurrik, Developer Advocate and Christos Apartoglou, Product Marketing Manager
URL: http://blog.chromium.org/2010/05/learning-from-experience-of-four.html

[Gd] URL removal explained, Part IV: Tracking your requests & what not to remove


Official Google Webmaster Central Blog: URL removal explained, Part IV: Tracking your requests & what not to remove

Webmaster Level: All

In this final installation in our URL removal series, let's talk about following up on your removal requests, as well as when not to use Google's URL removal tool. If you haven't already, I recommend reading the previous posts in this series:
Part I: Removing URLs & directories
Part II: Removing & updating cached content
Part III: Removing content you don't own
Companion post: Managing what information is available about you online

Understanding the status of your requests

Once you've submitted a removal request, it will appear in your list of requests. You can check the status of your requests at any time to see whether the content has been removed, or whether the request is still pending or was denied.

screenshot of removal requests and their status

If a request was denied, you should see a "Learn more" link next to it explaining why that particular request was denied. Since different types of removals have different requirements, the reason why a particular request was denied can vary. The "Learn more" link should help you figure out what you need to change in order to make your request successful. For example, you may need to change the URL in question so that it meets the requirements for the type of removal you requested; or, if you can't do that, you may need to request a different type of removal (one whose requirements your URL currently meets).

If a request has been marked "Removed" but you still see that content in search results, check the following:
  • Is the URL that's appearing in search results the exact same URL that you submitted for removal? It's fairly common for the same, or similar, content to appear on multiple URLs on a site. You may have successfully removed one URL, but still see others containing that same content.
       Solution: Request removal of the other URL(s) in question. See this article for help.

  • Keep in mind that URLs are case sensitive, so requesting removal of http://www.example.com/embarrassingstuff.html is not the same as requesting removal of http://www.example.com/EmbarrassingStuff.html
       Solution: Request removal of the exact URL(s) that appear in search results, including the same capitalization. See this article for help.

  • When a request is marked "Removed," that can mean different things depending on what type of request you submitted. If you requested removal of an entire URL, then "Removed" should mean that that entire URL no longer appears in our search results. If you requested removal of the cached copy of a URL, "Removed" means that the cached copy has been removed and will no longer appear in search results; but the URL itself may still appear.
       Solution: Double-check what type of removal you requested by looking at the "Removal Type" column. If you requested a cache removal but you want the entire URL gone, make sure the URL meets the requirements for complete removal and then file a new request for complete removal of the URL.
When not to use the URL removal tool
  • To clean up cruft, like old pages that 404.
    The tool is intended for URLs that urgently need to be removed, such as confidential data that was accidentally exposed. If you recently made changes to your site and just have some outdated URLs in the index, Google's crawlers will see this as we recrawl your URLs, and those pages will naturally drop out of our search results over time. There's no need to request an urgent removal through this tool.

  • To remove crawl errors from your Webmaster Tools account.
    The removal tool removes URLs from Google's search results, not from your Webmaster Tools account. There's currently no way for you to manually remove URLs from this report; they will drop out naturally over time as we stop crawling URLs that repeatedly 404.

  • To "start from scratch" with your site.
    If you're worried that your site may have a penalty, or you want to "start from scratch" after purchasing a domain from someone else, we don't recommend trying to use the URL removal tool to remove your entire site and then "start over." Search engines gather a lot of information from other sites (such as who links to you, or what words they use to describe your site) and use this to help understand your site. Even if we could remove everything we currently know about your site, a lot of it would come back exactly the same once we'd recrawled all the other sites that help us understand your site and put it in context. If you're worried that your domain has some bad history, we recommend filing a reconsideration request letting us know what you're worried about and what has changed (such as that you've acquired the domain from someone else, or that you've changed certain aspects of your site).

  • To take your site "offline" after hacking.
    If your site was hacked and you want to get rid of bad URLs that got indexed, you can use the URL removal tool to remove any new URLs that the hacker created, e.g., http://www.example.com/buy-cheap-cialis-skq3w598.html. But we don't recommend removing your entire site, or removing URLs that you'll eventually want indexed; instead, simply clean up the hacking and let us recrawl your site so that we can reindex the new, cleaned-up content as soon as possible. This article contains more details on how to deal with hacking.

  • To get the right "version" of your site indexed.
    When a request to remove https://www.example.com/tattoo.html is accepted, http://www.example.com/tattoo.html is also removed. The same is true of the www and non-www versions of your URL or site. This is because the same content is often available at each of these URLs and we realize that most webmasters and searchers don't want these duplicates appearing in search results. In short, the URL removal tool should not be used as a canonicalization tool. It won't keep your favorite version, it'll remove all versions (http/https and www/non-www) of a URL.
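As an added illustration of the matching rules stated in this post (constructed for this page; it is not Google's own logic and does not call the removal tool), the following code groups URLs the way the post describes: the path is compared case-sensitively, while the http/https and www/non-www variants of a URL are collapsed into one removal group. The indexed URL sample and the helpers removalKey and applyRemovalRequest are assumptions made for the example.

```javascript
// Collapse the variants the post says are removed together: the scheme
// (http vs https) and a leading "www." on the host. The path and query are
// kept exactly as given, since URLs are case sensitive there.
function removalKey(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("only http and https URLs are handled: " + url);
  }
  // Hostnames are case-insensitive; the URL parser already lowercases them.
  const host = u.hostname.replace(/^www\./, "");
  return host + u.pathname + u.search;
}

// Given the URLs currently indexed and one removal request, return which
// indexed URLs that request covers and which it leaves in place.
function applyRemovalRequest(indexed, requestedUrl) {
  const key = removalKey(requestedUrl);
  const removed = [];
  const remaining = [];
  for (const url of indexed) {
    (removalKey(url) === key ? removed : remaining).push(url);
  }
  return { removed, remaining };
}

// Constructed sample of an index; mirrors the post's examples.
const indexedSample = [
  "http://www.example.com/embarrassingstuff.html",
  "http://www.example.com/EmbarrassingStuff.html",
  "https://www.example.com/tattoo.html",
  "http://www.example.com/tattoo.html",
  "http://example.com/tattoo.html",
];

// Case matters: only the exact-case URL is covered.
console.log(applyRemovalRequest(indexedSample, "http://www.example.com/embarrassingstuff.html"));
// Scheme and www do not: one request covers all three tattoo.html variants.
console.log(applyRemovalRequest(indexedSample, "https://www.example.com/tattoo.html"));
```

The first call shows why a request for embarrassingstuff.html leaves EmbarrassingStuff.html in the results, and the second shows why the tool cannot be used to keep a preferred http/https or www/non-www version.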
We hope this series has answered your questions about removing content from Google's search results, and helped you troubleshoot any issues that may arise. Join us in our Help Forum if you still have questions.

Posted by Susan Moskwa, Webmaster Trends Analyst
URL: http://googlewebmastercentral.blogspot.com/2010/05/url-removal-explained-part-iv-tracking.html

Sunday, May 2, 2010

[Gd] You and site performance, sitting in a tree...


Official Google Webmaster Central Blog: You and site performance, sitting in a tree...

Webmaster Level: Beginner to Intermediate

...k, i, s, s, i, n, g! Perhaps you heard our announcement that speed is a signal in rankings, but didn’t know where to start. We’d like to help foster a lasting relationship between you and a responsive experience for your users. Last week I filmed my updated presentation from "The Need For Speed: Google Says It Matters" which includes three first steps to understanding site performance. So grab headphones and some popcorn, then verify ownership of your website and download a plugin, and we’ll all be comfy with site performance in no time.



Just curious about the Q&A? No problem! Here you go:

Is it possible to check my server response time from different areas around the world?
Yes. WebPagetest.org can test performance from the United States (both East and West Coast—go West Coast! :), United Kingdom, China, and New Zealand.
What's a good response time to aim for?
First, if your competition is fast, they may provide a better user experience than your site for your same audience. In that case, you may want to make your site better, stronger, faster...

Otherwise, studies by Akamai claim 2 seconds as the threshold for ecommerce site "acceptability." Just as an FYI, at Google we aim for under a half-second.
Does progressive rendering help users?
Definitely! Progressive rendering is when a browser can display content as it’s available incrementally rather than waiting for all the content to display at once. This provides users faster visual feedback and helps them feel more in control. Bing experimented with progressive rendering by sending users their visual header (like the logo and searchbox) quickly, then the results/ads once they were available. Bing found a 0.7% increase in satisfaction with progressive rendering. They noted that this improvement was comparable to that of a full feature rollout.

How can you implement progressive rendering techniques on your site? Put stylesheets at the top of the page. This allows a browser to start displaying content ASAP.

Page speed plugin, videos, articles, and help forum are all found at code.google.com/speed/.

Written by Maile Ohye, Developer Programs Tech Lead
URL: http://googlewebmastercentral.blogspot.com/2010/05/you-and-site-performance-sitting-in.html