Older blog entries for connolly (starting at number 84)

Putting the HTML5 genie back in the bottle in the name of web security?

There's a lot of wisdom in what Crockford continues to say about HTML5 and web security:

The HTML5 proposal does not attempt to correct the XSS problem and actually makes it worse... The fundamental mistake in HTML5 was one of prioritization. It should have tackled the browser's most important problem first. Once the platform was secured, then shiny new features could be carefully added.

It makes a lot of sense in theory, but I doubted the practicality of it in a Dec 2008 item:

after wrestling with the patchwork of javascript security policies in browsers in the past few weeks, the capability approach in adsafe looks simple and elegant by comparison. Is there any chance we can move the state-of-the-art that far? ... it seems an impossibly high bar to reach, given the worse-is-better tendency in software deployment...

He acknowledges the difficulty, to some extent:

HTML5 has a lot of momentum and appears to be doomed to succeed.

He goes on to recommend suspending the current HTML5 activity now:

I think the wiser course is to get it right first. We have learned the hard way that once an error gets into a web standard, it is really hard to get it out.

Would that standards had so much impact. It's true that once a W3C Working Group is in motion, it's difficult for the organization to decide to stop it. But that's really only tangentially related to the heart of the problem: shipping code. Much of the web development community and many of the users have their fingers on the shiny new features; who's going to go first in taking them away?

Syndicated 2010-09-29 15:44:00 (Updated 2010-09-29 15:44:22) from Dan Connolly

18 Sep 2010 (updated 9 May 2011 at 21:10 UTC)

Ditch cable TV? Yes. Build an HD DVR out of old PC parts? Maybe not.

This item was supposed to be entitled Ditching cable for netflix/wii, broadcast HDTV, and a DIY PVR. After watching the digital media marketplace and technology for years, I convinced my family it was time to go for it this summer. We're close, but due to one critical breakdown in my research, we're not quite there.

  1. Cancel TV part of double play TV+Internet subscription, reducing it by ~$60/month.

    We never did go for their triple play with phone service; I signed up for VoIP with ViaTalk when we moved houses a couple years ago, and we've been pretty happy with it. While only the cable company can do on-screen caller-id, I'd rather have stuff like email and SMS notification for messages, for less money. Try it, and tell 'em Dan sent you (referral code 47340A17).
  2. Set up TV for broadcast HD TV.

    The salesperson at Best Buy recommended a $60 active antenna, but we went for the $30 RCA ANT1400 Multi-Directional Digital Flat Passive Home Theater Antenna (White) and it works just fine, even in the basement.
  3. Subscribe to Netflix.

    I wondered about the quality of streaming movies, and the first one we tried was pretty bad. We were planning to buy a Roku box, but first we tried it on my laptop, a MacBook Air, hooked up to the TV. Big mistake. Turns out these things have a well-known cooling problem, and "The problem is aggravated by system-intensive tasks such as video playback". Then we remembered Netflix started supporting streaming to Wii consoles, and we have one of those. It seemed too good to be true, but it's not. It's just like watching a DVD, as far as I can tell. We may or may not ever get a Roku.
  4. Cobble together a PVR out of old PC parts.

    My wife misses some cable-network-only shows, but for the price of a new HD capture card (around $80) it looks like we should be able to timeshift broadcast favorites such as Survivor and Big Bang Theory.
    That was the theory, anyway.

I thought the hard part was video capture, encoding, and recording. Sucking in HD video through a USB gizmo seemed too good to be true; plus, the norm with USB gizmos is that half the smarts is in a proprietary, Windows-only driver.