Planet Dojo

Girl Talk Video

Jon Sykes - Fri, 07/25/2008 - 02:38

I’ve been listening to the new Girl Talk album Feed the Animals more, it really does take 3 or 4 listens to start to become acceptable to your ear and then I think it’s really growing on me. Initially it sounds like someone with extreme ADHD switching radio stations, but after a while the talent and time that had gone into the production overcome that and I have to say I’m starting to love it.

Finding this video (via Last.fm), is the final straw. It’s the original videos from the songs that were sampled, all spliced together. So now it’s like watching someone with extreme ADHD watching MTV while time traveling.

Categories: Web Developement

Development update

LucidDesktop - Thu, 07/24/2008 - 13:37

Ok, so we've been working mostly on trunk in the past days. The rewrite of the backends is going well, we just have to finish the database portion of the code, and then we will be able to start rewriting the backends to work with JSON-RPC. We are focusing on security as one of the goals of the rewrite, and I will use penetration testing tools once the rewrite is complete (I've been reading a lot about pentesting in the past month). Hopefully we can find the courage to finish some of the stuff that needs to be done in the 1.0 branch :).

Steven has finished our new site design, it's just a matter of passing it off to me so that I can write the HTML/CSS for it, and integrate it with the new site. If things go as planned, the new site should be done in a few weeks.

Lastly, we've been thinking of changing our 1.0 release to the 0.9 release. The rewriting of the backends using Zend has opened our eyes to how our backends were put together with duct-tape and chewing gum, and we really don't want that in the 1.0 version. The 1.1 release would be changed to the 1.0 release if this were to happen.

That's about it. If you have any other questions, ask us in our IRC room, or leave a comment to this post.

dojo+django = dojango (just released)

Wolfram Kriesing - Thu, 07/24/2008 - 06:42
Finally we have released dojango. Well, to be honest it’s mostly Tobi’s work that dojango rocks as it does! Big thanks! So if you are still looking for the right JavaScript toolkit to go with django then you are at the end of your search now. Use dojango! Dojango is a reusable django app that provides dojo easy [...]
Categories: Dojo Developers

Thunderbird 2.0.0.16 security and stability release now available

Mozilla Developer News - Thu, 07/24/2008 - 00:32

As part of Mozilla Corporation’s ongoing stability and security update process, Thunderbird 2.0.0.16 is now available for Windows, Mac, and Linux as a free download from www.getthunderbird.com.

Due to the security fixes, we strongly recommend that all Thunderbird users upgrade to this latest release.

If you already have Thunderbird 2.0.0.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

For a list of changes and more information, please review the Thunderbird 2.0.0.16 Release Notes.

Please note: If you’re still using Thunderbird 1.5.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Thunderbird 2 by downloading Thunderbird 2.0.0.16 from www.getthunderbird.com.

Categories: Web Developement

Updates from Portland

Alex Russell - Wed, 07/23/2008 - 22:24

I’ve been in Portland since Saturday, first attending FLOSS Foundations meeting which was very productive, and now attending meetings and tutorials and such. I’ve been a bit disconnected from the rest of the world due to The Conference Effect, but Nikolai from Uxebu gave me a heads-up that today they’ve announced a new Dojo + Django integration project called Dojango. A lot of the Dojo community thinks the Django guys have done a lot of things right, so this kind of integration makes tons of sense. I can’t wait to see how it evolves.

While here I also got wind that Sun has quietly announced a new version of the Java Communication Suite with a rich, Dojo-based web interface. I don’t know if it’s running publicly anywhere, but it looks like an impressive win for Sun’s Communication Suite customers.

If you’re in Portland, I hope you’ll join us for tonight’s dojo.dinner(), 6:30pm at the Chesterfield (and RSVP for it by sending us mail).

Categories: Dojo Developers

dojo.dinner - Portland, OR update

Dojotoolkit.org - Wed, 07/23/2008 - 22:20

UPDATE:

The details for the evening are:

Wed, July 23rd --
Chesterfield / 1101 SE Burnside
6:30pm

map available:
http://maps.google.com/maps?ie=UTF8&oe=utf-8&client=firefox-a&q=chesterf...

(just a few blocks (+/-10?) directly south of the Lloyd Center Max station)

or in a more dojo'y way:

dojo.mixin(dojo,{
    dinner: function(){
       return {
          date:"2008-07-23",
          time:"6:30pm, PST",
          place:"Chesterfield PDX",
          address:"1101 SE Burnside"
       }
    }
});
console.dir(dojo.dinner());

Looking forward to seeing everyone!

This is just an update for my original post:
http://dojotoolkit.org/2008/07/17/ddd-4-5-portland-oregon

Categories: Dojotoolkit.org

Getting Started with Persevere Using Dojo

SitePen - Wed, 07/23/2008 - 13:48

The Persevere server is an open source JSON application and storage server. Persevere pairs well with Dojo; the Dojo Data paradigm has a strong correlation to Persevere’s data storage structure. Virtually everything you can create or action you can perform with Dojo Data can be persisted in Persevere’s data storage including subobjects, arrays, circular references, and functions. Combining Persevere with Dojo allows you to rapidly develop simple database applications with create, read, update, and delete (CRUD) capabilities with minimal effort.

Starting Persevere

To get Persevere running, first download the latest version of Persevere. Next, unzip the Persevere zip file into the directory you want to use for Persevere. Finally, go to the directory where you unzipped Persevere and run:

java -jar start.jar

Persevere should start up as long as Java is installed on your system. You can now access Persevere in your web browser by visiting http://localhost:8080/.

Creating a Persevere Class

The basic container for storage in Persevere is a class; analogous to a table in relational databases. A Persevere class holds object instances, and class style structures can be defined for the object instances including methods and type definitions for the object properties. To create a Persevere class, first open the object browser at http://localhost:8080/browser.html?id=root. The object browser allows you to browse and navigate the objects in Persevere. To create a class, click the button (make sure no object is selected). A dialog will ask you for the name of your class and what class to extend. We will call the class “Product” and we will accept the default base class of “Object”. You now have a data storage structure which can hold Product object instances.

Connecting with Dojo

Persevere is compliant with the HTTP/REST protocol, so the JsonRestStore is very effective with Persevere. However, dojox.data.PersevereStore is an extension of JsonRestStore specifically designed to simplify connecting to Persevere and take advantage of extra features of Persevere. This architecture is designed for a data store instance per server table. With the PersevereStore we can easily get a set of data stores corresponding to the server tables/classes:

dojo.require("dojox.data.PersevereStore");
var deferred = dojox.data.PersevereStore.getStores();

This deferred object will provide an object map of the stores when finished. We can get the data store for our Product table:

deferred.addCallback(function(stores){
	productStore = stores.Product;
});

The data store can be used with various widgets that support data stores. For example to use this table with the Dojo Grid:

grid.setStore(productStore)

or you can set the productStore as the store in the constructor. For example:

grid = new dojox.grid.Grid({
	store: productStore,
	query: ""
}, dojo.byId("gridId"));

With the ability to define any type of object structure, a Persevere data store can be used with virtually any widget. With the referencing capabilities it can be used hierarchically, so it is also well suited for use with the Tree widget.

Create, Read, Update, and Delete

Via Dojo, interacting with Persevere can be done directly with the Dojo Data API. To create our first object instance in the Product table:

paintballGun = productStore.newItem({name:"Paintball Gun",price:129.99});
productStore.save();

We can easily read properties using direct property access or the Dojo Data API:

paintballGun.price; // -> 129.99
productStore.getValue(paintballGun,"price"); // -> 129.99

We can update properties:

productStore.setValue(paintballGun,"price",119.99);
productStore.save();

Note that we do not need to define any type of schema, columns, or structure for a table ahead of time; we can simply create properties dynamically on the objects that we create.

And delete the objects as well:

productStore.deleteItem(paintballGun);

One of the powerful aspects of Persevere is that you can dynamically persist a large variety of data structures. For example, we could save a sub object with manufacturer information:

productStore.setValue(paintballGun,"manufacturer",{
	name:"HotShots",
	rating:4,
	started: new Date(Date.parse("Jul 09 2002")),
	topProduct:paintballGun
});

In this example, we are saving an object as a value, and even including Dates, and a circular reference (back to the product object). Virtually anything you can create with JavaScript can be persisted to Persevere.

Querying

An essential aspect of database interaction is querying. Here we can use the standard query-object convention used by Dojo Data to search for objects. A query object is an object with name-values corresponding to the search filters to apply (and wildcards are supported). For example to find all the objects with a name that starts with “Paintball”:

productStore.fetch({
	query: {name: "Paintball*"},
	onComplete: function(results){
		// results[0] -> paintballGun
	}
});

We can also utilize sorting and paging as well. To sort by price (lowest to highest) and return items 20-29:

productStore.fetch({
	query: {name: "*"},
	sort: [{attribute:"price",descending:false}],
	start: 20,
	count: 10,
	onComplete: function(results){
		// ...
	}
});

Persevere also supports JSONPath/JSONQuery queries, which have a much greater level of expressibility and can be used for more sophisticated queries. For example to search for all the items with a price less than $100 or a rating greater than 3:

productStore.fetch({
	query: "[?price<100 | manufacturer.rating > 3]",
	onComplete: function(results){
		// ...
	}
});

Live Data with Comet

Dojo and Persevere support HTTP Channels which allows for addition of live data updates through Comet notifications. Adding Comet capability is simple, just add the HttpChannels module after the PersevereStore has been loaded:

dojo.require("dojox.data.PersevereStore");
dojo.require("dojox.cometd.HttpChannels");

This is all that is necessary. Dojo will automatically subscribe to all data that is accessed, notifications will be delivered to the client, and the notifications will result in cached data updates and Dojo Data API notifications (which will update the user interface on notification aware widgets like the Grid). No additional coding is necessary to utilize live data updates.

Setting up Security

Out of the box, security is disabled in Persevere to make it easier to begin development. However, security is a key feature of Persevere, allowing Persevere to be safely used directly on the web, accessible from your JavaScript environment. Prior to deployment you should of course enable security, and it is also enabled once the first user account is created. To create a user account, go to the object browser (http://localhost:8080/browser.html?id=root), click on the sign in button, and choose to create a new user. This first user is given the administrative privileges for the system. All data is accessible to this user, but is read only by default for all other users and public access. Additional users may be created by the same process (or programmatically), but subsequent users must be granted access to data.

To enable higher level access for the public or other created users, you can select an object or table and click on the grant access button in the object browser. You can then enter “public” for public access, or a user name to enable write access to the data.

Conclusion

You can see these simple data interaction techniques in sample code in the customers example included in the Persevere download (which can be viewed locally at http://localhost:8080/examples/customer.html). There are numerous other important capabilities of Persevere including server side JavaScript execution through JSON-RPC, schema definition, prototype objects, cross-site referencing, accessing existing SQL databases, and more that are described in the Persevere documentation and we will explore in future tutorials. You should now have enough information to get a quick start to building database applications with Persevere using the oft-used create, read, update, delete, and querying operations, and easily plugging into Dojo widgets, with support for live data updates. You can start building applications almost instantly; no need to create schemas or table definitions ahead of time, simply start creating and building dynamic persistent objects in your data stores, and connect them to widgets for display. You can build your entire application, client and server, in JavaScript.

One Down at OSCON!

Gavin Doughtie - Tue, 07/22/2008 - 18:47

Just finishing my talk with Andrew Hyde on Startup Weekends. Links to the slides and some resources here: oscon2008.html

Categories: Dojo Developers

The stateless state

IBM developerWorks - Tue, 07/22/2008 - 16:00
"State" is a central concern of all sorts of distributed applications, but especially of Web applications, as HTTP and its derivatives are intrinsically stateless. Clear thinking about how data persists across retrievals, sessions, processes, and other boundaries can help you improve your Web applications, both present and future.

Ajax and Java development made simpler, Part 3: Build UI features based on DOM, JavaScript, and JSP tag files

IBM developerWorks - Tue, 07/22/2008 - 16:00
In the first part of this series, you saw how to generate JavaScript code for sending Ajax requests and processing Ajax responses. The second part showed how to create HTML forms, using conventions and JSP tag files to minimize setup and configuration. In this third part of the series, you'll learn how to develop client-side validators based on JavaScript as well as server-side validators, which are implemented as JSP tag files backing up their JavaScript counterparts. You'll also learn how to use resource-bundles that are reloaded automatically when changed, without requiring the restart of the application.

about:mozilla - Executive Director, Air Mozilla, Labs meetup, Firefox 3.1, Community Calendar, and more…

Mozilla Developer News - Tue, 07/22/2008 - 14:05

In this issue…

Mark Surman and the Mozilla Foundation
Mitchell Baker writes, “I’m thrilled to report that we’ve identified the person we believe should lead the Mozilla Foundation into a new stage of activity. That person is Mark Surman, the role is Mozilla Foundation Executive Director. The Mozilla Foundation Board of Directors and Mark would like the Mozilla community and Mark to meet before we make a final decision. We’re inviting interested parties to talk with Mark about the Mozilla Foundation and the Executive Director role, to develop a feel for how well Mark and the Mozilla project fit together.” More information is available at Mitchell’s weblog.

Air Mozilla, this Wednesday
Asa Dotzler will be hosting another exciting edition of Air Mozilla Live on Wednesday July 23rd at 11:00am Pacific time. The guests this week will be Mitchell Baker and Mark Surman. The Air Mozilla broadcast is your opportunity to meet Mark and ask questions about the Mozilla Foundation and the Executive Director role he is currently slated to fill. If you can’t make it to the live broadcast, you can still send your questions in ahead of time by email. More details are available at Asa’s weblog.

Mozilla Labs Meetup, this Thursday
It’s time for another Mozilla Labs Monthly Meetup. This month’s meetup will be held this Thursday, July 24th, 6pm at Mozilla’s office — 1981 Landings Drive, bldg K in Mountain View, California. There will be informal lightning talks and progress updates on the various Labs projects, as well as plenty of opportunity for discussion and hacking. We will be streaming the evening out to the Labs site. If you are in the Bay Area and would like to attend, please take a moment to RSVP by leaving a comment on the Mozilla Labs blog post.

Firefox screencast contest winners
The Firefox screencast contest is over, and there are now 50 new videos to accompany the articles in the SUMO Knowledge Base. The contest team is very happy with the result and is excited to finally announce the winners. For his work on “How to customize the toolbar,” the contest judges chose Cameron Roy as the grand prize winner. Other winners (one for the best screencast for each article) will be contacted shortly about their prizes. Thank you to everyone who participated in the contest — you’ve helped improve the knowledge base immeasurably, and your work will have a lasting impact on Firefox’s 180+ million users. Check out the SUMO weblog post for more information.

Control-Tab: A new (future) feature for Firefox
Jennifer Boriss writes, “Dao Gottwald has been working for a while on his Ctrl-Tab Firefox add-on. Ctrl-Tab has two parts: a filmstrip that allows the user to quickly jump to recently used tabs, and a tab preview mode. These features have been widely used, and lately we at Mozilla have been working to give them a home as a Firefox feature. We’re happy to announce the filmstrip of recently-viewed tabs landed today and will show up in tomorrow’s nightlies as a new Firefox feature.” It is currently expected that this feature will first appear in Firefox 3.1, and there’s lots more information about this new feature and how it will affect Firefox users’ workflow at Jennifer’s weblog.

Firefox 3.1: Support for text attributes and spell checking
Marco Zehe writes, “Friday’s nightly build will include one big new feature in accessibility for Firefox 3.1: Text attributes and spell checking support.” This means that assistive technologies will now be able to get information about the font-family, font-weight, underline style, style, color, and background color of text, and also the language that the text is in, among other things. Additionally, when editing, if a word is misspelled, that word will now include an “invalid:misspelling” attribute. These new features will be fine-tuned over the next few weeks, but the team is looking for feedback if you’re able to help. For more details, please see Marco’s weblog post.

Mozilla Community Calendar
Deb Richardson is putting together a comprehensive list of weekly/regular public project meetings and other events. The wiki page for it is “Community Calendar” on the Mozilla public wiki. The plan is to eventually publish a consolidated version as a shared public calendar that everyone can subscribe to. Please check the wiki page and make any changes or additions necessary.

Firefox 3.0.1 released
As a part of Mozilla Corporation’s ongoing stability and security update process, Firefox 3.0.1 is now available for Windows, Mac, and Linux as a free download from getfirefox.com. It is strongly recommended that all Firefox users upgrade to this latest release. If you already have Firefox 3, you will receive an automated update notification shortly. For more information, including a list of changes, please see the Mozilla Developer News weblog.

Firefox 2.0.0.16 released
In addition to the release of Firefox 3.0.1, Firefox 2 has also been updated, and Firefox 2.0.0.16 is now available for Windows, Mac, and Linux as a free download from http://www.mozilla.com/firefox/all-older.html. It is strongly recommended that all Firefox 2 users upgrade to this latest release. If you already have Firefox 2, you will receive an automated update notification. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

Please note that 2.0.0.x will be maintained with security and stability updates until mid-December 2008. All users are encouraged to upgrade to Firefox 3.

SeaMonkey 1.1.11 security release
SeaMonkey Project News reports that the SeaMonkey project released a new version of its all-in-one internet suite on July 15th, 2008. “SeaMonkey 1.1.11 closes several security vulnerabilities and fixes several smaller problems found in previous versions. With that, SeaMonkey stays at the same level of security as its sibling Firefox 2, which is issuing updates for the same problems this week as well.” The SeaMonkey team urges users of older SeaMonkey versions to upgrade to this latest release. For more information, see the SeaMonkey Project News page.

Developer calendar
For an up-to-date list of the coming week’s Mozilla project meetings and events, please see the Mozilla Community Calendar wiki page.

Subscribe to the email newsletter
If you would like to get this newsletter by email, just head on over to the about:mozilla newsletter subscription form. Fresh news, every Tuesday, right to your inbox.

Categories: Web Developement

window.name Transport

SitePen - Tue, 07/22/2008 - 07:04

The window.name transport is a new technique for secure cross-domain browser based data transfer, and can be utilized for creating secure mashups with untrusted sources. window.name is implemented in Dojo in the new dojox.io.windowName module, and it is very easy to make web services available through the window.name protocol. window.name works by loading a cross-domain HTML file in an iframe. The HTML file then sets its window.name to the string content that should be delivered to the requester. The requester can then retrieve the window.name value as the response. The requested resource never has access to the requester’s environment (JavaScript variables, cookies, and DOM).

Dojo API

To use the window.name transport, you can use dojox.io.windowName’s single function, send, with an API very similar to dojo.xhr:

dojox.io.windowName.send(method, args);

The method parameter can be GET or POST. The args parameter is an object that provides the target URL and other information per the Dojo ioArgs API. When you call dojox.io.windowName.send, it will send the specified request and return a dojo.Deferred object, which you can listen to for the response. For example:

var deferred = dojox.io.windowName.send("GET", {url:"http://somesite.com/resource"});
deferred.addCallback(function(result){
  alert("The request returned " + result);
});

Making Web Services Available with window.name

In order to implement window.name with web services (REST or RPC), the server should simply look for requests that include a parameter windowname. If the windowname parameter is included, the server should respond to the request with an HTML document that sets its window.name to the string that is to be delivered to the client. For example, if a client makes a window.name request like:

http://othersite.com/greeting?windowname=true

And if the server wants to respond to the client with Hello, it should return an HTML page:

<html>
<script type="text/javascript">
window.name="Hello";
</script>
</html>

The value returned to the client will be Hello. One can easily transfer JSON data as well:

<html>
<script type="text/javascript">
window.name='{"foo":"bar"}';
</script>
</html>

The client will then receive the JSON data as a string which can then be parsed with a JSON parser like dojo.fromJson. On the client side, it is highly recommended you use a JSON or secure JavaScript validator if you want to prevent arbitrary code execution and unrestrained access to your environment from the target web service data. To securely parse the JSON, you can test the JSON with the dojox.secure.capability validator prior to calling fromJson:

var deferred = dojox.io.windowName.send("GET", {url:"http://somesite.com/resource"});
deferred.addCallback(function(result){
  // capability.validate will throw an error 
  // if there is unsafe script code in the JSON
  dojox.secure.capability.validate(result,[],{});
  console.log("received object", dojo.fromJson(result));
});

Writing extensive multi-line JSON objects in a quoted string can be rather difficult and error-prone if you are manually creating resources. You can use this template HTML to easily create JSON data that will be delivered as a JSON string without having to manually escape the JSON as a string:

<html>
<script type="text/javascript">
  window.name = document.getElementsByTagName("script")[0]
    .innerHTML.match(/temp\s*=([\w\W]*)/)[1];
  temp= {foo:"bar", // put json data here
 
 
 
 	baz:"foo"}
</script>
</html>

Likewise, if you want to deliver HTML/XML data, here is a template for doing so without manually putting all the data in a string:

<html>
<body>
<p id="content">
some <strong>html/xml-style</strong>data
</p>
</body>
<script type="text/javascript">
 window.name = document.getElementById("content").innerHTML;
</script>
</html>
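
The server-side response described above can also be generated rather than hand-written. The following is an added example, not code from Dojo or Persevere: the function names and the sample record are assumptions, and it contrasts naive string quoting with an encoder that survives quotes, backslashes, line breaks and a literal `</script>` inside the data.

```javascript
// Added example: building window.name responses on the server.
// All function names and the sample data are hypothetical.

// Weak form: drops the payload between double quotes, as one might by hand.
// A quote, newline or "</script>" inside the data breaks the script block.
function naiveDocument(text) {
  return '<html>\n<script type="text/javascript">\n' +
    'window.name="' + text + '";\n' +
    '</script>\n</html>';
}

// Encode any string as a JavaScript string literal that is safe inside an
// inline <script> element.
function toInlineScriptLiteral(text) {
  return JSON.stringify(String(text))   // escapes quotes, backslashes, control chars
    .replace(/</g, "\\u003c")           // no "</script>" or "<!--" can appear
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")      // line separators end string literals
    .replace(/\u2029/g, "\\u2029");     // in older script engines
}

// Hardened form: the same document shape as the templates above.
function windowNameDocument(text) {
  return '<html>\n<script type="text/javascript">\n' +
    'window.name=' + toInlineScriptLiteral(text) + ';\n' +
    '</script>\n</html>';
}

// Per the protocol above, the HTML wrapper is returned only when the request
// carries a windowname parameter; otherwise plain JSON is returned.
function respond(requestUrl, data) {
  const json = JSON.stringify(data);
  const url = new URL(requestUrl, "http://localhost"); // base used for relative URLs only
  if (url.searchParams.has("windowname")) {
    return { contentType: "text/html; charset=utf-8", body: windowNameDocument(json) };
  }
  return { contentType: "application/json", body: json };
}

// Minimal stand-in for the iframe: the HTML parser ends a script element at
// the first "</script>", then the script runs against a window object.
function simulateFrame(html) {
  const match = /<script[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  if (!match) throw new Error("no script block in response");
  const win = {};
  new Function("window", match[1])(win);
  return win.name;
}

// Constructed sample record containing every character class that breaks
// hand-quoted responses.
const sampleRecord = {
  note: 'He said "hi"</script><b>x</b>',
  path: "C:\\temp",
  lines: "a\nb\u2028c"
};

// Round trip: what the requester would read back from window.name.
function roundTrip(data) {
  const response = respond("http://othersite.com/greeting?windowname=true", data);
  return JSON.parse(simulateFrame(response.body));
}
```

The requester still receives a string and should validate it before use, as described above for dojox.secure.capability.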

This module has been tested on Firefox 2 and 3, Safari 3, IE 6 and 7, and Opera 9. You can see a simple test/demo page that loads data using the window.name protocol. By default, this demo loads data from our Persevere server, which now supports this protocol.

Benefits

This technique has several advantages over other cross-domain transports:

  • It is secure, JSONP is not. That is, it is as secure as other frame based secure transports like fragment identifier messaging (FIM), and Subspace. (I)Frames also have their own security issues because frames can change other frames' locations, but that is quite a different security exploit, and generally far less serious.
  • It is much faster than FIM, because it doesn’t have to deal with small packet size of a fragment identifier, and it doesn’t have as many “machine gun” sound effects on IE. It is also faster than Subspace. Subspace requires two iframes and two local HTML files to be loaded to do a request. window.name only requires one iframe and one local file.
  • It is simpler and more secure than Subspace and FIM. FIM is somewhat complicated, and Subspace is very complicated. Subspace also has a number of extra restrictions and setup requirements, like declaring all of the target hosts in advance and having DNS entries for a number of different particular hosts. window.name is very simple and easy to use.
  • It does not require any plugins (like Flash) or alternate technologies (like Java).

How does it work?

Of course you can use the new windowName module without understanding how it works, but since this is a tool for protecting against miscreant web services, you may wish to understand how it provides protection. name is a property of the global/window object in the browser environment, and the value of the name property remains the same as new pages are navigated for the frame. By loading a resource in an iframe where the target page will set the name property for its frame, this name property value can be retrieved to access the information sent by the web service. The name property is only accessible for frames that are in the same domain. This means that Dojo must navigate the frame back to the origin domain after the remote web service page has been loaded, in order to access the name property. The same-origin policy also prevents other frames from accessing the name property while Dojo is retrieving the value. Once the name property is retrieved, the frame is destroyed.

At the top level, the name property is not secure: any information put in the name property is available to all subsequent pages. However, the windowName module always loads resources in an iframe. The iframe is destroyed once the data is retrieved, or when you navigate to a new page at the top level, so other pages never have access to the window.name property.

The principal vector of attack is for other frames to attempt to access the loading frame and navigate that frame to their own domain in order to access the name property (using the same technique that Dojo does). However, navigating frames that are not child or parent frames is not permitted in most browsers, and therefore the third party frames are blocked from this action by the browser. Only the main frame that is loading the resources can access this information. Unfortunately, Firefox 2 does not block this action. Consequently, the windowName module uses a set of three nested frames, where the 1st frame blocks all frame traversal to the 2nd frame using dynamically installed getters that return null. This means that third party frames can never traverse the frames to get a reference to the 2nd or 3rd frames, and consequently can never induce navigation of the target frame (the 3rd frame) in order to access the name property. Same-origin security prevents the third party frame from removing the installed getter that protects access to the inner frames as well. These measures protect against attacks and ensure that data can be delivered securely.

The idea for the window.name transport is based on Thomas Franke’s library for doing session variables with window.name, but this obviously has a completely different goal.

Conclusion

The next generation of browsers will most likely include native capabilities for securely accessing resources from other sites; however, it is extremely valuable to have a safe, efficient means for loading data from other domains with current browsers, in order to build secure mashups. The window.name transport provides an efficient secure mechanism for loading data and can play an important role as a foundation for client-side mashups for current and legacy browser technology. The new Dojo windowName module is an easy-to-use tool for leveraging this transport, and handles the cross-browser issues and protects against the different attack vectors so you can safely utilize this protocol. The Dojo windowName module is available in nightly Dojo builds, and will be available with Dojo 1.2.

Firefox 3.1 Alpha 1 code freeze is on

Mozilla Developer News - Tue, 07/22/2008 - 06:59

As discussed for the past two weeks in our usual developer meetings, we’ve frozen the mozilla-central repository as of 23:59 PDT in order to prepare Firefox 3.1 Alpha 1 for delivery. The tree will be held frozen to allow several build cycles to run through our automatic tests, and the build team will begin the process of tagging and building tomorrow morning at 09:00 PDT. Once tagging is complete, the repository will re-open.

Categories: Web Developement

What the Heck is the Open Web?

Brad Neuberg - Mon, 07/21/2008 - 23:35
Do you toss the term Open Web around? Ever wonder what the heck it means? Me too.

I'm looking for a definition of the Open Web that:
  • Isn't a laundry list of bullet points
  • Is one or two sentences long
  • Doesn't constrain the web from growing in the future (i.e. that it's expansive enough that it's not just defending the status quo but can adapt to new innovations)

I've got my own opinions on these but I'm interested in hearing what you think. Basically, what's the elevator pitch for the Open Web? It's easy to talk to the Converted (tm), but what about when talking to other folks that might not care as much yet?

You get bonus points if you can answer the following:
  • If Adobe were to open source Flex/Flash, or Microsoft Silverlight, would that be the Open Web? If so, why? If not, why not?
  • Why should developers care about the Open Web? How about users?
  • How would you define the web itself, again in a way that doesn't constrain it from future growth and development (i.e. "It's a place to publish a bunch of documents" doesn't allow room for deploying applications, as we are seeing with Ajax today).
We toss around the term Open Web a bunch, but I've never seen it succinctly defined. What is it, and why do we support it? I believe it's important and worth supporting but it's all a bit fuzzy right now.

Post your thoughts and answers to these questions on this blog post.
Categories: Dojo Developers

Font Embedding on the Web

IEBlog - Mon, 07/21/2008 - 19:43

Hi! It’s Bill Hill here again, still fighting the good fight to make typography on the Web as good as we’re used to seeing in print. We made significant progress this week, when one of the USA’s most prestigious font companies announced its support for the Embedded OpenType format for font embedding on the Web, and launched a new website to promote other browsers to support it in addition to Internet Explorer (which has had EOT support built-in since 1996).

At the same time, Ascender Corporation and its collaborators in the typographic community also warned of the legal dangers of using the Font Linking mechanism currently supported by other browsers.

Read the announcement in full or visit the new Ascender site for further details.

Font Embedding with EOT

Embedded OpenType (EOT) is currently before the W3C in a submission to make it an open Web Standard. The format was previously proprietary to Microsoft. We created it to enable font embedding within Microsoft Word documents in the early 1990s, and it was later extended for use on the Web by Internet Explorer.

In its introduction to the technologies of font embedding on the Web, Ascender says, “Fonts play a critical role in the display, printing and manipulation of text-based information and content. Font embedding is a broad and complex topic, and we hope this website becomes a valuable resource for everyone who creates or uses fonts to learn more about proper font usage and licensing.”

The website has sections covering issues such as:

  • Fonts and the Law
  • Document Font Embedding
  • Fonts and the Web (a comparison of the various embedding technologies)
  • Shipping Fonts with Applications, Digital Content, and Devices

In the section on Fonts and the Web, Ascender compares EOT, sIFR and Font Linking, and welcomes the move by Microsoft and Monotype Imaging to propose EOT as a W3C standard (Monotype Imaging, another prestige font company, developed MicroType® Express compression to reduce the size of EOT files). The proposal has been with W3C for several months.

“EOT offers several advantages for type designers, and web designers. For type designers EOT creation tools must respect the embedding permissions built-into their fonts and EOTs are bound to a specific web page or site. For web designers an EOT can contain a subset of the glyphs, and it can be compressed – both of these features can shrink EOT file sizes to reduce download times and improve performance,” says Ascender.

Font Linking, in which raw font files are stored on a server and downloaded using the @font-face mechanism, falls outside the realm of fonts embedded in documents, Ascender warns. “Web page designers should be very careful to avoid violating commercial font EULAs (end-user licensing agreements) by placing fonts on Web servers”. Ascender’s own EULA, for instance, prohibits installing fonts on servers without purchasing an extended license.

In concluding its comparison, the website continues, “Ascender believes that although not perfect, EOT represents the best current solution for type designers and font foundries to protect their Intellectual Property. It is the only web font embedding solution that respects font embedding permissions, uses an industry-proven subsetting and compression mechanism, and ties embedded fonts to specific web sites. Ascender hopes that other web browsers will make it a priority to support EOT once it becomes a W3C standard.”

The site also has some free fonts to promote the technology, and the first Web-based EOT creation tool.

This endorsement prompted me to go back and start playing around with font embedding, since I hadn’t looked at it in some time. I started by downloading WEFT, the Windows Embedding Font Tool, from the Microsoft website.

Before you try to use the tool in earnest, it’s really worthwhile going through the tutorial on the same page, which has some code samples. There’s also more good information in the “Troubleshooting and Testing” section on the WEFT page.

Don’t expect the tool to do all the work, though. It’s great at creating EOT files and the CSS Font Declarations used to link your pages to them. But - depending on the complexity of the source files for your pages - you may have to do some manual coding to get them to work properly.

Give it a Try, with a Caveat 

Here, I have to do a huge mea culpa.

Creating a set of pages using EOT allowed me to experiment with what a blog, for instance, might look like if it was designed for readability. But I’m a type and font guy – not a Web code jockey. I just wanted to see, quickly, what readable pages might look like. This was an experiment. I didn’t want to start hand-crafting pages. So I took the easy route, and used a publishing application with which I’m very familiar to generate the multicolumn pages.

This is “throwaway code”. It’s verbose, arcane and in lots of places it’s proprietary. A real Web guru like Chris Wilson takes one look, and you just know he’s controlling the urge to scream. The W3C HTML Validator, though, doesn’t manage to control the urge to scream: “85 coding errors, you moron! Starting with no <Doc Type>!”

My pages offended Chris so much, he immediately made a start at re-coding them so they’ll validate and meet Web standards. If I was a sensitive soul I’d be offended, but like I said, I’m no coder. And what a great way to recruit a very busy guy to do some coding for you. My pages are like a crooked picture on a wall which Chris passes every day – if he doesn’t straighten it, it’ll drive him mad…

Just his first pass at making a “legitimate” version of the first page took its size down to only 25% of the original. And even I can tell the code’s a lot better. We’ll work to get “legitimate versions” of the pages posted. We’d have preferred to do this before this blog post, but Chris said something about wanting to spend the weekend with his family or something :), and I wanted to highlight the Ascender announcement while it was timely.

Anyway, if you’re going to blame anyone for the code, blame me.

With that huge caveat, you’ll find my pages at:

http://billhillsite.com

They’re definitely a work in progress, so expect the odd glitch. For example, one or two people have reported mild clipping issues on some displays. I’ll need to investigate.

They were designed to be viewed on a 1400 x 900 display, and should be viewed using the F11 key to make Internet Explorer go FullScreen, to get rid of menus, address bars and anything else that distracts from reading. I’ve got into the habit of toggling F11 to go from my personal “reading” mode to “browsing” mode – where I want all those menus and toolbars…

I had to manually tidy up and paste the @font-family declarations, which look like this:

<style>
   @font-face {
   font-family: Cambria;
   font-style: normal;
   font-weight: normal;
   src: url(CAMBRIA2.eot);
   }
</style>

I’ve given feedback on these issues to the team, and we’re working out what can be done to reduce the need for manual tweaking.

Of course, since we’ve opened up the EOT format, we hope other tools will soon be generating EOTs as well, such as the Ascender site. Since the W3C submission includes sample code, it would be great if the tools you use to author pages would integrate EOT generation into the process. Then the code would be more tightly integrated as well.

The good news is that if you have to do some manual tweaking, once you’ve got it right for one page, the code can be easily copied and pasted into your other pages. Even better, you can put it in a Style Sheet, and have all the pages reference it.

Working with WEFT and EOT

One performance tip for embedding fonts in your pages is to use the subsetting capability available in the WEFT tool to generate the font objects with only the characters you need. They’ll be smaller, and faster to download.

For instance, if you write in English, then you’re unlikely to use the Cyrillic or Greek characters, and you could use “language-based” subsetting. There are seven subsetting options in the tool, including “per page” and “per site”. Since my test site’s a blog which should be frequently updated, I opted at first for “no subsetting”, which creates the largest font objects - but means I’ll never need to update them whatever new content I create in future.

However, on reflection, I thought this might be overkill, and tried language-based subsetting, and got a huge performance improvement!

Calibri and Cambria, for instance, are big fonts with four true weights each, all of them painstakingly hinted for maximum readability at small sizes. The four weights ended up as font objects of ~175K each without subsetting. With language-based subsetting, they were only one-third the size of the original EOTs and the page rendered just the same – only a lot faster.

Nice thing is, as long as I made sure the names of the objects for each font and style remained the same, I was able to just swap out the objects in the root directory of my site, without having to change the code in any of my pages.

Another production tip from my experience which can save you a lot of time: WEFT will let you analyze pages on your Web server – but you can tell it to create the font objects on your local hard drive. Generating the objects on the Web can take a loooong time. Using your local machine it’s very quick, and you can then FTP them to your site.

Font embedding is critical not just to allow designers to make distinctive pages, but for readability. Building fonts that work for text at normal reading sizes of 11 and 12 points requires a lot of work. It could take a designer anywhere from a year to three or more years to develop a full character set, hint it properly to work at screen resolution, and so on.

However, anyone who has a copy of Windows Vista, Office 2007 or Mac Office 2008 already has a great set of fonts they can embed in Web pages. They’re called the C* fonts (because they were optimized for ClearType, and thus all given names which began with “C” :)): Calibri, Candara, Consolas (a monospaced font for coding), Cambria (which also contains a set of 4000 Math characters), Constantia and Corbel.

I know personally how much effort went into creating them, because at the time I was managing the group which ran the project. Outside designers created the outlines from their winning entries for a competition we ran, and then the fonts were hinted by the best in the business.

The project took a long time and cost a lot of money – which is why we don’t just give these fonts away. They add a lot of value to the applications (and operating systems) which ship them. But they all have Embedding permissions set to “Editable”, which means you can freely embed them using EOT, as long as you bought one of the products in which they shipped – although you are not allowed to just copy the .TTF font files to a server.

My absolute favorites for reading on screen are Cambria and Calibri. I use them for body text at 12 point because I sit a little farther away from the screen than I would read from paper (where the optimum size is 11 point). The faces also all have true italics, bold, and bold italics – none of your ugly, synthetic, machine-generated rubbish! A true italic face has unique characters, which are not just a skewed regular or Roman…

The Future of EOT

Remember, these pages will work only in Internet Explorer right now, because it’s the only browser which supports EOT font embedding. EOT was a great idea for Word back in the 1990s, and it was a great idea for the Web in 1995. But because Netscape at that time adopted another standard, and we kept EOT proprietary, no-one used either.

That’s why, last year, I gathered a group of folks together and began a campaign to make EOT an open standard and put a full proposal in front of the W3C.

I really hope it will become a standard, and other browsers will also implement it, because it’s a much-needed solution to the problem of using fonts on the Web that meets the needs not only of end-users and Web designers (who get to use the commercial fonts they already know), but also commercial font creators, more of whom will start enabling embedding as a result.

We have to solve the issue of fonts on the Web in a way that’s fair to everyone in the ecosystem.

Try experimenting with EOT embedding. I’d love to see some samples from people who actually know what they’re doing…

Bill Hill
Program Manager

edit: added two additional headers for readability

Categories: Web Development

DnD Editor Update: Grid Wars

Dojotoolkit.org - Sun, 07/20/2008 - 22:39

This week I've been trying to integrate the GridContainer into the form creator, so users can create forms with multiple columns. Unfortunately, it hasn't been an easy drop-in replacement, and I've discovered some bugs. #7217 turned out to be a "mini flub", easily fixed once I found the faulty code. I think #7218 will be another simple fix (fingers crossed) as soon as I figure out what event to hook into.

But there are still some bigger problems that I'm not sure how to fix yet. I have a not-pretty-or-working demo to see them in action:

  • can't move elements across columns
  • the container loses track of an element if you pull it outside the column; watch the target box disappear
  • dragged elements fly back to their original position, instead of dropping onto a new spot

Whether these are problems with my code or the GridContainer is still to be determined, but since the SoC is quickly coming to a close, I'm going to turn my attention to other bugs for now.

Categories: Dojotoolkit.org

Mozilla Firefox 3.0.1 Released

mozillaZine News - Sat, 07/19/2008 - 17:22

The first minor update to Mozilla Firefox 3 has been released. Firefox 3.0.1 fixes three critical security vulnerabilities, improves stability and resolves a handful of other small bugs.

The security fixes are detailed in the Firefox 3.0.1 section of the Security Advisories for Firefox 3.0 page. Two of the issues — one related to how Firefox handles command-line URLs to open multiple tabs and another allowing remote code execution by overflowing a CSS reference counter — were also present in Firefox 2 and fixed in Tuesday's Firefox 2.0.0.16 release. Security improvements in Firefox 3 mean that it's not vulnerable to some of the Firefox 2 variants of the command-line multiple tab exploit but it can still be compromised by combining the attack with a script injection flaw.

The final flaw only affects Mac OS X and allows an attacker to crash Firefox with a malformed GIF file, potentially gaining the ability to execute arbitrary code on the victim's computer. This vulnerability is not present in Firefox 2.

The non-security fixes include an issue where the phishing and malware database did not update on first launch and a problem that could cause Firefox to not save the security certificate exceptions list properly. A bug that could result in missing output when printing a selection from a page (bug 433373) was resolved and a Linux issue causing Firefox to always start in offline mode when using a PPP connection (bug 424626) was also fixed. The Public Suffix list has also been updated (bug 438585).

The Firefox 3.0.1 Release Notes have more details about the fixes in this minor upgrade. The new version can be downloaded from the Firefox product page or the Firefox 3.0.1 directory on releases.mozilla.org but most Firefox 3 users are expected to get it via the software update feature built in to the browser or their own operating system's update facility.

Categories: Web Development

Mozilla Firefox 2.0.0.16 Released

mozillaZine News - Sat, 07/19/2008 - 16:41

Mozilla Firefox 2.0.0.16 was released this week. The stability and security update to Firefox 2 fixes two security bugs, which are detailed in the Firefox 2.0.0.16 section of the Security Advisories for Firefox 2.0 page. Both are rated Critical, the highest of the four ratings.

One flaw is related to how Firefox handles command-line URLs to open multiple tabs and allows an attacker to open potentially malicious URLs in Firefox from another application. One variant of this attack exploits the widely-reported Safari carpet-bombing vulnerability but others also exist. Somewhat ironically, the exploit relies on Firefox not being open at the time of the attack.

The other vulnerability allows an attacker to crash and run arbitrary code on a victim's computer by overflowing a CSS object reference counter. The detailed bug reports for both issues are currently access-restricted to avoid assisting attackers but will be fully opened after users have had some time to install Firefox 2.0.0.16.

Although Firefox 3 was released in June and all users are encouraged to upgrade, Firefox 2 will be maintained with security and stability upgrades until mid-December 2008, according to the Mozilla Developer News weblog, which reported on the release of Firefox 2.0.0.16 on Tuesday. Version 2.0.0.16 is the second Firefox 2 update to be released since the launch of Firefox 3 and follows on from Firefox 2.0.0.15, which fixed twelve security issues.

Existing Firefox 2 users will be offered 2.0.0.16 via the browser's built-in software update feature if enabled. It can also be downloaded from the older Firefox releases page or the Firefox 2.0.0.16 directory on releases.mozilla.org, where it is available in over forty localizations for Windows, Mac OS X and Linux. The Firefox 2.0.0.16 Release Notes contain more general information about the upgrade.

Categories: Web Development

Mozilla Firefox 3 Download Day Sets Official Guinness World Record

mozillaZine News - Sat, 07/19/2008 - 15:36

The official Mozilla Blog has confirmation that Mozilla Firefox 3 now holds the official Guinness World Record for the largest number of software downloads in twenty-four hours. On Download Day, there were 8,002,530 downloads of Firefox 3 between 6:16pm UTC/GMT on Tuesday 17th June 2008 and 6:16pm UTC/GMT on Wednesday 17th June 2008.

Gareth Deaves, Records Manager for Internet and Technology at Guinness World Records, presented the official Guinness World Record certificate to Mozilla Europe President Tristan Nitot at a ceremony in London on Wednesday 9th July. While this official certificate is held by Mozilla, anyone who contributed to the record attempt can download their own personalized Firefox 3 Download Day certificate from Spread Firefox.

In a weblog post, Gervase Markham explains that the actual Download Day figure should be 8,002,529, as a Guinness World Records representative downloaded Firefox 3 during the twenty-four hour period, which cannot count as he is an official. Meanwhile, Mary Colvig has posted some details about the behind-the-scenes efforts that went into organizing Download Day and Asa Dotzler has published responses to some criticisms of the Guinness World Record attempt.

Categories: Web Development

OSCON ‘08

Alex Russell - Sat, 07/19/2008 - 01:31

I’m leaving tomorrow for my yearly trek to Portland for OSCON. If you’re going, don’t hesitate to drop me a line if you want to catch up or RSVP for the Dojo meetup/dinner on Wed evening.

Speaking as a member of the OSCON program committee, I’m very happy about the quality of the talks in the web-ish tracks this year. There’s even a Dojo talk – even though for the first time in a long while, I won’t be giving any talks. The inimitable Matthew Russell, author of ORA’s Dojo: TDG will be giving an awesome talk on 2D drawing with Dojo’s GFX system. I know he’s got some awesome demos worked up, so I can’t wait to see the talk. Gavin Doughtie, occasional contributor to the GFX system, is also giving several talks that you’ll find me in. Should be a lot of fun.

On a more macro scale, though, I’ve started to become concerned that “Open Source” as a brand has lost its way. Those who would speak for Open Source have focused narrowly on licensing and have largely ignored the other social processes and artifacts that define what it means to contribute to OSS projects and how those artifacts lead to success or failure of projects, and therefore, of the movement such as it is. There’s a huge disconnect between what the letter of the Open Source law dictates (the licenses) and the social and process constraints that are required to build high-quality, trustable communities that ensure 100 point OSS products, and many businesses have struck on these differences as a way to use the Open Source brand to imply or insinuate that users should trust their products more than is warranted. OSI’s failure to address this brand erosion has had some troubling effects in the small JavaScript corner of the OSS world of late, and I know we’re not alone. OSI has also proven completely impotent in preventing license proliferation, further eroding the Open Source brand. There are, of course, lots of folks who are also concerned about these things, and so I’m excited to see David Recordon (of OpenID, etc. fame) giving a talk which looks to talk about some of the community aspects. I tend to blow off “community” talks at conferences, but given David’s use of the phrase “Open Web” and his unique perspective, I’ll be interested to see what he says. I’ll also be curious to see if and how any of this is discussed at the FLOSSCON meeting of OSS Foundation leaders tomorrow and Sunday.

If you’ll be in Portland next week, don’t hesitate to join us for the dojo.dinner() on Wed. I’m looking forward to seeing everyone again and talking through the issues. Should be a great time.

Categories: Dojo Developers