
Web Development Reading List #171: Leaks, SHA-1 Collision, And Brotli

Phew, what a week! Due to an HTML-parsing bug, Cloudflare experienced a major data leak, and the first practical collision for SHA-1 was revealed as well. We should take these events as an occasion to reconsider whether a centralized front-end load balancer that modifies your traffic is a good idea after all. And it’s definitely time to upgrade your TLS certificate if you still serve SHA-1, too. Here’s what else happened this week.

Further Reading on SmashingMag:

News

General

Tools & Workflows

  • Joseph Zimmerman introduces us to Webpack [10]. What I really like about this article is that it’s not another article sharing pre-built sets of configurations but that it explains every detail step-by-step.
  • Oh shit, git! [11] Don’t be afraid of git anymore thanks to this emergency guide that helps you solve the most common problems with the versioning system.

Oh shit, git! [12]
Something went wrong in Git, but you don’t know how to get yourself out of the mess? “Oh shit, git!” [13] has got your back.

Security

  • Mitigating Cross-Site Request Forgery attacks has never been easy. Luckily, it seems that we now have a proper solution for it: Same-Site Cookies [14]. The only thing you need to do to make it work is to add a SameSite attribute to your existing Set-Cookie header. Of course, you should know how same-site cookies differ from “normal” cookies, but for most sites this should be easy to implement.
  • A joint venture of five journalists researched how the private security industry works and what price we as citizens pay for our security [15].
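To make the SameSite item concrete, here is an added example (my own code, not from the newsletter or from the linked article) that adds a `SameSite` attribute to an existing `Set-Cookie` header and models, in simplified form, when a browser attaches such a cookie to a cross-site request. The header values and request parameters are constructed; the `cookieSentOn` helper is a deliberately reduced model of the browser rules (no handling of redirects, cookie-name prefixes or the later `SameSite=None` value).

```javascript
// Added example: hardening Set-Cookie with SameSite and modelling its effect on CSRF.
// Not the newsletter's or the linked article's code; all inputs below are constructed.

// Split a Set-Cookie header into its name=value pair and a list of [attribute, value] entries.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = rest.filter(Boolean).map((a) => {
    const i = a.indexOf("=");
    return i === -1 ? [a, true] : [a.slice(0, i), a.slice(i + 1)];
  });
  return { pair, attrs };
}

// Case-insensitive attribute lookup, as browsers treat attribute names.
function hasAttr(cookie, name) {
  return cookie.attrs.some(([k]) => k.toLowerCase() === name.toLowerCase());
}

function serializeSetCookie({ pair, attrs }) {
  return [pair, ...attrs.map(([k, v]) => (v === true ? k : `${k}=${v}`))].join("; ");
}

// Add SameSite to a header that lacks it. An existing SameSite value is left untouched
// so a deliberate Strict setting is not silently downgraded to Lax.
function hardenSetCookie(header, mode = "Lax") {
  const cookie = parseSetCookie(header);
  if (!hasAttr(cookie, "SameSite")) cookie.attrs.push(["SameSite", mode]);
  return serializeSetCookie(cookie);
}

// Simplified browser model: does the cookie travel with this request?
//   sameSite: "Strict", "Lax" or undefined (no attribute = classic cookie, always sent)
//   request:  { crossSite, topLevelNavigation, method }
function cookieSentOn(sameSite, { crossSite, topLevelNavigation, method }) {
  if (!crossSite) return true; // same-site requests are never restricted
  const v = (sameSite || "").toLowerCase();
  if (v === "strict") return false; // never sent cross-site
  if (v === "lax") {
    // Sent only when the user navigates to the site with a "safe" method (e.g. clicking a link).
    return topLevelNavigation && ["GET", "HEAD", "OPTIONS", "TRACE"].includes(method);
  }
  return true; // classic cookie: a forged cross-site POST carries the session cookie along
}

module.exports = { parseSetCookie, hardenSetCookie, cookieSentOn };
```

Usage: run `hardenSetCookie` over every `Set-Cookie` header your application emits (or set the attribute in your framework's cookie options); `cookieSentOn(undefined, { crossSite: true, topLevelNavigation: false, method: "POST" })` returns `true`, which is exactly the CSRF case, while the same request with `"Lax"` returns `false`.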

Privacy

  • It’s not your computer that is the most vulnerable device, it’s your smartphone. In fact, for a small amount of money, everyone can easily buy spyware [16] that works on most Android phones. For iOS, things look a bit better unless the device is jailbroken. But this doesn’t necessarily mean that spyware doesn’t exist for that system as well.

Web Performance

Brotli support [18]
With support for Chrome, Firefox, Opera and the Android browser, Brotli does a better job at compressing resources [19] than its predecessor Gzip.

JavaScript

Going Beyond…

AirInk [23]
Turn something ugly into something beautiful: A team at the MIT Media Lab developed artist’s ink made from air pollution. (Image credit [24])

And with that, I’ll close for this week. If you like what I write each week, please support me with a donation [25] or share this resource with other people. You can learn more about the costs of the project here [26]. It’s available via email, RSS and online.

— Anselm

Footnotes

  1. https://www.smashingmagazine.com/2016/10/next-generation-server-compression-with-brotli/
  2. https://www.smashingmagazine.com/2015/12/making-accessibility-simpler/
  3. https://www.smashingmagazine.com/2014/05/team-collaboration-closing-efficiency-gaps-responsive-design/
  4. https://www.smashingmagazine.com/2015/07/development-to-deployment-workflow/
  5. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
  6. https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
  7. https://webkit.org/blog/7423/release-notes-for-safari-technology-preview-24/
  8. https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/
  9. https://ana-balica.github.io/2017/02/21/code-review-checklist/
  10. https://www.smashingmagazine.com/2017/02/a-detailed-introduction-to-webpack/
  11. http://ohshitgit.com/
  12. http://ohshitgit.com/
  13. http://ohshitgit.com/
  14. https://scotthelme.co.uk/csrf-is-dead/
  15. https://thecorrespondent.com/10221/security-for-sale-the-price-we-pay-to-protect-europeans
  16. https://motherboard.vice.com/en_us/article/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy
  17. https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
  18. https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
  19. https://www.voorhoede.nl/en/blog/static-site-implosion-with-brotli-and-gzip/
  20. https://medium.com/@matuzo/writing-javascript-with-accessibility-in-mind-a1f6a5f467b9
  21. https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
  22. http://transit.iee.ucsb.edu/research/computing/projects
  23. https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
  24. https://www.kickstarter.com/projects/1295587226/air-ink-the-worlds-first-ink-made-out-of-air-pollu
  25. https://wdrl.info/donate
  26. https://wdrl.info/costs/


is a freelance front-end developer and architect and cares about sustainable front-end experiences and ethical choices in life. He curates the WDRL, a weekly handcrafted web development newsletter that thousands of developers love, subscribe to, and donate for.

  1.

    Thank you for the article Anselm,

    But I have some feedback to add re: “How does your team review code?”

    Using the following link will ensure that your code is 100% compliant:

    WRC Markup Validator

    There is however one downside that you can only scan 1 page at a time.

    If there is another website where you can check multiple pages at a time please let me know.

    Kind regards,
    Ryan

  2.

    Really liked that article on serving static Brotli content. As a fan of SSGs, this seems like the perfect execution. Sadly I’m currently hosted with Github Pages and can’t make use of these server-level optimizations right now. :/

