?

Log in

Previous Entry | Next Entry

11 advices about HTML5

An article just hit the /. front page, claiming to tell us 11 hard truths about HTML5. Parts of the article are written in an extremely fear-positive tone. The article also implies that the problems it describes are specific to HTML5 when, first of all, they are really largely specific to AJAX, and secondly, they exist only for programming teams that simply don't bother to think about security.

It's probably worth reading the article, but I have a couple of observations to make about it from a programmer's perspective, and also a bit of lampooning to do.

Truth 1: Your Web API must be secure.

The security interface for your web service has to be on the web server. Any security checks you are depending on your javascript code to do will be bypassed. So your javascript code can't check to see what your privileges are before doing a RESTful query: the server-side implementation of the RESTful query has to check to see what your privileges are.

Truth 2: Data stored on the device is not persistent.

Duh. Persistent just means the data will be there until it's deleted. You can't control when it's deleted. The user might connect from somewhere else. Tag your data, notice that it's not there, and refresh it. Keep the official version on the server. If your app can modify the data offline, you need to have a strategy for syncing when the app comes online, and that strategy needs to account for the possibility of conflicting edits. If you're familiar with CVS, you already know this problem, and know basically how to deal with it.

Truth 3: Don't put security tokens in the local data.

Duh. If you can't rely on the javascript on the browser to be secure, you can't rely on the data on the browser to be secure either. So don't. See figure 1.

Truth 4: You have to support offline syncing.

I already covered this in 2.

Truth 5: I'm not going to tell you this one.

The article I'm lampooning gets this right, so it would be wrong of me to simply quote it here. Go read the article. Executive summary:
So I tell you - Thus shall ye think of all this fleeting world:
A star at dawn, a bubble in a stream;
A flash of lightning in a summer cloud,
A flickering lamp, a phantom, and a dream. 

Truth 6: Google Plus made a lot of bad missteps.

Can't argue with this one. Again, RTFA. Executive summary: what's old is new again.

Truth 7: The javascript scheduler sucks.

Truth 8: Media format support is not guaranteed

Truth 9: A foolish consistency is the hobgoblin of small minds.

Actually, consistency would be nice, but there'd be fewer geek jobs, so I guess there's a bright side.

Truth 10: Touch screens are not mice.

Truth 11: It's a jungle out there.

Man...
Who trusted God was love indeed
And love Creation's final law --
Tho' Nature, red in tooth and claw
With ravine, shrieked against his creed.
  --Alfred, Lord Tennyson