JavaScript roundup

A number of random JavaScript musings from recent events, none of which are meaty enough to constitute a blog post.

First off, congrats to Jack Slocum on launching ext and Dean Edwards on unleashing base2. It’s great to see solid work pushing things forward in the JavaScript world.

Coach Wei of Nexaweb wrote an insightful, sad, yet accurate account of Dojo and Ajax performance and bloat. Dojo 0.9 base and core should help a lot with this. Stay tuned for more details on our early summer release of Dojo that will have significant performance improvements and much less code bloat by default. But the other point he raises is that which we have attempted to resolve with a JS Linker. Though significant efforts were made last summer to bring this project to alpha quality, we do not currently have a module owner or anyone actively contributing towards this effort. If this is the sort of project that interests you, please let us know.

Fortify put a paper out about the vulnerabilities of JavaScript Hijacking. For anyone curious about the Dojo response to this, it goes as follows: We worked with Fortify prior to the release of their paper to help them better assess the exposure and to implement remediation in Dojo. However, the most important steps to take with regard to this problem are server-side. Dojo can’t help or hurt your application’s security posture, but we will encourage you to do the right thing. Patches advising users to consider alternate transport methods are scheduled for 0.4.3 and are already available. Also, we’ve offered to coordinate industry consensus on a protocol to make these fixes canonical, but no one has taken us up on it so far.

Finally, we’ll be in London and Paris at the end of May for a Dojo Training Course and the Grails eXchange conference. If anyone wants to meet up, please drop me a line.

3 Responses to “JavaScript roundup”

  1. on 10 Apr 2007 at 8:49 Ajax Girl

    […] Dylan Schiemann responded discussing how the Dojo team is pushing hard to solve some of these problems. […]

  2. on 18 Apr 2007 at 17:53 Ryan Moore

    Dylan, has anyone stepped up to help with or take ownership of the JS Linker? Does the original SoC student have any interest in doing more with it?

  3. on 19 Apr 2007 at 22:30 Dylan

    Ryan, not yet. As far as I know, he’s been too busy to work on it.
