Ben Summers’ blog

Strategies for implementing Content Security Policy

Content Security Policy (CSP) is a feature of modern web browsers which helps mitigate some content injection vulnerabilities in web applications. While it’s no substitute for writing a secure application, it’s useful in minimising the effect of these vulnerabilities.

I recently implemented a strict CSP in a reasonably old web application. As coding started in 2006, it used a few techniques which are a little out of date, and needed some work to cope with a CSP which was strict enough to be worth using.

I found I only needed to use a few strategies in making the required changes, and once I had the strategies in mind, converting old code to be CSP-compatible was pretty much a mechanical task. While a little dull, it was a welcome opportunity to review my old code and improve it.


Avoiding the blurs: web font icon rendering

In The Making of Octicons the chaps at GitHub shared their secrets for making crisp and resolution independent icons for web applications.

As I’m working on a system for rendering icons for my application, I followed their recipe to experiment. However, I found that in their discussion of anti-aliasing in the final “Fine Tuning” section, they omitted to mention that these icons looked a bit blurred in Firefox and Internet Explorer.

Take a look at a random repo in Firefox. The directory and file icons have blurred edges compared to their sharp look in Safari or Chrome.

Safari: sharp Firefox: blurry IE9: unsurprisingly disappointing

There must be a better way.


Converting simple svn repositories to fossil

I’ve been meaning to move from Subversion for some time, to get better merging and the benefits of a distributed version control system. While the most common choice is the unfortunately named git, it does have a lot of complexity, and in my opinion, too many choices over how it should be used.

Looking around, I’ve decided to try fossil. It looks like it has a nicer model for my purposes, and with ‘autosync’ mode, is a nice middle ground between a DVCS and a centralised system like subversion.


Adventures in IPv6

As the familiar ‘dotted-quad’ IPv4 addresses are running out, increasing use of IPv6 is probably inevitable. But before IPv6 enabling my services in the datacentres, I thought it would be a good idea to use it on the office network first. I’d like to find out all the problems before deploying it to my clients, for obvious reasons.

So when I decided to change our ADSL provider last year, I chose one which offered native IPv6 access as well as the normal IPv4. Having actually used it for a few months, I’ve got concerns about the reliability of real-world IPv6 deployments and the privacy implications.


How to convert Keynote to PowerPoint without the ugliness

All Keynote users dread the words “can I have a copy of your PowerPoint so I can load it on the presentation laptop?”

You just know the export is going to put all the text in the wrong place and make your carefully constructed graphics look crude. And then you find all the text is in Arial.

Fortunately, there’s a quick way you can preserve the Keynote look and still get a .ppt file. There is a slight limitation in that you lose all your builds and fancy effects, but hopefully your presentation doesn’t depend on them. I prefer a very simple style, so this works well for me.


Using an iPad to show software at networking events

When you’re describing your software to someone who’s never heard of it before, it can be very difficult for them to visualise what it is and what it does. It’s especially difficult at networking events, where you’re meeting lots of people from different backgrounds and have less than a minute to talk about your product.

How could you show software in a situation like this? A laptop is impractical, and printed pieces of paper are cumbersome and totally unlike a computer screen.


JRuby in Practice: Increasing Performance While Reducing Complexity

Engine Yard, who employ the majority of the JRuby development team, asked me if I would write a short article for their newsletter about how my company uses JRuby in production. Naturally, I was delighted to oblige.

Their newsletter and the Engine Yard Blog are well worth reading for some interesting technical info on JRuby and, of course, Ruby on Rails.

Here’s my article on how JRuby and the JVM allowed us to dramatically speed up our application:


Themes from the 2nd London Linked Data Meetup

Yesterday I joined about 200 other developers, librarians, information architects, journalists and project managers at the 2nd London Linked Data Meetup.

Although there were as many perspectives on this new field as there were attendees, there were some strong common themes running throughout all the talks, workshops and conversations.


Multiple users and the iPad

I promised myself I wouldn’t write a blog post about the iPad. But I’ve been thinking about who would use it, and something’s been puzzling me.

How do multiple users share an iPad?


What’s the equivalent of Twitter’s 140 character limit for non-Latin character sets?

Everyone on Twitter has the same 140 character limit. But if you don’t use English, can you get more into those 140 characters? This weekend, I did some Real Science to find out.

If you speak Japanese (日本語), each character you type is equivalent to several English characters, or even an entire word. For other non-Latin languages, like Russian or Thai, it’s less clear if there’s an inherent advantage.

To get some numbers, I hooked up Twitter’s API to Google’s AJAX Translate API to fetch some tweets, translate them, and measure the equivalent length in English. And so the Tweet Measurer was born, allowing anyone to perform dubious calculations of Tweet Length from the comfort of their own web browser.


Implementing a simple URL shortener with Apache’s mod_rewrite

While there are lots of problems with URL shorteners, they do appear to be here to stay. The popularity of long meaningful URLs (which are thought to prompt search engines to rank the pages higher) combined with the popularity of messaging services like Twitter (which restrict the number of characters) means there’s a need for these short URLs.

A reasonable solution is to run your own shortener for your web site, and hope people use it. For this blog, I’m using a few lines of Apache configuration and a script which generates a mapping file. This is how it’s done using mod_rewrite:


Control untrusted processes with Solaris SMF

If you’re writing a web application which handles files uploaded by your users and does anything more than storing them for download later, then you need to think about security on the server. Even insignificant processing relies on libraries which have bugs, which can range from infinite loops to execution of arbitrary code on the server.

To pick one example, here’s some past security flaws with libpng. No library is going to be bug free, especially if it deals with complicated file formats. Since you’re not going to be the first to know about the bugs, you need to take precautions.



Hello, I’m Ben.

I’m the Technical Director of Haplo Services, an open source platform for information management.


About this blog


Twitter: @bensummers



Jobs at Haplo
Come and work with me!