An apparent defect in how IE handled our OAuth consent flow at work turned out to be an interesting difference in how Firefox and IE (Firefox 6 and IE8, in this case) handle content loaded via a 302 HTTP response.
After one of our UI developers beautified our OAuth consent page (where the user authorizes a client application to use data on his or her behalf), one of our testers pointed out that the overall flow stopped working in Internet Explorer. It still worked in Firefox, though, and she told us that if she permanently authorized the client in Firefox, the flow still worked in Internet Explorer.
We allow OAuth clients to provide an image that will be displayed when we ask users for consent. However, it’s not required, and so occasionally on the consent page the IMG tag would have an empty SRC attribute: <img src="" alt="client Logo"/>.

When the SRC attribute is empty, the browser loads the page URI instead. (So, it’s a self-reference, like the . entry on a filesystem.) This is where the difference between Firefox and IE comes in.
When a user accesses our site, he or she needs an OAuth access token for the site to work, and so Spring issues a 302 redirect from whatever URI was originally being accessed to the consent page. For example, if the user requests / (the home page), they’ll be redirected to /consentToUseOfData?oauth_token={tokenId}. (In the background, Spring obtains an OAuth request token from the OAuth provider, and replaces {tokenId} with the request token.)
As a result, the URI for the page had two wrinkles. The original URI for the page being loaded was /, but this was temporarily redirected to /consentToUseOfData?oauth_token={tokenId}. When the self-referring IMG tag is encountered, IE uses the original URI while Firefox uses the redirected URI.
While everyone loves to hate on Internet Explorer, initially I didn’t disagree with their approach here. The HTTP spec says, “Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests.”
I thought the request triggered by the IMG should be considered a “future request,” meaning Internet Explorer’s behavior would be correct.
However, I did a little more digging. The HTML4 spec for IMG (the choice of HTML4 was admittedly arbitrary, since we’re using the essentially spec-less HTML5) says the SRC attribute is a URI: “Relative URIs are resolved to full URIs using a base URI. … For more information about base URIs, please consult the section on base URIs in the chapter on links.”
The relevant section states,
12.4.1 Resolving relative URIs
User agents must calculate the base URI for resolving relative URIs according to [RFC1808], section 3. The following describes how [RFC1808] applies specifically to HTML.
User agents must calculate the base URI according to the following precedences (highest priority to lowest):
- The base URI is set by the BASE element.
- The base URI is given by meta data discovered during a protocol interaction, such as an HTTP header (see [RFC2616]).
- By default, the base URI is that of the current document. Not all HTML documents have a base URI (e.g., a valid HTML document may appear in an email and may not be designated by a URI). Such HTML documents are considered erroneous if they contain relative URIs and rely on a default base URI.
We define no BASE element, nor does the response contain a Content-Location header (per RFC2616, this is how HTTP defines a Base URI), so the following section of RFC1808 applies:
3.3. Base URL from the Retrieval URL
If no base URL is embedded and the document is not encapsulated within some other entity (e.g., the top level of a composite entity), then, if a URL was used to retrieve the base document, that URL shall be considered the base URL. Note that if the retrieval was the result of a redirected request, the last URL used (i.e., that which resulted in the actual retrieval of the document) is the base URL. [emphasis added]
So, as usual, Firefox appears to be following the relevant spec and Internet Explorer is not. This one is pretty esoteric, though, so I’m tempted to forgive them.
Ultimately, we resolved the problem by removing the IMG tag when no image is provided. The fact that it was loading a broken image was a defect itself, of course.
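The base-URI precedence quoted above, applied to the redirected consent page, as an added example that is not code from our application. The hostname, token value and function names are constructed for illustration; note that the spec-compliant self-request repeats the oauth_token query string.

```javascript
// Added example. Base-URI precedence from HTML4 12.4.1, highest first:
//   1. BASE element, 2. HTTP metadata (Content-Location), 3. the document's URI,
// where RFC 1808 section 3.3 says a redirected retrieval uses the LAST URL used.
function baseUri({ baseElementHref, contentLocation, redirectChain }) {
  const retrievalUrl = redirectChain[redirectChain.length - 1];
  if (baseElementHref) return new URL(baseElementHref, retrievalUrl).href;
  if (contentLocation) return new URL(contentLocation, retrievalUrl).href;
  return retrievalUrl;
}

// Resolve an IMG SRC value as the specs describe (what Firefox 6 did in the post).
function specResolve(src, doc) {
  return new URL(src, baseUri(doc)).href;
}

// The behaviour observed in IE8: the first URL of the chain is used as the base.
function observedIe8Resolve(src, doc) {
  return new URL(src, doc.redirectChain[0]).href;
}

// Template check matching the post's fix: flag IMG tags whose SRC is empty.
function emptySrcImages(html) {
  return html.match(/<img\b[^>]*\ssrc\s*=\s*(""|'')[^>]*>/gi) || [];
}

// Constructed sample: no BASE element, no Content-Location, one 302 hop.
const consentPage = {
  baseElementHref: null,
  contentLocation: null,
  redirectChain: [
    "https://app.example.test/",
    "https://app.example.test/consentToUseOfData?oauth_token=SAMPLE_TOKEN",
  ],
};
const markup = '<p>Allow access?</p><img src="" alt="client Logo"/>';

console.log("spec base :", specResolve("", consentPage));
console.log("IE8 seen  :", observedIe8Resolve("", consentPage));
console.log("empty src :", emptySrcImages(markup));
```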
We've been in San Diego for a couple days and have been enjoying the beaches (especially the surf). Tom picked me up from the airport yesterday, and after stopping for lunch (Chicago and New York style pizza) and to change at the hotel, we met up with the rest of the family at Torrey Pines State Beach.
After much deliberation, I finally decided to go through with my trip to Florida for the launch of Space Shuttle Endeavour on STS-134. The launch (originally scheduled for yesterday (Well, originally originally scheduled for a number of earlier dates, but we’ll go with yesterday being “originally” for the purposes of this blog.)) ended up being scrubbed until at least Monday, May 2, due to technical issues with auxiliary power units. The APUs are required to run heaters that prevent hydraulic lines from freezing in orbit or upon reentry. If the lines froze, it could mean loss of control (since the hydraulics, in effect, steer the shuttle) or the risk of explosion. We should know in a few hours whether or not another attempt on Monday is feasible, as NASA engineers are investigating as I write this.
The scrub was disappointing for a number of reasons, but I think my travel plans will be flexible enough to allow me to be there for the next attempt. The couple sitting next to me at Kennedy Space Center won’t be so lucky—they are from Nottingham, England, and were on a two week trip based around the earlier April 19 launch date. They flew home today, and won’t be able to make it back for another try. President Obama and his family were also scheduled to see the launch, and while they toured the Kennedy Space Center facility and met with the crew of STS-134, the scrubbed launch was a missed opportunity to inspire the president and demonstrate the value of manned space exploration.
My visit to Kennedy Space Center was my second time there, having visited with my family when we made a trip to Disney World and the surrounding area growing up. I remember the trip from Orlando taking much longer than it did this time, and the rockets of the rocket garden being much bigger, but the awe I felt was not diminished. I felt giddy as I passed by the first car checkpoint and began to cross the causeway to Merritt Island, on which KSC is located. It was great fun to sit in the crowds of people eagerly awaiting the launch, watching NASA TV on the large screens set up, and paying close attention to each update. People cheered when veteran astronauts appeared on screen to take questions from another site, and applauded their efforts when they left.
Welcome to 2011! The month of December was pretty crazy, but I’m happy 2011 is here now. I had a great holiday break, but I’ve started my new position at Deere and recently found out that the offer I put in on a house was accepted.
So first, I am buying a new house as part of my previously-announced relocation to the Des Moines area. I found a house in Johnston, Iowa, that met all my criteria. It’s a new construction, finished shortly before I started looking, which will be a new experience for me.
Since I was house hunting from out of town, I decided to record walk-through videos as I viewed houses with my realtor—mainly to help me remember the details. I think the first day we saw something like fifteen houses, which is way too many to keep straight. As a side benefit, I’ve been able to use the videos to show family and friends prior to putting in the offer, to get feedback from them, and now I can show it to you! The house was a model home for the neighborhood, so the video shows the model furniture, but it will be bare when I take possession.
While watching Illinois embarrass Northwestern’s run defense Saturday, I cooked my first turkey at home. (Technically, it was a turkey breast, but it was still delicious.) Since my oven has never worked, I roasted it on the grill, which I’ve not seen anyone in my family do before. Of course I also had to make stuffing and mashed potatoes, too.

After thawing the turkey in the fridge for a couple days, I prepared it with an herb rub from Ina Garten, with lots of thyme, rosemary, and sage. (This was actually probably the weakest part of the dinner—I thought the herbs overpowered the turkey.) After applying the rub, I ran the turkey through with four skewers, in order to successfully place it on the grill. My grill surface is set up such that I would not have been able to collect the drippings if I had just placed the turkey on the grill, so I removed the middle grate and placed a homemade drip pan in its place. Then I rolled up some aluminum foil to lift the skewer base up a little bit, and lit the flames for preheating. I only lit the outer two flames because I wanted indirect heat for the bird.
I haven’t been able to say anything until recently, but I can now confirm that I accepted a new job as a Senior Software Developer (tech lead) at Deere’s Intelligent Solutions Group in Urbandale, Iowa. I can’t say much about the actual job, but suffice it to say that I’m very excited about the position (although maybe a little less excited about moving to Des Moines).
It was way back at the end of September when I interviewed for the position, and I knew that the other applicants were also very qualified. In fact, my good friend Jason VanGundy also applied for the job, so I was a little concerned about it being awkward if one of us got the job. Luckily, though, it turned out that the hiring manager actually needed two people, and we both were hired. Our mutual friend Matt Travi has been on the team for at least a year now, so it will be great working with those guys.
Living in Des Moines will be a change. I definitely won’t be able to make it to as many Illini basketball and football games, since the drive to Des Moines will add about six hours to the round trip. I’ll miss having Mom and Dad nearby, too. But I have family out there, too, and a number of friends, and Illinois looks pretty good in HD.
As I weighed the pros and cons of accepting the offer, I was pretty surprised at how hard it was to make the decision. I knew the position would be great but I just wasn’t sure I wanted to move. It occurred to me that I hadn’t struggled with a decision like that since deciding to go to Ireland in college, so hopefully this turns out just as well as that did.
Well, clearly I haven’t written anything for the blog in some time. It’s been a busy couple months between work during the week and Illini football (significantly exceeding my expectations, even if this week’s Michigan game was a setback), a little Illini basketball, and the general social agenda overall.
Anyway, I have some big news that I’ll be posting in the next few days, but until then, check out these pictures from the Illinois basketball Orange & Blue Scrimmage.
While Illinois football has been much more enjoyable to watch this season, I’m really excited about basketball season. Watching the Orange & Blue Scrimmage and two exhibition games (Lewis in person), it has been frustrating at times, but there are sparks of potential that bode well for the future. Watching our freshmen Meyers Leonard, Crandall Head, and Jereme Richmond work their way into the rotation and contribute to the team’s success should be a lot of fun.