|
Mr. Wynand posted:You know HTTPS is supported out of the box with S3 right? I wasn't, that's fair, that should address at least the assets portion of it, thanks! I'm actually now wondering if I HAVE to use a custom SSL cert for the static site, given that S3 provides their own. $600/mo is quite a bit for something I might not even need. It's been a while, but I can't think of a reason off the top of my head why I'd want a specific SSL cert there, rather than a random one.
|
#
?
Sep 5, 2013 21:24
|
|
|
|
| # ? May 8, 2024 22:23 |
|
|
DreadCthulhu posted:I wasn't, that's fair, that should address at least the assets portion of it, thanks! If your current SSL cert is working for everything but the S3 poo poo, no, you don't. The images will use their own valid cert (from amazon) and everything else will use whatever it was using so far and it's all valid and secure and browsers won't yell at you.
|
|
#
?
Sep 5, 2013 21:53
|
|
|
DholmbladRU posted:0 down vote favorite Add woff as a mine type to IIS. (.woff, application/font-woff)
|
|
#
?
Sep 5, 2013 22:05
|
|
|
Mr. Wynand posted:If your current SSL cert is working for everything but the S3 poo poo, no, you don't. The images will use their own valid cert (from amazon) and everything else will use whatever it was using so far and it's all valid and secure and browsers won't yell at you. That's fair, thanks. I think the only situation where things could go wrong is if I were using some form of cert pinning, but I don't see myself doing that for anything but the API. That and I don't think browsers actually support that functionality. Actually, derp, I wouldn't be able to serve a site over https if the CNAMEs don't match, so that's a no go for S3 afaik? DreadCthulhu fucked around with this message at 22:43 on Sep 5, 2013 |
|
#
?
Sep 5, 2013 22:13
|
|
|
How do you use something like Jcrop with the Jasny Bootstrap file upload? Looking at the source, there doesn't seem to be an event exposed so I know when to call .Jcrop on the preview image? Am I supposed to poll the DOM for changes or what? edit: how come something like this doesn't work? code:fletcher fucked around with this message at 22:45 on Sep 5, 2013 |
|
#
?
Sep 5, 2013 22:35
|
|
|
Lumpy posted:Are you me? Ha, that was my last job except mine was a million times worse. Aside from a couple periods where I was working on one big design project (re-branding company, designing/building new website), my job got so spread out and random that I couldn't really do anything effectively and no one could tell me what my job title/description was). I was a designer, Photoshop monkey, office drone, web developer, code monkey (I coded a useful thing in C once), webmaster, blog editor/contributor, social media guru, PR/media person, field tester, and one time I was asked to go fix a tractor. Spreading yourself too thin is no good. I'd much rather do a few things very well than a bunch of stuff half-assed. Where I am right now, I'm doing a lot of things, but it's pretty manageable because it's all vertical integration - I design a thing, build the thing, and then integrate the thing (just on the front-end). I don't have to lead/manage projects (yet...  ) or do any back-end or heavy JS stuff. I guess I like that it's a straightforward progression from concept to a working feature. I'm finding that I'm enjoying the development side of things a lot too. If we pick up a front-end developer, I'd still develop my poo poo in a sandbox and stop at the integration part. And I'd rather just skip the Balsamiq/Photoshop stage of mocking up and go straight from whiteboard/paper drawings to HTML/CSS sandbox because it takes me way less time to code up a cool new form than it would for me to make a some wireframe in some program and then still have to code it anyway.
|
|
#
?
Sep 5, 2013 22:48
|
|
|
Authentic You posted:Where I am right now, I'm doing a lot of things, but it's pretty manageable because it's all vertical integration - I design a thing, build the thing, and then integrate the thing (just on the front-end). I don't have to lead/manage projects (yet... This is basically what I do as well. I got hired as a graphic designer / UI guy with knowledge of html/css/js and have now evolved into the lead (and only) front-end developer after a year. It has its perks but it really sucks when there are multiple big projects and they all have to funnel through me to get them finalized. Currently I'm working on I believe 6-7 projects ranging from just straight HTML/CSS, some massive JS applications, and some graphic design here and there.
|
|
#
?
Sep 6, 2013 01:30
|
|
|
Funking Giblet posted:Add woff as a mine type to IIS. (.woff, application/font-woff) I will try that. Thank you for the suggestion. Two things; does IE use EOT format, and it worked using fully qualified domain from the server why would it work here if I didnt have proper mime types set?
|
|
#
?
Sep 6, 2013 02:54
|
|
|
I've never had to implement email confirmation and password reset before, so I want to run this by you to make sure I don't pointlessly implement everything by hand if there's a tool for it out there already. For email confirmation, do you create a "tracking" code of some sort on the backend and send the user an email with Mandrill or SES (or whatever other system) with a link? The link would make the browser do a GET against a route that checks that url-encoded param and makes sure the system is aware of it? For password reset, similarly to the above, create a tracking code on the backend, and send a link that will allow to overwrite the password for only that one user with a new bcrypted version? It's not much work besides a couple of routes and tables, but I'm still curious if there's a better way of doing this, perhaps with a SaaS solution of some sort.
|
|
#
?
Sep 6, 2013 09:23
|
|
|
Are you using a framework for this? Or building from scratch. This is a very common thing so for most frameworks I'd imagine there's a plugin that does exactly what you want to do.
|
|
#
?
Sep 6, 2013 09:41
|
|
|
NtotheTC posted:Are you using a framework for this? Or building from scratch. This is a very common thing so for most frameworks I'd imagine there's a plugin that does exactly what you want to do. It's going to have to be done from scratch: there's no actual framework and it's too niche of a language to have these niceties.
|
|
#
?
Sep 6, 2013 09:43
|
|
|
Well the flow for the plugin I typically use is: - User signs up, their "account" record is created in the db (with active=false) as well as an "activation" record that has an FK link to that account and contains an activation_key field with a randomly generated key in it e.g. 3eadab4aa0766b619a08ab5b047bdb0365131ee0. - Email sent to that user that includes a url with that key, e.g. https://www.your-domain.com/activate/3eadab4aa0766b619a08ab5b047bdb0365131ee0/ - When they click the url it finds the activation record, sets the account it links to to active=true You obviously need to limit the actions the user can perform if they're not activated, be that logging in or viewing certain areas etc. For password resets I imagine you can have a similar system, create a "password_change" record, fk-link it to the user's account, then send them a unique link using the generated key that allows them to reset their password. I'm not sure whether it's better to delete "spent" activation/password reset records or keep them for posterity, maybe someone else can chime in on that front.
|
|
#
?
Sep 6, 2013 10:38
|
|
|
NtotheTC posted:Well the flow for the plugin I typically use is: Whatever you do, you don't want the activation/password reset records to be re-usable. In the same transaction as you set the account to active or apply the new password, you should set the linking record to inactive or populate a date field with the date used and the IP used from. This can be useful auditing information. You can, for example, see that 900 users were activated from the same IP address in 2 hours.
|
|
#
?
Sep 6, 2013 13:15
|
|
|
Dietrich posted:Whatever you do, you don't want the activation/password reset records to be re-usable. In the same transaction as you set the account to active or apply the new password, you should set the linking record to inactive or populate a date field with the date used and the IP used from. This can be useful auditing information. You can, for example, see that 900 users were activated from the same IP address in 2 hours. Yes, sorry I forgot to mention that the key gets overwritten/deleted once used. You might also want to set a timeout on them somehow (so that an activation link/reset password link becomes unusable after 24 hours say, prompting them to ask for a new one).
|
|
#
?
Sep 6, 2013 13:49
|
|
|
Funking Giblet posted:Add woff as a mine type to IIS. (.woff, application/font-woff) Hm, that didnt seem to work. I added .woff to the iis and restarted. I also change my browser to ask me when fonts are downloaded. I am promtped by IE to download the fonts, but they are not reflected. Using fiddler I can see that IE8 is downloading .svg fonts which are the first ones defined in my @font-face. Why would the browser download a font it cant use?... After adding 'local' to the fonts, it worked accross all browsers. code:DholmbladRU fucked around with this message at 16:12 on Sep 6, 2013 |
|
#
?
Sep 6, 2013 15:14
|
|
|
Set the .eot file as your first line in the second src list, maybe IE will download that first instead.
|
|
#
?
Sep 6, 2013 15:51
|
|
|
Bognar posted:Set the .eot file as your first line in the second src list, maybe IE will download that first instead. thanks for the help, I am a 'novice' web developer. So most javascript/css things take me longer than normal to figure out. But I noticed with fiddler it was not downloading the correct font.
|
|
#
?
Sep 6, 2013 16:14
|
|
|
DreadCthulhu posted:It's going to have to be done from scratch: there's no actual framework and it's too niche of a language to have these niceties. What language?
|
|
#
?
Sep 6, 2013 16:17
|
|
|
Dietrich posted:Whatever you do, you don't want the activation/password reset records to be re-usable. In the same transaction as you set the account to active or apply the new password, you should set the linking record to inactive or populate a date field with the date used and the IP used from. This can be useful auditing information. You can, for example, see that 900 users were activated from the same IP address in 2 hours. Are there any obvious security practices besides that one that I should make sure to have in place? Couldn't find anything specific on OWASP etc, maybe security stack exchange will have more. Oh My Science posted:What language? The api is 100% Clojure with the FE being a separate static Backbone site. The latter is something I'm actually regretting a bit, I'll need to implement server-side html generation soon, as having to update 2 codebases and ferry data in JSON blobs every single time is a pain in the rear end when you might want something quick and dirty and purely internal.. Folks in the community do tend to err on the side of re-implementing things from scratch if they're small and simple e.g. signup / auth is most of the time homebrew on top of existing modules that do cookie auth and bcrypt etc, as opposed to an end-to-end plugin like Rails' Devise. Auth is actually being looked into, as most people would agree that rolling your own is generally a bad idea, but the alternative (cemerick's friend module) is way more feature-full than most people need.
|
|
#
?
Sep 6, 2013 19:13
|
|
|
DreadCthulhu posted:Are there any obvious security practices besides that one that I should make sure to have in place? Couldn't find anything specific on OWASP etc, maybe security stack exchange will have more. 1) If you have a pending activation or password change out there and they request a new one, disable the previous one first and you should probably tell them to check their spam folder before sending out another one. 2) Don't deactivate the account because they used the password reset link. 3) Don't let them specify an e-mail address to send the reset link to, it should be the one on their account that they activated from. There is some debate on if you should tell the user which e-mail you sent the password to if you're using a Login+Pass or Login/Email+Pass system rather than an Email+Pass system. The concern is that if the Login is the same as a displayed name on your site, people can request a password reset and then see the victim user's email address. So consider that. 4) All reset and activation requests should only be valid for a fixed period of time, generally a short one. Probably more, but those are the obvious ones.
|
|
#
?
Sep 6, 2013 19:55
|
|
|
fletcher posted:
Because load doesn't bubble, you can use event capturing though for a similar effect.
|
|
#
?
Sep 6, 2013 20:37
|
|
|
Sorry if this is amateur hour stuff, but I'm having trouble deciding what I should do for a mobile version of a site. It's a pretty simple site but I just need to take out one of those full body backgrounds because it looks weird on different phones depending on browser, and there's some minor issues on tablets. Basically I want to know if I should try to load different stylesheets like some sites say, or just do a quick http://m.thesiteimmaking.com or whatever. And what is the best detection method for mobile users? Thanks.
|
|
#
?
Sep 6, 2013 21:17
|
|
|
Rubies posted:Sorry if this is amateur hour stuff, but I'm having trouble deciding what I should do for a mobile version of a site. It's a pretty simple site but I just need to take out one of those full body backgrounds because it looks weird on different phones depending on browser, and there's some minor issues on tablets. Basically I want to know if I should try to load different stylesheets like some sites say, or just do a quick [url]http://[/url]m.thesiteimmaking.com or whatever. And what is the best detection method for mobile users? Thanks. Use media queries and adjust for mobile in the same style sheet: CSS code:
|
|
#
?
Sep 6, 2013 21:42
|
|
|
Funking Giblet posted:Because load doesn't bubble, you can use event capturing though for a similar effect. Interesting! What do you mean by event capturing?
|
|
#
?
Sep 6, 2013 22:05
|
|
|
In event capturing, the event triggers and then proceeds through the dom until it reaches it's target, which is opposite to bubbling, where the events traverse up the tree to the document element unless propagation is stopped. You can use addEventListener('load',function(){},true) to an outer dom element to capture all load events within that element. (true sets the listener to capture, rather than wait for the event to bubble). This will not work in all browsers, IE8 for example, but load will not bubble in any browser, so it's better. Image errors are the same. Funking Giblet fucked around with this message at 00:16 on Sep 7, 2013 |
|
#
?
Sep 7, 2013 00:13
|
|
|
Hypothetical REST / MVC question: say I'm creating a "employee" resource with its corresponding model. Say that when I create an employee, I also have to create a bajillion other related resources like "equipment", "promotions", "hr_violations" etc. I could start that process from an /employees POST, but then I'd be screwing myself out of the option to create JUST the employee resource one day (and I hate complex branches in my controllers, there's enough going on already for me to add extra branches based on request params), so I'm considering instead having a wrapper resource like /employee-accounts which clearly indicates that you're creating an employee account, not just an employee resource. Is that the right way to think about REST or am I smoking something?
|
|
#
?
Sep 7, 2013 02:05
|
|
|
DreadCthulhu posted:Hypothetical REST / MVC question: say I'm creating a "employee" resource with its corresponding model. Say that when I create an employee, I also have to create a bajillion other related resources like "equipment", "promotions", "hr_violations" etc. I could start that process from an /employees POST, but then I'd be screwing myself out of the option to create JUST the employee resource one day (and I hate complex branches in my controllers, there's enough going on already for me to add extra branches based on request params), so I'm considering instead having a wrapper resource like /employee-accounts which clearly indicates that you're creating an employee account, not just an employee resource. The thing about REST is that it's not nearly as rigours or rigid as it seems at first glance. There are actually very few well defined properties of "resources" and even fewer that are demonstrably useful in most cases. I really think for the most part you could sum up REST as "use HTTP the way it was intended", which is a fine idea for making HTTP-based APIs, but HTTP was not necessarily created with APIs in mind either, so that should not be seen as a measure of platonic goodness or anything. Also, a great deal of REST/HTTP allows for fairly broad interpretation in terms of use, so what this all comes down to is: never let "RESTfull-ness" of a service get in the way of more immediate and obvious design concerns. Ok so with that in mind, presenting "/employee-accounts" as a distinct resource may not be worth it when the only thing you can do is POST to it. Having a POST-heavy REST API is pretty much indistinguishable from an RPC-style API. Pretty much all the stuff that sets REST apart have to do with non-POST operations. The "more RESTful" approach is probably to just do it all via POST /employees - it just accepts more then one type of request body. This is of course explicitly supported by HTTP via the Content-Type request header, which can in theory be abused to describe not just the format of the request but also the structure - e.g. "application/vnd.employee+json" and "application/vnd.employee-account+json". But are these really differently structured document types or just the same document structure with more or less optional data available? Also, should you even use "+json" like that? Only xml is explicitly supposed to do that sort of crap. This is the "broad interpretation" i was talking about... It is almost certainly not worth bothering with (and there are many drawbacks beyond just complexity with it, like tool support and having to make everything talk your silly custom MIME types), but hey, there ya go, it's like maximum RESTfull! Just do POST/employees with application/json (or whatever your format). If it's easy enough to support the optional bits in the same interface, do that, if not, yeah, provide just another endpoint (putting it underneath "/employees" is probably better though just to hint at the fact that you're still creating the same sort of "employee" resource" - e.g. "POST /employees/full-accounts" or some poo poo).
|
|
#
?
Sep 7, 2013 21:56
|
|
|
That's fair, those are all good things to think about. On one end I wish there was a "kosher" way of doing things, on the other I can appreciate the flexibility, albeit you do get plenty of rope to hang yourself with. I've been looking for examples of great REST-style APIs out there and could use a link or two. I stumbled upon the StackExchange one for example, and would love to know if that one is good for reference as I'm building my own? It's always great to have a solid role model until you gain enough experience to break out of it.
|
|
#
?
Sep 8, 2013 00:23
|
|
|
Having some issues with font-awesome (via bootstrap) and firefox. Here are some screenshots: Chrome:   Firefox:   Any suggestions are welcome!
|
|
#
?
Sep 10, 2013 18:13
|
|
|
Firefox uses WOFF files. Does your @font-face declaration point to a .woff file? The correct .woff file? Is your server set up with the correct MIME type for .woff (application/font-woff)?
|
|
#
?
Sep 10, 2013 20:54
|
|
|
Bognar posted:Firefox uses WOFF files. Does your @font-face declaration point to a .woff file? The correct .woff file? Is your server set up with the correct MIME type for .woff (application/font-woff)? Maybe not: quote:Resource interpreted as Font but transferred with MIME type application/octet-stream: "http://XXX/*.woff" Is this fixable?
|
|
#
?
Sep 10, 2013 21:42
|
|
|
I'm looking for the most economic and hassle free way to host and manage multiple wordpress sites. Right now a client of mine uses godaddy for everything and I would like to move away as many services as possible. Domains are probably fine staying at godaddy, but I may be able to push them into using gandi. Email is hosted at godaddy right now and could also stay but I am worried about them being blacklisted. Hosting is also currently done through godaddy but the wordpress performance is awful and according to my 10 min research has been for some time. --- So far I'm leaning towards a VPS with a wordpress multi-site install, but only because I'm not a huge fan of shared hosting.
|
|
#
?
Sep 11, 2013 02:38
|
|
|
Look in to openshift. I'd say more, but my phone is being dumb.
|
|
#
?
Sep 11, 2013 02:57
|
|
|
Thermopyle posted:Look in to openshift. I'd say more, but my phone is being dumb. I like the idea but was hoping to use a service like http://getflywheel.com/ I signed up for the beta and tossed them an email, but if there are alternatives I would like to look at them as well.
|
|
#
?
Sep 11, 2013 03:51
|
|
|
Does anyone know of a reference to look up viewport widths based on mobile device and browser? Edit: thought of a better query and found this which is only a half year out of date 
Munkeymon fucked around with this message at 16:08 on Sep 11, 2013 |
|
#
?
Sep 11, 2013 15:49
|
|
|
Oh My Science posted:I'm looking for the most economic and hassle free way to host and manage multiple wordpress sites. Right now a client of mine uses godaddy for everything and I would like to move away as many services as possible. http://wpengine.com/ was one of the first sites that offered that kind of service and I remember it having great reviews.
|
|
#
?
Sep 11, 2013 16:43
|
|
|
I'm actually fairly impressed with Flywheel, if anyone wants to give it a shot I snagged some extra beta codes. CODES MOVED TO TOP OF NEXT PAGE. Please indicate which code you take so I can cross them off when taken. Oh My Science fucked around with this message at 23:17 on Sep 11, 2013 |
|
#
?
Sep 11, 2013 19:57
|
|
|
Oh My Science posted:I'm actually fairly impressed with Flywheel, if anyone wants to give it a shot I snagged some extra beta codes. Perfect timing, as I may pick up some freelance gigs pooping out WP sites. I used 9w7r9. Thanks!
|
|
#
?
Sep 11, 2013 20:02
|
|
|
Oh My Science posted:I'm actually fairly impressed with Flywheel, if anyone wants to give it a shot I snagged some extra beta codes. This looks pretty neat, I snagged 'evgcv', thanks!
|
|
#
?
Sep 11, 2013 20:39
|
|
|
|
| # ? May 8, 2024 22:23 |
|
|
Oh My Science posted:I'm actually fairly impressed with Flywheel, if anyone wants to give it a shot I snagged some extra beta codes. Looks interesting, thanks.  I used this one: wbpvd edit: heads up: they don't let you do anything before entering credit card details. e2: prices. Tiny $15.00 / Month 5,000 Monthly Visitors 5 GB of Storage 250 GB Bandwidth Professional $30.00 / Month 25,000 Monthly Visitors 10 GB of Storage 500 GB Bandwidth Business $75.00 / Month 100,000 Monthly Visitors 20 GB of Storage 1 TB Bandwidth And note each site has to be paid for separately. I'm not convinced those prices justify the benefits tbh. It is pretty slick though. But maybe only for people who aren't comfortable dealing with hosting directly. fuf fucked around with this message at 20:55 on Sep 11, 2013 |
|
#
?
Sep 11, 2013 20:43
|
|
