Friday, June 29, 2007

Finally!

I have had the latest version of dasBlog on my local system for a long time.  I had pretty much finished content migration, which is actually very easy, and also fixing a few template things that I wanted.  For the last few days, I was also running a parallel URL where I had uploaded the entire site.

Finally, there is a new look and feel with a lot of good things I wanted on the blog. 

My categories are all screwed up because I had chosen not to use the feature earlier - I will start using it more diligently from now.  I am also looking at hacking into the content and changing the categories for older posts - but that will have to wait for another day.

Also, I changed the home page of thinkingMS.com to a better looking one.  Courtesy some Expression Design and some quick notepad work.  Not the best of home pages, but better than what existed.  Check it out.

If you are reading this from an RSS reader, you might want to update your RSS feed (I know it has a little bug right now) and also want to visit the site once to see the new look and feel.  Click here to see it.

posted on Friday, June 29, 2007 11:36:29 PM (India Standard Time, UTC+05:30)  #    Comments [1] Trackback
Monday, June 25, 2007

A couple of different threads that triggered in the past two days prompted this post. 

One involved a Silverlight enthusiast who has been using the BrowserHttpWebRequest class (a new class, similar to the System.Net.HttpWebRequest class in .NET, introduced in the Silverlight .NET libraries that makes use of the underlying browser stack to make web requests) to make requests to a web service in a different domain. 

Result: An exception that says "Cross domain calls are not supported by BrowserHttpWebRequest".

The other involved an AJAX developer trying to call a web service in another domain from JavaScript.  Again, a similar cross-domain script error was raised in the browser with an "Access denied" message.

The standard paradigm on the Internet is NOT to allow cross-domain scripting.  Cross-domain scripting is nothing new - it has been there ever since JavaScript has been around.  It is dangerous in that it allows a malicious user to inject code into a page from a different domain.  

There are a few basic rules when JavaScript executes on a web page:

  • Any JavaScript code that runs within a page runs within the context of THAT page.  This means that the JavaScript running on a page can call back the same server from which the page loaded, modify DOM elements of the page, and get to all the user input, headers, cookies, form fields, etc. on that page.
  • JavaScript included from a separate JS file is only physically separate.  When the page loads and a SCRIPT SRC is encountered, the JavaScript file is requested, downloaded and then the code is included as part of the entire JavaScript.  In fact, execution of the script starts as soon as the file is downloaded completely.

Now, having stated the above, let us assume we allowed cross-site scripting.  That would mean a user would be able to include (say as part of a blog's comments) a SCRIPT SRC pointing to a JS file on a different domain.  This part is actually allowed by the browser.  However, when the remotely loaded script tries accessing or posting back any of the data on the page (that has loaded from a different domain), it is disallowed and an Access Denied message occurs.  This basically prevents the script from stealing any data and posting it back to a different server without the knowledge of the user.

Check the Wikipedia article on Cross-Site Scripting (XSS) at http://en.wikipedia.org/wiki/XSS and go through some of the famous exploits mentioned there.

But I want to build mashups!

Sure, you still want to make use of all the power of AJAX or Silverlight and get services from multiple domains mashed up on the browser.  The solution is quite simple.  Use a bridge pattern to access the third-party services.  This basically means a "proxy" service sits on the same server (as the page on which the JavaScript/Silverlight component is loaded) and any callbacks happen to a service on the same server.   This service can then make a server-to-server call to other web services on third-party domains.  Once the data is received, it can be sent back to the client.

This is a standard pattern for accessing cross-domain services.  The Silverlight team is also working on a solution to make cross-domain posts safely possible in Silverlight 1.1 - but that is something that is only going to be in the future (hopefully).  Currently, Silverlight too blocks cross-domain calls. 

If you think the above makes sense, you are all set to write your code.  If you are the type that likes to see some reference code, try this article: http://dotnetslackers.com/columns/ajax/MashitUpwithASPNETAJAX.aspx

A good explanation is also available at the Yahoo! developer website: http://developer.yahoo.com/javascript/howto-proxy.html
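The bridge described above, sketched as an added example (not code from this post or the linked articles), written in Node.js JavaScript rather than ASP.NET. The service names and the `.example` upstream URLs are constructed placeholders; the page names a service and the bridge maps it to a fixed upstream, so the endpoint cannot be used as an open relay to arbitrary hosts.

```javascript
// Same-origin bridge: the page calls /bridge/<service> on its own server,
// and the server makes the server-to-server call to the third party.
// Constructed placeholder upstreams; the browser never supplies a URL.
const UPSTREAMS = {
  weather: 'https://api.weather.example/v1/current',
  photos: 'https://api.photos.example/search',
};

// Map "/bridge/<service>?<query>" to a pinned third-party URL, or null.
function resolveUpstream(requestUrl) {
  const url = new URL(requestUrl, 'http://localhost');
  const match = /^\/bridge\/([a-z]+)$/.exec(url.pathname);
  // hasOwnProperty keeps names like "constructor" from matching.
  if (!match || !Object.prototype.hasOwnProperty.call(UPSTREAMS, match[1])) {
    return null;
  }
  const target = new URL(UPSTREAMS[match[1]]);
  // Copy query parameters only; scheme, host and path stay fixed.
  for (const [k, v] of url.searchParams) target.searchParams.append(k, v);
  return target;
}

// Build a Node http request handler. fetchImpl is injectable so the handler
// can be exercised offline; the default is Node's global fetch (Node 18+).
// Mount with: require('http').createServer(createBridge()).listen(8080)
function createBridge(fetchImpl = fetch) {
  return async function handle(req, res) {
    const target = req.method === 'GET' ? resolveUpstream(req.url) : null;
    if (!target) {
      res.writeHead(404, { 'Content-Type': 'text/plain' });
      return res.end('not found');
    }
    try {
      // The browser's cookies and headers are not forwarded, and redirects
      // are refused so the upstream cannot bounce the call to another host.
      const upstream = await fetchImpl(target, { redirect: 'error' });
      const body = await upstream.text();
      // Fixed content type: upstream markup is never rendered in our origin.
      res.writeHead(upstream.status, {
        'Content-Type': 'application/json',
        'X-Content-Type-Options': 'nosniff',
      });
      res.end(body);
    } catch (err) {
      res.writeHead(502, { 'Content-Type': 'text/plain' });
      res.end('upstream error');
    }
  };
}
```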

posted on Monday, June 25, 2007 11:38:45 PM (India Standard Time, UTC+05:30)  #    Comments [1] Trackback

TechMela 2007 just got over.  The closing keynote had Tarun Gulati, GM-DPE, announce the date for the next TechMela as well - Feb 27 2008.

We had several firsts at TechMela this year.  TechMela itself was a confluence of events - the four big events at Microsoft India - TechEd, IndiMIX, ITPC and MEDC came together under one roof.  From initial feedback, I think we had the participants enjoying the connected experience - seeing the whole gamut of Microsoft technologies at one place.  We also had a scenario showcase that showed how Microsoft touched the lives of people across the 3 screens - Television, Mobile and PC - across home, on-the-road and work.

I had great fun being part of the TechMela team that put together the event as well as being able to talk about Microsoft Silverlight.

I did two keynote demos - one for the TechMela Business event on the 13th and one for the TechMela Technology event on the 14th.  In both keynotes, I demo'ed the application we are building for Yash Raj Films for the promotion of Jhoom Barabar Jhoom.

I also extended my hand into a few talks at the UX Track on Day 1 - talking about Expression Web, Expression Blend and an impromptu XAML-101 session.  TechMela Day 2 had me in the Web Track - which was all about Silverlight.  I did 4 sessions on Silverlight and Gaurav Khanna, who had flown down from the US just for TechMela, did a couple of deep internal sessions on the CLR inside Silverlight.  We had a packed audience for the Silverlight sessions - and a wonderful audience as well - with very interesting questions and interesting discussions.  I hope the audience had as much fun as I had.

We will be putting the session material out soon and specifically on the Silverlight sessions, I will be doing a series of blogs with more in-depth details.

If you were part of TechMela and attended my sessions, I would love to hear feedback - either through email, or through the blog or in-person!

posted on Monday, June 25, 2007 11:38:21 PM (India Standard Time, UTC+05:30)  #    Comments [0] Trackback

Our blogs have been down for quite some time now and it has been quite frustrating.

We switched hosters and the new hosting company pulled support for ASP.NET Full Trust permissions - which is required by the current version of dasBlog that we are using.   There seem to be only a few people who have managed to remove the full trust dependencies of dasBlog and even those aren't full solutions.  A hack here and a hack there. 

When it did feel challenging to try and see if dasBlog can be modified, or if the content can be ported via BlogML to some other engine, I couldn't quite find too much time to work on it  - the reason? - TechMela 2007.

At Microsoft India, we are very excited about this new event format - branded as TechMela - which will combine all the four erstwhile annual events - TechEd, IndiMIX, MEDC and ITPC.   All of these will be under one roof and it is going to be the first time ever that you will get to see a unified and connected view of all Microsoft offerings.

Check out the agenda at www.techmela.com to give you a sense of how different, varied and advanced topics we are looking at covering during TechMela.

TechMela is going to be in Mumbai in less than 7 days from now and we sure hope you will try to attend it in person or virtually. 

I am doing a couple of demos at the keynote and am super-excited about it.  I will be showcasing WPF and a really cool Silverlight application that we are building for one of India's largest film production houses.  I will also be doing several breakouts - mainly in the UX track (demo'ing Expression suite of products) and the Rich Internet Applications track.

In the RIA track, I will be doing sessions on Silverlight.  For those who know Gaurav Khanna, he is flying in to do a couple more deep-dive tracks on Silverlight on the same day and I am looking forward to that as well.

Overall, it will be a fun event.  And we hope to see you there!

posted on Monday, June 25, 2007 11:37:53 PM (India Standard Time, UTC+05:30)  #    Comments [0] Trackback