Subresource Integrity Script Attributes

I discovered something new so I thought I would write it down (I retain knowledge better after I write it down.) I was reading up on “Bootstrap,” a Javascript framework for creating responsive web sites. (Someone in my Twitter timeline said they were learning to use it while going through Freecodecamp courses.) I had never heard of it before, but then I’m not always up on the latest, greatest programming thing, especially when it comes to Javascript.

It’s not terribly clear what Bootstrap *is* just from reading the web site, so I downloaded the zip file so I could open it up and look at it. It’s apparently a framework–a CSS file and a Javascript file, in case you were wondering. It’s a bit similar in concept to jQuery, except where jQuery is a completely generic set of tools, Bootstrap is apparently a specific framework for developing a particular kind of web site. (Presumably, the popular kind.)

Anyway, that’s not the point of this post. The point is, I looked at the source for their “Bootstrap Starter Template,” as one does when figuring out something new. Down at the bottom of the source, where the javascript is loaded, I found this curious <script> line:

<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js"
integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN"
crossorigin="anonymous"></script>

I had never seen “integrity” or “crossorigin” attributes before. From the context and the “sha384” it was fairly easy to deduce that it’s a hash value to verify the script hasn’t been tampered with. It seemed like a good idea, which was notable because I don’t often see good ideas in the HTML or Javascript development space. (Zing!)

I looked to verify that the template was HTML5. (You can tell because of “<!DOCTYPE html>”–one of the rare instances in computer science when the newer specification is simpler than the older specification.) I’m not familiar with every little thing in HTML5 so I thought maybe script verification was a new feature. I did a Google search.

It turns out it’s not an HTML5 feature, it’s a W3C recommendation called Subresource Integrity. It’s exactly what I thought it was: A way to verify the integrity of script resources (or really any third-party resources). It’s a good idea, though probably a pain to implement given the need to generate hashes for every reference and insert them into your HTML and maintain them.

I was curious how many browsers actually support Subresource Integrity (SRI), since there’s not much point in using it if browsers don’t enforce it. According to Wikipedia, Firefox, Chrome, and Opera support it, and Safari support looks to be coming soon. That means essentially everybody but Microsoft Edge and of course Internet Explorer.
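
To make the mechanism concrete, here is an added example (not from the original post or from Bootstrap) that generates an integrity value and models, in simplified form, the check a browser applies to it. The function names and the sample script bytes are constructed for illustration; it goes a little beyond the single-hash case above by handling several hashes in one attribute.

```javascript
// Added example (not from the original post): a simplified model of the
// check a browser performs for an SRI `integrity` attribute.
const crypto = require("crypto");

// Hash algorithms SRI recognises, ordered weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Build the string that goes into integrity="..." for a resource body.
function sriHash(body, alg = "sha384") {
  const digest = crypto.createHash(alg).update(body).digest("base64");
  return `${alg}-${digest}`;
}

// Split the attribute into { alg, digest } entries, dropping tokens that
// are malformed or use an algorithm SRI does not recognise.
function parseIntegrity(attr) {
  const entries = [];
  for (const token of attr.trim().split(/\s+/)) {
    const dash = token.indexOf("-");
    if (dash < 1) continue;
    const alg = token.slice(0, dash).toLowerCase();
    const digest = token.slice(dash + 1).split("?")[0]; // ignore ?options
    if (STRENGTH.includes(alg) && digest) entries.push({ alg, digest });
  }
  return entries;
}

// True if the fetched bytes may be used, false if the browser would block.
function verifyIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // nothing usable: no check applied
  // Only the strongest algorithm present counts; any of its digests may match.
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  const alg = STRENGTH[best];
  const actual = crypto.createHash(alg).update(body).digest("base64");
  return entries.some((e) => e.alg === alg && e.digest === actual);
}

// Constructed sample input: a tiny "library" and a modified copy of it.
const original = Buffer.from("window.lib = { version: '1.0' };\n");
const tampered = Buffer.from("window.lib = { version: '1.0' }; /* changed */\n");
const pinned = sriHash(original);
console.log(pinned);
console.log(verifyIntegrity(original, pinned), verifyIntegrity(tampered, pinned));
```

Note the last branch of parseIntegrity: an attribute containing only unrecognised algorithms results in no check at all, so a typo in the algorithm name silently disables the protection.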

ThinkServer Ready For Action

On impulse, I bought a Lenovo ThinkServer at NewEgg. It’s a dinky little Xeon E3-1225 server in a mini-tower case. (I don’t keep up with processors anymore, so I have no idea where the Xeon E3-1225 fits on the spectrum of processors, but considering the whole box was only $369, I assume near the bottom.)

Lenovo ThinkServer
Server seen here on the floor of my customarily sterile computing environment with vintage 17″ square LCD monitor.

Why would I buy a ThinkServer you ask? I was using my gaming PC to experiment with some MSDN software that I’d installed on a VirtualBox image of Windows 2012 R2, and I just didn’t have the computing oomph to handle it. My gaming PC can play some mean games, but it’s crap at virtualization. So I saw this ThinkServer sitting on NewEgg with decent reviews and clicked right on that Buy button. (I also bought 16GB of memory to go with it.)

If I’m not mistaken, this is quite literally the first time I’ve ever bought a pre-built [desktop] Windows PC. Every single time I’ve upgraded a PC before, I’ve bought parts and installed them myself, because it’s a lot cheaper to do it that way. This time I was delighted to simply pull the ThinkServer out of the shipping box, plug in the peripherals, and turn it on.

Then of course I discovered I had no way to burn an image of Windows Server 2012 R2 onto a DVD. I only have a DVD burner in my clunky 17″ laptop, so I wrestled it over to an outlet (because the battery was dead) and discovered that 2012 R2 is too big for a regular old DVD. Then I had to dig up an old 80GB USB hard drive to install it on.

Anyway now I have a new installation of Windows Server 2012 R2 ready for action. I’m thinking about taking some Microsoft exams so I needed a place to practice. Now to see if I can figure out how to use Windows Hyper-V.

Netflix Makes Passwords Hard

Because Netflix forced me to change my password into something that was easy to enter with a remote control into a television interface–since my television invariably asks me to re-enter said password every month for no apparent reason–I have now forgotten what my Netflix password is, and apparently LastPass never updated when I changed it. I’ve now been waiting about ten minutes for them to send me the password reset email. Come on Netflix. This is basic IT functionality here.

UPDATE: Oh, and the reason I need a password is because I am attempting to log into my account on my Android phone, because the Netflix app for the iPad is so terrible that it almost never actually plays videos.

Although it could always be Verizon blocking Netflix video, because of that whole Net Neutrality thing we don’t have anymore. Thanks Verizon. Glad you’re at the forefront of making U.S. Broadband Access so terrible compared to the rest of the world.

Symbols in Passwords

Can anyone give me a technical explanation for why so many web sites these days do not accept certain symbols such as parentheses ( ) or brackets [ ] in their passwords? It’s rather annoying and I can’t think of a single reason to prevent using them.

Throwing Away Batteries

So at work I have a stack of dead laptop batteries from a handful of old Dell Latitude laptops that I rescued before someone threw them away. In retrospect, I should not have rescued them, because they are about 99.99% useless unless I ever have a need to run Doom on an old installation of DOS. (Okay, they aren’t *that* old, but close.)

One day, someone asked me, “Hey why do you have a stack of batteries on your desk?” I said, “Oh, they’re all dead.” This person then asked, “Why don’t you throw them away?” And I of course said, because everyone knows, “You can’t just throw away batteries.” “Why not?” Um. Well, that was a good question actually. I didn’t really have an answer, except a vague sense of hearing somewhere that you shouldn’t throw away batteries.

So I decided to throw caution to the wind and throw the batteries away. The next morning, when I came in, the trash pickup people had carefully removed the batteries and put them back on my desk. Apparently you *can’t* just throw away batteries.

I did some Googling and discovered that, in Virginia, localities can indeed prohibit throwing away rechargeable batteries as long as they provide a recycling program (http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+10.1-1425.39). I can’t tell if the locality of my workplace has a recycling program or not, but I assume they do.

It seems that these batteries are going to sit on my desk, decaying, emitting toxic, corrosive, and possibly explosive chemicals into the air, for the foreseeable future.

GIFs In The News Again

Steve Wilhite, inventor of GIF, at the 2013 Webbies. Picture stolen from the BBC. Sorry.

So how about those Animated GIFs?

Yeah, they are just as annoying now as they were in the 90s. I’m surprised that web browsers still bother to support it. (It would have been better for mankind if they didn’t.)

Speaking of GIFs, the debate over how to pronounce it is back in the tech news again. There was a rather long discussion of it on The 404 recently, and it was mentioned at The Webbies. Personally, I’ve never understood why it isn’t obvious to anyone with a small amount of English literacy.

Besides the well-documented evidence that the author of the format pronounced it JIF, the reason I picked JIF is easy: According to the laws of English pronunciation a “G” followed by an “i” makes a soft G sound. In fact, G followed by “i”, “e”, or “y” is always pronounced like a “J.” Just like Giraffe is pronounced “Jiraffe” and Gerbil is pronounced “Jerbil.” Giraffe, Gerbil, Gelatin, German, Gyrate, Gif.

So all you people with your memes that say “It’s Gif, not Jif.” To a literate person, it reads, “It’s Jif, not Jif.”

(The words Gift and Girl are _exceptions_. Their etymology is German, as opposed to the others which are French.)

(Incidentally, as I’m writing this, I am realizing for the very first time that people may have read GIF like a short version of GIFT. Shockingly, I have never before made the connection between those two words. If that’s the case, it kind of makes sense that people would, you know, get it wrong.)

If it was supposed to be pronounced as a hard G sound, they should have abbreviated it GRIF.

I know what you’re saying. It’s not a word, it’s an acronym! So English rules don’t apply. And G stands for Graphics which is a hard G sound.

Well, explain this, then, smarty pants. Look at the acronym ASAP. As Soon As Possible. If GIF is supposed to be pronounced like the words it stands for, then ASAP should be pronounced ASS-APP. But it’s not. It’s pronounced AY-SAP. (Please God let there be a consensus on that pronunciation.) So there.

All that being said, if I’m in a group and unsure how it will be pronounced, I default to silence or using a hard G because that’s the “hip” way that the youngsters say it. I only say JIF if I hear someone else say it like that, or if I’m the only computer literate person in the room.

Android Calendar Date Entry Sucks

So I was entering an event into my Android calendar, which reminded me of something about Android that really annoys me. In what world is it easy to enter a month and day using these stupid radial spin dials that you have to flick through?

It reminds me of every kitchen timer you see now. You only get “up” and “down” buttons to enter a time. You never see timers with a keypad anymore, because some bean counter won’t let their manufacturer put 10 buttons on a device when you can get away with 2.

Does that linear model really have to extend to the Android calendar too? It doesn’t cost anything extra to put a keypad with buttons labeled 0-9 on a screen! Imagine a world where you can enter a date into a calendar app by going *taptaptap* and done! instead of *flick* *flick* *flick* *flick* *flick* damn overshot it *flick* *flick* damn missed again *flick* damn didn’t register my flick *flick* okay month entered, now for the day…

On Feedly

This is another followup on my search for a news reader. I want to like Feedly. I really do. But I just can’t get a grip on this interface. It seems like something completely random happens whenever I hit buttons I think should do predictable things. It’s usually when I click on the > button, which I think is going to show me the next page of fresh items to read, after I have marked the current page as read. Sometimes it does that. Other times it takes me to one random feed from which it’s hard to get away. Other times it does nothing. Other times it goes to an empty front page with items on the side. There’s too much confusion! Up is white! Black is down!