Slightly Interesting Javascript Benchmark

I have an Asus CG5275 desktop, and decided to try out the Mandelbrot JavaScript benchmark at http://alexey.radul.name/ideas/2013/cleverness-of-compilers/ with the three browsers I use most, Chrome 29.0.1547.57, Firefox 23.0, and Opera 12.16. I expected Opera to be the slowest, and was not disappointed.

The mild surprise was that Firefox was almost four times as fast as Chrome. Here are my timings on the Asus with the above-mentioned URL and browsers:

Browser             Size    Time      Relative

Chrome 29.0.1547.57 500x500  9562 ms  3.86

Firefox 23.0        500x500  2478 ms  1

Opera 12.16         500x500 19464 ms  7.85

Opera took just about twice as long as Chrome, and Firefox was almost 4 times as fast as Chrome. This is on an Intel i5 at 3.2 GHz running Linux Mint 15, Mate, kernel 3.8.0-29-generic. It's a 4-core machine, which makes me curious about the almost 4x speedup of Firefox vs.. Chrome.

[ Note added about 15 minutes after original posting: Mate's System Monitor makes it appear that all three versions use just a single core. No real surprise--this is JavaScript, after all. ]

Improve Your Hosts File for Christmas

Opera has a nice feature that one can selectively block advertising. When I do my daily once-over of web sites I visit, I do it in Opera, and then delete all private data. However, for whatever reason, ads from bannerfarm.ace.advertising.com regularly escape Opera's block content feature. However, this site violates my if it moves or makes noise, kill it policy. Adding this to the hosts file does the trick:

127.0.0.1 bannerfarm.ace.advertising.com

127.0.0.1 ace.advertising.com

127.0.0.1 advertising.com

127.0.0.1 www.advertising.com

127.0.0.1 advertising.vip.aol.com

127.0.0.1 advertising-vip.egslb.aol.com

Opera Address Bar Tip

There is a user interface design flaw in Opera 12.02 where, by default, the full URL of a web site is not shown. Here's an example:

Now suppose I want to select and paste this address, and click at the right edge of the displayed "URL." This is the result:

As can be easily seen in the image, if as user is not careful, a critical portion of the URL is lost. Even an attentive user still must repeat the select operation. Either way, time and effort are wasted.

Fortunately, though this is a bad UI decision, there is an option to force Opera to correctly display the URL correctly. Navigate to Opera|Settings|Advanced|Browsing. The penultimate checkbox under this tab is Show full web address in address field. Check this and the address bar will function correctly:

Similarly, Firefox no longer displays URLs correctly. The fix is here.

Chrome: Blocking HTML Referer [sic]

It's easy to block HTML referrers in  Firefox: visit about:config and set network.http.sendRefererHeader to zero.

It's easy to block referrers in Opera: Make sure "Send Referrer Information" is unchecked at Opera | Settings | Quick Preferences

So how about Chrome? The man page is incomplete, not saying how to do this.

Googling sent me to a a Chrome extension. I have no reason to trust the author of that extension, so I looked a little more.

The answer is, surprise, in the Chrome help forum,  http://www.google.com/support/forum/p/Chrome/thread?tid=63a866565ba8664f&hl=en

The thing is, I don't usually start Chrome from the command line, and I don't recommend doing so. If Chrome (or Firefox, or Evince, etc.) are given a command shell, they dump gobs of junk to, probably, stderr. So it's necessary to change the shortcut from which Chrome starts. Gnome instructions follow; Windows instructions, untested, are here. [ Note added 2012-09-10: I think the following is incorrect and that Firefox does require an extension to block referers. Bad Firefox, bad. Original text: I do not endorse their method of blocking referrers in Firefox, as it is simply not necessary to install an extension to do this. ]

In System | Preferences | Main Menu | Internet (your system may vary) right-click on Google Chrome. Add --no-referrers to the end of the command line. Kill Chrome. Restart Chrome through the updated shortcut.

On referrers: this is from a time when the Internet was a less dangerous place. I have trouble seeing how this was ever a good idea, but now it is simply an invasion of privacy. It isn't likely that any subsequent version of HTML will drop this, but it would be nice if browsers would default to not sending referrer information.

A note on the misspelling 'referer': the word was misspelled in RFC 1945 (!996 Berners-Lee, Fielding, Frystyk), which is a bit odd since they spelled 'referred' correctly. Wikipedia says the misspelling originated in a different document, by a different author. Fielding says that neither 'referer' nor 'referrer' were in the UNIX spell program at the time. I thought by 1990 everyone was using ispell or aspell; okay I never actually thought that. Paper dictionaries weren't available at the time? I'm just happy to not have my name as prominently associated with a dumb little mistake like this. Of course, it is just a dumb little mistake.

Security on the Client Side

Common--and good--advice is to not trust the client. If an organization has no control over the client, as is the case in web-based client-server applications, the client is not trustworthy. The Milwaukee Journal-Sentinel's Packer Insider is a very good low-stakes example of a site that has gotten this wrong. The Packer Insider is intended to be a subscription-only service, but I was reading it for a while, perhaps a long while, before I realized I was reading for-pay content.

If I visit http://www.jsonline.com/sports/packers/ in Firefox I get full access. If I visit it with Opera or Chrome, and click one of the Insider links, I get a login screen. What's the difference?

The difference is NoScript, an indispensable Firefox tool. NoScript is not intended to circumvent security, but rather to enhance client-side security. The idea is that if I let any given web site execute any script it wants on my machine, my personal data and the integrity of my machine are at risk. NoScript also helps me limit more obnoxious advertising by selectively shutting off Flash, JavaScript, Java, etc. NoScript uses a default-deny model, meaning that sites are not allowed to run client-side scripts unless I assent. NoScript is not for everyone because it does cause problems with some sites and it does require some effort on the part of the user, but it does provide a much safer browsing environment.

So, if I disable scripting, I get a much cleaner, more pleasurable view of the Journal Sentinel's Packer pages. As a side effect, I also get access to the Packer Insider materials. This is due entirely to poor security architecture at the Journal Sentinel's site, and, IMHO, strong evidence that the design was not done by an experienced professional. OTOH, there may have been other constraints making this desirable, and they may not actually care. If I were to lose access to these pages, I wouldn't really care because the Green Bay Press Gazette has comparable content that's openly-available.

As an aside, there are those that think it is bad to disable advertisements that support web sites. I have sympathy for this view, but I don't want their scripts running on my machine, eating cycles, providing animations which make it difficult to concentrate on the actual content, and, in extreme cases, making noise or damaging my system. I will aggressively block Flash, animated GIFs, etc., that damage the user experience.

This shows a general advantage of server-side over client-side scripting. Providers have a better idea of what their pages look like on the client side if they use server-side scripting--which is controlled by the provider--rather than client-side scripting, which is controlled by the end user, the browser, malware, etc.

Summary: security must be on the server side.

Browsers

More and more I'm starting to use different browsers for different purposes. Opera is nice because it allows fine control over scripting on a per site basis. For example, at NFL.com, I can shut off most of the advertising but still use most of the site's features. I especially like this for Blackboard, however.

Blackboard is a commercial course management system. Essentially, it's bloatware loaded with features that I can't imagine many people use, but they persist because, apparently, someone uses each. One of the unfortunate features of Blackboard is that when entering data in a text area, it starts a Java application. Yes, an application, not an applet. For some inexplicable reason, Blackboard wants to run an application with full user privileges on my PC. This is even harder to understand, since disallowing execution seems to have no effect on Blackboard functionality. It's probably innocuous, but as a matter of policy, why subject all the data on my PC to Blackboard's whims and bugs? Plus, what, if anything, are the software folks at Blackboard thinking?

Firefox generates a warning, but doesn't remember negative decisions. It allows one to always trust a site, but not to always distrust a site. Strange.

Opera, though, now knows to never run Java at blackboard.umbc.edu. So far, this is causing no problems, and so Opera is now my browser of choice for Blackboard.