Tech News - Web Development

Yesterday, Google announced that it has teamed up with the creator of Robots Exclusion Protocol (REP), Martijn Koster and other webmasters to make the 25 year old protocol an internet standard. The REP, better known as robots.txt, is now submitted to IETF (Internet Engineering Task Force). Google has also open sourced its robots.txt parser and matcher as a C++ library. https://twitter.com/googlewmc/status/1145634145261051906 REP was created back in 1994 by Martijn Koster, a software engineer who is known for his contribution in internet searching. Since its inception, it has been widely adopted by websites to indicate whether web crawlers and other automatic clients are allowed to access the site or not. When any automatic client wants to visit a website it first checks for robots.txt that shows something like this: User-agent: * Disallow: / The User-agent: * statement means that this applies to all robots and Disallow: / means that the robot is not allowed to visit any page of the site. Despite being used widely on the web, it is still not an internet standard. With no set in stone rules, developers have interpreted the “ambiguous de-facto protocol” differently over the years. Also, it has not been updated since its creation to address the modern corner cases. This proposed REP draft is a standardized and extended version of REP that gives publishers fine-grained controls to decide what they like to be crawled on their site and potentially shown to interested users. The following are some of the important updates in the proposed REP: It is no longer limited to HTTP and can be used by any URI-based transfer protocol, for instance, FTP or CoAP. Developers need to at least parse the first 500 kibibytes of a robots.txt. This will ensure that the connections are not open for too long to avoid any unnecessary strain on servers. It defines a new maximum caching time of 24 hours after which crawlers cannot use robots.txt. This allows website owners to update their robots.txt whenever they want and also avoid the overloading robots.txt requests by crawlers. It also defines a provision for cases when a previously accessible robots.txt file becomes inaccessible because of server failures. In such cases the disallowed pages will not be crawled for a reasonably long period of time. This updated REP standard is currently in its draft stage and Google is now seeking feedback from developers. It wrote, “we uploaded the draft to IETF to get feedback from developers who care about the basic building blocks of the internet. As we work to give web creators the controls they need to tell us how much information they want to make available to Googlebot, and by extension, eligible to appear in Search, we have to make sure we get this right.” To know more in detail check out the official announcement by Google. Also, check out the proposed REP draft. Do Google Ads secretly track Stack Overflow users? Curl’s lead developer announces Google’s “plan to reimplement curl in Libcrurl” Google rejects all 13 shareholder proposals at its annual meeting, despite protesting workers

After facing a device fingerprinting bug and security breach, Stack Overflow was again in the news on Thursday. This time it was about its homepage that showcased its new proprietary products while hiding away the primary feature it is widely known for: open, public Q&A. How the updated Stack Overflow homepage looked like? The updated homepage showed the various products Stack Overflow provides. However, it did not show any straightforward way to reach the Q&A site. Here is how the updated UI looked like: Source: Stack Overflow A Stack Overflow user wrote, how he felt when he first saw this homepage: Private Q&A. Oh, this one of those exclusive sites, maybe a forum, where you get to discuss stuff in private, probably need to pay for it, it says coworker, flagship, those are pricey words. Jobs? Oh, this must be like LinkedIn. Probably only professionals and such that only elevate themselves and talk boring stuff. You probably need to pay for exposing your account or something, as you need to on those other job sites to stand a chance. Create an account? And next they'll ask for my credit card, right? No thanks, I'll move on to TechNet or wherever. Other regular users also found this abrupt change frustrating and confusing. A Stack Overflow user compared the updated homepage to that of Facebook and LinkedIn where you require to have an account to post things. He wrote, "Today before I logged in I saw the new home page, and it immediately felt the same to me as going to Facebook or LinkedIn before you have an account. There's a big wall of gibberish that essentially says, "You can't do anything here until you start handing over information about yourself.” It is understandable that Stack Overflow is looking for new avenues for revenues. In 11 years of its existence, it has become much more than a Q&A site with voting and editing functionalities. It provides Stack Overflow for Teams, a private place for your team members to exchange questions and answers about your proprietary software. Another one is, Stack Overflow Talent that helps employers post job listings and discover talents around the globe for their organizations. Stack Overflow for Enterprise provides a platform for building a standalone Q&A community. Despite these new incredible offerings, for most people the Q&A site is what Stack Overflow is, rest all is just an addition to the main product. Hiding the actual feature for which developers visit the site behind a hamburger, while giving the actual screen space to proprietary products is what has turned off many developers. How Stack Overflow responded? After facing backlash, Stack Overflow responded with a workaround for the moment and is currently reviewing the feedback it is getting from the users. Stack Overflow said, “Overall changes in design will not be made at this moment (we are still collecting the feedback you are all posting - thanks for that). And we are carefully reviewing it and will make them later if it's necessary, however, we do want to make it easier to get to the open Q&A as fast as possible, and that means not changing the design right now.” To make it somewhat easier for the users to reach the Q&A section, it has hyperlinked the "open community" in the description. Also, the blue button which was earlier called “Create an account” now goes directly to the Q&A page. Source: Stack Overflow Developers also suggested what Stack Overflow can do to fix this problem, while also showcasing its proprietary products. Here's what a user recommended: “If you're really serious about improving it, then I have some recommendations. 1) reduce the size of the hero banner by ~50%. 2) Remove the "for developers, by developers" section and have the "Developers" button at the top go straight to stackoverflow.com/questions. 3) Remove the section on SO for Teams pricing -- that belongs as a click-through page via the "Private Q&A" link on the "For business by developers" section. On that subject, "Private Q&A" should say "Teams (Private Q&A)". 4) Remove redundant .talent-slope div and .py64 div below it.” Providing teams and enterprises a private area to discuss their coding problems is an incredible idea and there is no wrong in advertising these products to people who love using Stack Overflow. However, it does feel a little overboard to make it the main centerpiece of the homepage, when Stack Overflow is mainly known for its free Q&A feature. Also, considering the huge user base, the whole outcry could have been avoided by a little consultation from the users. Approx. 250 public network users affected during Stack Overflow’s security attack Do Google Ads secretly track Stack Overflow users?

Yesterday, Mozilla announced the first preview of a redesigned version of Firefox for Android, called Firefox Preview. It is powered by the GeckoView rendering engine and will eventually replace the current Firefox app for Android. Why Mozilla is introducing a new Firefox for Android Back in 2016, Mozilla introduced Firefox Focus, a privacy-focused mobile browser for Android and iOS users. It was initially launched as a tracker-blocking application and then was developed into a minimalistic browser app. The team has been putting their efforts into improving the Firefox Focus app. However, the demand for a full-fledged private and secure mobile browsing experience has increased in recent years. The team realized this could be best addressed by launching a new browser app that is similar to Focus, but provides all the "ease and amenities of a full-featured mobile browser." Sharing the idea behind the new browser, Firefox Mobile Team said, "With Firefox Preview, we’re combining the best of what our lightweight Focus application and our current mobile browsers have to offer to create a best in class mobile experience." What features does Firefox Preview come with Unlike some of the major browsers that use the Blink rendering engine, Firefox Preview is backed by GeckoView. This gives Firefox and its users the independence of making decisions for what they want in the browser instead of enforcing whatever Google decides. GeckoView also accounts for “greater flexibility in terms of the types of privacy and security features" Mozilla can offer its mobile users.” Following are some of the features Firefox Preview offers: Up to two times faster: It is up to two times faster as compared to the previous versions of Firefox for Android. Minimalistic design: It comes with a minimalist start screen and bottom navigation bar to enable you get things done faster on the go. Includes Collections, a new take on bookmarks: Its Collections feature allows you to save, organize, and share collections of sites. Tracking Protection on by default: It comes with Tracking Protection on by default giving you freedom from advertising trackers and other bad actors. As a side effect, this also gives a faster browsing experience. This is an early version of the experimental browser for Android users based on GeckoView, which means there are many features like support for ad blocking extensions, Reader Mode is not yet available. You can try it out and provide feedback for improvements to the team via email or on Github. Check out the official announcement by Mozilla to know more. Mozilla introduces Track THIS, a new tool that will create fake browsing history and fool advertisers Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild Mozilla to bring a premium subscription service to Firefox with features like VPN and cloud storage

Looks like Brave has also jumped on the bandwagon of writing or rewriting its components in the Rust programming language. Yesterday, its team announced that they have reimplemented its ad-blocker in Rust that was previously written in C++. As a result, the ad-blocker is now 69x faster as compared to the current engine. The team chose Rust as it is a memory-safe and performant language. The new ad-blocker implementation can be compiled to native code and run within the native browser core. It can also be packaged in a standalone Node.js module. This reimplemented version is available on Brave’s  Dev channel and Nightly channel. How does this new ad-blocking algorithm work? The previous ad-blocking algorithm relied on the observation that most of the requests were passed through without blocking. It used the Bloom filter data structure that tracks fragments of requests that may match and rules out those that do not. The new implementation is based on uBlock Origin and Ghostery’s ad-blocking approach, which is tokenization specific to add-block rule matching against URLs and rule evaluation optimized to the different kinds of rules. What makes this new algorithm faster is that it quickly eliminates any rules that are not likely to match a request from search. “To organize filters in a way that speeds up their matching, we observe that any alphanumeric (letters and numbers) substring that is part of a filter needs to be contained in any matching URL as well,” the team explained. All these substrings are hashed to a single number that results in a number of tokens. The tokens make matching much easier and faster when a URL is tokenized in the same way. The team further wrote, “Even though by nature of hashing algorithms multiple different strings could hash to the same number (a hash collision), we use them to limit rule evaluation to only those that could possibly match.” If a rule has a specific hostname, it is tokenized too. If a rule contains a single domain option, the entire domain is hashed as another token. Performance gains made by the reimplementation For the performance evaluation, the team has used the dataset published with the Ghostery ad-blocker performance study that includes 242,945 requests across 500 popular websites. The new ad-blocker was tested against this dataset with different ad-block rule lists including the biggest one: EasyList and EasyPrivacy combined.  The team performed all the benchmarks on the adblock-rust 0.1.21 library. They used a 2018 MacBook Pro laptop with 2.6 GHz Intel Core i7 CPU and 32GB RAM. Following are performance gains this new ad-blocker showed: The new algorithm with its optimized set of rules is 69x faster on average as compared to the current engine. When tested with the popular filter list combination of EasyList and EasyPrivacy, it gave a “class-leading performance of spending only 5.7μs on average per request.” It already supports most of the filter rule syntax that has evolved beyond the original specification. This will enable the team to handle web compatibility issues better and faster. The browser does some of the work that can be helpful to the ad-blocker. This further reduces the overheads resulting in an ad-blocker with the best in class performance. Head over to Brave’s official website to know more in detail. Edge, Chrome, Brave share updates on upcoming releases, recent milestones, and more at State of Browsers event Brave introduces Brave Ads that share 70% revenue with users for viewing ads Chromium-based Brave browser shows 22% faster page load time than its Muon-based counterpart  

Update: A day after a user found a bug on Stack Overflow’s devtools website, Nick Craver, the Architecture Lead for Stack Overflow, has updated users on their working. He says that the fingerprinting issue has emerged from the ads relayed through 3rd party providers. Stack Overflow has been reaching out to experts and the Google Chrome security team and has also filed a bug in the Chrome tracker. Stack Overflow has contacted Google, their ad server for assistance and are testing deployment of Safe Frame to all ads. The Safe Frame API will configure if all ads on the page should be forced to be rendered using a SafeFrame container. Stack Overflow is also trying to deploy the Feature-Policy header to block access to most browser features from all components in the page. Craver has also specified in the update that Stack Overflow has decided not to turn off these ad campaigns swiftly, as they need the repro to fix these issues. A user by the name greggman has discovered a bug on Stack Overflow’s devtools website. Today, while working on his browser's devtools website, he noticed the following message: Image source: Stack Overflow Meta website  greggman then raised the query “Why is Stack Overflow trying to start audio?” on the Stack Overflow Meta website, which is intended for bugs, features, and discussion of Stack Overflow for its users. He then found out that the above message appears whenever a particular ad is appearing on the website. The ad is from Microsoft via Google.  Image source: Stack Overflow Meta Website  Later another user, TylerH did an investigation and revealed some intriguing information about the identified bug. He found out that the Google Ad is employing the audio API, to collect information from the users’ browser, in an attempt to fingerprint it.   He says that “This isn't general speculation, I've spent the last half hour going though the source code linked above, and it goes to considerable lengths to de-anonymize viewers. Your browser may be blocking this particular API, but it's not blocking most of the data.”  TylerH claims that this fingerprint tracking of users is definitely not done for legitimate feature detection. He adds that this technique is done in aggregate to generate a user fingerprint, which is included along with the advertising ID, while recording analytics for the publisher. This is done to detect the following : Users’ system resolution and accessibility settings The audio API capabilities, supported by the users’ browser The mobile browser-specific APIs, supported by the users’ browser TylerH states that this bug can detect many other details about the user, without the users’ consent. Hence he issues a warning to all Stack Overflow users to “Use an Ad blocker!” As both these findings gained momentum on the Stack Overflow Meta website, Nick Craver,  the Architecture Lead for Stack Overflow replied to greggman and TylerH, “Thanks for letting us know about this. We are aware of it. We are not okay with it.” Craver also mentioned that Stack Overflow has reached out to Google, to obtain their support. He also notified users that “This is not related to ads being tested on the network and is a distinctly separate issue. Programmatic ads are not being tested on Stack Overflow at all.” Users are annoyed at this response by Craver. Many are not ready to believe that the Architecture Lead for Stack Overflow did not have any idea about this and is now going to work on it. A user on Hacker News comments that this response from Craver “encapsulates the entire problem with the current state of digital advertising in 1 simple sentence.” Few users feel like this is not surprising at all, as all websites use ads as tracking mechanisms. A HN user says that “Audio feature detection isn't even a novel technique. I've seen trackers look at download stream patterns to detect whether or not BBR congestion control is used, I have seen mouse latency based on the difference between mouse ups and downs in double clocks and I have seen speed-of-interaction checks in mouse movements.”  Another comment reads, “I think ad blocking is a misnomer. What people are trying to do when blocking ads is prevent marketing people from spying on them. And the performance and resource consumption that comes from that. Personal opinion: Laws are needed to make what advertisers are doing illegal. Advertisers are spying on people to the extent where if the government did it they'd need a warrant.” While there is another user, who thinks that the situation is not that bad, with Stack Overflow at least taking responsibility of this bug. The user on Hacker News wrote, “Let's be adults here. This is SO, and I imagine you've used and enjoyed the use of their services just like the rest of us. Support them by letting passive ads sit on the edge of the page, and appreciate that they are actually trying to solve this issue.” Approx. 250 public network users affected during Stack Overflow’s security attack Stack Overflow confirms production systems hacked Facebook again, caught tracking Stack Overflow user activity and data

Yesterday, Vivaldi released the latest version of their browser, Vivaldi 2.6, with two striking features - privacy and customization. These features will allow users to block abusive ads and feel safe on the web. Also, Vivaldi 2.6 provides users with many customization options for creating multiple personalities of users without logging into a different operating system. There are also other improvements such as filter saved passwords, visually enhanced search field and more. Vivaldi 2.6 is available as a free download for Windows, Mac, and Linux. Users can also import data from a variety of browsers, including Opera, Chrome, Edge, Internet Explorer and -- via HTML export -- Firefox. Browse safely with no abusive ads Vivaldi’s new functionality allows users to block adverts that use abusive technologies such as fake messages, misleading site behavior, etc. Users can use this feature to stop ads from sites, that are causing problems like, pop-ups that prevent them from leaving the site. Vivaldi 2.6’s built-in ad-blocker, will have an enabled-by-default blocklist, which can be switched off in the Privacy section of the Settings menu. This list is hosted by Vivaldi’s servers and is updated automatically and applied to intrusive websites so that users don't have to contact the server each time. This blocklist is hosted on its end-to-end encrypted servers. Here’s how to manually enable or disable abusive ad blocking: Select Vivaldi Menu > Tools > Settings, or use Alt-P to open the Preferences using the shortcut. Switch to the Privacy section. Remove the checkmark from Block ads on abusive violating sites. This turns the functionality off in the Vivaldi browser. In a statement to Packt, Vivaldi CEO, Jon von Tetzchner said, “We try to keep our users safe and will continue to look at more options to protect them. The way that we’ve implemented this functionality is an interesting step in the direction of relying less on third-party services.” Image source: Vivaldi More personality to User Profiles In March this year, Vivaldi had introduced support for User profiles which had different set of extensions, bookmarks, speed dials, cookies, history, and more. With this update, Vivaldi has brought in more customization options for users. Users can now create multiple “users” without logging into a different operating system, user account, or maintain multiple standalone installations of Vivaldi. This update brings a more personal touch for non-synced profiles, with the following additions : Update the avatars Add and delete profiles in the popup Edit avatar within the popup Image source: Vivaldi Other improvements Filter saved passwords: Users can find their saved passwords by filtering either through account names or websites. Keep a tab on unread tabs in the Window Panel: When a link is opened on a background tab, users will be notified in the Window Panel if it is unread. The unread tab counter will inform precisely the number of tabs unattended. Navigate faster with ‘Find in Page’ : Users can find a specific word or a term in a lengthy article with ‘Find in Page’ option. Visually enhanced Search Field: The magnifying glass on the Search Field on the right side of the Address Bar of Vivaldi now displays the favicon of the active search engine, helping users to easily identify the search engine. Support for headphone: A highly requested feature by users - Vivaldi will support headphone devices. Performance improvement: Vivaldi 2.6 has increased its performance to help users working with multiple tabs. Now, a user can easily tile tabs into split-screen views or move tabs to new windows. Opening, closing, and resizing of Panels in the sidebar is also much snappier. The privacy feature of Vivaldi comes at a time when many browsers are being cornered for having privacy issues. Earlier this month, Chrome had made it clear that its ad blocking extensions will only be available for enterprise users. This move by Google had garnered much criticism. Vivaldi, on the other hand, is getting praised for its new privacy-centric features. It also comes with DuckDuckGo search engine as default, which doesn’t track or profile users. https://twitter.com/rankbrite/status/1141726875728908288 A user on Hacker News states that “I'm seriously thinking of switching to Vivaldi now as my default development browser. It has incredible keyboard support and feature wise closest to the old Opera browser, which till date is the first browser I feel in love with.” Another user on Hacker News says that “I changed to Vivaldi about a year ago and it's the first browser ever which isn't constantly slowing down with time and I'm not constantly thinking should I change again.” Also, questions are being raised on Vivaldi, for linking ‘abusive ads’ to Google's guidelines for abusive ads. A user on Hacker News comments that “The "abusive ads" text links to Google's guidelines for abusive ads: is this what Vivaldi is using to determine what's "abusive"?” There are others who prefer Firefox over Vivaldi due to the latter’s slow-moving nature. A user explains that “I switched from Chrome to Vivaldi and back to Firefox for two reasons: 1) Vivaldi rendering performance is the worst I've ever seen in a browser. No idea how they managed that using webkit, but some sites would make tabs crash on a high end system. 2) The web developer tools are unusable due to bugs. 3) Fixing simple but impactful bugs takes too long. I really like their useful and plenty settings for everything, but 1) and 2) make it a no go for me.” For more information read Vivaldi’s blog. Mozilla puts “people’s privacy first” in its browser with updates to Enhanced Tracking Protection, Firefox Lockwise and Firefox Monitor Tor Browser 8.5, the first stable version for Android, is now available on Google Play Store! All about Browser Fingerprinting, the privacy nightmare that keeps web developers awake at night

Last week, HAProxy 2.0 was released with critical features of cloud-native and containerized environments. This is an LTS (Long-term support) release, which includes a powerful set of core features such as Layer 7 retries, Cloud-Native threading and logging, polyglot extensibility, gRPC support and more, and will improve the seamless support for integration into modern architectures. In conjunction with this release, the HAProxy team has also introduced the HAProxy Kubernetes Ingress Controller and the HAProxy Data Plane API. The founder of HAProxy Technologies, Willy Tarreau, has said that these developments will come with HAProxy 2.1 version. The HAProxy project has also opened up issue submissions on its HAProxy GitHub account. Some features of HAProxy 2.0 Cloud-Native Threading and Logging HAProxy can now scale to accommodate any environment with less manual configuration. This will enable the number of worker threads to match the machine’s number of available CPU cores. The process setting is no longer required, thus simplifying the bind line. Two new build parameters have been added: MAX_THREADS and MAX_PROCS, which avoids allocating huge structs. Logging has been made easier for containerized environments. Direct logging to stdout and stderr, or to a file descriptor is now possible. Kubernetes Ingress Controller The HAProxy Kubernetes Ingress Controller provides a high-performance ingress for the Kubernetes-hosted applications. It supports TLS offloading, Layer 7 routing, rate limiting, whitelisting. Ingresses can be configured through either ConfigMap resources or annotations. The Ingress Controller gives users the ability to : Use only one IP address and port and direct requests to the correct pod based on the Host header and request path Secure communication with built-in SSL termination Apply rate limits for clients while optionally whitelisting IP addresses Select from among any of HAProxy's load-balancing algorithms Get superior Layer 7 observability with the HAProxy Stats page and Prometheus metrics Set maximum connection limits to backend servers to prevent overloading services Layer 7 Retries With HAProxy 2.0, it will be possible to retry from another server at Layer 7 for failed HTTP requests. The new configuration directive, retry-on, can be used in defaults, listen, or backend section. The number of attempts at retrying can be specified using the retries directive. The full list of retry-on options is given on the HAProxy blog. HAProxy 2.0 also introduces a new http-request action called disable-l7-retry. It allows the user to disable any attempt to retry the request if it fails for any reason other than a connection failure. This can be useful to make sure that POST requests aren’t retried. Polyglot Extensibility The Stream Processing Offload Engine (SPOE) and Stream Processing Offload Protocol (SPOP) were introduced in HAProxy 1.7. It aimed to create the extension points necessary to build upon HAProxy using any programming language. From HAProxy 2.0, the following libraries and examples will be available in the following languages and platforms: C .NET Core Golang Lua Python gRPC HAProxy 2.0 delivers full support for the open-source RPC framework, gRPC. This allows bidirectional streaming of data, detection of gRPC messages, and logging gRPC traffic. Two new converters, protobuf and ungrpc, have been introduced, to extract the raw Protocol Buffer messages. Using Protocol Buffers, gRPC enables users to serialize messages into a binary format that’s compact and potentially more efficient than JSON. Users need to set up a standard end-to-end HTTP/2 configuration, to start using gRPC in HAProxy. HTTP Representation (HTX) The Native HTTP Representation (HTX) was introduced with HAProxy 1.9. Starting from 2.0, it will be enabled by default. HTX creates strongly typed, well-delineated header fields and allows for gaps and out-of-order fields. It also allows HAProxy to maintain consistent semantics from end-to-end and provides higher performance when translating HTTP/2 to HTTP/1.1 or vice versa. LTS Support for 1.9 Features HAProxy 2.0 bring LTS support for many features that were introduced or improved upon during the 1.9 release. Some are them are specified below: Small Object Cache with an increased caching size up to 2GB, set with the max-object-size directive. The total-max-size setting determines the total size of the cache and can be increased up to 4095MB. New fetches like date_us, cpu_calls and more have been included which will report either an internal state or from layer 4, 5, 6, and 7. New converters like strcmp, concat and more allow to transform data within HAProxy Server Queue Priority Control, lets the users to prioritize some queued connections over others. This is helpful to deliver JavaScript or CSS files before images. The resolvers section supports using resolv.conf by specifying parse-resolv-conf. The HAProxy team has planned to build HAProxy 2.1 with features like UDP Support, OpenTracing and Dynamic SSL Certificate Updates. The HAProxy inaugural community conference, HAProxyConf is scheduled to take place in Amsterdam, Netherlands on November 12-13, 2019. A user on Hacker News comments, “HAProxy is probably the best proxy server I had to deal with ever. It's performance is exceptional, it does not interfere with L7 data unless you tell it to and it's extremely straightforward to configure reading the manual.” While some are busy comparing HAProxy with the nginx web server. A user says that “In my previous company we used to use HAProxy, and it was a hassle. Yes, it is powerful. However, nginx is way easier to configure and set up, and performance wise is a contender for most usual applications people needed. nginx just fulfills most people's requirements for reverse proxy and has solid HTTP/2 support (and other features) for way longer.” Another user states that “Big difference is that haproxy did not used to support ssl without using something external like stunnel -- nginx basically did it all out of the box and I haven't had a need for haproxy in quite some time now.” While others suggest that HAProxy is trying hard to stay equipped with the latest features in this release. https://twitter.com/garthk/status/1140366975819849728 A user on Hacker News agrees by saying that “These days I think HAProxy and nginx have grown a lot closer together on capabilities.” Visit the HAProxy blog for more details about HAProxy 2.0. HAProxy introduces stick tables for server persistence, threat detection, and collecting metrics MariaDB announces the release of MariaDB Enterprise Server 10.4 Businesses need to learn how to manage cloud costs to get real value from serverless and machine learning-as-a-service

Yesterday, the team behind PrimeNG, a collection of rich UI components for Angular, announced the release of PrimeNG 8.0.0. This release comes with Angular 8.0 support, a new feature called FocusTrap, and other quality improvements. Here are some of the updates in PrimeNG 8.0.0: Compatibility with Angular 8 The main focus behind this release was to support Angular 8. Currently, PrimeNG 8.0.0 does not come with Ivy support as there are various breaking changes for the team to tackle in 8.x. “It is easier to use Ivy although initially there are no significant gains, for library authors such as ourselves there are challenges ahead to fully support Ivy,” the team wrote in the announcement. This compiler is opt-in right now but in the future release, probably in v9, we can expect it to become the default. Currently, there are “no real gains” of using it, however, you can give it a whirl to check whether your app works right with Ivy. You can enable it by adding "enableIvy": true in your angularCompilerOptions, and restart your application. Another issue that you need to keep in mind is Angular 8’s web animations regression that breaks your application if you add import 'web-animations-js'; into polyfills.ts. PrimeNG 8.0.0 users are recommended to use a fork of web-animations until the issue is fixed. Other new features and enhancements A new feature called FocusTrap is introduced, which is a new directive that keeps focus within a certain DOM element while tabbing. Spinner now has the decimalSeperator and thousandSeperator props. A formatInput prop is added to Spinner that formats input numbers according to localSeperators. The FileUpload component uses HttpClient that works with interceptors. This is why the team has removed onBeforeSend and added onSend. Headers prop for FileUpload are introduced to define HttpHeaders for the post request. The ‘rows’ of Table now supports two-way binding. Read more about PrimeNG 8.0 on its official website. Angular 8.0 releases with major updates to framework, Angular Material, and the CLI 5 useful Visual Studio Code extensions for Angular developers Ionic Framework 4.0 has just been released, now backed by Web Components, not Angular

Yesterday, Google released Chrome 76 beta with number of features which includes blocking Flash by default, a dark mode, and making it harder for sites to detect when you’re using Incognito Mode to get around paywalls. https://twitter.com/GoogleChromeDev/status/1139246837024509952 Blocks Flash by default The Chrome 76 beta by default blocks Flash in the browser. Users still have the option to switch back to the current “Ask first” option in [chrome://settings/content/flash]. Per this option, explicit permission is required for each site after every browser restart. Changes to Payments API Chrome 76 has released a fix in the FilesystemsAPI to address how websites are able to detect if you’re using Incognito to get around a paywall. FileSystem API is updated so that “detect private mode” scripts can no longer take advantage of that indicator. Chrome 76 Beta now also makes it easier to use the payments APIs for self-signed certificates on the local development environment. https://twitter.com/paul_irish/status/1138471166115368960   Additionally, PaymentRequestEvent has a new method called changePaymentMethod() and the PaymentRequest object now supports an event handler called paymentmethodchange. You can use both to notify a merchant when the user changes payment instruments. The former returns a promise that resolves with a new PaymentRequest instance. Improvements for Progressive Web Apps Chrome 76 Beta makes it easier for users to install Progressive Web Apps on the desktop by adding an install button to the omnibox. On mobile, developers can now replace Chrome’s Add to Home Screen mini-infobar with their own prompt. PWAs will also check for updates more frequently starting with Chrome 76 - checking every day, instead of every three days. New Dark mode Chrome 76 Beta also adds the Dark Mode. Websites can now automatically enable dark modes and respect user preference by adding a little bit of extra code in the prefers-color-scheme media query. Other improvements Browsers prevent calls to abusable APIs (like popup, fullscreen, vibrate, etc.) unless the user activates the page through direct interactions. However, not all interactions trigger user activation. Going forward, the escape key is no longer treated as a user activation. Chrome 76 beta introduces a new HTTP request header that sends additional metadata about a request's provenance to the server to allow it to make security decisions. Lazyload feature policy has been removed. This policy was intended to allow developers to selectively control the lazyload attribute on the iframe and img tags to provide more control over loading delay for embedded content and images on a per origin basis. The stable release of Chrome 76 is tentatively scheduled for July 30th. You can read about additional changes on Google’s Chromium blog post. Is it time to ditch Chrome? Ad blocking extensions will now only be for enterprise users. Google Chrome will soon support LazyLoad, a solution to lazily load below-the-fold images and iframes. Mozilla puts “people’s privacy first” in its browser with updates to Enhanced Tracking Protection, Firefox Lockwise and Monitor

On Monday, the team behind NgRx, a platform that provides reactive libraries for Angular, announced the release of NgRx 8. This release includes the NgRx Data package, creator functions, four run-time checks, mock selectors, and much more. Following are some of the updates in NgRx 8: NgRx Data integrated into the NgRx platform In this release, the team has integrated the angular-ngrx-data library by John Papa and Ward Bell directly into the NgRx platform as a first-party package. Using NgRx in your Angular applications properly requires a deeper understanding and a lot of boilerplate code. This package gives you a “gentle introduction” to NgRx without the boilerplate code and simplifies entity data management. Redesigned creator functions NgRx 8 comes with two new creator functions: createAction: Previously, while creating an action you had to create an action type, create a class, and lastly, create an action union. The new createAction function allows you to create actions in a less verbose way. createReducer: With this function, you will be able to create a reducer without a switch statement. It takes the initial state as the first parameter and any number of ‘on’ functions. Four new runtime checks To help developers better follow the NgRx core concepts and best practices, this release comes with four runtime checks. These are introduced to “shorten the feedback loop of easy-to-make mistakes when you’re starting to use NgRx, or even a well-seasoned developer might make.” The four runtime checks that have been added are: The strictStateImmutability check verifies whether a developer is trying to modify the state object. The strictActionImmutability check verifies that actions are not modified. The strictStateSerializability check verifies if the state is serializable. The strictActionSerializability check verifies if the action is serializable. All of these checks are opt-in and will be disabled automatically in production builds. Mock selectors for isolated unit testing NgRx 7 came with MockStore, a simpler way to condition NgRx state in unit tests. But, it does not allow isolated unit testing on its own. NgRx 8 combines mock selectors and MockStore to make this possible. You can use these mock selectors by importing @ngrx/store/testing. To know more in detail, check out the official announcement on Medium. ng-conf 2018 highlights, the popular angular conference Angular 8.0 releases with major updates to framework, Angular Material, and the CLI 5 useful Visual Studio Code extensions for Angular developers

Last week, Mozilla, in an interview with German media outlet T3N, revealed its plan of launching paid subscription services in Firefox by October. By subscribing to this service, users will be able to access “premium” features like VPN and secure cloud storage. In the interview, Chris Beard, Mozilla’s CEO did not go much into details about the cost or new premium services and features that we may see in Firefox. However, he did mention two services: VPN and cloud storage. He said, “You can imagine we'll offer a solution that gives us all a certain amount of free VPN Bandwidth and then offer a premium level over a monthly subscription.” He further clarified that no costs will be charged for the currently free service. Mozilla started testing the waters last year by introducing a few paid subscription services. In October, it partnered with ProtonVPN to introduce a paid VPN service. This service was offered to a randomly-selected small group of US users at $10 per month. In February this year, it partnered with Scroll, a news subscription service that allows you to read your favorite news websites by paying a monthly fee. Now, the company is expanding its catalog to offer more subscription services in Firefox. “We want to add more subscription services to our mix and focus more on the relationship with the user to become more resilient in business issues,” said Chris Beard. Explaining the vision behind this paid offering, Dave Camp, senior vice president of Firefox, said in a statement, “A high-performing, free and private-by-default Firefox browser will continue to be central to our core service offerings. We also recognize that there are consumers who want access to premium offerings, and we can serve those users too without compromising the development and reach of the existing products and services that Firefox users know and love.” This news triggered a discussion on Hacker News. Going by the thread, we can say that many users are happy that Mozilla is upfront about this new business model. Several other users also commented about the list of features and services they would want in Firefox before they are convinced enough to pay for the subscription. One of the users commented: “Can confirm, I would pay for a version of Firefox with just four "features": - No Pocket anywhere in the code - No telemetry/experiments/ Normandy anywhere in the code - No network connections to third party hosts (other than websites I'm viewing) - No "discovery" feed / whatever they're calling the activity stream sponsored content thing now anywhere in the code Just let me monthly subscribe via Paypal or whatever, and give me a private build server link and tar.gz of the source.” You can read the entire interview on T3N’s official website. Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features Mozilla’s updated policies will ban extensions with obfuscated code Mozilla puts “people’s privacy first” in its browser with updates to Enhanced Tracking Protection, Firefox Lockwise and Firefox Monitor

Yesterday, at JSConfEU '19, the team behind Entropic announced Entropic, a federated package registry with a new CLI that works smoothly with the network.  Entropic is also Apache 2 licensed and is federated. It mirrors all packages that users install from the legacy package manager. Entropic offers a new file-centric API and a content-addressable storage system that minimizes the amount of data that should be retrieved over a network. This file-centric approach also applies to the publication API. https://www.youtube.com/watch?v=xdLMbvEc2zk C J Silverio, Principal Engineer at Eaze said during the announcement, “I actually believe in open source despite everything I think it's good for us as human beings to give things away to each other but I think it's important. It's going to be plenty for my work so Chris tickets in news isn't it making out Twitter moment now Christensen and I have the natural we would like to give something away to you all right now.” https://twitter.com/kosamari/status/1134876898604048384 https://twitter.com/i/moments/1135060936216272896 https://twitter.com/colestrode/status/1135320460072296449 Features of Entropic Package specifications All the Entropic packages are namespaced, and a full Entropic package spec includes the hostname of its registry. The package specifications are also fully qualified with a namespace, hostname, and package name. They appear to be: namespace@example.com/pkg-name. For example, the ds cli is specified by chris@entropic.dev/ds. If a user publishes a package to their local registry that depends on packages from other registries, then the local instance will mirror all the packages on which the user’s package depend on. The team aims to keep each instance entirely self-sufficient, so installs aren’t dependent on a resource that might vanish. And the abandoned packages are moved to the abandonware namespace. The packages can be easily updated by any user in the package's namespace and can also have a list of maintainers. The ds cli Entropic requires a new command-line client known as ds or "entropy delta". According to the Entropic team, the cli doesn't have a very sensible shell for running commands yet. Currently, if users want to install packages using ds then they can now run ds build in a directory with a Package.toml to produce a ds/node_modules directory. The GitHub page reads, “This is a temporary situation!” But Entropic appears to be more like an alternative to npm as it seeks to address the limitations of the ownership model of npm.Inc. It aims to shift from centralized ownership to federated ownership, to restore power back to the commons. https://twitter.com/deluxee/status/1135489151627870209 To know more about this news, check out the GitHub page. GitHub announces beta version of GitHub Package Registry, its new package management service npm Inc. announces npm Enterprise, the first management code registry for organizations Using the Registry and xlswriter modules

Yesterday, the developers at Salesforce open sourced Lightning Web Components framework, a new JavaScript framework that leverages the web standards breakthroughs of the last five years. This will allow developers to contribute to the roadmap and also use the framework irrespective if they are building applications on Salesforce or on any other platform. The Lightning Web Components was first introduced in December 2018. The developers in their official blog post mention, “The last five years have seen an unprecedented level of innovation in web standards, mostly driven by the W3C/WHATWG and the ECMAScript Technical Committee (TC39): ECMAScript 6, 7, 8, 9 and beyond, Web components, Custom elements, Templates and slots, Shadow DOM, etc.” The introduction of Lightning Web Components framework has lead to a dramatic transformation of the web stack. Many features that required frameworks are now standard.   The framework was “born as a modern framework built on the modern web stack”, developers say. Lightning Web Components framework includes three key parts: The Lightning Web Components framework, the framework’s engine. The Base Lightning Components, which is a set of over 70 UI components all built as custom elements. Salesforce Bindings, a set of specialized services that provide declarative and imperative access to Salesforce data and metadata, data caching, and data synchronization. The Lightning Web Components framework doesn’t have dependencies on the Salesforce platform. However, Salesforce-specific services are built on top of the framework. The layered architecture means that one can now use the Lightning Web Components framework to build web apps that run anywhere. The benefits of this include: You only need to learn a single framework You can share code between apps. As Lightning Web Components is built on the latest web standards, you know you are using a cutting-edge framework based on the latest patterns and best practices. Many users said they are unhappy and that the Lightning Web Components framework is comparatively slow. One user wrote on HackerNews, “the Lightning Experience always felt non-performant compared to the traditional server-rendered pages. Things always took a noticeable amount of time to finish loading. Even though the traditional interface is, by appearance alone, quite traditional, as least it felt fast. I don't know if Lightning's problems were with poor performing front end code, or poor API performance. But I was always underwhelmed when testing the SPA version of Salesforce.” Another user wrote, “One of the bigger mistakes Salesforce made with Lightning is moving from purely transactional model to default-cached-no-way-to-purge model. Without letting a single developer to know that they did it, what are the pitfalls or how to disable it (you can't). WRT Lightning motivation, sounds like a much better option would've been supplement older server-rendered pages with some JS, update the stylesheets and make server language more useable. In fact server language is still there, still heavily used and still lacking expressiveness so badly that it's 10x slower to prototype on it rather than client side JS…” In support of Salesforce, a user on HackerNews explains why this Framework might be slow. He said, “At its core, Salesforce is a platform. As such, our customers expect their code to work for the long run (and backwards compatibility forever). Not owning the framework fundamentally means jeopardizing our business and our customers, since we can't control our future. We believe the best way to future-proof our platform is to align with standards and help push the web platform forward, hence our sugar and take on top of Web Components.” He further added, “about using different frameworks, again as a platform, allowing our customers to trivially include their framework choice of the day, will mean that we might end up having to load seven versions of react, five of Vue, 2 Embers .... You get the idea :) Outside the platform we love all the other frameworks (hence other properties might choose what it fits their use cases) and we had a lot of good discussions with framework owners about how to keep improving things over the last two years. Our goal is to keep contributing to the standards and push all the things to be implemented natively on the platform so we all get faster and better.” To know more about this news visit the Lightning Web Components Framework’s official website. Applying styles to Material-UI components in React [Tutorial] 5 reasons Node.js developers might actually love using Azure [Sponsored by Microsoft] Github Sponsors: Could corporate strategy eat FOSS culture for dinner?

Last week, Mozilla announced the release of Firefox 67, with many performance enhancing features to make Firefox “faster than ever”. On Thursday, Nathan Egge and Christopher Montgomery wrote a blogpost explaining the importance of high performance, royalty free AV1 video decoder, called ‘dav1d’. This feature is now enabled by default on all desktop platforms of Mozilla (Windows, OSX and Linux) for both 32-bit and 64-bit systems. AV1 allows high-quality video experience with very less network usage. It’s files are 30% smaller than today’s most popular web codec VP9. AV1 is also 50% smaller than its widely deployed predecessor H.264. AV1 has the potential to transform how and where we watch videos on the internet. ‘Dav1d’ allows developers to rewrite critical sections in highly-parallelized SIMD assembly allowing higher performance and greater efficiency. This enables smooth playback of AV1 video in the browser with significantly less CPU utilization. In 2018, Matt Frost, head of strategy and partnerships for Chrome Media at Google had predicted that it would take another two years for AV1 to adopt wide scale. He had said, “Hardware support will likely come in 2020, as chip development typically takes two to three years”. However statistics prove that ‘dav1d’ can turn this prediction upside down. In the last few months, Firefox Beta has seen a remarkable growth in video playback after implementing AV1. Firefox Beta latest figures show 11.8% of playback proportion in April 2019, up from 3% in March and 0.85% in February. Looking at this growth, more websites are expected to take advantage of this next-generation video codec AV1. Image Source: Mozilla Hacks With its immense advantages, Mozilla has decided to invest in the future of AV1. Mozilla and Xiph.Org are jointly developing a clean-room encoder named rav1e (the Rust AV1 Encoder). This will help in increasing encoding gains, i.e., reducing the signal-to-noise ratio which in turn will allow software encoding fast enough for real-time applications like WebRTC. Rav1e will develop methods to make AV1 encoding tools 1000x faster by finding new algorithms, rather than simply optimizing existing code. https://twitter.com/waxzce/status/1132924406278307840 A user on Hacker News comments, “AV1's been making good progress in Firefox. A 1080p60 video has gone from being essentially unplayable in AV1 to now being almost perfect on my 5-year old, AVX2 enabled laptop in Firefox 68 beta” Visit the Mozilla Blog to know more about dav1d and rav1e. Firefox 67 will come with faster and reliable JavaScript debugging tools Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons Mozilla developers have built BugBug which uses machine learning to triage Firefox bugs

Yesterday, the Tor team announced the release of Tor Browser 8.5, which marks the first stable release for Android. Tor Browser 8.5 was also released for other platforms with more accessible security settings and a revamped look. https://twitter.com/torproject/status/1130891728444121089 The first alpha version of Tor Browser 8.5 for Android came out in September last year. After being in the alpha testing phase for almost 8 months, this version aims to provide phone users the same level of security and privacy as the desktop users enjoy. Announcing the release, the team wrote, “Tor Browser 8.5 is the first stable release for Android. Since we released the first alpha version in September, we've been hard at work making sure we can provide the protections users are already enjoying on the desktop to the Android platform.” The browser ensures security by preventing proxy bypasses. It comes with first-party isolation to protect users from cross-site tracking and fingerprinting defenses to prevent digital fingerprinting. Though the Android version was released with various security features, it does lacks some Desktop features that we will see coming in the subsequent releases. Across all the platforms, this version comes with improved security slider accessibility. Earlier it was behind the Torbutton menu, which made it difficult to access. Along with this change, the Tor Browser also comes with few cosmetic changes. The user interface is similar to that of Firefox’s Photon UI and also has redesigned logos. The team further shared that, the other most popular mobile operating systems, iOS will not be getting Tor Browser any time soon as it is too restrictive. Users can instead use the Onion Browser. Read also: Understand how to access the Dark Web with Tor Browser [Tutorial] You can download Tor Browser 8.5 from the Tor Browser download page and distribution directory. The Android version is also available on the Google Play Store. Read the full announcement on Tor’s official website. Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features Firefox 67 will come with faster and reliable JavaScript debugging tools Mozilla developers have built BugBug which uses machine learning to triage Firefox bugs