Thursday, 25 October 2007

CardMeeting should be marked -Handle with Care-

Hello CardMeeting users,

Ever since I put that waiting room in, I saw daily logins decline steeply. Earth to Dave: that means there's a bug!

The bug was one of those "50% of your population affected" bugs, and of course I was in the "50% not-affected" group. Here it was: if you are one of those people who likes to go to www.cardmeeting.com, you wouldn't be allowed to log in to a CardMeeting. But if you have the habit of dropping the "www." and just going to cardmeeting.com, then you could successfully log in to a meeting.

I know: bizarre reason, right? Well, the issue lay in my naive JavaScript for the waiting room. As a matter of course, I would prepare a URL to poll the server for the user's waiting room status. That URL was essentially the current page's URL, stripped down and with the polling page's path added back on. But as part of that stripping down, I would remove the "www." from the hostname if I saw it.

This wouldn't be a big deal except that I use hidden iframes to communicate with the home server in the waiting room. The iframes request status updates, which typically involve making a JavaScript call back out to one of the main window's functions. The catch is that if the scheme, hostname or port on the iframe's URL doesn't exactly match the main window's URL, the browser treats the iframe as a different "origin", and its same-origin policy refuses to let script in one origin touch the other. That policy exists to contain "cross-site scripting" (sometimes called XSS) attacks, and the browser applies it whether or not anything malicious is going on.

Many a spoofer and spammer and candlestick maker have used XSS tricks as an attack to steal bank passwords and eBay logins, so browsers consider cross-origin script access a security no-no and disallow it. In my case, if you visited the website via www.cardmeeting.com, the waiting room would fail because an iframe loaded from "cardmeeting.com" was trying to call JavaScript in a window loaded from "www.cardmeeting.com". Ahhh, different hostnames, different origins! Shut it down, XSS attack! *SIGH* I wish this stuff wasn't so persnickety!
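Here is the mistake reconstructed in working code. This is an added example, not CardMeeting's actual JavaScript: it builds the polling URL the buggy way (dropping "www.") and the fixed way (resolving the poll path against the page's own URL), and then applies the same-origin comparison the browser makes before letting an iframe call into its parent. It uses the WHATWG URL API (available in browsers and Node). The poll path "/waitingroom/status.html", the callback shape and all function names are assumptions for illustration; only the two hostnames come from the post.

```javascript
// Added example, not CardMeeting's own code. Reconstructs the "www." stripping
// bug and the fix using the WHATWG URL API. POLL_PATH and every function name
// here are assumed for illustration; only the hostnames come from the post.

const POLL_PATH = '/waitingroom/status.html'; // assumed path of the status page

// Buggy builder: take the page URL apart, "normalise" it by dropping a leading
// "www.", then glue the poll path back on. A user who arrived via
// www.cardmeeting.com now gets an iframe whose URL is on a different host.
function buildPollUrlBuggy(pageUrl) {
  const u = new URL(pageUrl);
  const host = u.hostname.replace(/^www\./i, ''); // the mistake: this changes the origin
  const port = u.port ? ':' + u.port : '';
  return `${u.protocol}//${host}${port}${POLL_PATH}`;
}

// Fixed builder: resolve the poll path against the page URL and leave the
// origin alone. Whatever scheme, host and port the user typed, the iframe
// inherits them, so it always stays same-origin with the main window.
function buildPollUrlFixed(pageUrl) {
  return new URL(POLL_PATH, pageUrl).href;
}

// The same-origin policy compares scheme, host and port, all three exactly.
// "www.cardmeeting.com" and "cardmeeting.com" are different origins even
// though they serve the same site. (URL already lower-cases the hostname and
// drops a scheme's default port, so the string comparison is enough.)
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// Models the hidden iframe calling parent.someFunction(status): a real browser
// refuses cross-origin access with a SecurityError; that refusal is simulated
// here by throwing, so the failure mode is visible outside a browser.
function deliverCallback(pageUrl, iframeUrl, status) {
  if (!sameOrigin(pageUrl, iframeUrl)) {
    throw new Error(
      `SecurityError (simulated): frame at ${new URL(iframeUrl).origin} ` +
      `cannot access window at ${new URL(pageUrl).origin}`
    );
  }
  return { delivered: true, status };
}

// One waiting-room poll for a given page URL and URL builder. Returns true if
// the status update reached the main window, false if the browser blocked it.
function waitingRoomWorks(pageUrl, buildPollUrl) {
  const iframeUrl = buildPollUrl(pageUrl);
  try {
    deliverCallback(pageUrl, iframeUrl, 'admitted');
    return true;
  } catch (e) {
    return false;
  }
}

// Reproduces the "50% affected" split: with the buggy builder only the
// no-"www." visitors get through; with the fix both do.
if (typeof require !== 'undefined' && require.main === module) {
  for (const page of ['http://www.cardmeeting.com/meeting',
                      'http://cardmeeting.com/meeting']) {
    console.log(page,
      'buggy:', waitingRoomWorks(page, buildPollUrlBuggy),
      'fixed:', waitingRoomWorks(page, buildPollUrlFixed));
  }
}
```

The comparison in sameOrigin is the whole lesson: the browser never asks whether two hosts belong to the same site, only whether scheme, host and port are identical. The period workaround of setting document.domain on both frames to relax the check is deprecated and being disabled in current browsers; deriving the iframe URL from the page's own origin, as buildPollUrlFixed does, needs no such relaxation.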

This experience hammers home that when bugs shut people out cold from a free (as in beer) software project/product, they don't wave their hands, cry foul, and help you fix it. They just go away. I'm the same way; I just figure that someone has already told the programmer about the issue and don't waste my time on it. I suspect it would be different if I had a bug tracking system installed; then people would have a structured place to come and describe the bugs they've been experiencing and see whether someone else has already reported them. I probably need to look into installing something like that at some point so that I can properly engage my users.

Also, when user logins drop sharply, I think that's a sign that I need to take some corrective action someplace.

Well, that's it. If CardMeeting still isn't working for you, please let me know. You can email me at dave@woldrich.com. Thanks to my good friend Andy for pointing out the XSS snafu.

Stay close,
Dave Woldrich

Posted by davew at 5:50 PM in /