another weblog

In my last blog post I mentioned how Scribus didn’t conveniently support some advanced features of OpenType, such as discretionary ligatures and alternate glyphs such as small-caps glyphs. Scribus is due to support more OpenType features in coming releases, but I needed a fix now. My immediate reaction was to start reading the Scribus source code, so I’d know where to start constructing the necessary code.

A little bit of thought gave me a much simpler, and higher-quality, workaround.

• TeX is widely considered to be one of the most advanced typesetting programs available. There are many implementations of TeX, many (all?) of which are free and open-source software.
• XeTeX is a version of TeX that merges in OpenType font support.
• The fontspec package, included in XeTeX, provides a very high degree of control over application of OpenType features. (Read the linked manual; it’s quite thorough.)
• Scribus can import vector graphics in PostScript format.

Gist of the workaround is that I do all my type work in TeX, render it out to PostScript, and insert the generated PostScript data into Scribus. (Scribus does have the ability to render TeX documents directly, but it seems to apply some really nasty rasterization filter to the output.) This means I lose the ability to edit text in Scribus, but for the vastly improved typesetting quality, I think it’s a worthwhile tradeoff.

Here’s a comparison shot. The XeTeX-generated output is on the top.
There seems to be a margin issue clipping the capital "J"’s descending stroke, but besides that, I like it a lot better.

EDIT: Actually, there is something that’s bugging me about the XeTeX output, which is that the left margin is (probably) mathematically straight but definitely doesn’t look that way. At least not to my eyes. Look at the “W” starting the second line, and compare it to the “A” in the first line.

I think the typographical term for what I really want here is optical margin alignment (i.e. making it look right vs. making it numerically “right”). There’s a TeX package out there called microtype that claims to calculate and implement, among other things, optical kerning and character protrusion (which I’m going to assume means “optical margin alignment”), but it can’t be easily ported to XeTeX. Poo.

Some of you know that I was assigned to shoot a wedding last week. Some of you know that I was working on a book of photos from that wedding.

Well, here’s a preprint copy for the holidays.

http://photon.ninjawedding.org/wedding-con-2/WeddingCon2-TheBook-preprint.pdf (~10 MB)

Username and password are the artist and title of the song played for the last dance. (Same as the last wedding I went to.)

Images in the PDF were exported at 72dpi and were JPEG-compressed to save space. This PDF is therefore not suitable for print, but if you’d like a printable copy, let me know and I’ll give you a 200dpi losslessly compressed version. (Warning: The print copy hovers around a gigabyte in size.)

There are some adjustments that I’d still like to make, but for a first public draft I think this is okay. One glaring problem that I still need to remedy is that Scribus doesn’t know how to use OpenType substitution glyphs, which means that I’m not really making use of the cute flourishes in my typefaces. (For example, Bembo — the book’s main typeface — has some very nice alternate glyphs for st and ct letter pairs, as well as a full suite of small-caps glyphs which I want to use.) I’ll need to hack Scribus to get that to work.

I am discussing printing and bookbinding options with the Denver Bookbinding Company. My plan is to produce five printed copies of the book; initial estimate is $125/copy for binding, and an still-unknown amount for printing. If you’d like a copy, let me know so I can refine the run length.

Enjoy. Though the book has significant flaws, I think it captures the moments of the wedding well. I hope you’ll agree.

I was reading the Wikipedia entry for Gaia Online. (Needed a break from code.)

Wikipedia links to a online bulletin board post by Gaia Online’s founder, dated sometime back in 2004, which announced that Gaia would be moving towards a social gaming environment.

In 2001, a friend of mine who used the handle dolmant created an online, JRPG-inspired Web-based game called Crescent Island. He started out with a small staff, and attracted a small following.

I started working on Crescent Island sometime in 2002 or early 2003, working on UI and gradually working on the game backend.

The game had a strong following, or at least strong enough to inspire some fan works.

Crescent Island is now dead, as far as I can tell. I drifted off to other projects; I’m not sure what dolmant did, but I think he may have also lost interest.

We didn’t beat Gaia as far as existence goes — Gaia started in 2000 — but we were likely ahead of them on the social-gaming curve by at least a year. Perhaps even two.
Had we maintained Crescent Island, would we have also caught the gravy train — managed to benefit from the same network effect that feeds Gaia Online? Be all rich and famous in the new Web world? Sell our users out to corporations for cash?

Hard to say. But it’s an entertaining thought.

211 photographs left after culling. Here’s one I’m particularly fond of because its mood changes with rotation angle.

Rotated by -6 degrees, the bride is a blessing for the groom:

But rotate it by 6 degrees and the bride becomes his burden:

I’m not yet sure which one I like better.

Won’t be posting any more pictures for a while; have plans.

I must have not been thinking clearly.

A distressingly growing proportion of photographs are tremendously out of focus — but then a successor photograph will be properly focused. And then back to Blurland. It’s as if I was momentarily stupid and mistook the focus ring for the zoom ring. Or perhaps my fingers were too numb to tell the difference and the viewfinder was too fogged for me to see anything.

I don’t know. Something happened. In any case I’m quite sure that I botched all the critical moments, which is a rather fucking impressive achievement — up there with the NASA unit conversion snafu and Blagojevich managing to stall the application of common sense.

Achievement in the XBox Live sense, obviously.

“Flagged as rejected” counter: 160/659 and increasing.

Firefox’s behavior with regard to sending HTTP cookies doesn’t seem to be fully standards-compliant. I don’t think this has been posted before — a quick search of the Mozilla bug database didn’t turn up anything — but if this has been encountered before I’ve love to know.

On Cookies

HTTP cookies consist of named chunks of data. They’re used as a way to graft session state on top of HTTP. (HTTP is a stateless protocol, which means that any given transaction between a client and server is independent of any other transaction between a client and server.) Cookies are stored client-side (i.e. a Web browser) and are transmitted to the server when necessary.

The implementation of cookies that just about every browser uses is specified in RFC 2965.

Cookies contain several metadata fields that instruct a client when it should consider a cookie “valid” and when it should send a given cookie to the server. For example, a cookie records which domain(s) it should be sent for, its maximum age before it’s considered stale and should be discarded, if it should only be sent to the server in an encrypted channel, and so forth.

The bit of metadata we’re concerned with here is a piece of metadata called the path.

On Cookie Paths

The cookie path, along with the cookie domain, defines a set of URLs for which the cookie should be sent to the server. Section 3.3.4 of RFC 2965, “Sending Cookies to the Origin Server”, states

The user agent applies the following rules to choose applicable
cookie-values to send in Cookie request headers from among all the
cookies it has received.
…
Path Selection
The request-URI MUST path-match the Path attribute of the cookie.

The definition of “path-match” is given in section 1:

For two strings that represent paths, P1 and P2, P1 path-matches P2
if P2 is a prefix of P1 (including the case where P1 and P2 string-
compare equal). Thus, the string /tec/waldo path-matches /tec.

From this definition, we can devise a few examples:

• /foo/bar path-matches /foo
• /foo/bar path-matches /foo/
• /foo does not path-match /foo/ (/foo/ is not a prefix of /foo)

It’s that last example that I want to talk about.

Firefox

I set up a small PHP script at http://tinderbox.ninjawedding.org/cookies/ that just sets cookies. Here’s the full code of the script.

<?php
if ($_COOKIE["set"] == "") {
    setcookie("set", "HAS BEEN SET", 0, "/cookies/", "tinderbox.ninjawedding.org", false, true);
}
echo("The cookie named 'set' has the value " . $_COOKIE['set'] . ".");
?>

Not much to it. The parameters of setcookie, in order, instruct the browser to:

• make a cookie named “set”
• …and stick the value “HAS BEEN SET” into it
• …and only let the cookie stick around until you close your browser (0 means “expire at end of session”)
• …and only send it for URLs path-matching /cookies/
• …and send it if the domain is tinderbox.ninjawedding.org
• …and send it for any type of HTTP connection, encrypted or otherwise
• …and send it only for HTTP connections

If we visit this script once with Firefox 3.0.4, we’ll have the cookie set. So far, so good. If we now go back to http://tinderbox.ninjawedding.org/cookies/, we’ll see "HAS BEEN SET" appear on the screen, meaning that the cookie was sent for http://tinderbox.ninjawedding.org/cookies/.

But now break out a network sniffer — I like Wireshark — and go to http://tinderbox.ninjawedding.org/cookies. My lighttpd configuration on tinderbox will cause an immediate redirection back to http://tinderbox.ninjawedding.org/cookies/, so you’ll see that redirection going on, but there’s something extra in there:

Firefox is sending the “set” cookie for /cookies and /cookies/. I’m pretty sure this isn’t the right thing to do, based on RFC 2965 and the fact that WebKit, or at least recent builds, do not behave like this. If you perform the Wireshark experiment with a WebKit-based browser (like, say, Safari), you will not see the Cookie header being sent for /cookies.

How I Found This

At work, we use CAS, which is a single sign-on system for Web applications. One of our applications using CAS had a small bug that caused it to send a request to cas_base_url instead of cas_base_url/login. This was fixed, but the problem was masked for a while.

The reason why is two-fold:

1. The CAS server protocol specification does specify the behavior of some URLs, such as /login and /logout, but it leaves / (the cas_base_url) unspecified. The CAS server we use treats requests to / as if it were a request to /login.
2. Our CAS server doesn’t redirect to a URL with a trailing slash if a URL without a trailing slash is sent. I think it’s some Apache rewrite rule configuration that’s not quite set up right, but I’m not really sure. At any rate, putting a trailing slash on a CAS URL doesn’t do the right thing in our setup; you want to elide the slash.

Firefox would send the CAS cookies to cas_base_url when the aforementioned application send a request to it. This made the application log in fine under Firefox. But under Safari — which didn’t send the cookies — this didn’t work at all. In fact, in the absence of cookies, the CAS server treated it as if though the user never logged in.

Is This Really A Problem?

I don’t know. From a pure follow-the-standards perspective, I think it is a problem (though, of course, I’d love to be proven wrong, too). From a more pragmatic perspective, though, it’s hard to say.

For example, I can gin up some scenarios in which it could be a security problem — say that http://www.example.com/foo and http://www.example.com/foo/ are owned by different entities, and you only trust one of them — but I’ve never seen that happen in practice.

Conclusion

I think Firefox 3.0.4’s cookie handling is incorrect and should be fixed.

I don’t know if this bug has been reported. As I said at the beginning, one Bugzilla search didn’t turn up anything, but maybe a variation on that search (or a totally different one) would strike gold. Let me know if I’ve missed something.

If nobody can find anything, I guess I’ll report it.