Progressive enhancement FTW
The first talk I'd like to share was everything but disappointing. I already saw Rachel Andrew last year at the Front-end Conference in Zürich — an impressive talk about the CSS Grid Layout — and so I was eager to listen to her again. This time the topic was “The business of front-end development” and covered various themes related to her current work and experience.
So what is front-end development? As she said, it used to be mostly being a browser bugs expert. But as they become more and more focused on standards and keep updating frequently — and even automatically — we can finally focus on the most important: creating a good user experience.
The problem is, we tend to be lazy and installing frameworks and libraries without even thinking about the drawbacks is becoming the standard. As Rachel said, we are for sure gaining time on our sides, making our processes quicker but is it worth it? It might cause accessibility issues or even increase the site loading time and you should probably care about this.
Projects are all different, put your usual tools aside when they don't fit. Think about your visitors' browser, the country they live in and the usual network connection they have. Focus on the core experience and then — and only then — make it shine.
The slides are available on Speaker Deck.
Web security is hard
The second talk that particularly caught my attention was the one from Alex Sexton about “Hacking Front-end Apps”. I knew security on the web was hard, but I really got impressed by his examples of possible hacks.
As he told us, we all have a friend named
<script>alert('Hacked')</script> somewhere in our database but that's just the tip of the iceberg. All the libraries you hot-link from CDNs, the JSONP requests you do, all these flaws could potentially result in external code being executed on your site.
“You cannot detect malicious code”; I totally approve this assertion, myself having been hacked in the past. The upcoming solution therefore totally makes sense: block everything by default and then white-list only what you trust.
“Content Security Policy”, a W3C Candidate Recommendation, is a standard HTTP header designed to allow websites to declare approved sources of content that browsers are allowed to load into the current page.
eval() and any cross-domain resources including images and fonts by default. It even offers the possibility to report violation to your the URL of your choice. Ain't that great?
All you have to do then is to define a white-list of resources you want the browser to load. The support is pretty good and you can read more about it on content-security-policy.com.
Discover a bunch of the most weird front-end hacks in the slides.
But that's not all…
The interactive presentation of Ben Foxall about browser capabilities was fun. Listening to Tom Dale talking about the process behind Glimmer, Ember's rendering engine, was interesting. Also watching James Halliday creating a Twitter-like messaging system based on P2P was pretty impressive. And finally, hearing Mikeal Rogers saying that Node and IO will be together again to release Node 4 under the Node Foundation was reassuring.
This edition of FutureJS was great; especially the venue and the party at the beach. The biggest disappointment was probably the Wi-Fi who was actually worse than the one from the hotel. If anyone from the organizers is reading this, please do something for next year! Full Stack Fest will takes place again for sure but the dates aren't known yet, check the line-up once its released!