Safari 11, Multiline HTTP Headers, and NSPOSIXErrorDomain:100.

I was happy when Mozilla announced that it was going to take a serious stab at the browser market again and released Firefox Quantum, a beta version of Firefox that runs significantly faster than the current stable version. So far I’ve been mostly impressed by it. However, Firefox Quantum has one significant flaw: it hogs the CPU. Even when idling I’ve noticed Firefox Quantum processes taking anywhere from five to 20 percent of the available power on one of my CPU cores. I decided to compare this CPU usage against Chrome and Safari, which led me down quite the rabbit hole.

It all started when I tried to load my blog in Safari. Previous versions of Safari haven’t had any difficulty loading my site but when I tried to load it in Safari 11 I received the following error:

NSPOSIXErrorDomain:100 is about as useless as an error message can get. Unfortunately, Google didn’t provide me much insight. After a series of Google searches I did come across this article, which discusses some problems previous versions of Safari have had with Content Security Policies (CSP). Since I implemented a CSP for this site, I figured it was a good place to start. Lo and behold, when I disabled my CSP the site loaded in Safari again.

This confused me since, as I mentioned earlier, my site, with its current CSP, loaded in previous versions of Safari. I thought that maybe one of the fields in my CSP had been deprecated or was misconfigured, which led me to test with a very simple one-line CSP. When I tested with the simplified CSP my site loaded again. When I added an additional line to my CSP the site stopped loading again. That led me to suspect the line feed characters. I had split my CSP into multiple lines to make it easier to read and edit, so it looked like this:

add_header Content-Security-Policy "default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com;
  img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com;
  style-src 'self' 'unsafe-inline' https://fonts.googleapi.com;
  font-src 'self' data: https://fonts.gstatic.com;
  object-src 'none';
  media-src 'self';
  child-src 'self' https://www.youtube-nocookie.com https://akismet.com;
  form-action 'self';";

I know it looks a little wonky since it includes unrecommended values like ‘unsafe-inline’ and ‘unsafe-eval’ for script-src but those, as well as a few other odd values such as the ‘data:’ font-src value, are needed by WordPress, which was developed before CSPs were a thing. But I digress. I decided to collapse the entire HTTP header value into a single line so it looked like this:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com https://s2.wp.com https://stats.wp.com; img-src 'self' https://secure.gravatar.com https://s0.wp.com https://s1.wp.com https://s2.wp.com https://chart.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapi.com; font-src 'self' data: https://fonts.gstatic.com; object-src 'none'; media-src 'self'; child-src 'self' https://www.youtube-nocookie.com https://akismet.com; form-action 'self';";

After I did that my site loaded in Safari again. Then I reverted my configuration to the original multiline version but changed the standard UNIX newline character \n to the Windows-style \r\n (which is also the standard line ending for HTTP). After I did that my site failed to load again. Safari simply didn’t like newline characters appearing anywhere in a header value.

It seemed that Safari 11 was unhappy with something that every other browser, including its predecessors, is still perfectly happy with. I suspected this was a bug in Safari but decided to do some digging before submitting a bug report. This was a good choice because I was mistaken. Searching for information about multiline headers led me to this entry on Stack Overflow, which led me to RFC 7230. Amongst other things, RFC 7230 deprecated multiline header fields:

Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 8.3.1). A sender MUST NOT generate a message that includes line folding (i.e., that has any field-value that contains a match to the obs-fold rule) unless the message is intended for packaging within the message/http media type.

It turns out that Safari 11 is adhering strictly to RFC 7230. And as of this writing it’s the only browser doing so. It also turns out that I’ve been unknowingly writing my CSP against the HTTP standard all along.

The moral of the story is if Safari 11 throws an NSPOSIXErrorDomain:100 error, check your HTTP headers to ensure they don’t contain multiline values.
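As an added example (not the post’s own code, and run against a constructed response rather than one captured from this blog), a small Python checker that flags any header value spanning more than one line and unfolds it the way RFC 7230 allows a recipient to, so you can verify what your server actually emits before Safari 11 tells you with NSPOSIXErrorDomain:100:

```python
import re

# Constructed sample response: the multi-line nginx add_header value from the
# post goes out on the wire with its line breaks and leading spaces intact,
# which is RFC 7230 obs-fold. The CSP continuation lines use bare LF (what a
# literal newline inside nginx's quoted string produces); the rest uses CRLF.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Security-Policy: default-src 'self';\n"
    b"  script-src 'self' https://s0.wp.com;\n"
    b"  object-src 'none';\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
    b"<html></html>"
)

HEADER_END = re.compile(rb"\r?\n\r?\n")   # first blank line ends the headers
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")    # CRLF (or bare LF) then SP / HTAB


def header_lines(raw: bytes) -> list[bytes]:
    """Return the header section as lines, tolerating bare-LF line ends."""
    head = HEADER_END.split(raw, 1)[0]
    return [ln.rstrip(b"\r") for ln in head.split(b"\n")]


def find_folded_headers(raw: bytes) -> dict[str, list[str]]:
    """Map each lower-cased header name whose value is line-folded to the
    stripped continuation lines that follow it (empty dict = RFC 7230 clean)."""
    folded: dict[str, list[str]] = {}
    current = None                              # header name in progress
    for line in header_lines(raw)[1:]:          # [0] is the status line
        if line[:1] in (b" ", b"\t"):           # leading whitespace = obs-fold
            if current is not None:
                folded.setdefault(current, []).append(line.decode("latin-1").strip())
            continue
        name, colon, _ = line.partition(b":")
        current = name.decode("latin-1").strip().lower() if colon else None
    return folded


def unfold_headers(raw: bytes) -> bytes:
    """Return the response with every obs-fold replaced by a single SP (the
    recipient-side repair RFC 7230 permits) and header line ends set to CRLF."""
    m = HEADER_END.search(raw)
    head, rest = (raw, b"") if m is None else (raw[:m.start()], raw[m.end():])
    head = OBS_FOLD.sub(b" ", head)
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    return b"\r\n".join(lines) + b"\r\n\r\n" + rest
```

Running find_folded_headers over a server’s real response (for example the bytes returned by a raw socket read) is the check the story calls for; unfold_headers is what a lenient client does silently, which is why every other browser kept loading the site.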

Oh, and if you’re wondering, Safari 11 uses significantly less CPU power than Firefox Quantum. Chrome also uses significantly less CPU power than Firefox Quantum. But it’s worth noting that Firefox Quantum is beta software and its CPU usage may improve before its final release.

Posing for Rockets and Bombs

Football season has started. I only know this because a bunch of people were once again arguing about the proper way to pose when that Rockets and Bombs song plays before the gladiatorial event commences.

How is this still a thing? How can people bring themselves to care deeply about how somebody else poses for a song? If you want to stand up for Rockets and Bombs, then by all means do so. If you want to sit down, then do so. If somebody else doesn’t want to do the same thing as you, it won’t impact your life in any way whatsoever, so don’t concern yourself with them.

You Win Some, You Lose Some

I’ve seen a few of my libertarian friends announce that they’re moving away from Google in response to the company firing the engineer who issued that now famous manifesto about gender.

On the one hand, I count this as a win. I’ve been encouraging people to leave Google’s surveillance platform for years now.

On the other hand, I count this as a loss. Apparently the fact that Google makes its money off of spying on its users and often provides the information it has collected to law enforcement (not necessarily by choice) wasn’t enough to dissuade a lot of libertarians from using Google’s services. But the company deciding it no longer wants to associate with an employee? That’s downright unacceptable!

You win some, you lose some.

Nothing to See Here

I spent last night breathing new life into an old Mac Mini. It ended up being more of a hassle than I expected since Amazon sent me a 250GB solid state drive (SSD) instead of the 500GB SSD I ordered. When I returned the drive the replacement they sent was, once again, a 250GB SSD. Thank the gods for Microcenter.

Nothing to See Here

I was at the Sabaton concert last night so I didn’t get anything written for today. If anybody is wondering, Sabaton put on a great show. Battle Beast, another band I enjoy, was one of the opening acts and also put on a good show. In fact, I wish Battle Beast would have had some additional stage time.

Pragmatism is My Least Favorite Philosophy

Pragmatism is my least favorite philosophy. Unfortunately, it seems to be the philosophy a majority of the human race has subscribed to.

The idea behind pragmatism is that policies should be implemented that provide the greatest good to the greatest number of people. On paper that doesn’t sound bad. In practice it has led to a tremendous amount of death and destruction.

The very foundation of pragmatism is unsound because it never addresses what the greatest good is. What qualifies as the greatest good to me may not necessarily qualify as the greatest good to you. Consider the Nazi Party (we’re bringing Godwin into this conversation right at the start). The Nazi Party blamed much of the world’s problems on the Jews and decided that the world would be far better without them. This led to the Holocaust. Now consider the Soviet Union. The Soviet Union believed that the greatest good for humanity was communism. It saw anybody who disagreed with communism as a threat to the future of humanity and, like the Nazi Party, chose to exterminate that perceived threat. Millions of people were slaughtered by those two regimes. Did they provide the greatest good to the greatest number of people? Most people today would say that they didn’t, but the people who were running those regimes believed that they were.

Therein lies the biggest problem with pragmatism: anything goes so long as it can be justified as the greatest good for the greatest number of people. If a few million people have to die? Well, you can’t make an omelet without breaking a few million eggs! That’s just the price we have to pay for progress!

A Child in a Third World Country is Wondering What is Wrong with Americans

There is a child in a third world country painting fake mud onto jeans and wondering what the fuck is wrong with Americans:

After it was ridiculed for selling designer rocks at Christmas, Nordstrom may have topped itself with its latest offer.

The department store is offering a pair of jeans covered in fake mud for a whopping $425.

Stateside there are farmers, construction workers, miners, and other working professionals who are probably willing to dirty up the jeans you already own for a much more reasonable price. I sense an agorist business opportunity.

Let’s Encrypt

Most of you probably didn’t notice but over the weekend I changed this blog over to Let’s Encrypt. There really aren’t any changes for you but this is a project that I’ve been planning to do for a while now.

Since I changed this site over to HTTPS only, I’ve been using StartSSL certificates. However, when it was announced that StartCom, the owner of StartSSL, was bought by WoSign I was wary of renewing my certificates through them. When it was later announced that StartCom and WoSign were backdating certificates to get around the SHA-1 deprecation deadline I knew it was time to move on. The good news is that Let’s Encrypt is far easier than StartSSL was. Setting it up took a bit of time because Nginx support in Let’s Encrypt is still experimental and the other options for pulling certificates without shutting down the server required some server customizations. But once everything was set up it was simple to pull certificates.

While I was changing over my certificates I also took the opportunity to implement a Content Security Policy (CSP). Now when you load my page your browser is given a whitelist of locations content can come from. This reduces the threat of potential code injection attacks. Unfortunately, due to WordPress, I had to enable some unsafe options such as executing inline JavaScript and eval() statements. I’ll be looking for ways to get rid of those in the future though.

So you can breathe easy knowing that your browsing experience is even safer now than it was before.