Improving the Pointer Events Polyfill

Today, we’re excited to announce that Google has transferred its Pointer Events polyfill to the jQuery Foundation. This polyfill was originally written by Google’s Polymer team but since Google has chosen to put their Pointer Event implementation on hold, we engaged to ensure that the polyfill is maintained and continues to be a tool developers can use as a path to the eventual native implementation in all browsers. Many thanks to Google and the Polymer Team for allowing us to build off their work and continue development.

The jQuery Foundation has been, and continues to be, a strong proponent of standards, and we are specifically strong proponents of the Pointer Events standard because it will simplify the way web developers handle user interactions. Today developers are saddled with two very different event models for mouse and touch, even though they share many similarities. The result is often code that has a myriad of special cases, particularly when the device itself generates “fake” mouse events from touches. The jQuery Foundation hopes to drive developer adoption of this unified event system. Our goal is to have all browsers implement this standard natively.

Just yesterday, the W3C took the Pointer Events specification to the Proposed Recommendation stage. This makes Pointer Events one step closer to a finished standard and gives browsers a solid base on which to implement these APIs. Some browsers have even begun their implementation. Unsurprisingly, Internet Explorer, where the first implementation of Pointer Events began before being submitted to the W3C for standardization, has implemented Pointer Events, and Firefox has a branch of their code base implementing Pointer Events which they intend to port to all versions of Firefox. Both of these implementations recently passed 100% of the Pointer Events test suite, so implementation is progressing nicely.

We want to thank Microsoft Open Technologies for their hard work on Pointer Events and their continued support. We also want to thank IBM, Mozilla, Google, Dojo and the many other organizations and individuals that have helped and continue to help make developers’ lives easier through the creation, fostering and promotion of new standards like Pointer Events. If you want to get involved or just want to start using Pointer Events in your projects, head over to the new Pointer Events repo and check it out.

jQuery.com September 2014 Security Retrospective

During the last two weeks of September, we found our way into the headlines due to a series of attacks on our web servers. Today, we wanted to give everyone a brief update on the status of our websites and a recap of what happened over the last two weeks.

jQuery Under Siege

Early on the morning of September 18th we were hit with a DDoS and went offline. We were down for a couple of hours. The sites were brought back up later that day on September 18th and all seemed well.

Later, during the afternoon of September 18th, we were contacted by a security company named RiskIQ reporting that their crawler had reported malware being served by our content sites. There were never any reports that the jQuery libraries or the CDN were ever compromised. Immediately upon receiving that report, we completely destroyed and reimaged all of those machines, revoked and reissued all associated SSL certificates, and confirmed that there was no suspicious content being served at that point. Since then, our own team and security folks from Mozilla and MaxCDN have worked to analyze logs and attempt to confirm the impact of this attack.

On September 23rd, RiskIQ went public with their report which picked up steam throughout the day on various media outlets and Twitter. The next morning, September 24th, as DDoS attacks on our properties continued to increase both in frequency and magnitude, CVE-2014-6271, otherwise known as the ShellShock vulnerability, was issued. As we continued to respond to the media discussion and communicate to the community what had happened on September 18th, we were victimized again in a series of much more public attacks involving the repeated defacing of jquery.com.

Investigations into our systems have yet to find the initial attack vector. However, we did take some steps to make ourselves more secure. For instance, some of our WordPress installs were out of date, all of our servers were vulnerable to the recent shell vulnerabilities, and NGINX was slightly out of date, as well as maybe a few other patches, etc., that needed to be made. The infrastructure team dove in and began making those changes and started building new, fully patched and secured servers to host our sites. It appears these changes were effective, as the defacing stopped and we have not seen any evidence of intrusion since.

Later on September 24th, a massive and unrelenting DDoS attack began. It seemed as though it would come in waves, but did not stop until late on September 28th. Most of the time on September 26th and 27th was spent trying to implement various products and solutions in order to keep the servers alive. We fought day and night to try to keep the sites up. We have to commend Corey Frang, Adam Ulvi, the rest of the infrastructure team, and others; they worked through the nights and in alternating shifts to try to keep us on the internet. Without their efforts, we would not have had the short amounts of uptime we did. One significantly important step that we took was to reach out to CloudFlare, who generously and rapidly gave us access to their Enterprise service which has helped tremendously in mitigating these attacks.

Moving Forward

jQuery and the jQuery Foundation are important to the web ecosystem, as is evident from the amount of press and the number of concerned individuals and organizations that have reached out to ask questions about this attack. The jQuery Foundation works on a daily basis to maintain and improve our projects and the infrastructure around those projects. The goal of this work is to continue to make web developers’ jobs easier and make sure they have a voice in the world of standards and browsers. However, these objectives take a large quantity of resources. Whether those resources are provided by access to expertise of a company’s employees or services, or through financial support, we would be unable to continue this important work without the support of the open source community and our supporting members.

We have been asked several times throughout this ordeal about why we didn’t have XYZ service in place or why we didn’t have our security team keeping a closer eye on these types of risks. The simple answer is that our budgets are tight and resources are limited. Our infrastructure team, and most of our teams for that matter, are made up of volunteers who give their time for free to make sure things keep running. The Heartbleed and ShellShock vulnerabilities are recent examples of how badly things can go when open source projects are taken for granted and just assumed to be OK. Eventually something is going to fall through the cracks and those cracks become larger and more frequent when people are doing what they can in their spare time.

So how can you help? As an individual, get involved in one of our projects. We can always use help writing code, designing, maintaining servers, working on events and the list goes on. Take a look at contribute.jquery.org or come say hi on IRC in one of our many channels listed on irc.jquery.org. As an organization, we would love to hear about any service you may be willing to donate, any developers or other skilled professionals that you could spare for a few hours a week or if you can help financially. Send us a message at [email protected] and let us know how you can help.

We haven’t wanted to say too much about these attacks as they have been happening because we remain a juicy target in the eyes of hackers who are continuing to attempt to infiltrate our servers even as of this writing. In sharing all of this information with the community now, we’ve tried to balance the need to explain what’s been happening with the potential backlash that could happen as a result of coming out publicly and saying that we believe we have the situation under control.

That said, we do at this point believe that we have the situation under control. For this, a huge thanks is due to the entire jQuery infrastructure team, who rolled up their sleeves and worked tirelessly on these issues to get us back to a good place. We will continue to be vigilant in ensuring the reliability and safety of all of our resources for our community of users.

The (Not Just) jQuery Foundation

The jQuery Foundation’s mission has always been about more than just our namesake projects of jQuery, jQuery UI, and jQuery Mobile. We already host several projects such as Sizzle, QUnit and Globalize that are not dependent on the jQuery library.

This wider web-oriented mission is evident in our jQuery Conferences, which span a wide range of developer concerns beyond jQuery, including Node, CSS, tooling, testing and much more. Over the years we’ve had talks on build tools, accessibility, security, performance, design patterns, and frameworks such as Ember and Angular. At our San Diego conference this past February, for example, Lenny Markus gave a great talk on PayPal’s continuing adoption of Node as they move away from Java and proprietary solutions, Catherine Farman talked about real world responsive design, and John Dimm gave a talk on the HTML5 speech APIs.

The jQuery Foundation is participating in the continuing evolution of the web platform via our memberships in both the W3C and ECMA TC39 (the group standardizing what we know as JavaScript). We feel that it’s essential to have strong representation in those standards groups to ensure they meet the needs of developers. The Foundation provides a platform for developers to have a voice in these standards bodies.

Beyond the technical compatibility between our projects, we also share the open source model and all the benefits it provides. The Foundation adds the benefit of a top-level structure designed to serve the projects, providing the resources they need but letting the contributors decide the best direction for the project based on community input. Any project that joins the Foundation is given the ability to serve their community’s needs rather than be constrained by the goals of a for-profit company.

Though this has been our mission for a long time, we felt we needed to make this clearer. We are excited to start bringing this part of our mission into the light and start actively working toward a more open web accessible to everyone. If you are excited as well, please help us. Contribute your time to Foundation projects. Offer your company’s services. If you or your company have an established open source project that you believe could benefit everyone and flourish by becoming part of the jQuery Foundation, check out our philosophy around projects joining the Foundation and let us know you’re interested. If you would rather just support the existing and future projects of the Foundation through financial support, become a member of the Foundation. Open source projects will only thrive if everyone who benefits from them contributes back in whatever way they can.

Supporting the Cause, Improving the Web

To help the jQuery Foundation accomplish its mission to improve the open web and make it accessible to everyone, we established a membership program where organizations and individuals could join the foundation to help us support our goals. In return, members are recognized both on our websites and at conferences. Since that time, a number of companies, large and small, as well as individuals, have stepped up to support the foundation and continued success of the jQuery projects. A full listing of our members is available on the member page on jquery.org.

Corporate Memberships

Corporate memberships are available in several levels based on support, ranging from Bronze to Platinum. Beyond those levels is our top-level membership, called our Founding members. Currently, WordPress is our single Founding member. They are a huge part of the jQuery Foundation mission and we would like to say a special thank you to them. We would not be here if it wasn’t for the support of WordPress and our many corporate members at every level.

So what does a member get in return for their support of the Foundation? Depending on the level of support, there are a number of ways we recognize and thank our members. Every member is recognized on the member page. As you progress up through the different levels of membership, more benefits become available, such as conference recognition, free and reduced price conference sponsorship packages, invitations to team meetings to discuss the development and direction of the jQuery projects, and even the ability to host jQuery licensed events of your own. For more information about the corporate membership program, e-mail us at [email protected].

I’m not a Corporation, how can I help?

We’re glad you asked. The jQuery Foundation also has an individual membership program where people can donate smaller amounts to help support the Foundation and in return, we send out some cool jQuery branded gear. When the program started, we offered three levels of membership for individuals. That just got too complicated for both the members joining as well as the folks managing the payment and gift fulfillment. There is now only one level of individual membership at the $400 per year level. If you think about it, that’s really only a little more than $1/day to help keep the jQuery Foundation running. You can see all of our individual members listed on the member page. As new members are added, they will be listed as Heroes until the transition from a 3-tier to 1-tier program is complete and everyone has merged into a single list of Individual Members. If all of this has got you itching to become part of the next wave of individual members, head on over to https://jquery.org/join/ and join our ranks.

Membership may not be an option for everyone, but there are still ways you can support the Foundation’s work. The first way is through donations. The jQuery Foundation accepts donations, both large and small, through PayPal. If that’s an option that interests you, check out our donate page. Another way to help the foundation is by grabbing yourself a nice shirt or some stickers over at DevSwag. We have partnered with DevSwag, as many other open source projects have, to license the sale of official jQuery branded clothing and other items, and a portion of the proceeds from those items is donated to the jQuery Foundation.

No matter if you’re a company or an individual, we hope you’ll take the time to consider supporting the jQuery Foundation to keep us working toward making the web accessible to everyone.

One Last Thing …

We thought we would let you know one more time about the upcoming jQuery Conference in San Diego. The conference is February 12-13 and is preceded by Bocoup’s 2 day training conference Roost on February 10-11. Don’t forget to take $50 off your ticket to one or both of these events using discount code jqblog50 at checkout!