FdAjax Security + Accusations

September 1st, 2007 by Michael Carter

I am responding to a rather confrontational comment post by Grzegorz Daniluk in which he responds to Jacob Rus’s post Why Orbited Doesn’t Suck. Here is the post by Grzegorz:

FdAjax allows sending a string or a number directly to other users. Moreover, even this option can be disabled. It is up to the developer what he does with that string. This is completely different from what Jacob Rus claims about FdAjax here in this post.

On the Refwell blog there is an example chat application which uses direct user-to-user communication. Mr. Jacob Rus, please provide proof that you can do what you described in your blog post. Otherwise I’ll have to treat your post simply as FUD.

Grzegorz, the authors of the Orbited blog seek only to disseminate facts. We would never intentionally misinform our readers, and I resent the accusation.

I’ve taken a closer look at Grzegorz’s FdAjax blog posts, and it seems that Jacob and I have both had some misconceptions about how FdAjax works. I’ve been thinking in terms of Cometd for so long that when I saw some example code from FdAjax, I misunderstood. Specifically, I looked at this code from the blog post titled FdAjax and Mini-chat:

var opt = {
    onSuccess: function(resp) {
        try { eval(resp.responseText); } catch (e) {}  // run the server's reply as JavaScript; any error is swallowed
        setTimeout("fdajax.send_request();", 20);       // re-issue the long-poll request almost immediately
    },
    onFailure: function(req) {
        setTimeout("fdajax.send_request();", 10000);    // on failure, retry after 10 seconds
    },
    method: 'get',
    parameters: "cmd=wait&user_id=" + fdajax.user_id +  // identify this user and window to the server
                "&win_id=" + fdajax.win_id + "&types=chat"
};

I noticed the eval on the third line and thought it was handling JavaScript events sent directly from one browser to another. This is on closer inspection not the case — Jacob’s post was written after a quick survey he took of various comet servers, and rereading it neither of us caught this — and I’m sorry for any misunderstanding that resulted. I’ll look more closely at FdAjax and put together a comprehensive review when I get a chance. In the meantime, we retract any suggestion that FdAjax is inherently insecure.
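To make the distinction concrete, here is an added example (mine, not code from FdAjax or from Grzegorz's post) that puts the snippet's eval-based handler next to a handler that parses JSON; the two server-side response builders and the chat object are hypothetical stand-ins, and the chat lines are constructed sample input.

```javascript
// Added example, not code from FdAjax or the original post. The snippet's
// onSuccess runs the server's reply through eval(), so the client is only as
// safe as the server's construction of that reply. Both "servers" below are
// hypothetical stand-ins; the chat lines are constructed sample input.

// Hypothetical server that sends JavaScript built by string concatenation.
function buildJsResponse(user, message) {
  return "chat.append('" + user + "', '" + message + "');";
}

// Hypothetical server that sends JSON: the message is data, never code.
function buildJsonResponse(user, message) {
  return JSON.stringify({ type: "chat", user: user, message: message });
}

// Mirrors the snippet: eval the body and swallow any error. Returns whether
// the reply was actually executed (the snippet itself gives no such signal).
function handleEval(responseText, chat) {
  try { eval(responseText); } catch (e) { return false; }
  return true;
}

// Hardened handler: parse, validate the shape, then pass the text as an argument.
function handleJson(responseText, chat) {
  let msg;
  try { msg = JSON.parse(responseText); } catch (e) { return false; }
  if (!msg || msg.type !== "chat" || typeof msg.message !== "string") return false;
  chat.append(String(msg.user), msg.message);
  return true;
}

// Minimal stand-in for the chat window: it just records lines.
function makeChat() {
  const lines = [];
  return { lines: lines, append: function (user, message) { lines.push(user + ": " + message); } };
}

// A line containing an apostrophe breaks the eval path (SyntaxError, silently
// dropped by the catch) but survives the JSON path intact. Any user string that
// can change the meaning of the generated code is the same flaw; treating the
// reply as data instead of code removes it.
const evalChat = makeChat();
const jsonChat = makeChat();
handleEval(buildJsResponse("alice", "hello"), evalChat);
handleEval(buildJsResponse("bob", "it's here"), evalChat);   // dropped
handleJson(buildJsonResponse("bob", "it's here"), jsonChat); // delivered
console.log(evalChat.lines, jsonChat.lines);
```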

In the future, please simply point out our mistake. No need to additionally impugn our character; we have no intention of misleading readers, and are happy to make corrections when we have erred.

One Response to “FdAjax Security + Accusations”

  1. Grzegorz Daniluk Says:

    Thank you for the rectification.

    In the FdAjax project I treat security very seriously. That’s why I use, for example, the Ragel tool to generate the C code which parses command parameters. Thanks to that, the code is more reliable.

    Moreover, I currently pay $20 for every security bug report. I’ll probably raise the price to $40 because I still haven’t received any security bug report.
