Google began its St Patrick’s celebrations in 2000 with a green logo sporting a jaunty leprechaun’s hat.

Click here to view this gallery.

Top of the morning to you! Today is Saint Patrick’s Day and here at Mashable we’re celebrating with a gallery of all the Doodles Google has ever posted on March 17.

There’s plenty of different shades of green, a good few shamrocks and yes, you guessed it, a leprechaun or two to be spotted in our ultimate Saint Patrick’s Day Google Doodle collection.

SEE ALSO: How to Animate Your Google+ Profile
So, don an oversized green hat, grab yourself a Guinness and take a look through our image gallery. Let us know in the comments below how you’ll be celebrating St. Paddy’s special day this year.

More About: dev and design, features, gallery, Google, google doodles, st patricks day, trending

For more Dev & Design coverage:


1. Helvetica vs. Arial

Can you tell the difference between Helvetica and Arial? This game puts you to the test.

Click here to view this gallery.

We have a treat for font fans with itchy thumbs in this super selection of five fabulous iPhone games that share a typographical theme.

Can you easily identify typefaces? Can you tell Helvetica and Arial apart? Can you spot the serif in a sea of characters? These games will test you on these skills — and more. Best of all, the apps we’re highlighting are all tried, tested and free, so you can give them a go without spending a single cent.

SEE ALSO: Top 10 Accessories for Typography Nuts [PICS]
Take a look through the gallery for our selections. Shout out in the comments below with any other typographical games you enjoy on your iPhone.

More About: apple, dev and design, features, fonts, Gaming, iphone, iphone apps, iPhone games, typography

For more Dev & Design coverage:

1. Tramp – Lowell Fulson

Beautifully paced, and with some great graphic elements, our only complaint with this video is that it’s not longer.

Click here to view this gallery.

If you’re a music lover and a font fan, then a kinetic typography video beats the more traditional genres hands-down. While you’ve no doubt seen a few famous examples, we’ve gathered up some lesser-watched creations for your viewing pleasure.

Although varied in style, these videos all use kinetic typography, or “moving text,” to illustrate the lyrics of a song. We’ve been impressed with how creative people can get with such a simple concept.

SEE ALSO: 10 Stories Beautifully Told with Animated Typography

Take a look through our selection in the slide show. We know there are dozens more great examples in existence, so link us in the comments to any of your favorites we’ve not included.

More About: animation, dev and design, kinetic typography, music videos, typography, videos, YouTube

For more Dev & Design coverage:

Yahoo has launched a new webpage that visualizes what’s happening on the web in near real time — and it’s totally beautiful.

The Content Optimization Relevance Engine (C.O.R.E.) HTML5 site hopes to show users the “behind the scenes” process Yahoo uses to match readers with content on their personalized homepage, using technology developed in a Yahoo research lab a few years ago. While Yahoo’s homepage used to be arranged by editors, it now uses an algorithm to match individual user preferences.

“We can provide users with insights through the lens of the 700 million users that come to our site each month,” Todd Beaupre, Yahoo’s senior director of product management, personalization and social platforms, told Mashable.

The interactive site optimizes content discovery, showing you what’s popular for a variety of user demographics, such as U.S. city, gender, age and interest (news, finance, lifestyle, Yahoo’s entertainment, sports and health). You can also chose a number of these characteristics at once, such as female sports fans in Cleveland or 35- to 44-year-olds in Atlanta.

As far as utility goes, you can think of the site as a tool to provide similar insight to Twitter trending topics or Google trends.

“We’ll see that we put out a sports story, but the human interest angle means that it’s being clicked on by women, more so than men interested in sports,” Beaupre says, noting that Yahoo delivers about 13 million content combinations each day to visitors to its homepage. “We bulit this because we can’t always predict accurately what people are going to click on.”

The C.O.R.E. visualizer features Yahoo’s original content as well as content written by Yahoo’s partners.

For some additional insight, you can click on the “i” logo on the bottom of the site to reveal five HTML5 interactive infographics, which attempt to put the scope of Yahoo’s data into perspective.

Yahoo previously launched a similar tool Mail Visualization that shows emails as they are delivered across the world. You can watch emails delivered across the globe, visualized through circles corresponding the mass of mail delivered. Yahoo says it has two more data visualization projects up its sleeves.

What do you think of Yahoo’s visualization? What insight do you find most useful from its real-time trends? Let us know in the comments.

More About: dev and design, HTML5, Yahoo

For more Dev & Design coverage:

1. Vector RSS Icons

Take your RSS feed to the dark side with these sinister symbols.

Click here to view this gallery.

If you decorate your house for Halloween, why not do the same for your blog? We’ve found eight great collections of social media icons that will add some spook to your site.

From pumpkins to cauldrons, from bats to black cats, these graphic ghouls will transform your site into a veritable Halloween grotto of gruesome.

Take a look through the gallery for our picks. Link us in the comments below to any other spooky icon sets you’ve seen.

More About: dev and design, features, gallery, Halloween, icons

For more Dev & Design coverage:

Mike Shema is the engineering lead for the Qualys web application scanning service. He has authored several books, including Hack Notes: Web Application Security, and he blogs on web security topics at the companion site for his latest book, Seven Deadliest Web Attacks.

It’s astonishing that 10 years of technological progress have produced web application behemoths like Facebook, Twitter, Yahoo! and Google, while the actual technology inside the web browser remained relatively stagnant. Companies have grown to billion-dollar valuations (realistic or not) by figuring out how to shovel HTML over HTTP in ways that make investors, advertisers, and users happy.

The emerging HTML5 standard finally breathes some fresh air into the programming possible inside a browser. Complex UIs used to be the purview of plugins like Flash and Silverlight (and decrepit, insecure ActiveX). The JavaScript renaissance seen in YUI, JQuery, and Prototype significantly improve the browsing experience. HTML5 will bring sanity to some of the clumsiness of these libraries and provide significant extensions.

Here are some of the changes HTML5 will bring and what they mean for web security

Cross-Origin Resource Sharing

An HTML5 feature with possibly the most potential for mistakes is the Cross-Origin Resource Sharing (CORS) that relaxes the fundamental security mechanism of a browser, the Same Origin Rule. CORS isn’t an arbitrary change; it’s a step towards standardizing what developers are already trying to do in order to build higher-performance sites.

Basically, CORS defines a group of client and server headers that enable a site to define origins that are allowed to interact with another origin’s context. It also provides granularity of lifetime and request methods for this site-defined access control. The following headers show how simple this is to implement from a server’s perspective. (Obviously, we’re just showing the HTTP headers and skipping the server-side code to generate and verify these.)

Access-Control-Allow-Origin: http://domain
Access-Control-Max-Age: 86400
Access-Control-Allow-Methods: PUT, DELETE

The first one, Allow-Origin, is where the worst mistakes will happen. We’ll see who the first sites are to use * in this field — thereby allowing sharing with any domain. There’s already precedent for this in Flash crossdomain.xml file vulnerabilities.

The domain of the Origin matters, not its path, as the spec emphasizes in section 3 — Security Considerations: “… only cross-origin security is provided and that therefore using a distinct origin rather than a distinct path is vital for secure client-side web applications.” Woe to developers who implement cross-origin requests without understanding this precaution.

Watch for potential “space invader” attacks in this area. Origin lists are space-delimited. For example, the following URL is intended to produce an Origin header from http://allowed.origin:


But a browser bug might turn this into:

Origin: http://malicious.spoof http://allowed.origin

Or worse, a server-side bug might turn this into an allowed destination for XHR requests if the page for some reason is building dynamic headers from the URL. In this case, the attacker would look for a weakness in the allowed.origin site that would enable CORS with the malicious spoof site. The vulnerable link might be something like this:


That produces an insecure access control header:

Access-Control-Allow-Origin: http://other.allowed.origin http://malicious.spoof

This last bit about space invaders is pretty speculative at the moment, but possibly not too far off considering the history of browser security. Browser hackers will no doubt be targeting their fuzzers to see how well browsers parse and serialize these headers. URLs may be prone to all sorts of errors, from invalid domains, to invalid ports, to IDN characters — the incorrect handling of which might lead to a buffer overflow or security bypass.

Spoofed headers are a serious threat for CORS and have several possible attack vectors. Unencrypted Wi-Fi combined with HTTP are a recipe for disaster (the least of which is spoofed headers). In the past, browser plugins like Flash have been used to spoof headers in order to bypass security restrictions. Browser plugins are notorious for breaking browser assumptions and playing outside their security sandbox.

Web Storage

The push for richer browser-based functionality also brings the desire to store more data in the browser than normally handled by cookies. Cookies have been the historically clumsy method of saving stateful data. The HTML5 Web Storage specification provides a more flexible way for sites to store data in the browser using essentially a key-value database.

Like most security boundaries in the browser, web storage is based on the Same Origin Rule. As the spec itself reminds readers, this means that the more general threats of DNS-based attacks pose a risk to the security of data stored by a domain. The Same Origin Rule is an implementation of the “Vegas principle:” What happens in one domain is supposed to stay in that domain. The browser assumes that content coming from a domain name is always legitimate, but that isn’t always the case if DNS isn’t secure.

The other danger of web storage will be sites that rely too heavily on it for storing a user’s sensitive data. We’ve already seen instances of sites that don’t properly encrypt passwords in their database. Now we may see sites that store sensitive, personal information via web storage APIs. If the site has a cross-site scripting (XSS), then an attacker would be able to trivially extract this information.

Then there’s the threat of malware. A site might be free of XSS vulnerabilities and otherwise secure, but store lots of valuable information in the browser. Many malware payloads already scan disks
for items like financial information and gaming credentials. Now they’ll start searching for data in these browser stores as well. Diligent devs will use this data storage to improve the user experience, but not at the risk of exposing sensitive information.

Speaking of XSS, HTML5 might have some unexpected consequences for validation routines. An XSS filter might be tripped up by new elements and attributes present in HTML5 that didn’t exist in HTML4. Whitelisting-based filters should be more resilient because the new elements won’t be handled. In any case, devs need to be aware that even though <audio> and <video> may be the most popular new tags, they’re not the only new ways XSS could manifest.

Sins of the Past

The most dangerous security problems won’t be due to features of HTML5. Too many experienced people have been working on the specs to leave egregious errors in the design or in browsers’ implementation of it. The worst problems will come from developers who rush into new technologies without remembering sins of the past. It’s far too easy to fall into the trap of trusting data from the browser just because some hefty JavaScript routines have been assumed to perform all sorts of security validation on the data.

Once data leaves the browser, an attacker can modify it in any way before it reaches the server. Trusting the client to always serve well-formed, valid data is the sure path to SQL injection, XSS, and worse vulnerabilities.

HTML5 doesn’t just have security implications for web developers. The browser has become a highly coveted target for malware. With each browser’s implementation of new HTML5 features will come buffer overflows and other coding mistakes that malware will seek out. As the browser’s end user, there’s little you can do on this front other than to keep your software up to date. All of the new HTML5 features will take a while before they’re securely baked into the browser. Attackers will continually look for bugs by pushing different limits in the browser: Cross-origin requests for thousands of origins, deeply nested elements, resource consumption attacks (DoS) using multitudes of Web Worker threads, and so on.

Luckily, browser developers haven’t been lazy this whole time. The last few years have seen laudable forays into better security and privacy protections. Browsers are starting to implement new headers that can protect against broad classes of attacks. For example, cross-site request forgery and clickjacking can be reliably defended against with Origin and X-Frame-Options headers. This stands in stark contrast to problems like cross-site scripting, for which no easy solution has been found.

Browsers have been pushing the privacy front as well with Do Not Track headers and private browsing options. It’s important to keep perspective on the topic of privacy. While the browser can take steps to make your data protection easier, it has no control and little influence on how a web site will use and protect that data. HTML5 briefly touches on privacy issues and security has direct consequences for privacy.

HTML5 is not a security solution. It’s a long-awaited update to the HTML spec. An update that took the time to be more explicit about both security and privacy issues. The new features of HTML5 will lead to exciting, powerful applications delivered through the browser. As such, it’s important for developers to keep in mind a few basic security tenets: Validate all data from the client, prefer whitelisting approaches over blacklisting, use HTTPS wherever possible, and test your site to make sure it’s performing how you intended.

Interested in more Dev & Design resources? Check out Mashable Explore, a new way to discover information on your favorite Mashable topics.

More About: dev and design, HTML5, technology, web security

For more Dev & Design coverage:

Whether you want to improve your existing skills or learn new ones, we’ve provided plenty of web design and development resources in the past year.

Here we recap the best posts that fell into this creative category. These include a wealth of tutorials, resources, galleries, interviews and more.

Have a read below for a look back at Mashable‘s Dev and Design resources from 2010, and be sure to keep coming back next year for more.

Mobile Development Resources

google phones

Whatever mobile platform(s) you favor, we’ve got you covered.

Icon Resources

From minimal to festive, here’s a roundup of great icon galleries.

Resources for Web Developers

PHP tips? Check. Apps for developers? Check. Online resources? Check.

Apple-Related Resources

The iPad made an impact on dev and design this year. Here’s why.

Photoshop Resources

Photoshop is one of the primary tools in the digital designer’s belt. We got you up and running with the imaging software in 2010.

Career Resources

Whatever career path you’re following in the online dev and design world, these articles can help.

Web Design

We’ve offered a wealth of design-related resources this year — dive in!


From iconic designers to icon designers, we’ve talked to some rather interesting folk during the past 12 months.

Fun Resources

It’s not all work, work, work as we add a little fun with these light-hearted articles.