File Uploads + CORS + IE


Supporting Internet Explorer is always kind of a drag, but sometimes you just have to. Adding to the mixture file uploads via AJAX and CORS only make it that much more fun.

When dealing with AJAX file uploads I always seem to keep going back to jQuery File Upload. Making these file uploads work on IE require fallback to using an iframe, which is supposed to work automatically almost right of the box. I encountered some issues, maybe it was the slack of sleep, reading outdated Stack Overflow answers or simply not understanding the documentation that well.

If the origin domain is different than the file upload server domain, CORS comes into play and there are some known limitations and issues on IE 8 and IE 9. In Internet Explorer 8, the XDomainRequest object was introduced to allow safe AJAX cross-origin requests directly by ensuring that HTTP Responses can only be read by the current page if the data source indicates that the response is public. Responses indicate their willingness to allow cross domain access by including the Access-Control-Allow-Origin HTTP response header with value *, or the exact origin of the calling page.This blog post lists and describes the restrictions and reasoning behind them, but these two are the ones that bit me recently.

  • Only text/plain is supported for the request’s Content-Type header – This means that your API endpoint will have to be adjusted to be able to parse whatever data you send in the request. In my case I was returning a JSON response with an application/json content type, but after figuring this out I had to change the content type of that response to text/plain. On the client side that meant manually parsing the response data as JSON using  $.parseJSON.
  • Requests must be targeted to the same scheme as the hosting page – Once I thought I had everything working I was still getting hit by a couple of errors. Turns out I was generating a request from http to an https endpoint on different domain.
  • The target URL must be accessed using only the HTTP methods GET and POST

Now comes jQuery File Upload into play.

File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.

Cross-domain file uploads on IE 8 and 9 use the Iframe Transport plugin that requires a redirect back to the origin server to retrieve the upload results. The example implementation includes a result.html that works for this. The repository includes the jQuery XDomainRequest Transport plugin which is required to enable cross-domain AJAX requests in IE 8 and 9. Internet Explorer 10 and above supports CORS using XMLHTTPRequest.

The tricky part here for me was ;“requires a redirect back to the origin server”. I had the results.html file in place but nothing was happening. Taking a look at the sample server implementations I noticed that in order for this to work I had to redirect the response to the location of the results.html including the response JSON I would normally return as a response but as a query parameter. The results.html enables jQuery File Upload to access the results from the iframe.

Here are a couple of excerpts that might help understand.

Photo by John Trainor

Backup OpenPGP keys on paper


Recently I remember I was keeping a backup of my OpenPGP keys on an external hard drive that any day now could just cease to work. After my first attempts with PGP/GPG where I lost my private keys and could no longer revoke them, I wasn’t planning on loosing another one again.

After reading what others did to store their private PGP keys, I figured that the best way to store them was on paper. That’s where paperkey comes along. Paperkey is an OpenPGP key archiver by David Shaw, one of the main GPG developers.

What does paperkey do?

Due to metadata and redundancy, OpenPGP secret keys are significantly larger than just the “secret bits”. In fact, the secret key contains a complete copy of the public key. Since the public key generally doesn’t need to be escrowed (most people have many copies of it on various keyservers, web pages, etc), only extracting the secret parts can be a real advantage.

Paperkey extracts just those secret bytes and prints them. To reconstruct, you re-enter those bytes (whether by hand, OCR, QR code, or the like) and paperkey can use them to transform your existing public key into a secret key.

So to try it out, I installed it via homebrew.

brew install paperkey

Take the secret key in secret-key.gpg and generate a text file my-key-text-file.txt that contains the secret data:

paperkey --secret-key secret-key.gpg --output my-key-text-file.txt

I then printed the resulting text file and stored it somewhere safe.

To reconstruct secret-key.gpg, take the secret key data in my-key-text-file.txt and combine it with public-key.gpg:

paperkey --pubring public-key.gpg --secrets my-key-text-file.txt --output secret-key.gpg

I also stored a digital copy of my secret key on a new USB flash drive.

Bonus: You could also print a QR code of the paperkey output.

brew install qrencode
paperkey --secret-key secret-key.gpg --output-type raw | qrencode -o qr-paperkey.png

By the way, I’m in no way an #expert in PGP/GPG or security in general.

How do you backup your PGP keys?

My talk on JSON Web Tokens at DjangoCon US 2014

I had a great time at DjangoCon US 2014. Lots of first times.

  1. First time at DjangoCon
  2. First time speaking at DjangoCon
  3. First time speaking in front of “large” crowd.
  4. First time visiting the west coast
  5. First time visiting Portland

Special thanks to Blimp for enabling me to do this. Thanks to the DSF’s grant which made the trip financially possible. Thanks Froi and Sasha for coming along, all the support, and making the trip way more fun.

Last but not least thanks to my beautiful fiancée, Ana, for always supporting me and still loving me even though I missed her birthday for the first time because of this trip.

Here’s the video

You can find the slides on Speaker Deck.

We also got a few attendees to help us write down some notes during the event. Check them out.

There also a couple photos I took of the whole trip on Facebook.

Django REST framework Sprint at DjangoCon US 2014


This’ll be my first time attending and speaking at DjangoCon US. I’ll be talking about JSON Web Tokens, Django, and Django REST Framework.

I’ve been talking about working on a Sprint for Django REST Framework with Tom Christie on Twitter. Tom pointed out a list of decent candidates to work on if we get some people together. We’ll have a tagged list of obvious bug candidates before the sprint. He’s also planning on helping us out remotely those days.

It seems like a great idea to celebrate the successful Django REST framework 3 campaign on Kickstarter and with the timing of DjangoCon, “kickstart” the development of upcoming versions.

So, I’m recruiting anyone who’d be interested and available in working together. Everyone’s welcome to join in – if you use Django REST framework and would like to become more familiar with its internals while working together with other developers with various levels of expertise. Sprints will be held Friday and Saturday Sep 5-6.

If you’re interested please send me an email so we can start getting organized. If you know someone who might be interested please share this with them.


Issues have been tagged and include a brief description of how to progress the ticket for the sprint.

Getting started with Go


I’ve been using Python for a quite a few years as my main go-to language for building web apps, RESTful API’s, utilities, and much more. It’s the driving power for most of our backends at our startup: Blimp, Blimp Boards, and FilePreviews. I have very few bad things I could argue about Python, but I won’t.

I’ve recently felt the need to dig into newer programming languages and technologies. One of the languages I’ve been wanting to try out for a while now is Go. So I did, and here’s why and a couple of resources that helped me out. The first thing I did was read up about Go for a few days.

The Go programming language is an open source project to make programmers more productive.

Go is expressive, concise, clean, and efficient. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel type system enables flexible and modular program construction. Go compiles quickly to machine code yet has the convenience of garbage collection and the power of run-time reflection. It’s a fast, statically typed, compiled language that feels like a dynamically typed, interpreted language.

This perfectly describes Go.

  • It’s pretty easy to understand for new developers, fast and with a good toolset for debugging and performance tuning.
  • Statically typed and compiled you end up with fewer bugs
  • Easy to profile for speed and memory leaks
  • Built-in code formatting
  • Small memory footprint
  • Simple language design
  • Natively multithreaded
  • Built for and actively developed by Google
  • And more…

A Tour of Go

A great resource to get started with Go is A Tour of GoThe interactive tour is divided into three sections: basic concepts, methods and interfaces, and concurrency, that can be compiled and ran right from the browser.

Go by Example

Go by Example is a hands-on introduction to Go using annotated example programs by Mark McGranaghan.

Go Tool

Go is a tool for managing Go source code. Available go commands are:

  • build – compiles packages and dependencies
  • clean – removes object files
  • env – prints Go environment information
  • fix – runs go tool fix on packages
  • fmt – runs gofmt on package sources
  • get – downloads and installs packages and dependencies
  • install – compiles and installs packages and dependencies
  • list – lists packages
  • run – compiles and runs Go program
  • test – tests packages
  • tool – runs specified go tool
  • version – prints Go version
  • vet – runs go tool vet on packages


Godoc extracts and generates documentation for Go programs, it parses Go source code and produces documentation as HTML or plain text. After generating your docs you can use GoDoc to host it. You can read more in the Godoc: documenting Go code blog post.

Package Management

With the go get command you can install remote packages directly from version control. One of the things you’ll notice when starting out with Go is that there isn’t a builtin package manager tool like we’d see with package managers like BundlerPip and NPM. There are third party tools for for managing Go packages and their dependencies. The Go project recommends vendoring, taking the 3rd party source code that is referenced in your project and making a copy of that code inside a new folder within the project.

Check out godep, a well-maintained tool for managing vendored dependencies. Some additional resources:


There quite a couple of startups and organizations using Go that blog about or open source packages and tools. A couple of my favorites are:

Useful resources

Discovering projects and packages

Package discovery has been a pain for me. Since there’s no main index, packages can be hosted many different places. You’ll quickly notice that you won’t really need that many external packages, but when you do you’ll be searching around.

  • Awesome GoA curated list of awesome Go frameworks, libraries and software
  • Projects – A list of Go projects
  • Go Search – A search engine specifically designed for Go
  • Go Walker – Displays API documentation for Go projects
  • Sourcegraph – Shows you real examples of how functions and classes are used by other open-source projects.

I’m still learning the best way I know. I’ve already started a new project that I’ll be launching in a few weeks, developed a few packages in the way that I’ll be open sourcing soon.

What resources have you found useful while working with Go? Please share them in the comments below.


Mentioned resources by others.