2016-09-17

Milieu Support

Traveller uses the term milieu (plural: milieux) to describe a particular setting or era. Milieux include the Golden Age (described in Classic Traveller and Mongoose Traveller, circa 1105), the Rebellion (described in MegaTraveller, circa 1120), the New Era (circa 1202, 1248), Milieu 0 (from T4, from 0 through 300), Interstellar Wars (from GURPS Traveller: Interstellar Wars), and even alternate settings such as the GURPS Traveller alternate timeline (a.k.a. "Lorenverse").

The Traveller Map defaults to the Golden Age (circa 1105), which is the focus of the T5SS effort. It now offers experimental support for other milieux. To enable it:

  1. Go to the Settings menu (gear)
  2. Check "Enable Experiments"
  3. A new Experiments menu (flask) will appear
  4. From that menu, select a milieu:


You can play with some other experimental features that are there.

The available milieux are currently:

  • The Interstellar Wars - featuring only the Solomani Rim as depicted in GURPS Traveller: Interstellar Wars by Drye, Wiseman and Zeigler. Data adapted by Dom Mooney
  • 990 - Solomani Rim War. Features the data from Gateway to Destiny (the Gateway Domain) which is all I have handy for that time period, from Gateway to PDF.
  • 1105 - this is the default, with data from T5SS and unofficial contributions
  • 1900 - the Galaxiad setting. This is a work in progress with just the Spinward Marches and parts of Gvurrdon, c/o Rob Eaglestone.
Submissions of data to flesh out these milieux or start others are welcome!



The API docs are updated to include milieu parameters where supported. Note that the values currently supported are: IW, M990, M1900 - and leave the param off for the default. If data is not present for a sector in a given milieu you'll get 404 Not Found errors.

When generating images, placeholder markers (*) will be shown for systems where default (1105) data has a system.



There are some caveats with the experimental support:


  • Search does not consider milieux, so the results won't match what you see.
  • Routes do not consider milieux, so those results will also be off
There are a few more bugs noted in the issue tracker. Additional bug reports welcome.



Ω

2015-09-04

Route Finding

How long does it take to get from Regina (SPIN 1910) to Woochiers (SPIN 2207) at Jump-1? A long, long time:

I've added a route finding feature. Hit the route button to the right of the search box.
  • Start/end location can be entered as Sector Hex, e.g. Spinward Marches 1910
    • T5SS sector abbreviations are okay: SPIN 1910 works too
  • Otherwise, the map uses the nearest matching world name. So you can plug in Regina and Woochiers (but it might get confused if there are duplicate world names)
Caveats:
  • Not usable on mobile-sized screens yet
  • Can't click/tap to set locations
  • Can't filter route (e.g. only wilderness refueling, no red zones, prefer Im)
But even given that, it's still fun. Here's Regina to Terra at J-4:


And at J-5:

Route Finding Wish List on the Traveller Map Trello Board


API documentation is up: http://travellermap.com/doc/api#route

I also fixed some routing bugs in Path Finder but that utility is now considered deprecated and no longer linked from the main page. I'll keep it around as it allows route calculations in custom sectors, but it probably won't get more love.

And congratulations to Mongoose Publishing on the new edition of Traveller! Ω

2014-01-02

Custom Booklets

Experimental support for custom booklets is up at:

http://travellermap.com/booklet.html

I've tested this in Chrome and Firefox. If it works in IE it will require at least IE9. You can use your own data or pick an existing sector, although for an existing sector it's faster to just use http://travellermap.com/booklet.html?sector=name

A lot of "fancy" script and Web Platform APIs are used, so it may be fragile. Fetching custom images using a form within a page requires FormData, XMLHttpRequest with response type Blob, and FileReader, and since there's a gob of asynchronous processing that needs to go on I bit the bullet and used an ECMAScript 6 "Promises" polyfill I had sitting around. If none of that makes sense, you can take away that it's more programming voodoo than usual.

I also had to implement HTTP POST support for the sector data and sector metadata APIs; it's pretty boring - they just parse what you send and spit it back out, but it can be used to parse SEC and get T5 Tab Delimited, or MSEC and get JSON out.

Ω

2013-12-31

/go/ links and history

Two tidbits:

First, I added support for /go/ links, which can take the form:

http://travellermap.com/go/sector - e.g. http://travellermap.com/go/deneb

or

http://travellermap.com/go/sector/hex e.g. http://travellermap.com/go/deneb/0406

These are really shortcuts for the ?sector=sector&hex=hex form, but should be easier to type.

Any other such shortcuts you'd like to see?

Second, for those who are bemoaning changes to any of the data, just a reminder that all changes are tracked on Github at https://github.com/inexorabletash/travellermap/commits/master/res/Sectors - you can drill further into a particular file and see the changes over time.

Ω

2013-12-21

Zoom

I made a bit of a video:


I wrote a Python script which generated Tile API URLs centered on Regina at various scales. Piped that through to curl to fill a directory with images, then used ffmpeg to assemble them. Once I had the kinks worked out it only took about 10 minutes to render.

(I used the live site rather than my development machine. If you attempt something similar, be gentle and don't request more than one image at a time!)

Ω

2013-11-30

Nothing to see here, I hope...

I've rejiggered a bunch of the internal workings of the site in ways that are only of interest to developers. The last 40 or so revisions moved away from serving data and images using "ASPX" pages to HttpHandler. Ideally, there's no change in behavior except that unnecessary cruft isn't running. The best part from a developer perspective is that all URL handling for the services is now done programmatically - no hosted files are necessary to add APIs, just code. The code for that lives in the Global.asax.cs file, if you're curious. As an added bonus, I'm using regular expressions for URL dispatching so it's easier to e.g. distinguish /data/sector/subsector from /data/sector/hex and more possibilities are now available - I should be able to enable named subsector references, for example.
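As an added illustration of the regex-dispatch idea (and of the /go/ shortcuts from the post above), here is a small Python route table. This is not the site's C# code from Global.asax.cs; the handler names and the exact patterns are assumptions for illustration. The point it shows is that a four-digit hex and a single-letter subsector are distinguishable by pattern alone, so /data/sector/hex and /data/sector/subsector need no separate hosted files, and a /go/ link is just a rewrite to the ?sector=...&hex=... form.

```python
import re
from urllib.parse import urlencode

# Hypothetical route table in the spirit of the regex dispatch described above.
# Handler names and patterns are illustrative assumptions, not the site's own.
# A hex is four digits (column, row); a subsector is a single letter A-P, so the
# two /data/<sector>/... forms are told apart purely by the last path segment.
ROUTES = [
    (re.compile(r"^/go/(?P<sector>[^/]+)$"), "map"),
    (re.compile(r"^/go/(?P<sector>[^/]+)/(?P<hex>\d{4})$"), "map"),
    (re.compile(r"^/data/(?P<sector>[^/]+)/(?P<hex>\d{4})$"), "world_data"),
    (re.compile(r"^/data/(?P<sector>[^/]+)/(?P<subsector>[A-Pa-p])$"), "subsector_data"),
    (re.compile(r"^/data/(?P<sector>[^/]+)$"), "sector_data"),
]


def dispatch(path):
    """Return (handler, params) for the first matching route, or None.

    Unmatched paths fall through to None so the caller can answer 404 rather
    than guessing; the table order is the dispatch precedence.
    """
    for pattern, handler in ROUTES:
        m = pattern.fullmatch(path)
        if m:
            params = {k: v for k, v in m.groupdict().items() if v is not None}
            return handler, params
    return None


def go_link_to_query(path):
    """Expand a /go/ shortcut into the equivalent ?sector=...&hex=... query string."""
    hit = dispatch(path)
    if hit is None or hit[0] != "map":
        return None
    return "?" + urlencode(hit[1])


if __name__ == "__main__":
    for p in ["/go/deneb", "/go/deneb/0406", "/data/deneb/0406", "/data/deneb/C", "/data/deneb/04066"]:
        print(p, "->", dispatch(p), go_link_to_query(p))
```

Because the sector name is captured as a named group, the same capture feeds both the /go/ rewrite and the data handlers; adding a named-subsector form later would be one more pattern in the table rather than a new file.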

Since there are third party sites and services using the old "aspx" APIs I've carefully added aliases to allow those to continue to work. If you're using them, please try and migrate to the new APIs (/api/...) ASAP.

And of course, if I broke anything, please let me know. I fixed one bug along the way - JumpMaps were not correctly eliding out-sector borders. I can't believe no-one told me about that!




Ω

2013-07-26

It's here

The stuff I promised in my last post is now live.

And perhaps least interesting if you're a user of the site - unless I get run over by a cable car or something - is that the source code to travellermap.com is now up on github.

Also:
  • Slipped in a few bug fixes. Probably slipped in a few bugs, too. Let me know.
  • Added a ton more tests (unit tests, API tests).
  • I still need to post T5 data format documentation. (Writing good documentation is much harder and time consuming than writing code.)
  • The old-style SEC data output has been changed to match the column widths from the ancient GEnie data drop. This means names get truncated and all that fun stuff. If this breaks anything that consumes the data I would recommend changing to consume the tab-delimited data, which is inherently more flexible.

Ω

2013-07-23

Coming soon: Open Source, T5 Data, RESTful URLs, MSEC parsing

I'm taking a week off from work to catch up on personal projects that require more than the usual 20 minutes a day of unbroken concentration I can scrounge up. For TravellerMap.com my big goal is getting the code open sourced, up on GitHub. As a prelude to that I needed to do some cleanup, such as moving some authentication strings out of the code itself, and general polishing. Don't expect it to be beautiful, though!

A few things got done as part of this process:

  • More RESTful URLs will be added, with the ugly SomeAPI.aspx URLs relegated to legacy. For a hint of what this might look like (if you're not familiar with the terminology) look at a COTI thread on RESTful Traveller APIs
    • Nit: it won't be truly RESTful as the site is stateless, so there's no state to transfer. 
  • I've implemented T5 "Second Survey" data parsing and a formal format description. Short answer: column-based, but variable width fields with a header that self-documents field widths.
  • I've implemented support for sec2pdf's MSEC file format. Not every feature (like label tweaks) is supported, but it will save you from learning the XML metadata format.
  • Added honest-to-goodness unit tests for a handful of things. 
  • Converted most of the C# to use System.Linq where possible to make the code more readable.
  • Squashed various bugs
Expect shiny things over the next few days, and as always forgive the mess.
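An added example, not the site's own parser: a Python reading of the self-documenting column layout described above, paired with the tab-delimited output that the POST endpoints in the Custom Booklets post above hand back. It assumes the header row is followed by a ruler row made of dash runs whose positions give each field's column span (the exact ruler convention is an assumption here); the sample rows are constructed and the UWP values are placeholders, not real world data.

```python
import re

# Constructed sample in the assumed self-documenting column layout: a header
# row of field names, then a ruler row whose runs of '-' give each field's
# start column and width. The UWPs are placeholder values, not canon data.
SAMPLE_T5_COLUMN = """\
Hex  Name       UWP       Zone
---- ---------- --------- ----
1910 Regina     A000000-0
2207 Woochiers  B000000-0 A
"""


def parse_ruler(ruler):
    """Return [(start, end), ...] character spans, one per run of dashes."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]


def parse_column_text(text):
    """Parse the column format into (fields, rows) using the ruler's widths.

    Short rows are padded so trailing empty fields (e.g. no Zone) come back
    as '' rather than raising; values are stripped of the column padding.
    """
    lines = [ln.rstrip("\n") for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not set(lines[1].strip()) <= {"-", " "}:
        raise ValueError("expected a header line followed by a dash ruler")
    spans = parse_ruler(lines[1])
    fields = [lines[0][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[2:]:
        padded = line.ljust(spans[-1][1])
        rows.append([padded[s:e].strip() for s, e in spans])
    return fields, rows


def to_tab_delimited(fields, rows):
    """Emit the tab-delimited form, which carries no width information at all,
    so a long name cannot be truncated the way fixed columns truncate it."""
    out = ["\t".join(fields)]
    out.extend("\t".join(r) for r in rows)
    return "\n".join(out) + "\n"


def column_to_tab(text):
    """The round trip a POST 'parse and spit it back out' endpoint would do."""
    fields, rows = parse_column_text(text)
    return to_tab_delimited(fields, rows)


if __name__ == "__main__":
    print(column_to_tab(SAMPLE_T5_COLUMN))
```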


Ω

2012-11-18

T5 Second Survey Data

As part of an ongoing development process for Traveller 5 the data set for all worlds in the Imperium is being reviewed. With help from Don McKinney, the latest data is now live on the site. Thanks to everyone who's been contributing nitpicks and reporting errors - this information has been fed back into the process to help make sure the new data set is as high quality as possible.

The following sectors have been updated, baselined at 1105:
In addition, the following tweaks have been made:
  • Added "Reavers' Deep" and "Reavers Deep" as aliases
  • IFRAME no longer steals focus (which fixes the API page to not scroll down on load)
  • Speaking of the API page, it now links to the correct AotI coverage area
  • Fix Egyrn Subsector's name (thanks to Makoto MACHIDA for commenting)
Many of the data changes will be intentional, but obviously with this volume of cleanup there will be further glitches, so start the bug reports coming!

Ω

2012-07-23

Client Code Update

I've just pushed a set of updates to the client files - the HTML, JavaScript, and CSS that makes up the pages. This affects the main page, the iframe page, and the touch page. These now all share common logic which will make updates easier. The visible changes are:

  • Intermediate levels are used when zooming in with the mouse wheel. This may mean that the "Scale" field in the control panel will go blank, but if you're using the wheel you probably aren't using the drop-down.
  • When zooming, the previous image tiles are used until the new tiles load. Combined with the previous, this means zooming is much smoother. 
  • The credits display at the bottom of the page (which shows credits, sector data, world data, and one-click generators for LBBs and Posters) now updates on click/double-click/drag rather than just what's centered on the page. [EDIT: Based on feedback in the comments; it originally tracked your mouse hover coordinates.]
  • When you zoom by double-clicking or using the wheel the mouse position is retained, so you can "zoom in" on something that isn't centered.
  • Added Facebook and Twitter buttons next to the Google Plus buttons.
  • The "you are here" and overlay URL parameters from the iframe API can be used on the main map page. 
  • Tweaked the [-] and [+] buttons in the control panel to be the same size. Yay for


Note: I only tested as far back as IE8. According to analytics, I have a small number of IE7 users. If they report problems I may be able to fix it, but only if they complain. My testing on browsers other than IE, Chrome and Safari (iOS) has been limited, but Firefox and Opera are usually pretty well behaved.

As always, let me know what I broke and I'll try and fix it quickly.

EDIT: Remember to mention which browser+version and which operating system+version you're using, too.

...

In other news - no progress on the outages. I've found and fixed a couple of bugs with cached state handling but I still see the service going down when usage is high. I have monitoring set up now so that as I make changes I can have a higher confidence that they haven't made things worse.
Ω

2012-07-15

Another Non-Update

Nothing to report yet (June got busy!) but I have been doing some behind the scenes work.

The tiled, draggable map display logic used for the main map (and iframe) and the touch version were completely separate code. If you've played with the touch version you know it has some nicer features, such as intermediate zoom levels and using available images while others are loading so zooming in is a much more pleasant process. I've been working to unify the code between these, and it's almost done - I just need to get the overlay and the you are here features for the iframe API ported over and I can push the update.

As a side effect, this will allow devices supporting touch events (iOS, Android, etc) to interact with the main map page, although the interface will still be kludgy. That'll be the next thing to fix, followed by those data updates I was promising. Ω

2011-11-13

Macro Routes and Label Cleanup


I've added "macro scale" routes - the Jump-5, Jump-4, and Zhodani Core Routes, visible at low zoom levels. These aren't visible if you zoom out too far because they make the map ugly. They also disappear if you zoom in, well before the micro-scale routes, because they don't line up well. I'll try and fix that - I've already tweaked K'kree Outpost borders in Gn'hk'r/Gelath slightly.

Other changes and bug fixes:

  • Polity labels now wrap correctly in PDF Posters (example)
  • Added CORS note to API docs - short version: modern browsers make the JSONP hack unnecessary
  • Fix glyph layout in the side-bar Legend
  • Smaller names at the macro scale (e.g. J-5 Route) now show by default. This changes the map's default option value to 1015. Older permalinks won't have this set, adjust if necessary.


Ω

2011-10-24

Cleanup & Border Updates

Mish-mash of updates:

  • At some point recently I broke the default state of the flag controlling rendering of local polity names, so they should now default to rendering again.
  • I dusted off the border calculation code (doc, demo):
    • Added a page that will generate borders for a map sector considering the 8 adjacent sectors. Try it. Sorry, doesn't work with uploaded sectors yet, but that should be easy to make work.
    • Fix border walk termination logic (would leave in a duplicate hex if the polity had a vertical left edge)
    • Added heuristic for bridging 1pc gaps in polities
  • The SEC API now optionally accepts sx/sy coordinates instead of sector (name) 
  • Work around what looks like a Chrome 14 bug with object creation. var o = {}; o.x = 'foo'; was claiming that the property was read only in some cases.
  • Updated borders for: Fa Dzaets, Trenchans, Gvurrdon, Tuglikki, Mendan, Amdukan, Deneb, Corridor, Solomani Rim
Ω

2011-09-12

Deneb, Ziafrplians, SectorMetaData, bug fixes

A few recent updates, tweaks and fixes:
  • Updated data for Ziafrplians from Don McKinney. This is the same data as used for the Zhodani Alien Module recently published by Mongoose, now a canonical part of the OTU. Check out the book for many more details about the sector, of course.
  • Updated data for Deneb by Robert Eaglestone, including a few X-boat route tweaks. This is part of the ongoing T5 data cleanup project. Expect the rest of the Domain of Deneb to follow at some point soon.
  • A new SectorMetaData API
  • Tweaked Candy Style rendering. Now includes UWP at high scales, and scales a little more nicely.
  • Fixed behavior of the experimental touch version when moving from "pinch" to "drag" (i.e. letting go of one finger while the other is still touching)
Ω

2011-08-03

Bug Fix: Response Content Types

In a recent change I accidentally made the "Data" APIs (Coordinates, Credits, JumpWorlds, Search, Universe) produce JSON by default where the documented default was XML (unless a format was otherwise requested). This has been corrected - the default content types should now be as documented in the API page.

While I don't intend to change the default data format for any API call - to maintain compatibility - new APIs may default to JSON... at least, until the Next Great Format comes along. To be robust, make sure you're requesting a specific format using the HTTP "Accept" header. Currently supported formats are:

  • XML: text/xml
  • JSON: application/json
Ω

2011-03-02

New Printer-Friendly Style

Based on a handful of requests, I've added a new style, "Print" (a.k.a. "print" in the API) which is better suited for color printing than either "Poster" (which consumes black ink) or "Atlas" (which is grayscale-only).

The colors for routes, borders and bases should be left alone unless they're close to white, in which case a default color will be used, unlike "Atlas" style where fixed colors are used everywhere. This was a bit of a rush job so I may have missed a few cases (where I need to explicitly override a color) or introduced bugs, so let me know if something doesn't look quite right.

Ω

2011-01-21

Parameter Update - Styles

Previously, specifying the visual style of the map ("Poster", "Atlas", or "Candy") was done via the options query parameter. To simplify this and allow room for future expansion, a style parameter has been added. This takes one of the values "poster", "atlas" or "candy". Examples:


Legacy URLs that embed the style via options bits will continue to be supported indefinitely, but new "permalinks" will use the new parameter. The API documentation has been updated to reflect the new usage. Ω

2009-08-17

Now Serving PDFs

It's live. (Be gentle!)

The API docs have been updated, but here's the short version:

For Poster.aspx, Tile.aspx or JumpMap.aspx, either pass an HTTP "Accept" header with "application/pdf" or include "accept=application/pdf" in either the query string (GET) or form data (POST).

Since it took a whopping 10 seconds, I also added a checkbox to the post example if you want to generate PDFs from your custom data.

Once any bugs are shaken out of this update I plan to add a link to the bottom of the main map page which offers "give me a printable version" of whatever you're looking at. I could make it either "smart" and offer Charted Space, Domain, Sector, Quadrant or Subsector depending on scale, or "dumb" and spew out exactly what you see on screen but in PDF form. I lean towards "smart". Ω

2009-08-15

PDF Generation [SNEAK PEEK]

I'm playing with the PDFSharp library which provides PDF generation capabilities for C# with a liberal license and can be used with ASP.NET handily enough. The library nicely supports using the same rendering primitives to output via GDI+ or PDF, so I can actually just convert the site's entire rendering stack onto PDFSharp (which looks a lot like System.Drawing anyway) and then simply pass it either a bitmap or a PDF into which to render.

After a couple of hours of playing, here's sample output from the Poster API:

http://www.travellermap.com/tmp/spinward_demo.pdf

Warning: don't blithely hit "print" - I'm not doing anything clever with units yet, so I don't know how many pages it will try and span. Examine the print options carefully. :)

This is not live yet - there are several things not working yet and I'm concerned about performance when I suddenly have the main map site running through this code. But so far, it looks promising.

When it is live, you'll be able to use the Tile, Poster and JumpMap APIs to generate PDFs by specifying either a Content-Type HTTP header or a query string parameter in the URI (since we can't always control header generation). Ω

2009-04-19

JSONP and XSS

Allen Varney asks:
...doesn't this functionality leave the map site open to -- at the very least -- cross-site scripting (XSS) hacks? The whole procedure sounds quite insecure.
Short answer: no (but read on)

But it's an excellent question, so let's analyze the potential security vulnerability.

First off, Wikipedia has a reasonable Cross Site Scripting (XSS) overview.

The short version is that a vulnerability in some site allows a hacker to add content that, when viewed by a victim, executes the hacker's code using the victim's data.

For example, let's say VulnerableForum.com allows evil hacker Eve to post arbitrary script code. When victim Alice visits the site, the web page loads and Eve's code can execute within the context of VulnerableForum.com. That means it could do things like make forum posts in Alice's name, change Alice's password, modify Alice's profile (perhaps to include additional copies of Eve's code, turning this into a viral worm), and so forth.

The Wikipedia article lists several variations of this beyond simple persistent content modification, e.g. Eve sends Alice a URL to VulnerableForum.com that includes parameters which induce bugs in the forum software, allowing code injection.

The "classic" form of XSS was what led to the Same Origin Policy (SOP). In the old days, Eve's web site (EvilHacker.com) could load up AlicesBank.com in an IFRAME. If Alice visited EvilHacker.com, the IFRAME would load AlicesBank.com - and possibly log in automatically. The scripts from EvilHacker.com could then reach into the IFRAME and manipulate the now-authenticated bank pages to steal money. In response to this, browser makers implemented the SOP, which means that the scripts can't reach into the IFRAME if the content is from a different site.

This SOP has been extended to all web technology - Flash, AJAX calls, and so forth. Unfortunately, this means that sites that want to cooperate - say, your site and TravellerMap.com - don't have a way to share data. Flash exposes a cross-domain mechanism (where the receiving site can explicitly allow requests from the requesting site). For JavaScript there are some cross-domain-enabling proposals. But for now, JSONP is a workaround. JSONP requires that both sites cooperate – the requesting site must specify a JSONP parameter in a URL request, and the receiving site must understand the JSONP parameter and create an appropriate response.

So…. back to the question of security.

  • Does accepting JSONP requests expose TravellerMap.com to XSS attacks? No – the site does not interpret the content of the JSONP parameter beyond %-decoding. It is simply prepended (along with "(" prefix and ");" suffix) to the data being returned.

  • Does using JSONP requests expose your site to XSS attacks? Ah, there’s the rub. By making JSONP requests you are allowing TravellerMap.com to inject script and data into the execution context of your web pages. Let’s analyze how this could be exploited:

(1) TravellerMap.com could THEORETICALLY add malicious script to the JSONP results. In that case, instead of emitting "callback(…);" the site emits "make_forum_post(…);" or something. Since the script is executed automatically (via the JSONP mechanism) and the data can’t be filtered (it appears as a script tag which executes the content, not data you can deserialize with paranoid JSON parsing code), there is no simple defense against this. If TravellerMap.com is compromised (or I turn to the dark side…) then your site is vulnerable.

Note that this vulnerability is restricted to XSS behavior, that is, users of the site would have code executed in the context of the web site. This doesn’t allow arbitrary code execution on the victim’s machine (it’s still in the web page sandbox), or on the web server (it’s all client-side). So this isn't a "pwn'd your machine" exploit, but it is a (theoretical) "pwn'd your account" exploit.

Also note that sites like Flickr expose JSONP APIs with the same risks, so it’s not a flaw in the design of the TravellerMap.com API. Either you trust the site you’re calling into with JSONP or you don’t.

For the paranoid (i.e. you want to use the TravellerMap.com JSONP APIs, but don’t trust the site to remain exploit-free), one mitigation would be to sandbox any use of the JSONP APIs. For example, your main site might be mytravellerforum.com, and create a sandbox.mytravellerforum.com subdomain that doesn’t do anything with users' forum accounts. And of course, if you are implementing server-side functionality, you can call directly into the non-JSONP versions of the APIs, in which case you’re parsing the data yourself.

(2) TravellerMap.com could THEORETICALLY expose a vulnerability that allows JSONP requests to include arbitrary content.

Here’s how a hacker might exploit that:
  • Your site exposes a "make a map for sector X" form. The user can type the sector name into a form, which causes a JSONP request to TravellerMap.com
  • A hacker crafts a URL which makes your site make that request automatically (due to the architecture of your site, possibly a redirect). The URL includes the sector name as: "); do_evil(…); void("
  • Your page turns that into a JSONP request
  • The TravellerMap.com site THEORETICALLY blithely outputs that as part of a valid response, un-escaped
  • Your site executes that script with the do_evil() content (which, say, makes a forum post)
  • The hacker posts this nasty URL to a forum. Any user that clicks on the link ends up with do_evil() running within their authenticated context.
It’s a bit convoluted, but that’s how these XSS attacks happen. A further THEORETICAL vulnerability would be if the TravellerMap.com site allowed users to post arbitrary data which could then be retrieved by a third-party site, but it does not. (No submitted data is retained by the site beyond the lifetime of the request.)

So how to mitigate it?
  • Sanitize user input on your site – don’t make arbitrary requests to external sites
  • Ensure JSONP logic exists in a sub-domain sandbox (see above)
  • Perform your own security audit – try the TravellerMap.com JSONP-enabled APIs and send test data. To the best of my knowledge, all data from successful requests is properly escaped (user data would appear as strings within JSON data) and errors are returned as 404s (the scripts should not execute).
Again, the same issues exist with any JSONP API - you must trust the site you're calling both to not return malicious scripts intentionally and to be hardened against vulnerabilities that would allow someone to cause malicious script to be returned.
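To make points (1) and (2) concrete, here is an added Python sketch of the response-building step on the receiving side; it is not the site's code. It puts the "blithe" version from point (2) beside a hardened one that refuses any callback that is not a plain dotted identifier and always serialises the data with a real JSON encoder (so a sector name containing quote characters stays inside a string literal, which is the "properly escaped" property from the audit bullet), plus the CORS-header alternative the Macro Routes post above mentions. Function names, the 404 answer for a bad callback, the identifier pattern and the sample payloads are assumptions; the crafted callback value is the one from the list above.

```python
import json
import re

# Assumed strict shape for a JSONP callback: a dotted JavaScript identifier
# such as "callback" or "MyApp.handleResult". Anything else is refused.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")

# The crafted value from the post, used here as the callback parameter.
EVIL_CALLBACK = '"); do_evil(); void("'


def naive_jsonp(callback, payload):
    """The 'blithe' behaviour from point (2): the %-decoded callback is
    prepended verbatim, so a crafted callback breaks out of the call."""
    return 200, f"{callback}({json.dumps(payload)});"


def safe_jsonp(callback, payload):
    """Hardened variant: refuse any callback that is not a plain identifier
    (fullmatch, so a trailing newline cannot smuggle a second statement),
    and always serialise the data with a JSON encoder."""
    if not CALLBACK_RE.fullmatch(callback):
        # Errors come back as 404 (as the post describes); the <script> tag
        # then has nothing executable to run.
        return 404, "Not Found"
    return 200, f"{callback}({json.dumps(payload)});"


def cors_json(payload, allowed_origin):
    """The modern alternative: plain JSON plus an Access-Control-Allow-Origin
    header. The browser parses data; no script from the other site runs."""
    headers = {
        "Content-Type": "application/json",
        "Access-Control-Allow-Origin": allowed_origin,
    }
    return 200, headers, json.dumps(payload)


def unwrap(body, callback):
    """Recover the JSON data from a JSONP body, to show the escaping round trip."""
    prefix, suffix = callback + "(", ");"
    if not (body.startswith(prefix) and body.endswith(suffix)):
        raise ValueError("body is not a single callback(...) call")
    return json.loads(body[len(prefix):-len(suffix)])


if __name__ == "__main__":
    print(naive_jsonp(EVIL_CALLBACK, {"sector": "Deneb"}))        # breaks out
    print(safe_jsonp(EVIL_CALLBACK, {"sector": "Deneb"}))         # 404
    print(safe_jsonp("cb", {"sector": EVIL_CALLBACK}))            # stays a string
```

Note what the hardened version does not fix: point (1) stands regardless, because a site that is trusted to emit `callback(...)` can emit anything. Restricting the callback name and JSON-encoding the data only closes the "arbitrary content via the parameter" hole; the trust decision, or the subdomain sandbox, still has to be made by the calling site.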

So... an excellent question with a non-trivial answer. Feedback, as always, appreciated! Ω