Browser Newsletter #28
- SproutCore: rich web apps in JavaScript, no Flash needed
- Securing Cross Site XMLHttpRequest
- Threat remains despite Safari carpet bombing fix
- IE8 Beta 1 June Security Update Now Available on Windows Update
- IE8 and Trustworthy Browsing
- Firefox 3 Memory Benchmarks and Comparison
- Opera Sends Website Owners Auto-Compliance Feedback
- about:addons - AMO changes & reviews, Dangers of eval(), New XULRunner, Firefox 3.1 changes & more
- Zero-day flaw haunts Internet Explorer
- 20 million Firefox 3 downloads in a week, ~4% market share
SproutCore: rich web apps in JavaScript, no Flash needed
One session at last week’s WWDC featured a JavaScript application framework called SproutCore, which has generated quite a bit of buzz since then. The framework was used by Apple to develop .Mac’s Web Gallery feature and is likely being used to develop the web-based applications that are part of Apple’s MobileMe service. With Apple standing up for web standards—supporting standards in WebKit, working with W3C and WHATWG to develop next-gen standards, even remaking its web site in pure HTML, CSS, and JavaScript—SproutCore is being promoted by Apple as a recommended framework for creating rich, standards-based web applications that have a “native look-and-feel.”
Read more…
© Ars Technica, 17/06/08
Securing Cross Site XMLHttpRequest
As I mentioned in my post on Cross Document Messaging, client side cross domain request is an important area of interest for AJAX developers looking for ways to avoid expensive server side proxying calls. While Cross Document Messaging is useful for allowing third party components or gadgets embedded in a page to communicate/converse using script on both sides, other cross domain scenarios like web services require access to cross domain content using network requests from a client side web application. For example, you may want to use your client side map based mashup to pinpoint Chinese restaurants for your current neighborhood. This could require the mashup to request a text file from Zagat.com with the locations of Zagat rated restaurants in the area which can then be superimposed on the map.
Along those lines, a few proposals and implementations exist like XDomainRequest in IE8, JSONRequest and the W3C’s Web Applications Working Group’s Cross Site XMLHttpRequest (CS-XHR) draft specification, which combines an Access control framework with XMLHttpRequest or other features. While XDomainRequest is focused on enabling anonymous access of third party public data, Cross Site XMLHttpRequest has added functionality and consequently enables a broader set of scenarios that may appeal to the developer who may choose to use cross domain authentication and access control among other features. As can be expected with securing a large cross section of cross domain scenarios, a number of concerns have been identified with the CS-XHR draft by the web development community, the IE team members and members of the Web Apps Working Group. For a list of our recent feedback on security on CS-XHR and our take on important security principles in cross domain, please read our Security Whitepaper on Cross Domain. The paper also covers best practices and guidance for developers who will choose to build on the current draft if it’s supported by a future browser. Note that issues here are currently being discussed and some concerns may be mitigated as the draft evolves.
Read more…
© IEBlog, 23/06/08
Threat remains despite Safari carpet bombing fix
A flaw that meant Safari automatically downloaded executable files based on IE zone settings was one of three vulnerabilities in the browser addressed in an update published by Apple on Thursday.
The other two updates addressed errors in processing image files that created a memory disclosure risk and a memory corruption flaw involving the handling of JavaScript arrays.
However, security researcher Billy Rios warns that the “carpet bombing” fix is only partial. If Safari is used on a system where Firefox is also installed it might be possible to steal arbitrary files, he warns. The flaw, like the carpet bombing bug before it, involves a blended threat concerning how Safari and other browser packages work together. Rios is holding back details of the bug pending a release from Apple.
Read more…
© Channel Register, 23/06/08
IE8 Beta 1 June Security Update Now Available on Windows Update
Today we released the IE June Cumulative Security Update for Internet Explorer 8 Beta 1 for Developers on Windows Update. For detailed information on the contents of this update, please see the following documentation [...]
Read more…
© IEBlog, 24/06/08
IE8 and Trustworthy Browsing
This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated enough that some context and even history (before we go into any particular feature) is important, and so some readers may find this post a bit basic as it’s written for a wide audience. In previous posts here, we’ve written about IE8 for developers: the work in standards support, developer tools, script performance, and more. In future posts, we’ll write about IE8 for end-users (beyond the benefits of improved performance, activities, and Web Slices). This post starts a series about trustworthy browsing, a topic important for developers and end-users and everyone on the web. By setting the context and motivation with this post, the next posts that dive into the details of IE8 will build on this foundation.
Read more…
© IEBlog, 24/06/08
Firefox 3 Memory Benchmarks and Comparison
Web browser performance is an often talked-about and flaunted thing, but many claims are not really backed up by solid evidence. I wrote software that collected millions of data points over 14 hours of actual browsing time, and this article reveals my findings.
Read more…
© Dot Net Perls, 24/06/08
Opera Sends Website Owners Auto-Compliance Feedback
Opera Software is building a team of “web evangelists” whose job it is to find sites that do not display correctly in Opera and are not standards-compliant, and then email the site owners. They are sending emails with specific tips on how to fix HTML, CSS or other issues that don’t make sites compliant. Opera has always been a strong advocate for web standards, and this initiative is good for not only Opera but standards support on the web in general.
On the Opera jobs website, there are job listings for multiple web evangelist positions. They are hiring in Norway, China, South Korea, the Czech Republic and the USA - so it is a multi-lingual global effort. Here is an example of an email sent to one site owner from an evangelist at Opera, with specific details on fixing a CSS bug [...]
Read more…
© TechCrunch, 25/06/08
about:addons - AMO changes & reviews, Dangers of eval(), New XULRunner, Firefox 3.1 changes & more
AMO 3.4.3 and 3.4.4 Pushed Live. addons.mozilla.org was updated recently with a number of bugfixes and new features, including a new theme browser, advanced search, and a beta of the new Developer Tools. You can read more about the new features on Basil Hashem’s blog and more about the Developer Tools beta on Justin Scott’s blog.
1.9 SDK Now Available. If you are building binary components for your add-on then the 1.9 SDK is the official way to build. It’s available for download in Linux, Windows and Mac flavours.
New CSS Features in Firefox 3.1. The current development builds of Firefox 3.1 have more of the CSS 3 selectors implemented including nth-child, first-of-type and default. David Baron discusses the selectors and other new CSS features landing in Firefox 3.1 builds.
New Documentation. Some tricks with laying out XUL boxes are explained. A list of the parts of XUL that are now deprecated and replaced by better objects is now available. A new code snippet section on creating background processes using setTimeout and threads has been added.
Read more…
© Mozilla Developer Center, 26/06/08
Zero-day flaw haunts Internet Explorer
An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.
It affects Internet Explorer 6 on Windows XP SP2 and SP3. The new IE 7 browser is not affected because Microsoft changed the way Javascript protocol URLs are handled to prevent these types of attacks.
Security researcher Aviv Raff has created a test page that confirms the attack vector in IE 6. This screenshot shows a script loaded in one domain (raffon.net) showing a cookie of a different domain (google.com) [...]
Read more…
© ZDNet, 26/06/08
20 million Firefox 3 downloads in a week, ~4% market share
Mozilla’s Firefox 3 web browser, which was officially released one week ago, has already been downloaded over 20 million times since the official launch. This is a noteworthy achievement for the open source browser, which is rapidly eroding the dominance of Microsoft’s Internet Explorer.
The number of Firefox 3 downloads continues to climb, but currently represents only a portion of Firefox’s 170 million daily users. This is primarily because Mozilla has not yet rolled out the new version to existing Firefox 2 users through the update channel. In response to an inquiry, Mozilla told us that they have not finalized the schedule for when Firefox 3 will be made available to Firefox 2 users through the update channel, but they suspect that it will happen within the next two or three months.
Read more…
© Ars Technica, 26/06/08













