chrome - Dave's Blog


Search

Subtleties of postMessage

2013 Jul 15, 1:00

In IE10 and other new browsers one may create MessageChannel objects that have two MessagePorts each connected (w3c spec calls it entangled) to one another such that postMessage on one port results in the message event firing on the other. You can pass an array of ports as the last parameter to postMessage and they show up in the ports property of the message event arg.

Origin

The postMessage here is like the worker postMessage and unlike the window and iframe postMessage in that it applies no origin checking:

  1. No origin postMessage in workers and MessagePorts: postMessage(messageData, ports)
  2. Origin postMessage in windows and iframes: postMessage(messageData, targetOrigin, ports)

Unfortunately the origin isn't an optional parameter at the end to make the two postMessages have the same signature.

On the event handler side, the event arg always has an origin property. But in the no origin case it is always the empty string.

Source

There is also a source property on the message event arg which if set is an object that has a postMessage property allowing you to post back to your caller. It is set for the origin case, however, in the no origin case this property is null. This is somewhat reasonable because in the case of MessagePort and Workers there are only two endpoints so you always know the source of a message implicitly. Unlike the origin case in which any iframe or window can be calling postMessage on any other iframe or window and the caller is unknown. So not unreasonable but it would be nice if the source property was always set for consistency.

MessageChannel start

When a MessageChannel is created it has two MessagePorts, but until those ports are started they will queue up any messages they receive. Once started they will dispatch all queued messages. Ports don't have to be started to send messages.

A port may be started in two ways, either by explicitly calling the start method on the port, or by setting the onmessage callback property on the port. However, adding an event listener via addEventListener("message", does not start the port. It works this way in IE and Chrome and the spec states this as well.

The justification is that since you can have only one callback via onmessage that once set you must implicitly be ready to receive messages and its fine to start the port. As opposed to the addEventListener in which case the user agent cannot start implicitly because it doesn't know how many event listeners will be added.� I found Hixie stating this justification in geoloc meeting notes.

Links

W3C Spec

Opera introduction

PermalinkCommentsDOM html javascript postMessage technical web-worker worker

Everybody hates Firefox updates - Evil Brain Jono's Natural Log

2012 Jul 16, 1:59

Former FireFox developer on the switch to their continuous update cycle. 

Oh no, Chrome is doing such-and-such; we’d better do something equivalent or we’ll fall behind! We thought we needed a rapid update process like Chrome. We were jealous of their rapid update capability, which let them deploy improvements to users continuously. We had to “catch up” with Chrome’s updating capability.

Dealing with servicing on IE for years had led me to some of the same thoughts when I heard FireFox was switching to continuous updates.

PermalinkCommentsfirefox via:ericlaw web-browser technical web browser servicing update software

A Tale Of Two Pwnies (Part 2)

2012 Jun 11, 6:39

Summary of one of the Chrome security exploits from pwn2own.  Basically XSS into the chrome URI scheme which gives access to special APIs.

PermalinkCommentstechnical browser web-browser security xss

Try Chrome in Metro mode

2012 Jun 7, 3:34

Early Chrome for Win8 Metro!

PermalinkCommentschrome google web-browser web metro win8 windows technical

Google Chrome - Fuzzing for Security

2012 Apr 26, 3:09

Overview of Google’s fuzzing security practices for Chrome.

PermalinkCommentstechnical security fuzz fuzzing chrome web-browser browser google

HTML5 Table Flipper Experiment

2012 Mar 2, 1:02

The goal of this experiment was to combine the flipping tables emoticons with the Threw It On The Ground video using shiny new HTML5-ish features and the end result is the table flipper flipping the Threw It On the Ground video.

The table flipper emoticon is CSS before content that changes on hover. Additionally on hover a CSS transform is applied to flip the video upside down several times and move it to the right and there's a CSS transition to animate the flipping. The only issue I ran into is that (at least on Windows) Flash doesn't like to have CSS transform rotations applied to it. So to get the most out of the flip experiment you must opt-in to HTML5 video on YouTube. And of course you must use a browser that supports the various things I just mentioned, like the latest Chrome (or not yet released IE10).

PermalinkCommentscss-transform flipping-tables css-transition html5-video technical threw-it-on-the-ground

FireFox doesn't have innerText

2011 Nov 14, 12:34

I wrote my HTML against IE9 and continually validated with Chrome as I went. Afterward I tried it in FireFox and found out that FireFox has textContent whereas IE9 & Chrome have innerText

PermalinkCommentstechnical web web-browser firefox ie9 chrome ie innertext textcontent js html

Installable Web Apps - Google Code

2010 May 24, 6:29Installable web apps makes total sense given the Google Chrome OS: "An installable web app is a normal web site with a bit of extra metadata. You build and deploy this app exactly as you would build and deploy any web app, using any server-side or client-side technologies you like. The only thing that is different about an installable web app is how the app is packaged."PermalinkCommentstechnical web browser webapp google chrome

The State of Web Development 2010 – Web Directions

2010 Apr 29, 11:51Stats from the State of Web Development 2010 web survey including: "Few respondents use any form of Internet Explorer for their day to day web use, but IE8 is the number one browser developers test their sites in. Google Chrome has jumped dramatically as the browser of choice for developers, to rank 3rd, at 17% just behind Safari at 20%."PermalinkCommentsie web browser chrome statistics development html technical system:filetype:pdf system:media:document

Ajaxian » Getting Users to Upgrade Their Browsers

2010 Apr 11, 3:53Has graphs of browser usage by version over time to show upgrade speed for Chrome, IE, and Firefox. Chrome has a lovely graph.
PermalinkCommentsgraph statistics infographics web browser chrome ie firefox version upgrade technical.

Chromium Blog: Does Your Browser Behave?

2010 Mar 12, 7:56A tool to run Google's ECMA conformance test suite on your browser.PermalinkCommentschrome web browser javascript technical tool test google

ClickOnce Deployment Overview

2010 Mar 5, 12:33ClickOnce is a .NET app deployment technology that lets you easily install apps with minimal user interaction even from the web. This is what Google Chrome uses to install so easily.PermalinkCommentsmsdn technical development security windows .net csharp programming clickonce google chrome

Protecting Browsers from Extension Vulnerabilities

2010 Feb 27, 10:06A web browser add-on security research paper that describes the Google Chrome security model. "We propose a new browser extension system that improves security by using least privilege, privilege separation,
and strong isolation. Our system limits the misdeeds an attacker can perform through an extension vulnerability.
Our design has been adopted as the Google Chrome extension system."PermalinkCommentssecurity design google chrome firefox addon plugin web browser technical research adam-barth system:filetype:pdf system:media:document

Adam Barth - adambarth.com

2010 Feb 26, 2:42Adam Barth has tons of papers on web browser security.PermalinkCommentsadam-barth security web browser privacy javascript google chrome research technical

Chromium Blog: Security in Depth: New Security Features

2010 Jan 27, 9:56Some of the new security features in Chrome: XSS filter, HTTPS only, HTML5 origin header, and HTML5 postMessage function.PermalinkCommentshtml5 html script xss csrf chrome browser google security web technical

Chromium Blog: Links That Open in New Processes

2009 Dec 4, 10:29The Chrome blog documents what you do to your anchor tag to get it to open in a new process.PermalinkCommentshtml google chrome web browser technical

Waooooooow, Ample SDK - <Glazblog/>

2009 Dec 1, 5:55A cross browser javascript implementation of SVG, XUL, portions of HTML5 and more. Check out their demos. "Ample SDK, a must-see: cross-browser (Gecko, Webkit, Opera, Chrome, and even IE 5.5+ !!), XInclude 1.0, XML Events 1.0, XML Schema, SMIL 3.0, REX 1.0, XBL 2.0 (!), SVG, XUL (cross-browser !), HTML5, XForms, ..., superb demos (SVG-based @shepazu in IE, wow...), dual MIT/GPL licensing terms, open-source"PermalinkCommentstechnical browser svg xul webkit opera ie javascript web html5

YouTube - Google Chrome OS Demo

2009 Nov 20, 7:20I think I'm stuck on the first part of the Ars review "so it has taken the netbook, which was already a crippled notebook, and crippled it even further by removing a ton of flexibility and functionality". Still conceptually I like the idea and hope they figure out all their use cases.PermalinkCommentsgoogle chrome video os web browser technical

Chromium Blog: A 2x Faster Web

2009 Nov 12, 6:28Google to replace HTTP with SPDY?PermalinkCommentsbrowser web http spdy google chrome technical

Sam Ruby: Chromie Don’t Play That

2009 Sep 24, 3:58"Put more constructively, if GCF mentioned application/xhtml+xml AND intercepted it, my site would “just work”. But that wouldn’t be an “opt in”, a concept that Ian Hickson once described as yet another quirks mode switch."PermalinkCommentschrome google web browser extension webbrowser mime xml xhtml technical
Older Entries Creative Commons License Some rights reserved.