feed - Dave's Blog


Multiple Windows in Win10 JavaScript UWP apps

2018 Mar 10, 1:47

Win10 Changes

In Win8.1 JavaScript UWP apps we supported multiple windows using MSApp DOM APIs. In Win10 we use window.open and the window object, plus a new MSApp API, getViewId; the previous MSApp APIs are gone:

|  | Win10 | Win8.1 |
| --- | --- | --- |
| Create new window | window.open | MSApp.createNewView |
| New window object | window | MSAppView |
| viewId | MSApp.getViewId(window) | MSAppView.viewId |

WinRT viewId

We use window.open and window for creating new windows, but then to interact with WinRT APIs we add the MSApp.getViewId API. It takes a window object as a parameter and returns a viewId number that can be used with the various Windows.UI.ViewManagement.ApplicationViewSwitcher APIs.

Delaying Visibility

Views in WinRT normally start hidden and the end developer uses something like TryShowAsStandaloneAsync to display the view once it is fully prepared. In the web world, window.open shows a window immediately and the end user can watch as content is loaded and rendered. To have your new windows act like views in WinRT and not display immediately we have added a window.open option. For example:

    let newWindow = window.open("https://example.com", null, "msHideView=yes");

Primary Window Differences

The primary window that is initially opened by the OS acts differently than the secondary windows that it opens:

|  | Primary | Secondary |
| --- | --- | --- |
| window.open | Allowed | Disallowed |
| window.close | Close app | Close window |
| Navigation restrictions | ACUR only | No restrictions |

The restriction that secondary windows cannot open further secondary windows could change in the future depending on feedback.

Same Origin Communication Restrictions

Lastly, there is a very difficult technical issue preventing us from properly supporting synchronous, same-origin, cross-window script calls. That is, when you open a window that's same origin, script in one window is allowed to directly call functions in the other window, but some of these calls will fail. postMessage calls work just fine and are the recommended way to do things if that's possible for you. Otherwise we continue to work on improving this.
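The pieces above combined into one flow, as an added example that is not code from the original post: open the window hidden, get its viewId, and show it only after the new window reports over postMessage that it has finished preparing. The "ready" message, the function name and the injectable env parameter are assumptions made for illustration.

```javascript
// Added example: open a hidden secondary window and show it once it signals
// readiness. env defaults to the app's globals (window, MSApp, Windows) and is
// a parameter only so the flow can be exercised outside a UWP app.
function openHiddenView(url, env = globalThis) {
  const expectedOrigin = new URL(url).origin;

  // msHideView=yes keeps the new window from displaying immediately.
  const child = env.window.open(url, null, "msHideView=yes");

  // Bridge from the DOM window object to the WinRT viewId number.
  const viewId = env.MSApp.getViewId(child);

  const onReady = (event) => {
    // Act only on the window we opened, from the origin we opened it at,
    // carrying the agreed (hypothetical) "ready" message.
    if (event.source !== child) return;
    if (event.origin !== expectedOrigin) return;
    if (event.data !== "ready") return;

    env.window.removeEventListener("message", onReady);
    env.Windows.UI.ViewManagement.ApplicationViewSwitcher
      .tryShowAsStandaloneAsync(viewId);
  };
  env.window.addEventListener("message", onReady);

  return viewId;
}
```

Checking both event.source and event.origin before acting keeps any other window or frame from triggering the show.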


Tweet from The A.V. Club

2016 Jun 6, 4:50
BuzzFeed backs out of RNC ad deal, citing profound awfulness of Donald Trump http://avc.lu/1t2uiEN 

Retweet of alvarombedoya

2015 Nov 11, 9:42
3/ This lets advertisers figure out that 'John owns this laptop AND this smartphone.' http://www.steamfeed.com/silverpush-launches-cross-device-ad-targeting-with-unique-audio-beacon-technology/ … pic.twitter.com/hci0aUeLoN

Retweet of sharonodea

2015 Sep 30, 5:53
Founder of #Peeple, an app designed to collect unsolicited feedback doesn't appear to like unsolicited feedback. pic.twitter.com/MmYZW3oHw4

Retweet of kylealden

2015 Apr 6, 8:51
Unlimited power forever. RT @NeowinFeed: what happens when you plug Surface 3 into itself http://neow.in/1Gi3ZPj  pic.twitter.com/R5kAduccqn

Tweet from David_Risney

2015 Feb 28, 8:47
8yo regularly feeds crows. Crows start giving girl shiny objs in return. http://www.bbc.com/news/magazine-31604026 … The future: girl & crow army open bead store

Netflix API : Retiring the Netflix Public API

2014 Jun 15, 3:02

First they came for our RSS feeds and I said nothing…

Tags: technical Netflix web api api

theatlantic: 'Please Contact Us': It's Been a Tough Week for...

2013 Oct 11, 9:25


theatlantic:

'Please Contact Us': It's Been a Tough Week for the Nobel Prize's Twitter Feed

Tales of temporary rejection from an organization not used to being ignored.


Tags: humor nobelprize twitter

Considerate MessagePort Usage

2013 Aug 7, 7:14
When writing a JavaScript library that uses postMessage and the message event, I must be considerate of other JS code that will be running alongside my library. I shouldn't assume I'm the only sender and receiver on a caller-provided MessagePort object. This means obviously I should use addEventListener("message" rather than the onmessage property (see related What if two programs did this?). But considering the actual messages traveling over the message channel, I have the issue of accidentally processing another library's messages and having another library accidentally process my own messages. I have a few options for playing nice in this regard:
Require a caller-provided unique MessagePort
This solves the problem but puts a lot of work on the caller, who may not notice or follow this requirement.
Uniquely mark my messages
To ensure I'm acting upon my own messages and not messages that happen to have similar properties to my own, I place a 'type' property on my postMessage data with a value of a URN unique to me and my JS library. Usually, because it's easy, I use a UUID URN. There's no way someone will coincidentally produce this same URN. With this I can be sure I'm not processing someone else's messages. Of course there's no way to modify my postMessage data to prevent another library from accidentally processing my messages as their own. I can only hope they take similar steps and see that my messages are not their own.
Use caller-provided MessagePort only to upgrade to new unique MessagePort
I can also make my own unique MessagePort for which only my library will have the end points. This does still require the caller to provide an initial message channel over which I can communicate my new unique MessagePort, which means I still have the problems above. However, it clearly reduces the surface area of the problem since I only need one message to communicate the new MessagePort.
The best solution is likely all of the above.
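A sketch of the second and third options working together, added here as an example and not taken from the original post: every message carries a library-specific URN in its 'type' property, and the shared port is used for a single marked message that transfers a private MessagePort. The URN value is constructed, and the 'kind' field, the function names and the createChannel parameter are assumptions for illustration.

```javascript
// Constructed UUID URN standing in for the library's own unique marker.
const LIB_TYPE = "urn:uuid:3f2b8c1e-6d4a-4e0b-9a57-0c1d2e3f4a5b";

// Uniquely mark outgoing messages so the library can recognise its own.
function wrap(kind, payload) {
  return { type: LIB_TYPE, kind, payload };
}

// Accept only objects carrying the marker; anything else belongs to other code.
function isOurs(data) {
  return typeof data === "object" && data !== null && data.type === LIB_TYPE;
}

// Initiating side: send one marked message on the shared port that transfers
// the far end of a fresh channel, then talk only on the private end.
function offerPrivatePort(sharedPort, createChannel = () => new MessageChannel()) {
  const { port1, port2 } = createChannel();
  sharedPort.postMessage(wrap("upgrade", null), [port2]);
  return port1;
}

// Receiving side: listen with addEventListener (never the onmessage property),
// ignore foreign traffic, and stop listening once the private port arrives.
function acceptPrivatePort(sharedPort, onPrivatePort) {
  const listener = (event) => {
    if (!isOurs(event.data) || event.data.kind !== "upgrade") return;
    const privatePort = event.ports && event.ports[0];
    if (!privatePort) return; // marked but malformed: no port was transferred
    sharedPort.removeEventListener("message", listener);
    onPrivatePort(privatePort);
  };
  sharedPort.addEventListener("message", listener);
  sharedPort.start(); // ports do not start implicitly with addEventListener
  return listener;
}
```

Other listeners on the shared port still see the upgrade message, which is why the marker is needed even though only one message crosses the shared channel.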
Photo is Sharing by leezie5. Two squirrels sharing food hanging from a bird feeder. Used under Creative Commons license Attribution-NonCommercial-NoDerivs 2.0 Generic.
Tags: DOM html javascript messagechannel postMessage programming technical

(via Comedy: Great Job, Internet!: Here’s Patton...

2012 Oct 31, 6:47


(via Comedy: Great Job, Internet!: Here’s Patton Oswalt’s Halloween costume)

Tags: adam-savage patton-oswalt spider-man Halloween

(via Real Myst “linking book”)

2012 Oct 30, 1:33


(via Real Myst “linking book”)

Tags: game humor video-game link book myst

Stripe CTF - Level 5

2012 Sep 11, 5:00

Level 5 of the Stripe CTF revolved around a design issue in an OpenID-like protocol.

Code

    def authenticated?(body)
      body =~ /[^\w]AUTHENTICATED[^\w]*$/
    end

    ...

    if authenticated?(body)
      session[:auth_user] = username
      session[:auth_host] = host
      return "Remote server responded with: #{body}." \
             " Authenticated as #{username}@#{host}!"

Issue

This level is an implementation of a federated identity protocol. You give it an endpoint URI and a username and password, it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This level only talks to Stripe CTF servers, so the first step is to upload a document to the level 2 server containing the text 'AUTHENTICATED', and we can now authenticate on a level 2 server. Notice that the level 5 server will dump out the content of the endpoint URI and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to

    https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated

Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.

    https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a

Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and lists the text of the level 2 file 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 seeing 'AUTHENTICATED' coming back from a level 5 URI.

Notes

I didn't see any particular code review red flags; really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permissive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned, which makes it easy for a server to accidentally fall into authenticating. Having the endpoint URI have to return variable text based on the input would make it much harder for a server to accidentally authenticate.
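The permissive check set beside a stricter one, as an added example that is not part of the level's code: the regexp is a JavaScript port of the Ruby one above (the m flag is assumed to stand in for Ruby's line-based $), and strictCheck is a hypothetical form of the "variable text based on the input" idea in which the endpoint must return a nonce sent with the request. The sample bodies are constructed.

```javascript
// JavaScript port of the level's Ruby regexp. Assumption: the m flag stands in
// for Ruby's $ anchor, which matches at the end of any line.
function looseCheck(body) {
  return /[^\w]AUTHENTICATED[^\w]*$/m.test(body);
}

// Mirrors the success string built by the level's code, which embeds the
// endpoint's response body in the page it returns.
function successPage(body, username, host) {
  return `Remote server responded with: ${body}.` +
         ` Authenticated as ${username}@${host}!`;
}

// Hypothetical stricter protocol: the relying server sends a fresh nonce with
// each request and accepts only a body that is exactly the literal plus nonce.
function strictCheck(body, nonce) {
  return typeof nonce === "string" && nonce.length > 0 &&
         body === `AUTHENTICATED ${nonce}`;
}

// Constructed sample bodies, not captured from the CTF servers.
const STATIC_FILE = "\nAUTHENTICATED\n";
const REFLECTED = successPage(STATIC_FILE, "a", "level02-2.stripe-ctf.com");

// Run both checks over one response body for side-by-side comparison.
function compare(body, nonce) {
  return { loose: looseCheck(body), strict: strictCheck(body, nonce) };
}
```

A static file and a page that merely embeds one both pass looseCheck, while neither can satisfy strictCheck because neither knows the nonce for the current request.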

Tags: internet openid security stripe-ctf technical web

(via HTTPSTER T-Shirt) Maybe for Eric?

2012 Aug 8, 3:14


(via HTTPSTER T-Shirt)

Maybe for Eric?

Tags: humor tshirt shirt gift http technical

(via Pareidoloop) “Phil McCarthy’s Pareidoloop...

2012 Aug 6, 4:11


(via Pareidoloop)

“Phil McCarthy’s Pareidoloop overlays randomly generated polygons on top of one another until facial recognition software recognizes a human face. Can’t sleep, at SIGGRAPH! [via @Brandonn]”

Tags: technical images facial-recognition siggraph

(via Classic pro-science-careers music video PSA: Chemical...

2012 Jun 29, 10:03


(via Classic pro-science-careers music video PSA: Chemical Party)

Xeni says: “The EU wasn’t always so terrible at promoting science careers through funny internet music videos! (thanks, Guido)”

Tags: humor chemistry video

(via Parody Tech Startup Explainer Video for Vooza)

2012 Jun 7, 3:04


(via Parody Tech Startup Explainer Video for Vooza)

Tags: humor startup buzzword vooza video web

(via Feature: Google gets license to test drive autonomous cars...

2012 May 7, 8:18


(via Feature: Google gets license to test drive autonomous cars on Nevada roads)

The coolest part of this article is that Nevada now has an autonomous vehicle license plate that’s red background and infinity on the left.

Tags: car nevada google self-driving-car

Perfect Strangers video game (via The World Deserves A Perfect...

2012 May 2, 1:34


Perfect Strangers video game (via The World Deserves A Perfect Strangers Video Game. Now, It Has One. [Perfect Strangers])

Tags: humor perfect-strangers music theme tv game videogame

(via An Embroidered George McFly: I’m Your Density by Sabrina...

2012 Apr 20, 9:39


(via An Embroidered George McFly: I’m Your Density by Sabrina Parolin)

Tags: humor bttf george-mcfly

(via Tron-Style Light Dance Performance by Wrecking Crew...

2012 Mar 15, 5:21


(via Tron-Style Light Dance Performance by Wrecking Crew Orchestra)

Tags: tron dance video music dubstep
Creative Commons License. Some rights reserved.