Browser Variation of the Hub Reference Implementation (Illustrative)

From MemberWiki

Jump to: navigation, search

DISCLAIMER: This wiki page holds collective non-normative information about differences among popular web browsers in ways that matter to the open source reference implementation of OpenAjax Hub 2.0. There are no guarantees about the accuracy of this information, and no guarantees about ongoing updates to the information on this page over the course of time as browser updates appear.


Some implementations of the OpenAjax Hub standard may utilize features whose behavior varies from browser to browser. For example, some versions of some browsers may not support the HTML 5 postMessage feature, and on such browsers, an IframeContainer implementation may fall back on some other mechanism for achieving communication between sandboxes.

As with other implementations, certain behavior of reference implementation may be affected by browser behavior. The OpenAjax Interoperability Working Group provides this NON-NORMATIVE page in order to illustrate this variation with respect to the reference implementation.

This page is purely illustrative. It does not list all web browsers or all versions of web browsers, and it may not list variations of behavior that are specific to certain browsers. The presence or absence of browsers or behaviors does not indicate judgment about the suitability or security of these browsers, and the presence or absence of browsers or behaviors on this page does not constitute an endorsement of specific browsers or features.

Contents

HTML 5 postMessage

Recent versions of certain browsers support the HTML 5 window.postMessage() function. Others do not. Where this function is supported, the reference implementation of IframeContainer and IframeHubClient use the standard postMessage behavior to send messages between iframes associated with different origins. Where this function is not supported, the reference implementation uses an approach that involves Fragment Identifier Messaging (FIM).

As of March 2009, the following versions of the following browsers are known to support window.postMessage:

  • Apple Safari 4 (beta)
  • Microsoft Internet Explorer 8 (beta 2 and later)
  • Mozilla Firefox 3.x
  • Opera 9 (2009.03.18 Howard: but possibly not Opera 10)

onunload Handlers

The reference implementation uses HTML DOM onunload handlers to detect iframe unloads that may indicate frame phishing attacks.

The behavior of unload handlers varies from one browser to another. While we believe that onunload is always triggered when an attempt is made to navigate an iframe via JavaScript, and thus that the onunload handlers meet the requirement to detect frame phishing attempts, the onunload handlers may behave differently under other circumstances:

  • When the top-level browser window is closed, any onunload handlers registered for content inside the page's iframes may or may not be executed if the IframeContainers are not removed in a top-level onunload handler.2009.03.18 Howard: need to verify that removal actually works in top-level onunload handler on these browsers
  • When a DOM element containing an iframe is deleted, an onunload handler for the window inside the iframe may or may not be executed.

As of March 2009, the behavior of various browsers is believed to be as follows:

  • Microsoft Internet Explorer 6, 7 and 8: an onunload handler within an iframe is invoked when the iframe is navigated but is NOT invoked when the iframe is or deleted or when the parent window is unloaded.
  • Mozilla Firefox 3.x: an onunload handler within an iframe is invoked when the frame is navigated or deleted, and when the parent window is unloaded.
  • Opera 9: an onunload handler within an iframe is invoked when the iframe is navigated but is NOT invoked when the iframe is or deleted or when the parent window is unloaded.
  • Safari 3.x: an onunload handler within an iframe is invoked when the frame is navigated or deleted, and when the parent window is unloaded.

Maximum URL Length

The reference implementation passes some initial information into a client iframe via the iframe src URL. The manager application may also need to send information into the iframe via the URL. In this case, the fact that some browsers have URL size limits may impact the amount of information that can be passed into the iframe via the src URL.

In addition, when Fragment Identifier Messaging is used, the Container and HubClient exchange data messages by modifying the src URLs of iframes. Messages or message batches that exceed the browser's maximum URL size must be fragmented into multiple chunks. This may reduce performance of FIM implementations on browsers with short maximum URL lengths.

As of March 2009, maximum URL lengths are believed to be:

  • Apple Safari: 80,000 characters or more
  • Microsoft Internet Explorer (all versions): 2083 characters
  • Mozilla Firefox 3.x: 100,000 characters or more
  • Opera 9 for Windows: 190,000 characters or more

Clicking

When Fragment Identifier Messaging is used, messages may cause the iframe's src URL to change. On Microsoft Internet Explorer (all versions), this causes a clicking noise.

Retrieved from "http://www.openajax.org/member/wiki/Browser_Variation_of_the_Hub_Reference_Implementation_%28Illustrative%29"
Personal tools