Last week, we posted a story about deploying GWT to PHP back-ends. We’ve got another GWT-ish post this week: Pyjamas, a sort of GWT for Python.

The SourceForge project page has a brief overview and pointers to a tutorial, a widget showcase, and more.

Sunava Dutta has detailed the enhancements made to IE 8 beta 2 for Ajax developers including XDR, XDM/postMessage, DOM Storage, offline detection, and more. A lot of great stuff!

XDomainRequest (XDR)

This is an object built from the ground up to make client-side cross-domain calls secure and easy. To reduce the chances of inadvertent cross domain access, this object requires an explicit acknowledgement for allowing cross domain calls from the client script and the server. Additionally, it reduces the need for sites having to resort to the dangerous practice of merge scripting from third parties directly into the mashup page. This practice is dangerous because it provides third parties full access to the DOM. All this comes with the added benefit of improved client-side performance and lower server maintenance costs thanks to the absence of a need for server farms for proxying.

During the Beta 1 timeframe there were many security based concerns raised for cross domain access of third party data using cross site XMLHttpRequest and the Access Control framework. Since Beta 1, we had the chance to work with other browsers and attendees at a W3C face-to-face meeting to improve the server-side experience and security of the W3C’s Access Control framework. As a result, we’ve updated XDR to be explicitly compliant with syntax and directives in the sections of Access Control for requesting simple public third-party data anonymously on the client! (Section 5.1.3 in the Access Control Process Model)

The updates to XDR from Beta 1 allow IE8 to request data from the domain’s server by sending an Origin header with the serialized value of the origin of the requestor. IE8 Beta 2 will only return the response if the server responds with Access-Control-Allow-Origin: *, instead of allowing the XDomainRequestAllowed: 1 header as we did in Beta 1. Other changes include support for relative paths in the open method, and restricting access to only HTTP and HTTPS destinations.

Cross-document Messaging (XDM)

Cross-document messaging is another powerful cross-domain feature that I’ve blogged about in the past. Rather than make a backend request to a remote Web service, this allows sites hosting third-party IFrame-based “gadgets” or components to communicate directly with the parent, without unsafely violating the same site origin policy. This has advantages including improved performance and reliability, as developers don’t have to resort to workarounds that behave differently between browsers and have unwanted side-effects. This technique also removes the need for embedding third-party script in your page, lessening the chance of potential information disclosure vulnerabilities like the disclosure of your sensitive data (such as information in your social network profile) to third parties without your consent.

Beta 2 updates here include moving the onmessage handler from the document object to the window object to better align with the updated HTML 5.0 draft.

window.attachEvent(”onmessage”, HandleMessage);

We also replaced e.URI with e.origin, which is serialized form of “scheme” + “host” + “non-default port”. This is far safer as the URI can carry potentially sensitive information from the origin site that is not needed by the recipient for the decision to grant or not grant access.

if (e.origin == ‘http://www.contoso.com’) 
        { 
               // process message text     
        }

Finally, the HTML 5.0 draft also mandates that the targetOrigin parameter for the postMessage method now be made a required parameter, as opposed to an optional one. This will make it difficult for developers to make errors by requiring an explicit acknowledgement of the target destination of the message by specifying the origin <URL> or wildcard <*>.

 frameOther.postMessage(”This is a message”, “http://example.com”);

DOM Storage

Today, web pages use the document.cookie property to store data on the local machine. Cookies are limited in capability by the fact that sites can only store 50 key/value pairs per domain. Furthermore, the cookie programming model is cumbersome and requires parsing the entire cookie string for data. While cookies are useful for marking transitions and changes on the client to the server as they are sent with the request headers in chunks of up to 4KB, IE8 brings better alternatives for scenarios involving persisting data on the client and distinctly maintaining sessions in different tabs. The W3C’s HTML 5 DOM Storage objects provide a much simpler global and session storage model for key/value pair string data. Sites can store data for the life of a tab or until the site or user clears the data.

Updates for Beta 2 include changing the name of the persistent globalStorage attribute to localStorage and the removal of the need to specify the domain when writing to the localStorage

// Store a key-value pair.
localStorage.setItem(”FirstName”,”Sunava”);

Finally, we also included improved support of the updated onstorage HTML 5.0 event returned when the storage is changed. We now return the URI when the local storage is changed, so that handlers for pages can know who carried out the latest transaction in the storage space in addition to providing the source to the window of the origin. Furthering the good news, the HTML 5.0 Working Group has incorporated the clear method, which we shipped in Beta 1, into the draft. This essentially allows for script to clear all items accessible in its storage space without having to iterate though the keys.

Connectivity Event

The navigator.onLine property and online/offline events now work on Windows XP as well as Windows Vista. The work to enable this was not trivial, as connection awareness in Windows XP is not quite as advanced as Windows Vista. That said, this will be extremely beneficial for developers, who we believe shouldn’t have to worry about OS differences. The value of connectivity events is particularly appealing when used in conjunction with the localstorage, where data can be cached in case of network loss!

XMLHttpRequest

Introducing the XDomainRequest object in IE8 hasn’t diverted our attentions from constantly tweaking and improving XMLHttpRequest, which will continue to be our flagship object for same-domain communications. Post-Beta 1 energies here have focused on a few bug fixes around reliability and working with the Web Apps Working Group to clarify and improve the draft specification, our compliance with it, and W3C public test cases. A timeout method introduced here in Beta 1 for the convenience of developers is currently being evaluated for adoption in the XMLHttpRequest spec.

// Sets timeout after open to two seconds.
xhr.timeout             = 2000;

ToStaticHTML, to JSON, and fromJSON

What do you do with the strings returned from third parties using XDomainRequest or Cross-document Messaging? In today’s world of increasing script injection and Cross-site Scripting (XSS) attacks, having the option of passing these through a safe parser comes as a welcome relief. As detailed in Eric Lawrence’s post on Comprehensive Protection for IE8 Security, toStaticHTML provides a powerful way of sanitizing your strings by purging potentially executable content.

//Calling:
window.toStaticHTML(”This is some <b>HTML</b> with embedded script following… <script>alert(’bang!’);</script>!”);

//will return:
This is some <b>HTML</b> with embedded script following… !

In addition, IE8 Beta 2’s toJSON and fromJSON methods provide improved performance as opposed to non-native Javascript deserializers and serializers. Our implementation is based on the ECMAScript 3.1 proposal for native JSON-handling which uses Douglas Crockford’s json2.js API. In addition to the performance benefits of going native, the JSON parser provides a safe alternative to the eval() method, which has been a common and dangerous way to revive JSON objects, and could allow arbitrary script functions to execute.

Based on its performance on the regexes it does handle, WREC (WebKit Regular Expression Compiler) is indeed an awesome design. regexp-dna.js, however, is flawed and exaggerates SFX performance.

We could use nanojit to make a regex compiler for SpiderMonkey that would perform as well as WREC. But I don’t know if it’s worthwhile yet. Regex performance is much less important for today’s web than it is for SunSpider–I hope to link to a report on that in a future post.

That was the conclusion that David Mandelin of the Tamarin project as he looked into how “SquirrelFish Extreme (SFX) is kicking our butts so badly on regexp-dna.js.”

I love David’s posts, as they go into the real meat of the tech:

Technical details: the design of WREC. There are two main ways to implement regular expressions: using a backtracking matching engine, or by transforming the regex to a finite automaton (NFA, aka “state machine”), which does not backtrack. Most Perl-type regex engines, including both SpiderMonkey’s and WREC, follow the backtracking design. I don’t know the exact history of that choice, but at present it is much easier to implement features like group capture and backreferences in the backtracking design. Also, although some regexes scale only if implemented as NFAs, my tests suggest that many simple regexes, including those in SunSpider, are faster with backtracking.

As of this writing, WREC’s implementation strategy is dirt simple (which is a good thing). There are no transformations or fancy optimizations on the regex. WREC simply generates native code that directly implements the backtracking search. Thus, within a single match operation, there are no function calls, no traversals of regular expression ASTs, and few option tests, so almost all of the overhead is eliminated.

WREC’s code is very easy to read, so if you want to know exactly how it works, just read it in WREC.cpp. It’s also great example code for anyone implementing a compiler for a simple language like regular expressions. The basic plan is to parse the regular expression with functions named things like parseDisjunction (the | operator). Those functions directly call functions like generateDisjunction that generate the native code using the same assembler that the call-threading interpreter uses. There’s also the oddly named “gererateParenthesesResetTrampoline”. Inexplicably preserved typo, or watermark to detect copying of WREC code?

Pete Higgins released Dojo 1.2 the first version under his command. There are a ton of subtle improvements such as:

New Datastores

• dojox.data.JsonRestStore
• dojox.data.CouchDBRestStore
• dojox.data.GoogleFeedStore: A Google AJAX API powered data store for retrieving RSS and Atom feeds from Google.
• dojox.data.GoogleSearchStore: Data stores to interface Google’s AJAX search services.
• dojox.data.PersevereStore: dojox.data.PersevereStore is an extension of JsonRestStore to Persevere’s special features.
• dojox.data.S3Store: an extension of JsonRestStore to handle Amazon’s S3 service using JSON data

New Projects in DojoX

dojox.analytics.Urchin

• A Google-analytics helper, which supports lazy-loading the Google Analytics API at any point during a page lifecycle.
• Allows you to post-onload include Google Analytics helper, and track Ajax-y pages via a simple API, with a very small overhead.

dojox.av

• New project for Audio/Video elements
• dojox.av.FLVideo: a player for Flash video files
• dojox.av.widget.Player: Dijit-based object for playing Flash media

dojox.embed

• A set of utilities that allow you to load/include Objects such as Flash and Quicktime.
• dojox.embed.Flash for Flash movies
  • Create proxy information for Flash movies implementing ExternalInterface through dojox.embed.Flash.proxy
• dojox.embed.Quicktime for Quicktime movies
• dojox.embed.Object—a Dijit that can be used via markup for any dojox.embed objects available.

dojox.io.windowName

• Provides secure cross-domain request capability. Sends a request using
  an iframe (POST or GET) and reads the response through the frame’s window.name.

dojox.io.xhrPlugins

• This is a registry for creating alternate XHR handlers, for example
  you can register to use IE8’s XDomainRequest or a proxy server to handle
  cross-domain requests.

dojox.lang.aspect

• dojox.lang.aspect is a new AOP library module for before/around/etc advice and other AOP features.
• See the blog post for details.

dojox.lang.observable

• Provides a form of getter/setter support to objects.
  Observable objects can be created such that all property
  reads, writes, and method calls will trigger listener functions
  so that you can create APIs where property interaction can be
  controlled and monitored.
• This relies on VBScript hacks for IE and is somewhat
  limited in functionality.

dojox.secure.capability

• This provides object-capability JavaScript validation.
• This is a validator to run before eval to ensure that a script can’t access or
  modify any objects (like global objects) outside of those specifically
  provided to it.

dojox.secure.DOM

• Provides a DOM facade that restricts access to a specified subtree
  of the DOM.
• The DOM facade uses getters/setters and lettables to emulate the DOM API.

dojox.secure.sandbox

• Provides support for loading web pages, JSON, and scripts
  from other domains using XHR (and XHR plugins) with a safe
  subset library and sandboxed access to the DOM.

We updated the Google CDN to point to the new version too, and AOL has done the same.

Synchronized Multimedia Integration Language (or SMIL) 3.0 has now become a proposed recommendation at the W3C. SMIL hasn’t been widely used, but some of it is widely supported thanks to ACID tests that had the browser vendors put it in.

3.0 has the following goals:

• Define an XML-based language that allows authors to write interactive
  multimedia presentations. Using SMIL, an author may describe the temporal
  behaviour of a multimedia presentation, associate hyperlinks with media
  objects and describe the layout of the presentation on a screen.
• Allow reusing of SMIL syntax and semantics in other XML-based
  languages, in particular those who need to represent timing and
  synchronization. For example, SMIL components are used for integrating
  timing into XHTML [XHTML10] and into SVG
  [SVG].
• Extend the functionalities contained in the SMIL 2.1 [SMIL21] into
  new or revised SMIL 3.0 modules.
• Define new SMIL 3.0 Profiles incorporating features useful within the
  industry.

Matt Raible has posted on the Ajaxified Body pattern, that loads content into the main area instead of reloading an entire page.

The surrounding template stays put, and the red area changes when you have an action:

This is an old question: “When should you just reload the page?” In the sample application you see the trade offs. Every click causes a red “Loading…” indicator, and just the main area changes. The browser doesn’t have any indication that something is happening, hence the need for the custom red indicator. You also then have to implement support for browser history, make sure that direct access works and the like. The positive is that you don’t get a refresh flash, but is that enough to warrant the change?

One of the use cases on the page is the rich table component. That should definitely be able to refresh and page without the page changing, but when the main content gets swapped in, I start to question. What do you think?

Matt uses SiteMesh, a great technology that can knit together the look and feel, and can fit in very well in this kind of world. If a browser goes directly to a page it can piece together the entire page, but an Ajax request can come in and it can just send back the main content. Very nice.

Michael Carter et al have been working on js.io, a client library that gives you networking, including Comet like support, via JavaScript.

The low level work can sit upon Comet APIs, and in the future, Web Sockets, and you get high level APIs to protocols such as:

• amqp
• imap
• irc
• ldap
• smtp
• ssh
• stomp
• telnet
• xmpp

There are some demos such as LiveHelp that uses Orbited as the backend.

Mecca is a new browser by the prolific Todd Ditchendorf of Fluid fame. It is currently in the works, and features:

• Open Plug-in Architecture
• Built-in Userscripting
• Userstyles
• ÜberView for Plug-in Split Views
• Global Keyboard Shortcut
• Single-Window Browsing Mode
• BrowsaBrowsa Plug-in for Sidebars
• Session Restore
• Full-Screen Mode
• Customizable Shortcuts
• Integrated Gears-loading (InputManager)
• Hidden “Closed” Windows
• Thumbnail Plug-in for CoverFlow
• TinyURL creation/expansion
• Automatic Software Updates
• Custom User-Agent Strings
• Full WebInspector
• Custom Window Opacity/Level/Style

It looks very interesting, and I can’t wait to see it!

I am so happy that the NDA mess is over! Clancy has written about how you can have your iPhone Web app run in full screen and has a demo app that shows it off:

•  
• <meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" />
• <meta name="apple-mobile-web-app-capable" content="yes" />
• <meta names="apple-mobile-web-app-status-bar-style" content="black-translucent" />
•  

Here’s an interesting link for a Friday. Viktor Zeman on Quality Unit sent us a link to “PostAffiliateXpress“, some boring IT application with an interesting interface and an even more intriguing back-end.

The UI combines a Vista-like “Start” menu along with an OS X-like dock (using everyone’s favorite fish-eye widget). It also has a built-in widget system that leverages Google Widgets. Overall, it’s a pretty nice implementation of a desktop and windowing in Ajax.

The framework itself is “GwtPHP” which attempts to take all the advantages of GWT and deploy them to PHP backends in an attempt to solve the problem of limited Java-friendly hosting services. Unfortunately, the framework isn’t available for use until sometime in early November.

Dual-License

The developers intend to use the familiar “free for hobbyists, pay up for commercial use” licensing model (what their licensing page calls a “what for what” model).

Give some feedback

Viktor says that they are quite keen to get feedback from folks on the project, so interested folks should get in touch, let them know what you think about the licensing model, and perhaps get early access, etc.

I got to meet Aaron Newton at The Ajax Experience, and he is a thinker. He was really taking in the various talks, and interactions, and you could tell that he was trying to work out various angles on the frameworks. What makes them different? What makes them popular? Where are they going?

He wrote a really nice post on some of these thoughts that goes into detail on different patterns for JavaScript programing. The meme at the show was definitely “the frameworks all do the same thing, just with a different looking API” which makes it even harder to put your finger on differences sometimes. Aaron does a good job.

John Resig himself gave a talk comparing the frameworks. Considering that he is Mr. jQuery, I thought he was very unbiased and had some good thoughts:

Oliver Steele gave a great talk at The Ajax Experience this week on Practical Functional JavaScript.

For his talk, he ended up creating a samples application where you can run the code directly, very similar to what John Resig did in Learn JavaScript.

The samples take you through JavaScript world, stopping for:

• Callbacks
• Functions
• Closures
• Idioms
• Throttling
• Caching
• Retry

Kyle McGregor took a look at the JavaScript games for Life out there and decided to write a Canvas version that ends up being a lot snappier. The entire game is pretty small:

•  
• var counterface = 0;
• var oInstance;
• var Game = Class.create();
•  
• Game.prototype = {
•         'working': false,
•         'map': '',
•         'interval_id': '',
•     'initialize': function()
•     {
•  
•                 //generate map
•                 var startmap = [];
•                
•                 for(var y = 0; y <90; y++)
•                 {
•                         var row = [];
•                        
•                         for(var x = 0; x <90; x++)
•                         {
•                                 var state = Math.random();
•                                 state = (state> 0.8)? 1:0;
•                                 row[x] = state;
•                         }
•                        
•                         startmap[y] = row;
•                 }
•  
•                 this.map = startmap;
•                
•                 oInstance=this;
•                 this.interval_id = setInterval(function(){oInstance.loop()}, 100);
•     },
•     'loop': function()
•     {
•                 if (document.getElementById('frame').getContext)
•                 {
•                         // drawing code here
•                         if(this.working == false)
•                         {
•                                 this.working = true;
•                                 this.draw();
•                                 this.step();
•                                 this.working = false;
•                         }
•                 }
•                 else
•                 {
•                         // canvas-unsupported code here
•                         alert('Your Browser does not support the canvas tag. try again  in firefox 1.5+ or Opera 9+');
•                 }
•     },
•         'draw': function()
•         {
•                 var ctx = document.getElementById('frame').getContext('2d');
•                 ctx.save();
•                 ctx.clearRect(0,0,450,450);
•             ctx.fillStyle = "rgb(0,0,0)";
•  
•                 for(var y = 0; y <90; y++)
•                 {
•                         for(var x = 0; x <90; x++)
•                         {
•                                 if(this.map[y][x] == 1)
•                                 {
•                                         ctx.fillRect (x*5, y*5, 5, 5);
•                                 }
•                         }
•                 }
•  
•                 ctx.restore();
•                 ctx.fill();
•         },
•         'step': function()
•         {
•                 var output = '';
•                 supercount = 0;
•                
•                 var tempmap = [];
•  
•                 for(var y = 0; y <90; y++)//work around for arrays passing by reference.
•                 {
•                         var row = [];
•                        
•                         for(var x = 0; x <90; x++)
•                         {
•                                 row[x] = this.map[y][x];
•                         }
•                        
•                         tempmap[y] = row;
•                 }
•                                
•                 for(var y = 0; y <90; y++)
•                 {
•                         for(var x = 0; x <90; x++)
•                         {
•                                 var countme = this.getNeighborCount(y,x);
•                                
•                                 if ( this.map[y][x] == 0 ) // dead cell 
•                                 { 
•                                         if ( countme == 3 ) 
•                                         { 
•                                                 tempmap[y][x] = 1; 
•                                         } 
•                                 } 
•                                 else
•                                 { 
•                                         if ( ( countme == 2 ) || ( countme == 3) ) 
•                                         { 
•                                                 tempmap[y][x] = 1; 
•                                         } 
•                                         else 
•                                         { 
•                                                 tempmap[y][x] = 0 ; 
•                                         } 
•                                 } 
•                         }              
•                 }       
•                 counterface++;
•                 this.map = tempmap;
•         },
•         'getNeighborCount': function(starty,startx)
•         {
•                 var count = 0;
•                
•                 for(var y = starty-1; y <= starty+1; y++)
•                 {
•                         for(var x = startx-1; x <= startx+1; x++)
•                         {
•                                 if(y>= 0 && y <90 && x>= 0 && x <90)
•                                 {
•                                         if(startx != x || starty != y)
•                                         {
•                                                 if(this.map[y][x] == 1)
•                                                 {
•                                                         count++;
•                                                 }
•                                         }
•                                 }
•                         }
•                 }
•                
•                 return count;
•         }
• }
•  
• 

Netflix has a long history of presenting at the Ajax experience, starting with Sean Kane giving talks on their use of Ajax and their approach to usability to this year’s presentation when Bill Scott revealed Netflix’s new Ajax developer APIs.

If these APIs were just about allowing developers to manage rental queues, it would be of limited interest. Instead, the APIs are quite broad and include features like:

# Performing searches of movies, TV series, cast members, and directors
# Retrieving catalog titles, including details about the title such as name, box art, director, cast, etc.
# Determining the subscriber’s relationship to a specific title, e.g, in queue, saved, available on DVD, etc.
# Managing and displaying queues for users
# Providing conveniences such as auto-completion of partial search terms typed by a user.
# Displaying a user’s ratings and reviews.
# Including functional Add and Play buttons in your web application.

Since IMDB lacks an API (and the community-provided APIs seem to be in various stages of disrepair — note that the site linked to in this story is now down), this fully-supported offering from Netflix seems quite interesting indeed. Check out their blog post announcing the features and their new developer portal.

Alvaro Videla just wrote in to tell us about Firesymfony, a Firebug extension that provides an alternative to Symfony’s built-in web debug toolbar.

sometimes the toolbar position makes impossible to use some features of the layout of our website, like a link menu on the top right corner. It also happens that while we display a small popup with the resize functionality disabled it’s turns hard to access all the data displayed by the toolbar.

The solution I’ve came up with is to move all the data from the toolbar to Firebug, actually, to port the symfony web debug toolbar as a Firebug extension. This will remove the toolbar from the page html and will show it in a convenient place that almost every web developer is used to.

Taking advantage from the cool new features of symfony 1.2 I started a project to develop a symfony plugin to send the data to the Firebug extension. The later has been smartly called FireSymfony.

Alvaro has another blog post that talks more about the first release.

Nate Koechley has announced YUI 2.6.0 final:

2.6.0 introduces a new Carousel Control, offers the Paginator Control for general use (it was previously bundled with DataTable), includes more than 450 total fixes, enhancements and optimizations, graduates eight components out of “beta,” and now ships with more than 290 functional examples.

To go along with the carousel and paginator controls, you will also find details on updates too: TreeView, Calendar, Rich Text Editor, Drag & Drop, Uploader, DataTable, AutoComplete, and Container.

With Christian around, you can be sure that accessibility is taken seriously, and we see improvements there:

We’ve continued to work hard to make YUI accessible. The Carousel, Button, Menu, TabView, and Container all have enhanced accessibility support in addition to what’s otherwise noted in this blog post. We continue to count accessibility amongst our highest priorities; stay tuned for a few more blog posts on the topic in the coming days and weeks.