Tuesday, September 21, 2010

Old unresolved IE (pre 9) DOM bugs hinder its ability to work with HTML5


I've just started to read the "Introducing HTML5" book http://goo.gl/DDa9 (my first HTML5 tutorial) and it's simply wonderful. I enjoy its concise but very lively language a lot.


On page 11 http://goo.gl/IAi3 Bruce Lawson said, "The way to cajole IE into applying CSS to HTML5 is to use JavaScript. Why? This is an inscrutable secret, and if we told you we'd have to kill you. (Actually, we don't know.) If you add the following JavaScript into the head of the page

<script>
document.createElement('header');
document.createElement('nav');
document.createElement('article');
document.createElement('footer');
</script>

IE will magically apply styles to those elements, provided that there is a <body> element in the markup."

I think I know why.
Two years ago I found an article in a blog by Rick Strahl http://goo.gl/a4Cy, famous among .NET developers, about a very unfortunate Internet Explorer feature: it automatically creates matching global JavaScript objects for all DOM elements on the page based on their IDs. This clutters the global space and often leads to clashes with user-defined JavaScript objects, which often leads to "Object doesn’t support this property or method" errors being displayed.

I bet these things are related: for IE to operate normally it needs all the DOM elements on the page to be in a global namespace. The JavaScript snippet does just that: it puts the HTML5 'header', 'nav', etc. elements into a global namespace!

I already blogged http://goo.gl/ducY about this and another IE issue and tried desperately to notify IE staff... well, they don't like to be notified at all, they don't like bug reports.


An update of 10/19/2010: I got a nice message from the Microsoft Connect Team saying that the bug was resolved in IE 9. They said, "This issue was resolved in Internet Explorer 9 Platform Preview Build 3 released on 6/23/2010… The fix prevents the error message. Note, IE still allows the DOM element to exist as a global javascript object." (Bold-italic mine, V.K.)

Well, I’m not sure that keeping DOM elements in the global JavaScript namespace is a good idea (other browsers don’t do it), but at least they found a workaround. It would be interesting to see how correctly it now supports HTML 5 and whether the document.createElement() trick described above is still necessary.

Friday, July 02, 2010

About Internet Explorer DOM bugs

Almost four years ago I wrote a post http://goo.gl/VKTc in my blog describing the incorrect behavior of the window.onblur event in IE and a workaround. At that time I tried hard to submit a bug report to Microsoft, but couldn't find a way to do that. My blog isn't really that popular, but I received numerous thanks from web developers for posting a workaround.

Two years ago I found an article in a blog by Rick Strahl http://goo.gl/a4Cy, famous among .NET developers, about another very unfortunate Internet Explorer feature: it automatically creates matching global JavaScript objects for all DOM elements on the page based on their id. This clutters the global space and often leads to clashes with user-defined JavaScript objects, which often leads to "Object doesn’t support this property or method" errors being displayed.

Recently, thanks to Dimitri Glazkov's buzz about Enhanced Scripting in IE9 http://goo.gl/CO1v, I asked the same questions on the MSDN IE blog http://goo.gl/Un5g and got a suggestion to submit a bug report to Microsoft Connect.

Then I found that someone had already submitted the "Incorrect behavior of window.onblur event" bug to the IE blog http://goo.gl/6HlF. Unfortunately it was marked as "Won't fix" by the IE 9 team. So, are we looking at another four years before this bug is fixed? I doubt Internet Explorer would survive that long.

At least I went ahead and submitted the "IE automatically creates matching global JavaScript objects for all DOM elements on the page based on their id" bug http://goo.gl/Eugd on Rick's behalf. Let's see if the MS IE team will be willing to fix that.


An update of 10/19/2010: I got a nice message from the Microsoft Connect Team saying the following:

“Greetings from Microsoft Connect!
This notification was generated for feedback item: IE automatically creates matching global JavaScript objects for all DOM elements on the page based on their id. which you submitted at the Microsoft Connect site.

Thank you for your feedback.
This issue was resolved in Internet Explorer 9 Platform Preview Build 3 released on 6/23/2010. Please verify the change and file a new feedback (or reactivate the existing one) if the problem persists.

The fix prevents the error message. Note, IE still allows the DOM element to exist as a global javascript object. (Bold-italic mine, V.K.)

Best regards,
The Internet Explorer Team
Thank you for using Microsoft Connect!”

Well, I’m not sure that keeping DOM elements in the global JavaScript namespace is a good idea (other browsers don’t do it), but at least they found a workaround.
It was the first time in my life that MS communicated with me directly; that’s nice.

Friday, May 07, 2010

What Facebook’s recent bug tells us

I was listening to the latest TWIG when I heard that Facebook recently had a security breach. They explained that Facebook has a feature that mimics a friend’s login so that you can view your profile through the eyes of that friend (“With Preview My Profile, users can view how their profile appears to any given Facebook friend”). And it turned out that the friend’s login was almost real, making it possible to see the live chats and friend requests of the friend in question.

OK, security breaches happen. They are discovered and then fixed. But what does this particular case tell us about the Facebook platform? I suspect it tells us a lot of negative and alarming things. Let me explain.

We have a similar feature in our Corporate Intranet, written in a mix of classic ASP and ASP.NET. We call it Super User (SU) login. SU allows selected administrators to log in to the Intranet as a different employee to debug some issues. In fact, an SU login matches a regular login by 99%. The one per cent of difference is that there is a special set of a user’s private data which is visible only to the user himself, or to the user and a strictly defined group of people, for example HR. If an admin who uses SU is not in the HR group, the employee’s private data is not visible through the SU login.

Several years ago, security breaches like the one that happened to Facebook were pretty common for us too. But now we have virtually eliminated their possibility.
We use a regular ASP feature to store the current user’s identity in memory: a Session variable. When an SU login happens, the user’s Session variable is actually reset to the identity of the user being SUed. This allows us to fully mimic the other user’s experience. In an SU login, a second Session variable is set, keeping the original user’s identity and indicating that we are in SU mode. When it comes to viewing some restricted private user data, the code checks whether the user has permission to see it and, if we are in SU mode, whether the actual user has the right to see it as well.

The real question is how the system determines the permissions (rights) of a particular user. Normally, Rights are attached either to the user himself or to Roles that the user shares. Initially, our Intranet used a bunch of ‘If’ statements in ASP code. If a user is HR, this is allowed on this page. If a user is a DBA, he can do this and this. If you have developer experience, it should be absolutely clear to you that such a system is very fragile and inconsistent. To break it, it’s enough to add a new page and forget some ‘If’ statement; it’s enough to modify the Rights of a particular Role and forget to modify the ‘Ifs’ on one page. It’s even easier to add a new page and forget that you need to check not only the rights of the current user but also, in case it’s an SU login, the rights of the original user.
So, the system described above is really amateurish, fragile, hard to maintain, and unprofessional.

Now you probably understand what I’m thinking about Facebook? As a web developer with 15 years of experience, I have a strong feeling that Facebook, which had a bunch of developers of different levels and which grew from a small system written in PHP for college students, suffers from the same inconsistent code and uses hard-coded ‘If’ statements to determine a user’s rights and to mimic another user’s experience in “Preview My Profile”. This assumed amateurish, inconsistent system, in combination with its Facebook Über Alles syndrome, looks especially dangerous and incapable of keeping users’ privacy.

Finally, a system for managing user permissions is, in its essence, a relational structure. Basically, there should be a tRight table, a tRole table, and a tRightOfRole link table (many-to-many relationships). It’s a bit more complex if Rights are assignable not only to Roles but to individual Users as well. It gets some additional complexity if Role-Right combinations are different for different pages or sections of your system (web site). We introduced the notion of Scope. Both Roles and Rights are defined either globally or on a particular Scope within a system. A Role-Right combination is to be assigned on a Scope too. The resulting relational system is extremely powerful and flexible, much more flexible than any system based on Active Directory groups, like MS SharePoint (we tried to use MOSS 2007 and found it not flexible enough to accommodate our business rules).
And yes, we actually wrote such a relational system, called Roles Rights Management (RRM). Besides the relational structure I described above, it uses some clever techniques and HttpModules, which allowed us to automate its usage. It is no longer the responsibility of a particular programmer to properly check a user’s permissions to allow or disallow viewing a page or to filter data. In most cases, Security Trimming happens automatically.
That’s what I think Facebook programmers failed to implement.
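
An added example, not code from this post or from the RRM system it describes: a minimal sketch of the relational model above combined with the SU rule from earlier in the post, where one central check requires both the impersonated user and the original user to hold a right. tRole, tRight and tRightOfRole are the post's table names; tUserRole, the Scope column, the session keys and all sample rows are assumptions.

```python
import sqlite3

# tRole, tRight and tRightOfRole are named in the post. tUserRole, the Scope
# column, the session keys and every sample row are assumptions made up here.
SCHEMA = """
CREATE TABLE tRole  (RoleId  INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE tRight (RightId INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE tRightOfRole (
    RoleId  INTEGER NOT NULL REFERENCES tRole(RoleId),
    RightId INTEGER NOT NULL REFERENCES tRight(RightId),
    Scope   TEXT    NOT NULL DEFAULT '*',      -- '*' means granted globally
    PRIMARY KEY (RoleId, RightId, Scope));
CREATE TABLE tUserRole (
    UserName TEXT    NOT NULL,
    RoleId   INTEGER NOT NULL REFERENCES tRole(RoleId),
    PRIMARY KEY (UserName, RoleId));
INSERT INTO tRole  VALUES (1, 'Employee'), (2, 'HR'), (3, 'Admin');
INSERT INTO tRight VALUES (1, 'ViewProfile'), (2, 'ViewPrivateData');
INSERT INTO tRightOfRole VALUES (1, 1, '*'), (3, 1, '*'), (2, 2, '/hr');
INSERT INTO tUserRole VALUES ('helen', 1), ('helen', 2), ('adam', 1),
                             ('adam', 3), ('hank', 2), ('hank', 3);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def has_right(db, user, right, scope):
    """True if any role of `user` carries `right` globally or on `scope`."""
    row = db.execute(
        """SELECT 1 FROM tUserRole ur
             JOIN tRightOfRole rr ON rr.RoleId = ur.RoleId
             JOIN tRight r ON r.RightId = rr.RightId
            WHERE ur.UserName = ? AND r.Name = ? AND rr.Scope IN ('*', ?)
            LIMIT 1""", (user, right, scope)).fetchone()
    return row is not None

def session_allows(db, session, right, scope):
    """The one place a page asks for access. In SU mode the impersonated user
    AND the original (real) user must both hold the right."""
    if not has_right(db, session["user"], right, scope):
        return False
    original = session.get("su_original_user")  # present only during SU login
    return original is None or has_right(db, original, right, scope)

if __name__ == "__main__":
    db = open_db()
    su = {"user": "helen", "su_original_user": "adam"}   # admin SU'd as HR user
    print(session_allows(db, {"user": "helen"}, "ViewPrivateData", "/hr"))  # True
    print(session_allows(db, su, "ViewPrivateData", "/hr"))                 # False
```

Because pages call only session_allows, a new page cannot forget the SU check the way a hand-written ‘If’ can.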

Thursday, March 18, 2010

More Details on Microsoft's plans to ruin jQuery

Visual Studio Magazine: "Microsoft is working in a number of directions, including databinding, the script loader and contributing to development of templating functionality as part of the jQuery core."
Oh no, Microsoft! Please, please don't ruin jQuery! Don't make it as insanely overcomplicated as your own AJAX.NET. Don't mix together JavaScript client code with server-side "loaders". Don't you understand that a RESTless WEB client is not the same as a .NET server or Win desktop?!

Tuesday, February 23, 2010

Squeryl — Introduction

"Squeryl is a strongly typed DSL (domain specific language) for SQL databases in which table rows are manipulated as Scala objects via an SQL like language"

I hate the idea. Aren't we already fed up with MS datasets, which break the n-Tier application structure by bringing excessive and over-complicated database-only properties into the domain layer?
To me it is clear that there are only three legitimate ways of creating decoupled n-Tier applications:
1) Use hand-made Data Access Layer objects;
2) Use ORM tools like [N]Hibernate;
3) Use object-oriented databases like db4o

Wednesday, January 27, 2010

‘The WebForms Rant’ by Karl Seguin


"ASP.NET WebForms is an ugly and messy framework that complicates an otherwise simple thing. ViewState, codebehind, postback, page lifecycle and databinding are things that you have to constantly program against."
"A framework that accepts that HTTP is stateless will always be simpler, cleaner and more powerful than a framework that doesn't."

Wow! Well done :)
I agree completely. Karl is probably the first developer whom I highly respect (as my virtual teacher too) and who is stating the matter straight and without the usual 'polites'.

One more important argument against WebForms is that it leads to the hard-to-avoid "Web page was expired" problem due to the inability to implement the Post-Redirect-Get (PRG) pattern.
See http://pro-thoughts.blogspot.com/2009/06/classic-aspnet-improper-abstractions.html

I also really like the classic "I Spose I’ll Just Say It: You Should Learn MVC" article by Rob Conery.
Finally, the recent "MVC or WebForms: It's more about client side vs server side" article by Ian Cooper is good too.

Don’t forget to read comments under all those articles!