Updating web applications for Firefox 3
There are a number of changes in the upcoming Firefox 3 that may affect your web site or web application, as well as new features you may wish to take advantage of. This article will serve as a starting point as you work on updating your content to take the fullest possible advantage of Firefox 3.
Nodes from external documents should be cloned using
document.importNode() (or adopted using
document.adoptNode()) before they can be inserted into the current document. For more on the
Node.ownerDocument issues, see the
W3C DOM FAQ.
Firefox doesn't currently enforce this rule (it did for a while during the development of Firefox 3, but too many sites break when this rule is enforced). We encourage Web developers to fix their code to follow this rule for improved future compatibility.
Firefox 3 closes a security bug in frames and iframes that allowed them to inherit the parent's character set. This could cause problems in certain cases. Now, frames are only allowed to inherit the parent's character set if both frame and parent were loaded from the same server. If you have pages that assume that frames loaded from other servers will inherit the same character set, you should update the frames' HTML to indicate their character set specifically.
<script> element in
text/html documents now requires a closing
</script> in HTML 4 documents, even if you're not including any content in between. While in previous versions of Firefox, you could do:
<script … />
Now the markup must comply with the HTML specifications (if it's actually HTML), and hence you must actually close it, like this:
This improves both compatibility and security.
font-size values in em and ex units used to be affected by the user's minimum font size setting: if a font was displayed larger due to the minimum font size, the em and ex units for font-size settings based on this one would be enlarged accordingly. This was inconsistent with the way percentage-based font sizes behaved.
font-size values in em and ex units are now based on an "intended font size" that is not affected by the user's minimum font size. In other words, font sizes are always calculated according to the designer's intention and are adjusted for minimum font size afterwards.
See bug 434718, especially its NOT A CASE FOR THE BUG TEMPLATE - The following link points to a Bugzilla attachment, not a Bugzilla bug; if you use the attachment number as a bug number, it becomes nonsense attachment 322943 NOT A CASE FOR THE BUG TEMPLATE for a demonstration (must be watched with a minimum font size >= 6 to see the difference: the two box cascades behave differently in Firefox 2, because the em-based font-size "bounces" off the minimum font size).
In prior versions of Firefox, any web page could load scripts or images from chrome using the
chrome:// protocol. Among other things, this made it possible for sites to detect the presence of add-ons — which could be used to breach a user's security by bypassing add-ons that add security features to the browser.
Firefox 3 only allows web content to access items in the
chrome://toolkit/ spaces. These files are intended to be accessible by web content. All other chrome content is now blocked from access by the web.
There is, however, a way for extensions to make their content web-accessible. They can specify a special flag in their
chrome.manifest file, like this:
content mypackage location/ contentaccessible=yes
This shouldn't be something you need to do very often, but it's available for those rare cases in which it's needed. Note that it's possible that Firefox may alert the user that your extension uses the
contentaccessible flag in this way, as it does constitute a potential security risk.
Note: Because Firefox 2 doesn't understand the
contentaccessible flag (it will ignore the entire line containing the flag), if you want your add-on to be compatible with both Firefox 2 and Firefox 3, you should do something like this:
content mypackage location/ content mypackage location/ contentaccessible=yes
In prior versions of Firefox, there were cases in which when the user submitted a file for uploading, the entire path of the file was available to the web application. This privacy concern has been resolved in Firefox 3; now only the filename itself is available to the web application.
Using code in JAR files loaded from other domains is no longer allowed in frames; this mitigates a potential attack vector.
The same-origin policy for file: URIs has changed in Firefox 3. This may affect your content; please see Same-origin policy for file: URIs for details.
Script object is no longer supported. This is not the