Updating web applications for Firefox 3

  • Revision slug: Updating_web_applications_for_Firefox_3
  • Revision title: Updating web applications for Firefox 3
  • Revision id: 92870
  • Created:
  • Creator: The Hunter
  • Is current revision? No
  • Comment

Revision Content

There are a number of changes in the upcoming Firefox 3 that may affect your web site or web application, as well as new features you may wish to take advantage of. This article will serve as a starting point as you work on updating your content to take the fullest possible advantage of Firefox 3.

Firefox 3 is currently scheduled for release in the spring of 2008.

DOM changes

{{wiki.template(':en/DOM/WRONG_DOCUMENT_ERR_note')}}

HTML changes

Firefox 3 closes a security bug in frames and iframes that allowed them to inherit the parent's character set. This could cause problems in certain cases. Now, frames are only allowed to inherit the parent's character set if both frame and parent were loaded from the same server. If you have pages that assume that frames loaded from other servers will inherit the same character set, you should update the frames' HTML to indicate their character set specifically.
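As an added example (not part of the original article), the following script lists frames that would lose charset inheritance under the rule above, so you know which frame documents need an explicit declaration. It assumes "same server" can be approximated by comparing URL origins; the host names and sample documents are constructed.

```javascript
// Added example: list cross-origin frames that declare no charset of their own.
// Assumption: "same server" is approximated by comparing URL origins.

// Charset from the Content-Type header, else from a <meta> tag, else null.
function declaredCharset(contentType, html) {
  const fromHeader = /charset\s*=\s*"?([\w-]+)/i.exec(contentType || "");
  if (fromHeader) return fromHeader[1].toLowerCase();
  const fromMeta = /<meta[^>]+charset\s*=\s*["']?([\w-]+)/i.exec(html || "");
  return fromMeta ? fromMeta[1].toLowerCase() : null;
}

// fetched maps absolute frame URL -> { contentType, html } as served.
function framesNeedingCharset(parentUrl, parentHtml, fetched) {
  const parentOrigin = new URL(parentUrl).origin;
  const findings = [];
  const frameRe = /<i?frame\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = frameRe.exec(parentHtml)) !== null) {
    const frameUrl = new URL(m[1], parentUrl);
    const doc = fetched[frameUrl.href];
    if (!doc) continue; // not fetched, nothing to judge
    const crossOrigin = frameUrl.origin !== parentOrigin;
    if (crossOrigin && declaredCharset(doc.contentType, doc.html) === null) {
      findings.push(frameUrl.href);
    }
  }
  return findings;
}

// Constructed sample data (hypothetical hosts).
const SAMPLE_PARENT_URL = "https://app.example/index.html";
const SAMPLE_PARENT_HTML = `
<meta http-equiv="Content-Type" content="text/html; charset=Shift_JIS">
<iframe src="/menu.html"></iframe>
<iframe src="https://widgets.example/news.html"></iframe>
<iframe src="https://cdn.example/banner.html"></iframe>
<frame src="https://stats.example/panel.html">`;
const SAMPLE_FETCHED = {
  "https://app.example/menu.html": { contentType: "text/html", html: "<p>menu</p>" },
  "https://widgets.example/news.html": { contentType: "text/html", html: "<p>news</p>" },
  "https://cdn.example/banner.html": { contentType: "text/html; charset=UTF-8", html: "" },
  "https://stats.example/panel.html": {
    contentType: "text/html",
    html: '<meta charset="iso-8859-1"><p>panel</p>',
  },
};

console.log(framesNeedingCharset(SAMPLE_PARENT_URL, SAMPLE_PARENT_HTML, SAMPLE_FETCHED));
```

The same-origin frame is not reported because it may still inherit the parent's character set.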

Security changes

Chrome access

In prior versions of Firefox, any web page could load scripts or images from chrome using the <tt>chrome://</tt> protocol. Among other things, this made it possible for sites to detect the presence of add-ons -- which could be used to breach a user's security by bypassing add-ons that add security features to the browser.

Firefox 3 only allows web content to access items in the <tt>chrome://browser/</tt> and <tt>chrome://toolkit/</tt> spaces. These files are intended to be accessible by web content. All other chrome content is now blocked from access by the web.

There is, however, a way for extensions to make their content web-accessible. They can specify a special flag in their <tt>chrome.manifest</tt> file, like this:

content mypackage location/ contentaccessible=yes

This shouldn't be something you need to do very often, but it's available for those rare cases in which it's needed.

Note: Because Firefox 2 doesn't understand the <tt>contentaccessible</tt> flag (it will ignore the entire line containing the flag), if you want your add-on to be compatible with both Firefox 2 and Firefox 3, you should do something like this:

content mypackage location/
content mypackage location/ contentaccessible=yes
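
As an added example (not part of the original article or of Firefox itself), this script audits a <tt>chrome.manifest</tt> for packages exposed to web content and reports any that lack the flag-free line Firefox 2 needs. The sample manifest is constructed; the package names <tt>helper</tt> and <tt>internal</tt> are hypothetical.

```javascript
// Added example: audit a chrome.manifest for packages exposed to web content.
// Flags packages that have only a contentaccessible line, which Firefox 2 ignores whole.
function auditManifest(text) {
  const packages = new Map(); // package name -> { exposed, plain }
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue; // blank or comment
    const [kind, name, location, ...flags] = line.split(/\s+/);
    if (kind !== "content" || !name || !location) continue;
    const entry = packages.get(name) || { exposed: false, plain: false };
    const accessFlag = flags.find((f) => f.startsWith("contentaccessible="));
    if (accessFlag === undefined) entry.plain = true; // readable by Firefox 2
    else if (accessFlag === "contentaccessible=yes") entry.exposed = true;
    packages.set(name, entry);
  }
  const exposed = [];
  const missingFx2Fallback = [];
  for (const [name, entry] of packages) {
    if (!entry.exposed) continue;
    exposed.push(name);
    if (!entry.plain) missingFx2Fallback.push(name);
  }
  return { exposed, missingFx2Fallback };
}

// Constructed sample manifest.
const SAMPLE_MANIFEST = `
# constructed sample manifest
content mypackage location/
content mypackage location/ contentaccessible=yes
content helper chrome/helper/ contentaccessible=yes
content internal chrome/internal/
skin mypackage classic/1.0 skin/
`;

console.log(auditManifest(SAMPLE_MANIFEST));
```

Every name in <tt>exposed</tt> is a package any web page can load from, so review that list for content that reveals more than intended.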

File upload fields

In prior versions of Firefox, there were cases in which the entire path of a file the user submitted for uploading was available to the web application. This privacy concern has been resolved in Firefox 3; now only the filename itself is available to the web application.

JavaScript changes

Firefox 3 supports JavaScript 1.8. One important change that may require updates to your web site or application is that the obsolete and non-standard Script object is no longer supported. This is not the <script> tag, but a JavaScript object that was never standardized. It is unlikely this is something you ever used anyway, so you're probably fine.

See also

Firefox 3 for developers, New in JavaScript 1.8, Updating extensions for Firefox 3



Revision Source

<p>{{template.Fx_minversion_header(3)}}{{template.Draft()}}
There are a number of changes in the upcoming Firefox 3 that may affect your web site or web application, as well as new features you may wish to take advantage of.  This article will serve as a starting point as you work on updating your content to take the fullest possible advantage of Firefox 3.
</p><p>Firefox 3 is currently scheduled for release in the spring of 2008.
</p>
<h3 name="DOM_changes">DOM changes</h3>
<p>{{wiki.template(':en/DOM/WRONG_DOCUMENT_ERR_note')}}
</p>
<h3 name="HTML_changes">HTML changes</h3>
<p>Firefox 3 closes a security bug in frames and iframes that allowed them to inherit the parent's character set.  This could cause problems in certain cases.  Now, frames are only allowed to inherit the parent's character set if both frame and parent were loaded from the same server.  If you have pages that assume that frames loaded from other servers will inherit the same character set, you should update the frames' HTML to indicate their character set specifically.
</p>
<h3 name="Security_changes">Security changes</h3>
<h4 name="Chrome_access">Chrome access</h4>
<p>In prior versions of Firefox, any web page could load scripts or images from chrome using the <tt>chrome://</tt> protocol.  Among other things, this made it possible for sites to detect the presence of add-ons -- which could be used to breach a user's security by bypassing add-ons that add security features to the browser.
</p><p>Firefox 3 only allows web content to access items in the <tt>chrome://browser/</tt> and <tt>chrome://toolkit/</tt> spaces.  These files are intended to be accessible by web content.  All other chrome content is now blocked from access by the web.
</p><p>There is, however, a way for extensions to make their content web-accessible.  They can specify a special flag in their <tt>chrome.manifest</tt> file, like this:
</p>
<pre class="eval">content mypackage location/ contentaccessible=yes
</pre>
<p>This shouldn't be something you need to do very often, but it's available for those rare cases in which it's needed.
</p>
<div class="note"><b>Note:</b> Because Firefox 2 doesn't understand the <tt>contentaccessible</tt> flag (it will ignore the entire line containing the flag), if you want your add-on to be compatible with both Firefox 2 and Firefox 3, you should do something like this:
<pre class="eval">content mypackage location/
content mypackage location/ contentaccessible=yes
</pre>
</div>
<h4 name="File_upload_fields">File upload fields</h4>
<p>In prior versions of Firefox, there were cases in which the entire path of a file the user submitted for uploading was available to the web application.  This privacy concern has been resolved in Firefox 3; now only the filename itself is available to the web application.
</p>
<h3 name="JavaScript_changes">JavaScript changes</h3>
<p>Firefox 3 supports <a href="en/New_in_JavaScript_1.8">JavaScript 1.8</a>.  One important change that may require updates to your web site or application is that the obsolete and non-standard <code>Script</code> object is no longer supported.  This is not the <code><span class="plain">&lt;script&gt;</span></code> tag, but a JavaScript object that was never standardized. It is unlikely this is something you ever used anyway, so you're probably fine.
</p>
<h3 name="See_also">See also</h3>
<p><a href="en/Firefox_3_for_developers">Firefox 3 for developers</a>, <a href="en/New_in_JavaScript_1.8">New in JavaScript 1.8</a>, <a href="en/Updating_extensions_for_Firefox_3">Updating extensions for Firefox 3</a>
</p><p><br>
</p>
<div class="noinclude">
</div>
{{ wiki.languages( { "fr": "fr/Mise_\u00e0_jour_des_applications_Web_pour_Firefox_3", "ja": "ja/Updating_web_applications_for_Firefox_3", "pl": "pl/Aktualizacja_aplikacji_internetowych_dla_Firefoksa_3" } ) }}