Updating web applications for Firefox 3

  • Revision slug: Updating_web_applications_for_Firefox_3
  • Revision title: Updating web applications for Firefox 3
  • Revision id: 92878
  • Created:
  • Creator: Sheppy
  • Is current revision? No
  • Comment cleanup

Revision Content

{{template.Fx_minversion_header(3)}} There are a number of changes in the upcoming Firefox 3 that may affect your web site or web application, as well as new features you may wish to take advantage of. This article will serve as a starting point as you work on updating your content to take the fullest possible advantage of Firefox 3.

Firefox 3 is currently scheduled for release in the spring of 2008.

DOM changes

{{wiki.template(':en/DOM/WRONG_DOCUMENT_ERR_note')}}

HTML changes

Changes to character set inheritance

Firefox 3 closes a security bug in frames and iframes that allowed them to inherit the parent's character set. This could cause problems in certain cases. Now, frames are only allowed to inherit the parent's character set if both frame and parent were loaded from the same server. If you have pages that assume that frames loaded from other servers will inherit the same character set, you should update the frames' HTML to indicate their character set specifically.

Change to the SCRIPT element

The <tt><script></tt> element in text/html documents now requires a closing <tt></script></tt>, even if you're not including any content in between. While in previous versions of Firefox, you could do:

 <script ... />

Now the markup must comply with the HTML specifications (if it's actually HTML) or with Appendix C of XHTML 1.0 (if it's XHTML), and hence you must actually close it, like this:

 <script ...></script>

This improves both compatibility and security.

Security changes

Chrome access

In prior versions of Firefox, any web page could load scripts or images from chrome using the <tt>chrome://</tt> protocol. Among other things, this made it possible for sites to detect the presence of add-ons -- which could be used to breach a user's security by bypassing add-ons that add security features to the browser.

Firefox 3 only allows web content to access items in the <tt>chrome://browser/</tt> and <tt>chrome://toolkit/</tt> spaces. These files are intended to be accessible by web content. All other chrome content is now blocked from access by the web.

There is, however, a way for extensions to make their content web-accessible. They can specify a special flag in their <tt>chrome.manifest</tt> file, like this:

content mypackage location/ contentaccessible=yes

This shouldn't be something you need to do very often, but it's available for those rare cases in which it's needed. Note that it's possible that Firefox may alert the user that your extension uses the contentaccessible flag in this way, as it does constitute a potential security risk.

Note: Because Firefox 2 doesn't understand the <tt>contentaccessible</tt> flag (it will ignore the entire line containing the flag), if you want your add-on to be compatible with both Firefox 2 and Firefox 3, you should do something like this:
content mypackage location/
content mypackage location/ contentaccessible=yes

File upload fields

In prior versions of Firefox, there were cases in which when the user submitted a file for uploading, the entire path of the file was available to the web application. This privacy concern has been resolved in Firefox 3; now only the filename itself is available to the web application.

JavaScript changes

Firefox 3 supports JavaScript 1.8. One important change that may require updates to your web site or application is that the obsolete and non-standard Script object is no longer supported. This is not the <script> tag, but a JavaScript object that was never standardized. It is unlikely this is something you ever used anyway, so you're probably fine.

See also

Firefox 3 for developers, New in JavaScript 1.8, Updating extensions for Firefox 3


{{ wiki.languages( { "fr": "fr/Mise_\u00e0_jour_des_applications_Web_pour_Firefox_3", "ja": "ja/Updating_web_applications_for_Firefox_3", "pl": "pl/Aktualizacja_aplikacji_internetowych_dla_Firefoksa_3" } ) }}

Revision Source

<p>{{template.Fx_minversion_header(3)}}
There are a number of changes in the upcoming Firefox 3 that may affect your web site or web application, as well as new features you may wish to take advantage of.  This article will serve as a starting point as you work on updating your content to take the fullest possible advantage of Firefox 3.
</p><p>Firefox 3 is currently scheduled for release in the spring of 2008.
</p>
<h3 name="DOM_changes">DOM changes</h3>
<p>{{wiki.template(':en/DOM/WRONG_DOCUMENT_ERR_note')}}
</p>
<h3 name="HTML_changes">HTML changes</h3>
<h4 name="Changes_to_character_set_inheritance">Changes to character set inheritance</h4>
<p>Firefox 3 closes a security bug in frames and iframes that allowed them to inherit the parent's character set.  This could cause problems in certain cases.  Now, frames are only allowed to inherit the parent's character set if both frame and parent were loaded from the same server.  If you have pages that assume that frames loaded from other servers will inherit the same character set, you should update the frames' HTML to indicate their character set specifically.
</p>
<h4 name="Change_to_the_SCRIPT_element">Change to the SCRIPT element</h4>
<p>The <tt><span class="plain">&lt;script&gt;</span></tt> element in <code>text/html</code> documents now requires a closing <tt><span class="plain">&lt;/script&gt;</span></tt>, even if you're not including any content in between.  While in previous versions of Firefox, you could do:
</p>
<pre> &lt;script ... /&gt;
</pre>
<p>Now the markup must comply with the HTML specifications (if it's actually HTML) or with Appendix C of XHTML 1.0 (if it's XHTML), and hence you must actually close it, like this:
</p>
<pre> &lt;script ...&gt;&lt;/script&gt;
</pre>
<p>This improves both compatibility and security.
</p>
<h3 name="Security_changes">Security changes</h3>
<h4 name="Chrome_access">Chrome access</h4>
<p>In prior versions of Firefox, any web page could load scripts or images from chrome using the <tt>chrome://</tt> protocol.  Among other things, this made it possible for sites to detect the presence of add-ons -- which could be used to breach a user's security by bypassing add-ons that add security features to the browser.
</p><p>Firefox 3 only allows web content to access items in the <tt>chrome://browser/</tt> and <tt>chrome://toolkit/</tt> spaces.  These files are intended to be accessible by web content.  All other chrome content is now blocked from access by the web.
</p><p>There is, however, a way for extensions to make their content web-accessible.  They can specify a special flag in their <tt>chrome.manifest</tt> file, like this:
</p>
<pre class="eval">content mypackage location/ contentaccessible=yes
</pre>
<p>This shouldn't be something you need to do very often, but it's available for those rare cases in which it's needed.  Note that it's possible that Firefox may alert the user that your extension uses the <code>contentaccessible</code> flag in this way, as it does constitute a potential security risk.
</p>
<div class="note"><b>Note:</b> Because Firefox 2 doesn't understand the <tt>contentaccessible</tt> flag (it will ignore the entire line containing the flag), if you want your add-on to be compatible with both Firefox 2 and Firefox 3, you should do something like this:
<pre class="eval">content mypackage location/
content mypackage location/ contentaccessible=yes
</pre>
</div>
<h4 name="File_upload_fields">File upload fields</h4>
<p>In prior versions of Firefox, there were cases in which when the user submitted a file for uploading, the entire path of the file was available to the web application.  This privacy concern has been resolved in Firefox 3; now only the filename itself is available to the web application.
</p>
<h3 name="JavaScript_changes">JavaScript changes</h3>
<p>Firefox 3 supports <a href="en/New_in_JavaScript_1.8">JavaScript 1.8</a>.  One important change that may require updates to your web site or application is that the obsolete and non-standard <code>Script</code> object is no longer supported.  This is not the <code><span class="plain">&lt;script&gt;</span></code> tag, but a JavaScript object that was never standardized. It is unlikely this is something you ever used anyway, so you're probably fine.
</p>
<h3 name="See_also">See also</h3>
<p><a href="en/Firefox_3_for_developers">Firefox 3 for developers</a>, <a href="en/New_in_JavaScript_1.8">New in JavaScript 1.8</a>, <a href="en/Updating_extensions_for_Firefox_3">Updating extensions for Firefox 3</a>
</p><p><br>
</p>
<div class="noinclude">
</div>
{{ wiki.languages( { "fr": "fr/Mise_\u00e0_jour_des_applications_Web_pour_Firefox_3", "ja": "ja/Updating_web_applications_for_Firefox_3", "pl": "pl/Aktualizacja_aplikacji_internetowych_dla_Firefoksa_3" } ) }}
Revert to this revision