CSP Level 3 nonce implementation prevents all the inline events. It is possible to override this using the script-src-attr directive in Chrome and Edge. But the script-src-attr directive is not available in the Firefox browser. Thus, all the inline events are blocked. How can this issue be fixed in Firefox without rewriting the inline events?
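CSP Level 3 also defines the 'unsafe-hashes' keyword, which allows individual inline event handlers whose content matches a listed hash while script elements stay nonce-gated. The following is an added example, not part of the original question; it assumes a Node.js server, the function names are hypothetical, and support for the keyword in the Firefox versions being targeted has to be confirmed separately.

```javascript
// Added example (not from the original question). Assumes a Node.js server
// that knows every inline handler string it emits.
const nodeCrypto = require("crypto");

// CSP hash-source for one inline handler: base64 SHA-256 of the attribute value.
function hashSource(handlerCode) {
  const digest = nodeCrypto
    .createHash("sha256")
    .update(handlerCode, "utf8")
    .digest("base64");
  return `'sha256-${digest}'`;
}

// Fresh, unpredictable nonce for the <script nonce="..."> elements of one response.
function newNonce() {
  return nodeCrypto.randomBytes(16).toString("base64");
}

// Build the script-src directive: the nonce covers script elements, and
// 'unsafe-hashes' plus one hash per distinct handler covers the on* attributes.
function buildCsp(nonce, inlineHandlers) {
  const hashes = [...new Set(inlineHandlers)].map(hashSource);
  const sources = [`'nonce-${nonce}'`];
  if (hashes.length > 0) {
    sources.push("'unsafe-hashes'", ...hashes);
  }
  return `script-src ${sources.join(" ")}`;
}

// Constructed sample: two handlers that appear in the page markup,
// e.g. <button onclick="submitForm()"> and <a onclick="return confirmLeave()">.
const sampleHandlers = ["submitForm()", "return confirmLeave()"];
const samplePolicy = buildCsp(newNonce(), sampleHandlers);
console.log("Content-Security-Policy:", samplePolicy);
```

The hash covers the exact attribute value, so any whitespace change or per-user data inside a handler invalidates it.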
Related
I'm building a bootstrapped Firefox extension using the Mozilla add-on SDK (not a traditional XUL addon like other similar questions).
I'd like to capture navigation events before they issue HTTP requests.
I've been using pageMod.PageMod({contentScriptWhen: "start", onAttach: MY_CODE_HERE}) - however, it only triggers onAttach after the page is loaded.
That is reinforced by the SDK documentation:
contentScriptWhen = "start": load content scripts immediately after the document element is inserted into the DOM, but before the DOM content itself has been loaded
On a bootstrapped Firefox extension, is it possible to capture navigation events before the page loads?
You can intercept, and handle, requests via the SDK's system events: How to handle every request in a FF extension
You don't need a pagemod, as this is on the Firefox level, not the per-tab level like the pagemod.
I am working on a new website. While testing some of the functionality I had a number of debug statements and was watching the logs. It seems that Firefox (at least) loads the "next" page in the menu as well as the page I have clicked on. If I have menu items A B C D E and click on B then I see a request for mysite.com/B and then a request for mysite.com/C in the logs, and so on.
Is this some kind of look-ahead performance thing? Is there any way to avoid it (setting an attribute on the link maybe?) The problem is that the second page in my menu is somewhat heavier as it loads a whole lot of data from a web service. I'm happy for people to do that if they want to use the functionality, but would rather not that every visitor to the front page loads it unnecessarily. Is this behaviour consistent across browsers?
Yes, Firefox will prefetch links to improve the perceived performance to the user. You can read more about the functionality in Firefox here https://developer.mozilla.org/en-US/docs/Link_prefetching_FAQ
It isn't possible to disable this in the client's browser, however the request should include the header X-moz: prefetch which you can use to determine if it is in fact a prefetch request or not, and potentially return a blank page for prefetch requests. You can then use Cache-control: must-revalidate to make sure the page loads appropriately when actually requested by the user.
If you happen to be using WordPress for your site, you can disable the tags with the prefetch information by using:
WordPress 3.0+
//remove auto loading rel=next post link in header
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head');
Older versions:
//remove auto loading rel=next post link in header
remove_action('wp_head', 'adjacent_posts_rel_link');
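The header check from the answer above, as an added example that is not part of the original answer. Beyond the answer, it also recognises the Purpose and Sec-Purpose headers that other browsers send, and it sets Vary so a cache does not hand the blank body to a real navigation; respondTo and renderHeavyPage are hypothetical names.

```javascript
// Added example (not from the original answer). Framework-neutral: takes the
// request headers and returns a response description for the server to send.

// Headers that mark a speculative load. "x-moz" is the one named in the
// answer; "purpose" and "sec-purpose" are a generalisation to other browsers.
const PREFETCH_HEADERS = ["x-moz", "purpose", "sec-purpose"];

function isPrefetch(headers) {
  // Header names are case-insensitive, so normalise before looking them up.
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value).toLowerCase();
  }
  // Values may carry extra tokens, e.g. "prefetch;prerender".
  return PREFETCH_HEADERS.some((h) =>
    (lower[h] || "").split(/[;,\s]+/).includes("prefetch")
  );
}

function respondTo(headers, renderHeavyPage) {
  // Vary keeps shared caches from reusing the blank body for a real request.
  const common = { Vary: "X-moz, Purpose, Sec-Purpose" };
  if (isPrefetch(headers)) {
    return {
      status: 200,
      // max-age=0 is an assumption added here so the blank response is stale
      // at once and must-revalidate forces a fresh fetch on the real click.
      headers: { ...common, "Cache-Control": "max-age=0, must-revalidate" },
      body: "", // blank page: the expensive web-service call is skipped
    };
  }
  return { status: 200, headers: common, body: renderHeavyPage() };
}

// Constructed sample requests.
const demoPage = () => "<html>heavy data</html>";
console.log(respondTo({ "X-moz": "prefetch" }, demoPage).body.length); // 0
console.log(respondTo({ Accept: "text/html" }, demoPage).body.length); // 23
```

The header is supplied by the client, so it is a load-saving hint only and should never drive an access decision.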
Yes, it's called prefetch. It can be turned off in the client, see the FAQ:
https://developer.mozilla.org/en-US/docs/Link_prefetching_FAQ
I'm not aware of a way to turn it off via the server.
I'm trying to enable HTTPS support in my app before the October deadline, but the JavaScript call FB.getLoginStatus never calls my callback.
I'm using OAuth2.0, and I added the channelUrl parameter.
This works fine in HTTP mode.
Firefox is reporting no security warnings during page load, all files appear to be correctly served via HTTPS, and all references in the HTML/JS code appear to be updated to point to https:// instead of http:// (including the channelUrl file).
What else can cause the getLoginStatus to not return?
Which JavaScript libraries and frameworks have support for the "onprogress" event for XMLHttpRequest (perhaps as a plugin or extension), emulated if necessary? Alternatively, which JavaScript framework would be easiest to extend to support xhr.onprogress?
By "emulated if necessary" I mean here that if the web browser doesn't support the XHR 2.0 "onprogress" event, then "onreadystatechange" would be used. Because some browsers fire onreadystatechange only once for each state, and do not call onreadystatechange on server flush, some kind of timer / interval would probably be necessary to periodically check the XHR object in such a browser.
jQuery and YUI provide only success and error (or equivalent) callbacks.
MooTools provides a 'progress' event, but limited to browsers that support the event. (At this time: Gecko and WebKit).
You may be able to extend jQuery to achieve what you desire with $.ajax Transports. You will have to do all the hard work yourself though.
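The emulation described in the question, as an added example that is not part of the original posts: native onprogress where the object has it, otherwise a polling timer alongside onreadystatechange. watchProgress and its options are hypothetical names, and the timer functions are injectable so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original posts). Note that it takes over
// xhr.onreadystatechange (and xhr.onprogress when that exists).
function watchProgress(xhr, onChunk, opts = {}) {
  const setTimer = opts.setInterval || setInterval;
  const clearTimer = opts.clearInterval || clearInterval;
  let seen = 0;     // characters of responseText already delivered
  let timer = null; // polling handle, used only in the fallback path

  // Deliver only the part of responseText that arrived since the last call.
  function flush() {
    let text = "";
    try {
      text = xhr.responseText || "";
    } catch (e) {
      return; // some old browsers throw when responseText is read too early
    }
    if (text.length > seen) {
      onChunk(text.slice(seen), text.length);
      seen = text.length;
    }
  }

  function stop() {
    if (timer !== null) {
      clearTimer(timer);
      timer = null;
    }
  }

  if ("onprogress" in xhr) {
    xhr.onprogress = flush; // native XHR 2 event
  } else {
    // Fallback: readystatechange may fire only once per state, so poll
    // responseText while the response is still arriving.
    timer = setTimer(flush, opts.intervalMs || 250);
  }

  xhr.onreadystatechange = function () {
    if (xhr.readyState >= 3) flush();  // loading or done
    if (xhr.readyState === 4) stop();  // done: end polling
  };

  return stop; // lets the caller cancel polling, e.g. after xhr.abort()
}
```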
When using Comet, or Ajax Long Pull techniques - an iframe is usually used. And while that iframe is waiting for the long connection to close, the browser is spinning its throbber (the progress/loading indicator).
Some websites, for example etherpad.com, managed to make it stop.
How do they do it?
After digging for a day and a night in the guts of the internets, here is what I came up with:
server-sent events - Very cool, currently works only in Opera, but may be part of HTML5 and other browsers may support it sometime. Adds a new element tag with content-type of "application/x-dom-event-stream" which allows the Server to fire events in the Client DOM. And it should not show a progress indicator, as far as I understand. It's also a working draft of a standard, and not a hack like the whole iframe comet thing.
XMLHttpRequest - in Firefox and Safari, but not in IE, it can be used for long-pull page loading that makes it possible to handle fragments as they appear on each readyStateChange event. Will not show progress indicator*. -- see comment below
ActiveXObject("htmlfile") - can be used in IE to create a page/window that is outside of the current window scope. This makes the progress indicator go away! The loaded iframe will be in an invisible browser.
More about server-sent-events:
http://my.opera.com/WebApplications/blog/show.dml/438711
And more about the other two techniques (also explains the problem better):
* http://meteorserver.org/browser-techniques/
Even more in-depth about each technique, and more techniques:
http://cometdaily.com/2007/12/11/the-future-of-comet-part-1-comet-today/
http://cometdaily.com/2008/01/10/the-future-of-comet-part-2-html-5’s-server-sent-events/
For me, running a setTimeout on the ajax request solved everything. When I ran the request from document.ready, I got the "throbber of doom". But with setTimeout it doesn't happen. (This fix also works for Chrome).
Just in case you need some examples, this guy gave a solution to the Firefox problem.
http://www.shanison.com/?p=237
I had the same problem, and the solution was to use Ajax instead of a hidden iframe. So instead of generating an iframe somewhere in the page:
$("#chat .msg_list").prepend('<iframe id="hidden" src="chatFrame?id=$userId" frameborder="0" height="0" width="100%"></iframe>');
I used a jQuery ajax call to load the iframe contents into some div:
$('#chat #chat_comet').load('chatFrame?id=$userId');