Firefox3.1/Server-Sent DOM Events
Add support for WhatWG's Server-Sent DOM Events HTML5.
- Background links
- bug 338583 - Add support for Server-Sent DOM Events (Remote Events)
- http://www.whatwg.org/specs/web-apps/current-work/#server-sent-events - HTML5 spec for Server-sent events.
- http://br.youtube.com/watch?v=iGdPJYtMgSM - YouTube demonstration.
Security and Privacy
- What security issues do you address in your project?
- Accessing cross domains, and events security issues.
- Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
- nsIRemoteEventSourceManager interface
- text/event-stream protocol
- nsIDOMRemoteEventTarget interface
- nsIDOMHTMLEventSourceElement interface (add the eventsource tag)
- Explain the significant file formats, names, syntax, and semantics.
- Main C++ code:
- Main test file: content/events/test/test_bug338583.html
- Message Event or Remote Event: An actual event object that is created by the browser in response to a remote server's command
- Remote Event Target: A DOM object that can have Remote Event Sources
- Remote Event Source: The object which is responsible for maintaining a connection to the server and parsing events.
- DOM Event Stream: The stream of characters a server sends to the browser to create events. Its MIME type is text/event-stream
- Main C++ code:
- Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
- Yes, dom/public/idl/events/nsIDOMRemoteEventTarget.idl and dom/public/idl/html/nsIDOMHTMLEventSourceElement.idl
- Does it change any existing interfaces?
- Yes, nsPIDOMEventTarget.
- What other modules are used (REQUIRES in the makefile, interfaces)
- mimetype, htmlparser, content, dom.
- What data is read or parsed by this feature
- What is the output of this feature
- Server-sent events (Message Events)
- What failure modes or decision points are presented to the user?
- Failures are transparently handled and when necessary there is some information in the errors console.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- No files to corrupt.
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
- Are there build options for developers? [#ifdefs, ac_add_options, etc.]
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
Relationships to other projects
Are there related projects in the community? No.
- is some form of CheckLoadURI() called on the connections?
- are the nsIContentPolicy providers consulted?
- There is currently no way to disable this functionality. At the very least we need a global "off" pref (say "dom.server-events.enabled", default true but can be set false).
- will people want the flexibility to control this per site? Would that be sites that are allowed to use the feature, or sites which are allowed to be an event source? Probably the former, but either way that could be added by an extension as long as the nsIContentPolicy providers are called.
- Probably need a new load type for the providers to check.
- Need to make sure connections get cleaned up when their node goes away. Does it make a difference if their node is not part of a document?
- Having servers create events the mimic other event types (clicks, etc) is troubling. We'd be happier if they were always clearly messages.
- what-wg spec seems to be still a moving target
- Discussed with Hixie about injecting <eventsource src="some_evil_site_with_ac"> to a site. Hixie argued that whitelisting is what the sites should do. -Smaug