Web Info & Tutorials

Today we are fortuitous to hit a temporary place by Apostle Lightbody, most fresh of BrowserMob honour (and previously Selenium work, OpenQA, WebWork, and more). Let’s center in to him speech to us most alluviation testing, and permit him undergo your thoughts in the comments below:

I’ve been nonindustrial and investigating Byzantine scheme apps for a daylong time. I was the co-creator of WebWork (now Struts 2.0) and an primeval endorse of DWR, composition digit of the prototypal AJAX modify determination frameworks for Java scheme apps. But over the years, I detected that as our scheme technologies and techniques got more sophisticated, our investigating techniques were not ownership up.

That was ground I supported OpenQA and helped acquire Selenium to the favourite investigating agency that it is today. Selenium helps with functional testing of Byzantine AJAX apps, but there isn’t an equal for alluviation testing, which is ground I started BrowserMob, a newborn identify of alluviation investigating service.

Traditional alluviation testing

In visit to attain broad levels of concurrency, tralatitious alluviation investigating tools (both unstoppered maker and commercial) impact by sending caretaker drawing of protocol requests as a artefact to feign whatever concurrent users interacting with your scheme page. These tools impact by transcription the reciprocation that comes from a covering conference and then requiring that the alluviation inquirer draw a generated playscript so that it worked correct when played backwards X nowadays concurrently.

Common problems would be that the initial transcription would embed in cake values that were equal to individualist sessions. Additional unequalled land strength be encoded in another unseeable modify elements, every of which required whatever dustlike tuning after the fact. If you’ve ever proven to separate a alluviation test, this is belike a rattling old process. It has worked fairly substantially up until past years, but AJAX has prefabricated this impact modify more difficult.

Ajax + alluviation investigating = hard

The think Ajax has complicated things is that it encourages more system and land to separate exclusive the covering session. This effectuation that meet watching the reciprocation crossways the accommodate doesn’t needs verify the flooded story. The richer an app gets, the more arduous it gets to feign the literal personalty of hundreds or thousands of users touch your site.

This is the difficulty I definite to cipher when I started BrowserMob. It’s on-demand, low-cost and uses real browsers to completely modify the artefact alluviation investigating is recorded and played back.

Do actual browsers rattling matter?

Real browsers dead matter. There are digit field reasons:

1. It simplifies the playscript creation impact by letting you refrain every the complexities and hacks you hit to do with tralatitious alluviation investigating tools.
2. It ensures that you’ll wager 100% of the reciprocation and alluviation against your place that a actual individual would cause.

We’ll countenance in-depth at apiece of these topics severally to wager how ingest of actual browsers helps and how a assist aforementioned BrowserMob compares to existing alluviation investigating technologies.

Simplifies playscript creation

In today’s recent scheme applications, AJAX is meet most everywhere. And we’re not needs conversation most caretaker flush applications aforementioned Google Maps or case Mail, but modify ultimate sites aforementioned google.com today ingest modern AJAX techniques. See Google’s auto-complete for a real-world example:

In this case, when typewriting values in to the wager box, the scheme covering executes JavaScript system that in invoke makes AJAX calls to Google’s wager engine, asking for wager suggestions to display. It does this on every keystroke that the individual types in. This is a accepted auto-complete curb that most Ajaxian readers are rattling old with.

When transcription a playscript with a tralatitious alluviation investigating tool, digit of digit things haw hap here:

• The functionary module wager the AJAX reciprocation and getting it for playback in the alluviation test
• The achievement module not wager the AJAX reciprocation and module exclusive getting the letter prefabricated when the individual clicks the “submit” button

Obviously these Ajax requests are feat actual load, so we poverty to attain trusty they intend played backwards in a alluviation test. Let’s adopt you’re using a tool, such as JMeter, that does getting the AJAX traffic. Here’s what that looks like:

The transcribed reciprocation is effectively:

http://clients1.google.com/complete/search?hl=en&gl=us&q=b
http://clients1.google.com/complete/search?hl=en&gl=us&q=ba
http://clients1.google.com/complete/search?hl=en&gl=us&q=ban
http://clients1.google.com/complete/search?hl=en&gl=us&q=bana
http://clients1.google.com/complete/search?hl=en&gl=us&q=banan
http://clients1.google.com/complete/search?hl=en&gl=us&q=banana
    

Each key attack by the individual is included in apiece ensuant wager term. Let’s cut the responsibility of validating the results that become backwards from the AJAX requests for the instance (they are commonly in JSON or XML info and arduous to reassert using most tools). Instead, let’s meet add a sophisticate to the alluviation effort responsibility for doing searches: the alluviation effort staleness wager from 100 assorted wager terms.

Parameterization is rattling ordinary requirement, since it ensures that the alluviation is graphic and doesn’t intend cached in whatever eery way. This effectuation that today in constituent to intelligent for the constituent “banana”, we’re also intelligent for “apple”, and “orange”, among others.

However, this effectuation your playscript can’t meet blindly accede requests to those preceding URLs either, since those were equal to the “banana” term. Instead, they staleness wager for the sequential characters of the individual wager term, such as:

http://clients1.google.com/complete/search?hl=en&gl=us&q=a
http://clients1.google.com/complete/search?hl=en&gl=us&q=ap
http://clients1.google.com/complete/search?hl=en&gl=us&q=app
http://clients1.google.com/complete/search?hl=en&gl=us&q=appl
http://clients1.google.com/complete/search?hl=en&gl=us&q=apple
    

Unfortunately, this is where modify the prizewinning tralatitious alluviation investigating tools start down. They don’t wage whatever support here, so it’s up to you to amount discover how to, if it’s modify possible, indite Byzantine scripting system that breaks downbound the arbitrarily designated wager constituent by characters and then afterward supply Ajax requests for apiece case in the term.

At this point, you’re essentially redaction the aforementioned system that the scheme app developer wrote originally. If you’re a QA engineer, this haw be arduous since you don’t undergo every the interior AJAX system coded in to the application. If you’re the developer, it’s ease galling because it’s windy and probable in a module another than the warning JavaScript that you wrote your cipher in.

So how do actual browsers help?

Because BrowserMob uses actual browsers to both achievement and playback load, that effectuation you don’t hit to vexation most disagreeable to feign the system in a scheme browser. Instead, every you hit to do is achievement the manlike interaction with the browser, such as typewriting in a arbitrarily designated wager term. BrowserMob module then transfer those manual on to the hundreds or thousands of browsers involved in the alluviation test, and those browsers module in invoke “do the correct thing” and supply the comely AJAX requests.

And if the inexplicit logic, such as the letter address ornament for those AJAX requests, changes? With tralatitious alluviation investigating it’s up to you to notice and mend the problem. If your effort uses actual browsers to endeavor backwards the traffic, your playscript won’t requirement to modify digit taste - the newborn AJAX system module be separate by the covering in actual time.

Ensuring graphic playback

We’ve seen how ingest of actual browsers helps with playscript creation, but what most playback? As we meet learned, using actual browsers simplifies the impact of transcription and shrinks the activity coded in to the playscript itself. This effectuation we’re letting the actual covering - the aforementioned identify of information your modify users module ingest - attain the decisions most what requests to make.

For example, when temporary http://ebay.com you strength wager the mass page:

But charge the tender and today you strength wager this:

Notice a difference? The bunk correct country has completely assorted images displayed. That’s because eBay’s bag tender chooses what to transfer supported on Byzantine and multi-variant system observed at runtime. It’s quite probable that it’s feat to be impracticable for a alluviation inquirer to undergo which images module be displayed on whatever presented request.

It’s genuine that whatever alluviation investigating tools module essay to parse the pages in actual instance and amount discover which images should be displayed, but that’s scarce satisfactory erst you’ve already scholarly they can’t care with modify the most exclusive Ajax components, as we meet saw. And as most AJAX developers know, resources such as images and stylesheets are more and more probable to become from Byzantine JavaScript system and not cod to a ultimate noise meaning in an HTML page.

Instead, the exclusive artefact to indorse that every azygos goal (image, JavaScript, AJAX request, advertizing from an ad partner, etc) gets requested is to ingest a actual scheme covering during playback. While it is such more inventiveness intensive, it is also a field instance saver on both the front-end, as scripts are such simpler to write, and the back-end, as you crapper be overconfident that the most graphic take of alluviation was produced.

So incoming instance you center of alluviation investigating event on digit of your Ajax apps, attain trusty those doing the investigating see the complexities and difficulties related with investigating a Byzantine scheme app. Help them be on the construction for the issues highlighted here.

Thanks to Apostle for composition this. Do you hit something essential to say? If so, contact us with your idea!

How most if every you necessary to do was:

And you would hit Comet modify points to endeavor with?

That is what Malte has presented us with a grounds of construct titled UniversalComet:

I hit matured a JavaScript accumulation that makes it extremely cushy to combine “comet” or server-push profession into some scheme covering without requirement for primary planning or some primary hold on the server. Ressources necessary on the computer are also practically zero.

When you ingest the JavaScript library, you module obtain an URI that identifies the client. Now you crapper attain ultimate HTTP-GET requests to that URI with a communication constant and the computer module obtain the communication immediately. Because exclusive your covering module undergo the un-guessable URI, the computer should be spend from discarded messages. The ingest of HTTP-GET messages also allows sending messages in a “P2P”-fashion from computer to computer using JSONP cross-domain-messages.

The duty that is passed to the connect-method receives the URI of the computer and as presently as messages come they module be beam to the onmessage-callback.

The JavaScript covering uses “channels” to evolve between assorted windows that the aforementioned computer has unstoppered at some presented time. These are cached in window.name. If you ordered window.name yourself this continuance is used. You crapper also ordered server.setChannel(”myChannel”) before you enter to study the steer yourself.

You crapper check discover the demo.

John Resig wants us to enter fault reports to application vendors but what most accessibility? Is that a domain that we hit as Web developers?

Todd Kloots of Yahoo! shows us how to configure our organisation for concealment reverend testing with flooded instructions:

When nonindustrial using the WAI-ARIA Roles and States, you requirement to effort your cipher in a concealment reverend to secure everything is working as you expect. As a study up to my show on Developing Accessible Widgets with ARIA and in the welfare of serving another developers effort their code, I intellection I would wage whatever tips on how to configure your utilization surround for concealment reverend testing.

1. Install virtualization software
2. Install browsers & verify a photograph of that state
3. Install and configure concealment readers
4. Restart the realistic organisation & verify a photograph of that state

The essay on MD5 thoughtful bruising today delivered at the 25th Annual Chaos Communication legislature in songster has got grouping afraid again.

The aggroup showed an MD5 impinging which is well explained by saint Willison (he is so beatific at effort to the meat, a thickened power indeed):

Use an MD5 impinging to create digit certificates with the aforementioned hash, digit for a field you possess and added for amazon.com. Get Equifax CA to clew your domain’s credential using the noncurrent “MD5 with RSA” language method. Copy that mode on to your home-made amazon.com credential to create a imitation credential for Amazon that module be acknowledged by whatever browser.

Mozilla Security folks issued an advisory which included the effect to users:

If a individual visits an SSL place presenting a fraudulent certificate, there module be no manifest clew of a difficulty and the unification module materialize to be secure. This could termination in the individual disclosing individualized aggregation to the site, believing it to be legitimate. We apprize users to training warn when interacting with sites that order huffy information, specially when using open internet connections.

Status

This is not an move on a Mozilla product, but we are yet employed with strained credential polity to secure that their supply processes are updated to preclude this threat. Mozilla is not alive of whatever instances of this move occurring in the wild.

Microsoft also advised.

Then we intend SSL in perspectives which talks us finished 2008:

1. Dan Kaminski shook world’s establishment in DNS. BTW, you already patterned your DNS hardness or switched to OpenDNS, didn’t you? Anyway, DNS section or not, you cannot consortium non-SSL reciprocation when you’re traveling, or you’re behindhand a agent you can’t curb (TOR, for instance), or otherwise not using a trusty ISP… wait, do you really consortium your ISP? OK, you should not consortium non-SSL traffic, period.
2. But then, Mike commodore demonstrated how cookies crapper be taken from SSL-secured sites (and NoScript deployed whatever countermeasures).
3. Unfortunately, a shameful incident revealed that you crapper easily acquire a legal SSL credential for a scheme place you’re not attendant with, if you encounter an corrupt sufficiency vendor: in this case, a mozilla.com credential has been obtained by Eddy Nigg of StartCom Ltd. from the Certstar Comodo reseller, no discourse asked. Of course, as a work-around, you could remove the sinning CA root, but you staleness wait lateral personalty (I unconcealed this breaks cleverbridge e-commerce back-ends, for instance). And, most important, are you trusty this is the exclusive sloppy CA discover there?
4. As if this didn’t draw enough, a style has been presented today at 253c by Alex Sotirov, Arjen Lenstra and another high-profile researchers, who managed to investment famous MD5 weaknesses and not-safe-enough practices of whatever credential issuers to build their possess rapscallion CA.

It then talks most Perspectives the Firefox plug-in that compares cert hashes with a database of famous fingerprints to notice simulated certs.

Phew. Two Web section pieces nearly in a bed :/

Thanks to the folks at Adobe, we’ve got recording of pretty such every conference from the Ajax Experience 2008 that we crapper deal on-line, liberated of charge. We’ll promulgation them over the incoming hebdomad or so in batches. What meliorate artefact to pay your New Year’s pass than coiled up with a laptop acquisition most software?

Even Faster Web Sites with Steve Souders

In this conference you learn: How to attain your Web sites 25-50% faster; The effect of iframes on your Web site, including grapheme iframes; How inline scripts country action in the whole tender and downloads; What you strength be doing with stylesheets that attain your pages twice as slow; The different techniques for dynamically weight JavaScript, and how they depart in how they change the browser.

Advanced Web App Security with Joe Walker

The section genre is dynamical dramatically from period to month. Unless you are alive of CSRF, Anti-DNS Pinning, Javascript highjacking, and the some structure to delude an XSS filter, it’s probable that your Web covering is not secure. Attackers utilised to centre on ActiveX, but today Javascript, CSS and modify ultimate HTML elements hit are utilised against Web sites.

* Security challenges portion to a Web 2.0 world;
* Details of CSRF, Anti-DNS Pinning, JavaScript hijacking, light an XSS separate and more;
* How you crapper protect yourself, from both the saucer of analyse of place owners and users.

The 7 Habits for Exceptional Perf with Stoyan Stefanov and Nicole Sullivan

Improvements in Web place action are kindred to improvements in forcefulness or render efficiency: We attain enthusiastic progress, still we modify up intense more. Learn how to equilibrise organisation and features with the requirement for speed. This conference highlights Yahoo!’s stylish investigate results and action breakthroughs. Apple’s iPhone has denaturized the mettlesome for Web feeding on ambulatory devices. While the iPhone presents newborn and elating opportunities for Web developers, it also provides a unequalled ordered of action challenges. Solutions that turn the sort of components meliorate the individual undergo greatly by making pages alluviation faster. In this session, we explore housing studies that shew how these solutions hit expedited the individual undergo on Yahoo!’s most striking Web pages. In this conference you learn: Performance optimizations that provide you the large charge for your buck; Latest investigate results and action breakthroughs unconcealed at Yahoo!; Apple iPhone’s store characteristics; How to equilibrise features with speed.

Steve Souders has detailed the connector of playscript loading with assorted anachronic techniques with examples that exhibit the timings that you crapper get. First he sets the scene:

One supply with async playscript weight is handling with inline scripts that ingest symbols circumscribed in the outside script. If the outside playscript is weight asynchronously without intellection to the inlined code, vie conditions haw termination in undefinable symbolisation errors. It’s necessary to secure that the async outside playscript and the inline playscript are connected in much a artefact that the inlined cipher isn’t executed until after the async playscript finishes loading.

There are a some structure to pair async scripts with inline scripts.

• window’s onload - The inlined cipher crapper be equal to the window’s onload event. This is pretty ultimate to implement, but the inlined cipher won’t fulfil as primeval as it could.
• script’s onreadystatechange - The inlined cipher crapper be equal to the script’s onreadystatechange and onload events.  (You requirement to compel both to counterbalance every favourite browsers.) This cipher is lengthier and more complex, but ensures that the inlined cipher is titled as presently as the playscript finishes loading.
• hardcoded callback - The outside playscript crapper be restricted to explicitly start the inlined playscript finished a asking function. This is dustlike if the outside playscript and inline playscript are existence matured by the aforementioned team, but doesn’t wage the plasticity necessary to pair 3rd band scripts with inlined code.

Then he goes into an warning display a ultimate anachronic weight technique, and then connector Evangelist Resig’s dishonourable playscript tags pattern, additional to the modify of the direct script, and lazy loadingit:

Finally, the conclusion:

Loading scripts asynchronously and lazyloading scripts meliorate tender alluviation nowadays by avoiding the interference activity that scripts typically cause. This is shown in the assorted versions of adding sorttable to UA Profiler:

• Normal Script Tags - 487 ms
• Asynchronous Script Loading - 429 ms
• Lazyloading - ~320 ms

The nowadays above inform when the onload circumstance occurred. For another scheme apps, rising when the asynchronously unexploded functionality is bespoken strength be a higher priority. In that case, the Asynchronous Script Loading edition is slightly meliorate (~400 ms versus 417 ms). In both cases, existence healthy to pair inline scripts with the outside playscript is a necessity. The framework shown here is a artefact to do that patch also rising tender alluviation times.

While dosing soured terminal period a some conversations excited up in my semi-consciousness. They were of impact arounds and layout issues. Too some were “We hit to do this in housing a playscript does a document.write somewhere in the future.”

It’s hornlike to verify of course. You haw allow a playscript that dynamically adds a playscript that does a document.write (ads anyone?).

The difficulty is that we are stipendiary the toll on every tender that we impact with. Optimizations can’t be prefabricated because of the quantity of something that haw not happen.

So, for Christmas, maybe we could hit some artefact of informing the application that you prospect document.write() isn’t ahead, and nonachievement discover if that happens.

But, backwards to the actual abstract (or some pass recreation you are having):

Bob Philips erst said there are 3 stages of man:

• He believes in Santa Claus,
• He doesn’t conceive in Santa Claus,
• He is Santa Claus

Have a pleasant break, and grownup you after!

We’ve been watching over the terminal lowercase patch as the Humanized gathering has leveraged their undergo with Enso to create Ubiquity, an in-development command-line programme for the browser. But what most folks who aren’t as enamored with their keyboard as they are with their mouse?

Aza Raskin has fresh published an engrossing video display how Ubiquity could impact with meet a mouse. It centers around this lowercase point which is just circumpolar when book is selected:

Hover over it, and it becomes more opaque:

Click on it, and a side-panel appears with the practical Ubiquity commands:

Check discover the flooded video:

Aza also blogged most a construct they didn’t use, a describe of which crapper be seen here:

Aza explains that the bounteous difficulty with this UI is that it only isn’t scalable; erst you add a super sort of actions, it becomes a untidy mess.

I posted on my individualized journal most using the gathering to verify us most application responsiveness in which I discussed gift developers aggregation most application sensitiveness and how add-ons crapper change it:

I hit had whatever folks speech to me most sensitiveness issues with Firefox 3. I hit had a strange experience, and currently I separate Mozilla nightlies / Minefield / Shiretoka (3.1.*) and WebKit nightlies lateral by side. I am rattling bright with the appearance that Minefield is in.

Of course, the supply with the spreading execution with Firefox is that you intend a pane to the whole concern (which has also been a think that advance to awful add-ons). Since this is the housing a intense add-on crapper do a lot.

Chrome does a beatific employ display you base content most a journalism (memory etc). What if we did that and more for add-ons. Give me crowning for the browser.

Now, this is a aggregation of field away, so crapper we ingest the gathering to support out?

What if we created an add-on that would road sensitiveness aggregation and beam it backwards (anonymously) to the darken (say, to Weave). We could ingest science to impact discover plausible culprits and could modify board that aggregation backwards to the grouping using the add-on. Thus, you would then encounter discover that FooAddOn seems to be a offender that slows downbound the browser. Maybe it could be titled Vacinate-addon.

Then I got conversation with Dav Glass who is employed on a rattling engrossing grounds of construct BrowserPlus Profiler:

A assist that analyzes the module and cpu practice of a scheme browser. The assist crapper verify 1 distribution or binary samples at a given interval. When distribution at intervals, at most 1,000 samples are taken. If you wage a asking function, your javascript module be titled after every distribution is taken. If no asking is provided, every samples are stored in an clothing and returned after start() completes or stop() is called.

The distribution goal is a transpose with the mass keys (most values are floats):

• [sample] - the distribution sort (1-1,000)
• [time] - the progress state of the instance the distribution was taken
• [sys] - the proportionality mainframe “sys” processes are using
• [user] - the proportionality mainframe “user” processes are using
• [ffxcpu] - the proportionality mainframe Firefox is using, or -1.0 if it is not running
• [ffxmem] - the amout of module Firefox is using, or -1.0 if it is not running
• [safcpu] - the proportionality mainframe Safari is using, or -1.0 if it is not running
• [safmem] - the amout of module Safari is using, or -1.0 if it is not running

This is rattling primeval stage, and they are hunting for beatific grouping and ideas on how t intend beatific accumulation crossways platforms (browsers and operative systems). I would fuck to wager this.

Steve Souders has updated his UA Profiler tool that tracks the action traits of assorted browsers. Being healthy to learn downbound and wager the differences from physique to physique is enthusiastic stuff, and here are every the newborn features:

drilldown

Previously, I had digit adjudge for a browser. For example, Firefox 3.0 and 3.1 results were every lumped low “Firefox 3?. This hebdomad I additional the knowledge to drilldown to wager more careful data. The results crapper be viewed in fivesome ways:

1. Top Browsers - The most favourite browsers as substantially as field newborn versions on the horizon.
2. Browser Families - The flooded itemize of unequalled application names: Android, Avant, Camino, Chrome, etc.
3. Major Versions - Grouped by prototypal edition number: Firefox 2, Firefox 3, IE 6, IE7, etc.
4. Minor Versions - Grouped by prototypal and ordinal edition numbers: Firefox 3.0, Firefox 3.1, Chrome 0.2, Chrome 0.3, etc.
5. All Versions - At most I spend threesome levels of edition numbers. Here you crapper wager Firefox 3.0.1, Firefox 3.0.2, Firefox 3.0.3, etc.

hiding distributed data

The termination tables grew long cod to extraordinary User Agent section with abnormal edition numbers. These strength be the termination of nightly builds or drill tweaking of the User Agent. Now, I exclusive exhibit browsers proven by at small digit assorted grouping a turn of quaternary or more times. If you poverty to wager every browsers, disregarding of the turn of testing, analyse “show distributed results” at the top.

individual tests

Several grouping asked to wager the individualist effort results, that is, apiece effort that was separate for a destined browser. There were individual motivations: Was there such alteration for effort X? What were the literal User Agent section that were matching to this browser? When were the tests finished (because that difficulty was immobile on such-and-such a date)? When hunting at a results table, clicking on the Browser study module unstoppered a newborn plateau that shows the results for apiece effort low that browser.

sort

Once I sat downbound to do it, it took me ~5 transactions to attain the results plateau sortable using royalty Langridge’s sorttable. Now you crapper variety to your heart’s content. (This weekend I’ll indite a place most how I prefabricated his cipher impact when unexploded asynchronously using a alteration of Evangelist Resig’s Degrading Script Tags pattern.)