Towards High Assurance HTML5 Applications

Total Page:16

File Type:pdf, Size:1020Kb

Towards High Assurance HTML5 Applications Towards High Assurance HTML5 Applications Devdatta Akhawe Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2014-56 http://www.eecs.berkeley.edu/Pubs/TechRpts/2014/EECS-2014-56.html May 7, 2014 Copyright © 2014, by the author(s). All rights reserved. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission. Towards High Assurance HTML5 Applications by Devdatta Madhav Akhawe A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor Dawn Song, Chair Professor David Wagner Professor Brian Carver Spring 2014 Towards High Assurance HTML5 Applications Copyright 2014 by Devdatta Madhav Akhawe 1 Abstract Towards High Assurance HTML5 Applications by Devdatta Madhav Akhawe Doctor of Philosophy in Computer Science University of California, Berkeley Professor Dawn Song, Chair Rich client-side applications written in HTML5 proliferate diverse platforms such as mobile devices, commodity PCs, and the web platform. These client-side HTML5 applications are increasingly accessing sensitive data, including users' personal and social data, sensor data, and capability-bearing tokens. Instead of the classic client/server model of web applications, modern HTML5 applications are complex client-side applications that may call some web services, and run with ambient privileges to access sensitive data or sensors. The goal of this work is to enable the creation of higher-assurance HTML5 applications. We propose two major directions: first, we present the use of formal methods to analyze web protocols for errors. Second, we use existing primitives to enable practical privilege separation for HTML5 applications. We also propose a new primitive for complete mediation of HTML5 applications. Our proposed designs considerably ease analysis and improve auditability. i To my parents. ii Contents Contents ii List of Figures iv List of Tables v 1 Introduction 1 1.1 Towards a Formal Foundation for Web Protocols . 1 1.2 Privilege Separation for HTML5 Applications . 2 1.3 Data Confined HTML5 Applications . 3 2 Towards A Formal Foundation for Web Protocols 4 2.1 Introduction . 4 2.2 General Model . 7 2.3 Implementation in Alloy . 13 2.4 Case Studies . 19 2.5 Measurement . 28 2.6 Summary of Results . 28 3 Privilege Separation for HTML5 Applications 31 3.1 Introduction . 31 3.2 Problem and Approach Overview . 33 3.3 Design . 36 3.4 Implementation . 41 3.5 Case Studies . 47 3.6 Performance Benchmarks . 54 3.7 Summary of Results . 54 4 Data-Confined HTML5 Applications 56 4.1 Introduction . 56 4.2 Data Confinement in HTML5 applications . 57 4.3 Problem Formulation . 60 4.4 The Data Confined Sandbox . 63 iii 4.5 Implementation . 68 4.6 Case Studies . 68 4.7 Summary of Results . 77 5 Related Work 79 5.1 Formal Verification of Security Protocols . 79 5.2 Privilege Separation for Web Applications . 80 5.3 Data-confined HTML5 Applications . 82 6 Conclusion 83 Bibliography 84 iv List of Figures 2.1 The metamodel of our formalization of web security. Red unmarked edges represent the `extends' relationship. 16 2.2 Vulnerability in Referer Validation. This figure is adapted from [85], with the attack (dashed line) added. 23 2.3 Counterexample generated by Alloy for the HTML5 form vulnerability. 24 2.4 The WebAuth protocol . 25 2.5 Log-scale graph of analysis time for increasing scopes. The SAT solver ran out of memory for scopes greater than eight after the fix. 29 3.1 CDF of percentage of functions in an extension that make privileged calls (X axis) vs. the fraction of extensions studied (in percentage) (Y axis). The lines for 50% and 20% of extensions as well as for 5% and 20% of functions are marked. 35 3.2 High-level design of our proposed architecture. 37 3.3 Sequence of events to run application in sandbox. Note that only the bootstrap code is sent to the browser to execute. Application code is sent directly to the parent, which then creates a child with it. 42 3.4 Typical events for proxying a privileged API call. The numbered boxes outline the events. The event boxes span the components involved. For example, event 4 involves the parent shim calling the policy code. 44 3.5 Frequency distribution of event listeners and API calls used by the top 42 extensions requiring the tabs permission. 53 4.1 High-level design of an application running in a DCS. The only component that runs privileged is the parent. The children run in data-confined sandboxes, with no ambient privileges and all communication channels monitored by the parent. 64 v List of Tables 2.1 Statistics for each case study . 28 3.1 Overview of case studies. The TCB sizes are in KB. The lines changed column only counts changes to application code, and not application independent shims and parent code. 48 4.1 Comparison of current solutions for data confinement . 61 4.2 List of our case studies, as well as the individual components and policies in our redesign. 70 4.3 Confidentiality Invariants in the Top 20 Google Chrome Extensions . 78 vi Acknowledgments First, I want to thank my advisor Dawn for being such a fantastic advisor and guide through my graduate career. Also, thanks to David Wagner whose advice and guidance I have always sought and received during my graduate career. Thanks also to my committee members Brian Carver and George Necula for their help and guidance. The research presented in this thesis is a joint effort. A special thanks goes to all my co-authors: Adam Barth, Warren He, Eric Lam, Frank Li, John Mitchell, Prateek Saxena, Dawn Song. Over the course of my graduate life I have co-authored papers with nearly 30 different co-authors. These collaborators, all my friends in the Security group, and all my teachers at Berkeley have directly impacted my research, my work, and my evolution as a researcher and I remain thankful to them all. I am extremely lucky to have been surrounded by and worked with such a tremendously talented group of people over the past five years. Pursuing graduate studies was in a large part due to all the great mentors and teachers I have had over the years. I would like to particularly thank my undergraduate advisor, Sundar Balasubramaniam, as well as Helen Wang and Xiaofeng Fan for their fantastic mentoring and advice. Without their help and support, it is unlikely I would have even applied to graduate school. Thanks also to all my friends, from Pilani to Berkeley, who made the stress of graduate life easy to manage. You know who you are and I feel blessed to call such an amazing group of people my friends. Finally, and most importantly, I want to thank my extended family: my brother, my cousins, my uncles and aunts, and their respective families for their amazing love, care, and guidance over the years. I would like to particularly thank all my four aunts: they ensured I got an education and never lost focus. 1 Chapter 1 Introduction Rich client-side HTML5 applications|including packaged browser applications (Chrome Apps) [57], browser extensions [56], Windows 8 Metro applications [98], and applications in new browser operating systems (B2G [105], Tizen [134])|are fast proliferating on diverse computing platforms. These applications run with access to sensitive data such as the user's browsing history, personal and social data, financial documents, and capability-bearing tokens that grant access to these data. A recent study reveals that 58% of the 5,943 Google Chrome browser extensions studied require access to the user's browsing history, and 35% request permissions to the user's data on all websites [34]. In addition, the study found that 67% of 34,370 third-party Facebook applications analyzed have access to the user's personal data [34].1 HTML5 applications also form a significant chunk of mobile applications; Chin et al. recently found that 70% of smartphone applications they surveyed on Google Play rely on HTML5 code in some form [35]. These HTML5 applications often execute with access to the same sensors available to native mobile applications, including private data from GPS receivers, accelerometers, and cameras. These trends indicate the evolution of the client-side web from a front-end for servers to a complex application platform running privileged applications. Despite immense prior research on detection and mitigation techniques [7, 45, 66, 82, 122], web vulnerabilities are still pervasive in HTML5 applications on emerging platforms such as browser extensions [30]. As the HTML5 platform achieves wider adoption, enabling higher-assurance in the HMTL5 applications is critical to its success. In this thesis, we address this need. 1.1 Towards a Formal Foundation for Web Protocols First, we present initial work on formal modeling and verification of web protocols. As we discussed above, HTML5 applications on emerging platforms are moving away from the client/server paradigm to a new paradigm of standalone HTML5 applications that 1 The study measured install-time permissions, which are a lower bound for Facebook applications, since they can request further permissions at runtime. CHAPTER 1. INTRODUCTION 2 call diverse web services. The security of protocols used by HTML5 applications to communicate with diverse cloud-based services is just as critical to the security of the platform as the security of the HTML5 application itself.
Recommended publications
  • THE FUTURE of SCREENS from James Stanton a Little Bit About Me
    THE FUTURE OF SCREENS From james stanton A little bit about me. Hi I am James (Mckenzie) Stanton Thinker / Designer / Engineer / Director / Executive / Artist / Human / Practitioner / Gardner / Builder / and much more... Born in Essex, United Kingdom and survived a few hair raising moments and learnt digital from the ground up. Ok enough of the pleasantries I have been working in the design field since 1999 from the Falmouth School of Art and onwards to the RCA, and many companies. Ok. less about me and more about what I have seen… Today we are going to cover - SCREENS CONCEPTS - DIGITAL TRANSFORMATION - WHY ASSETS LIBRARIES - CODE LIBRARIES - COST EFFECTIVE SOLUTION FOR IMPLEMENTATION I know, I know, I know. That's all good and well, but what does this all mean to a company like mine? We are about to see a massive change in consumer behavior so let's get ready. DIGITAL TRANSFORMATION AS A USP Getting this correct will change your company forever. DIGITAL TRANSFORMATION USP-01 Digital transformation (DT) – the use of technology to radically improve performance or reach of enterprises – is becoming a hot topic for companies across the globe. VERY DIGITAL CHANGING NOT VERY DIGITAL DIGITAL TRANSFORMATION USP-02 Companies face common pressures from customers, employees and competitors to begin or speed up their digital transformation. However they are transforming at different paces with different results. VERY DIGITAL CHANGING NOT VERY DIGITAL DIGITAL TRANSFORMATION USP-03 Successful digital transformation comes not from implementing new technologies but from transforming your organisation to take advantage of the possibilities that new technologies provide.
    [Show full text]
  • Rootkit- Rootkits.For.Dummies 2007.Pdf
    01_917106 ffirs.qxp 12/21/06 12:04 AM Page i Rootkits FOR DUMmIES‰ 01_917106 ffirs.qxp 12/21/06 12:04 AM Page ii 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iii Rootkits FOR DUMmIES‰ by Larry Stevenson and Nancy Altholz 01_917106 ffirs.qxp 12/21/06 12:04 AM Page iv Rootkits For Dummies® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit- ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission.
    [Show full text]
  • Aplicaciones Enriquecidas Para Internet: Estado Actual Y Tendencias
    Universidad de San Carlos de Guatemala Facultad de Ingeniería Escuela de Ciencias y Sistemas APLICACIONES ENRIQUECIDAS PARA INTERNET: ESTADO ACTUAL Y TENDENCIAS Miguel Alejandro Catalán López Asesorado por la Inga. Erika Yesenia Corado Castellanos de Lima Guatemala, enero de 2012 UNIVERSIDAD DE SAN CARLOS DE GUATEMALA FACULTAD DE INGENIERÍA APLICACIONES ENRIQUECIDAS PARA INTERNET: ESTADO ACTUAL Y TENDENCIAS TRABAJO DE GRADUACIÓN PRESENTADO A JUNTA DIRECTIVA DE LA FACULTAD DE INGENIERÍA POR MIGUEL ALEJANDRO CATALÁN LÓPEZ ASESORADO POR LA INGA. YESENIA CORADO CASTELLANOS DE LIMA AL CONFERÍRSELE EL TÍTULO DE INGENIERO EN CIENCIAS Y SISTEMAS GUATEMALA, ENERO DE 2012 UNIVERSIDAD DE SAN CARLOS DE GUATEMALA FACULTAD DE INGENIERÍA NÓMINA DE JUNTA DIRECTIVA DECANO Ing. Murphy Olympo Paiz Recinos VOCAL I Ing. Enrique Alfredo Beber Aceituno VOCAL II Ing. Pedro Antonio Aguilar Polanco VOCAL III Ing. Miguel Ángel Dávila Calderón VOCAL IV Br. Juan Carlos Molina Jiménez VOCAL V Br. Mario Maldonado Muralles SECRETARIO Ing. Hugo Humberto Rivera Pérez TRIBUNAL QUE PRACTICÓ EL EXAMEN GENERAL PRIVADO DECANO Ing. Murphy Olympo Paiz Recinos EXAMINADOR Ing. Juan Álvaro Díaz Ardavin EXAMINADOR Ing. Edgar Josué González Constanza EXAMINADOR Ing. José Ricardo Morales Prado SECRETARIO Ing. Hugo Humberto Rivera Pérez HONORABLE TRIBUNAL EXAMINADOR En cumplimiento con los preceptos que establece la ley de la Universidad de San Carlos de Guatemala, presento a su consideración mi trabajo de graduación titulado: APLICACIONES ENRIQUECIDAS PARA INTERNET: ESTADO ACTUAL
    [Show full text]
  • Wines by the Glass
    WINES BY THE GLASS SPARKLING 2013 Domaine Carneros, Brut 16 2012 Frank Family, Brut Rosé, Carneros 25 WHITE 2016 Albariño, Cave Dog, Stewart Ranch, Carneros 14 2014 Sauvignon Blanc / Sémillon, Tramuntana, 'Beyond the Mountains' 17 2014 Sauvignon Vert / Sémillon / Golden Chasselas / Green Hungarian, DeSante, 'The Old 15 Vines' 2013 Chardonnay, Massican, 'Gemina' 20 2015 Chardonnay, HdV, 'Le Debut', Hyde Vineyard, Carneros 19 2014 Chardonnay / Grenache Blanc / Ribolla Gialla / etc., Durant & Booth, Blanc 20 ROSÉ 2016 Cabernet Sauvignon / Petite Syrah, Wingspan, 'Saturn Return' 16 RED 2013 Pinot Noir, Mira, Stanly Ranch, Carneros 15 2014 St. Laurent, Forlorn Hope, 'Ost-Intrigen', Ricci Vineyard, Carneros 15 2014 Grenache / Charbono / Petite Sirah, Shypoke, 'Keep', Calistoga 17 2006 Cabernet Sauvignon, Notre Vin, 'L'Etrier' 24 2014 Cabernet Sauvignon, Paul Hobbs, 'Crossbarn' 26 2014 Cabernet Sauvignon, Clos du Val, 'Estate', Stags Leap District 25 DESSERT 2009 Fore Family, Late Harvest, (Sauvignon Blanc) 375 ml 20 2010 Far Niente 'Dolce' Late Harvest (Sauvignon Blanc, Semillon) 375 ml 25 2008 Philip Togni, 'Ca' Togni' (Black Hamburgh) 375 ml 25 2010 Gandona, 'Fraga do Arco', Touriga Nacional 25 PORT / SHERRY / MADEIRA NV Cockburn’s, 20 Year Tawny Port 500 ml 17 NV Ramos Pintos, Ruby Port 9 2009 Dow’s, Late Bottled Vintage 15 1977 Fonseca Vintage Port 38 NV Equipo Navazos, Fino, Bota #35 28 NV Equipo Navazos, Amontillado, #58 29 NV Equipo Navazos, Amontillado, 'Bota NO' #61 500 ml 34 NV Equipo Navazos, Manzanilla Pasada, 'Bota Punta' #60 500
    [Show full text]
  • Next Media Deliverable Template
    WP 1 AND EREADING AND D 1.1.4.1 STATE-OF-THE-ART-STANDARDS Deliverable number 1.1.4.1 State-of-the art, html5-standard Author(s): Olli Nurmi Confidentiality: Public Date and status: 7.9.2011 - Status: Version 1.0 This work was supported by TEKES as part of the next Media programme of TIVIT (Finnish Strategic Centre for Science, Technology and Innovation in the field of ICT) Next Media - a Tivit Programme Phase 2 (1.1-31.12.2011) Version history: Version Date State Author(s) OR Remarks (draft/ /update/ final) Editor/Contributors 0.9 30.6.2011 draft Olli Nurmi 1.0 1.9.2011 update Olli Nurmi 1.1 28.9.2011 final Olli Nurmi 1.2 4.10.2011 final Olli Nurmi Issues about Onix is removed to separate deliverable next Media www.nextmedia.fi www.tivit.fi WP 1 AND EREADING AND D 1.1.4.1 1 (12) STATE-OF-THE-ART-STANDARDS Next Media - a Tivit Programme Phase 2 (1.1-31.12.2011) Table of Contents 1 Introduction ............................................................................................................. 3 1.1 Web browsers ................................................................................................. 3 1.2 HTML5 – an open standard ............................................................................ 4 1.3 CSS - Cascading Style Sheets ....................................................................... 6 1.4 HTML5 vs native applications ......................................................................... 6 2 HTML5/CSS3 standards ........................................................................................
    [Show full text]
  • SSC - Communication and Networking
    SSC - Communication and Networking SSC - Web applications and development Introduction to Java Servlet (I) Shan He School for Computational Science University of Birmingham Module 06-19321: SSC SSC - Communication and Networking Outline Outline of Topics What will we learn Web development Java servlet Java servlet: our first example SSC - Communication and Networking What will we learn What is web applications and development? I Java Servlet: basic concepts, configure, install and use servlet based web applications, basic implementation. I Session management and Servlet with JDBC I Model View Controller (MVC) for Java Servlet and Java Serve Pages I Advanced topics: Multithreaded Servlet SSC - Communication and Networking Web development What is web applications and development? I Web-based application: an application that uses a web browser as a client, e.g., google calendar or GMail. I Web development: work involved in developing a web site for the Internet or intranet, which include: I web design I web content development I client-side/server-side coding I Web development coding (platforms or languages): I Client side: HTML5, JavaScript, Ajax (Asynchronous JavaScript), Flash, JavaFX, etc. I Server side: PHP, Python, Node.js, Java servlet I Client-side/Server-side: Google Web Toolkit, Opa I Full stack web frameworks { built on the development platforms wtih a higher level set of functionality: Meteor, Yahoo! Mojito, MEAN SSC - Communication and Networking Java servlet What is Java servlet? I Java servlet: a Java platform technology \for
    [Show full text]
  • Natur Pur Native Apps Native
    06/2018 Apps mit React Native und Nativescript entwickeln Programmieren Natur pur Native Apps Native 74 Die Javascript-Frameworks React Native und Nativescript versuchen eine Brücke zwischen Webapp-Entwick- lung und nativer App-Entwicklung zu bauen. Worin die Vorteile dieser Native Frameworks liegen, betrachtet der Artikel vor dem Hintergrund des klassischen App-Framework Meteor. Andreas Möller, Kristian Kißling www.linux-magazin.de schafft wegen der Code-Redundanz zu- sätzliche Fehlerquellen. Klassische Webapps nutzen hingegen HTML, CSS und Javascript und laufen plattformübergreifend im Browser jedes Systems. Allerdings beschränken die Plattformen den Zugriff auf das System mit Hilfe der so genannten Browser- Sandbox und geben APIs nur punktuell frei, was die Fähigkeiten von Webapps beschränkt. 2009 erschien dann Phone Gap (heute Apache Cordova). Mit ihm lassen sich Webapps besser an das System anbin- den. Unter Cordova laufen Apps in einer Webansicht auf dem System wie in einem Browser. Plugins erweitern den Zugriff © Leonid Tit, 123RF Tit, © Leonid auf das System für die Apps. Die beiden quelloffenen Javascript- intern über C oder C++ auf nativen Code E Meteor Frameworks React Native [1] und Nati- zugreifen, stützen sich Entwickler dafür vescript [2] erlauben es, mit Hilfe eige- beispielsweise auf das Java Native Inter- Ein Vertreter dafür ist das Javascript- ner IDEs mit Javascript native Apps für face (JNI, [6]). Die Entwicklungsumge- Framework Meteor [3]. Es hat sich von Android und I-OS zu entwickeln. Der bungen Android Studio [7] und Xcode einem Framework zum Entwickeln echt- Ansatz hat Vorteile gegenüber dem Weg [8] helfen ihnen dabei, die Anwendung zeitfähiger Webapps [9] zu einer Open- der klassischen Webapp-Entwicklung, zu programmieren und in die entspre- Source-Plattform entwickelt, die von sich den etwa das Javascript-Framework Me- chenden App-Stores zu bringen.
    [Show full text]
  • Will HTML 5 Restandardize the Web?
    TECHNOLOGY NEWS Will HTML 5 Restandardize the Web? Steven J. Vaughan-Nichols The World Wide Web Consortium is developing HTML 5 as a stan- dard that provides Web users and developers with enhanced func- tionality without using the proprietary technologies that have become popular in recent years. n theory, the Web is a resource enhanced functionality without using “Microsoft is investing heavily in that is widely and uniformly proprietary technologies. the W3C HTML 5 effort, working with usable across platforms. As Indeed, pointed out Google our competitors and the Web commu- such, many of the Web’s researcher Ian Hickson, one of the nity at large. We want to implement key technologies and archi- W3C’s HTML 5 editors, “One of our ratified, thoroughly tested, and stable Itectural elements are open and goals is to move the Web away from standards that can help Web interop- platform-independent. proprietary technologies.” erability,” said Paul Cotton, cochair of However, some vendors have The as-yet-unapproved standard the W3C HTML Working Group and developed their own technologies takes HTML from simply describing Microsoft’s group manager for Web that provide more functionality than the basics of a text-based Web to creat- services standards and partners in Web standards—such as the ability to ing and presenting animations, audio, the company’s Interoperability Strat- build rich Internet applications. mathematical equations, typefaces, egy Team. Adobe System’s Flash, Apple’s and video, as well as providing offline At the same time though, Web QuickTime, and Microsoft’s Silverlight functionality. It also enables geoloca- companies say their proprietary tech- are examples of such proprietary tion, a rich text-editing model, and nologies are already up and running, formats.
    [Show full text]
  • Innovating Through Standardization
    Association for Information Systems AIS Electronic Library (AISeL) Pacific Asia Conference on Information Systems PACIS 2018 Proceedings (PACIS) 6-26-2018 Innovating through standardization: How Google Leverages the Value of Open Digital Platforms Yoshiaki Fukami Rikkyo Business School, Keio Research Institute at SFC, [email protected] Takumi Shimizu McGill University, [email protected] Follow this and additional works at: https://aisel.aisnet.org/pacis2018 Recommended Citation Fukami, Yoshiaki and Shimizu, Takumi, "Innovating through standardization: How Google Leverages the Value of Open Digital Platforms" (2018). PACIS 2018 Proceedings. 208. https://aisel.aisnet.org/pacis2018/208 This material is brought to you by the Pacific Asia Conference on Information Systems (PACIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in PACIS 2018 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact [email protected]. Innovating through standardization Innovating through standardization: How Google Leverages the Value of Open Digital Platforms Completed Research Paper Yoshiaki Fukami Takumi Shimizu Rikkyo Business School, Desautels Faculty of Management, Keio Research Institute at SFC McGill University [email protected] [email protected] Abstract The purpose of this paper is to examine how an actor strategically develops and diffuses technology standards that align with innovation trajectories while maintaining a consensus with competitors.
    [Show full text]
  • EMERGING TECHNOLOGIES Making the Web Dynamic: DOM and DAV
    Language Learning & Technology January 2004, Volume 8, Number 1 http://llt.msu.edu/vol8num1/emerging/ pp. 8-12 EMERGING TECHNOLOGIES Making the Web Dynamic: DOM and DAV Robert Godwin-Jones Virginia Comonwealth University Five years ago, in the January, 1998, issue of LLT, I wrote a column on Dynamic Web Page Creation, discussing options for Web interactivity and bemoaning incompatibilities among browsers. In the current column we will explore what has changed since 1998, new options that have arrived, and where we are with standards implementation. Scripting Transformations: CSS and the DOM Five years ago, "Cascading Style Sheets" (CSS) were just beginning to be used in designing Web pages; the specifications for CSS 1 were at that point about a year old. Since then, CSS Level 2 (May, 1998) is an approved recommendation (by the W3C), and CSS Level 3 modules have been issued as working drafts or candidate recommendations. More significant than the W3C activity is the fact that CSS has become the most widely used method for formatting Web pages. This development has only been possible because of CSS support in Web browsers. Beginning with the 5th generation browsers (Internet Explorer 5, Netscape 6, Opera 5), support for CSS 1 has been sufficiently robust and consistent to encourage developers of HTML authoring tools to incorporate CSS support. A helpful development that has served to encourage more wide-spread deployment of CSS has been the push to provide more accessible Web pages. Accessibility to users with special needs is much easier to code in a consistent and machine-readable fashion using CSS than in traditional HTML formatting, often built around the use of tables for formatting.
    [Show full text]
  • High Performance, Federated, Service-Oriented Geographic Information Systems
    High Performance, Federated, Service-Oriented Geographic Information Systems Ahmet Sayar Submitted to the faculty of the University Graduate School in partial fulfillment of the requirements for the degree Doctor of Philosophy in the Department of Computer Science, Indiana University February 2009 Accepted by the Graduate Faculty, Indiana University, in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Doctoral Committee ________________________________ Prof. Geoffrey C. Fox (Principal Advisor) ________________________________ Prof. Randall Bramley ________________________________ Prof. Kay Connelly ________________________________ Prof. Yuqing (Melanie) Wu February 2, 2009 ii © 2009 AHMET SAYAR ALL RIGHTS RESERVED iii Acknowledgements This dissertation has been achieved with the encouragement, support, and assistance I received from many remarkable people. I would like to offer my sincere gratitude to them. First of all, I would like to thank my advisor Prof. Geoffrey C. Fox for his support, guidance and an exceptional research environment provided by him along the way of this endeavor. I deeply appreciate how much he contributed with his keen insight and extensive experience. His advice was always invaluable contribution to my academic life. I would also like to thank the members of the research committee for generously offering time, support, guidance and good will throughout the preparation and review of this dissertation. I am very thankful to Prof. Randall Bramley for his suggestions and remarkable inspiration, Prof. Kay Connelly and Prof. Yuqing (Melanie) Wu for their constructive comments, kindnesses and keen intellects. I want to thank all members of Community Grids Lab for the priceless moments that we shared together. I have had great pleasure of working with these wonderful people.
    [Show full text]
  • HTML5 Standard and Features
    HTML5 Standard and features INF5750/9750 - Lecture 6 (Part I) Problem Area • The core language of the World Wide Web is HTML • The WWW is accessed through a number of devices • Current HTML standard was designed for creating web pages that are accessed through browsers in computers with links to other web pages • Today HTML is used to create Touch-screen websites, Games, 3D graphics, Audio-video conferencing, etc… • Still we have to think whether our applications will work across devices How to solve Standardization • HTML is different from XHTML (WHATWG, 2004) • WHATWG, a living HTML standard • W3C uses version releases (HTML5, 2014. HTML5.1 – 2016) • Testing browser compatibility part of the standard to check adherence • Remember Acid2 and Acid3? HTML-syntax & XML-syntax <!doctype html> <?xml version="1.0" encoding="UTF-8"?> <html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <head> <meta charset="UTF-8“> <title>Example document</title> <title>Example document</title> </head> </head> <body> <body> <p>Example paragraph</p> <p>Example paragraph</p> </body> </body> </html> </html> Character Encoding & Doctype <meta charset="UTF-8"> Instead of <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> No more DTDs. (earlier used for HTML quirks mode) and since HTML was SGML-based <!DOCTYPE html> Instead of <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> STRICT OR TRANSITIONAL <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> What’s different in HTML5 • 28+ new elements • Many new attributes • Many changed attributes • Obsolete elements • Obsolete attributes • HTML5 does not use the terms "block- level" or "inline“ • New APIs • Extensions Content Model - Categories • Metadata content, e.g.
    [Show full text]