Web
The web is not one platform. It is a multitude of platforms, most of which you’ll never test on. — Peter-Paul Koch
See also:
News
All issues | Web Platform News - https://webplatform.news/feed.xml
PDF
Media type
Aka MIME type, content type
application/x-www-form-urlencoded
text/event-stream
used by server-sent events (Set charset could be requiredtext/event-stream; charset=utf-8
)
Some subtypes support optional parametersimage/webp;animation=y
, image/webp;version=0.3
Charset case
Note: utf-8
or UTF-8
? (Don't use UTF8
nor utf8
). Prefer UTF-8
. It's case insensitive, stick to one.
Canonical names are, by convention, usually in upper case. — Charset (Java Platform SE 7 )
Multipart resource
Works only for images (used by MJPEG images):
It's used also for form upload with multipart/form-data
used only by HTTP requests
Multiple Choices
External-Body type
Note: It's used by emails
Set Content-Type
to:
Server environnements
local
development (or testing, integration) (could have a dedicated env. for Quality Assurance and User acceptance Testing)
staging, uat, preprod
production
Detection
Always use feature detection (Don't sniff User Agent! Never!) instead of browser/platform detection. Easyer client side with JavaScript or CSS.
var webkit = !document.uniqueID && !window.opera && !window.globalStorage
: old code that evaluates to true in IE, Opera + Firefox today. — Mike Taylor on Twitter
User-Agent Client Hints - Alternative to user agent string parsing to detect potential features supported
http://detectmobilebrowsers.com/ - Simplified (support lot of language) and not up-to-date UA detection.
A-grade: Full enhanced experience with Ajax-based animated page transitions.
B-grade: Enhanced experience except without Ajax navigation features.
C-grade: Basic, non-enhanced HTML experience that is still functional.
Client-Hints - intended to be used as input to proactive content negotiation
Maps
Protomaps | A free and open source map of the world - "deployable as a single static file on cloud storage" "PMTiles, [...] accessible via HTTP Range Requests." Protomaps Documentation | Protomaps Docs
Analytics
Tracking and analytics
Use Navigator.sendBeacon() - Web APIs | MDN
Tracking parameters
Aka query stripping
mc_eid
oly_anon_id
oly_enc_id
__s
vero_id
_hsenc
mkt_tok
fbclid
Mozilla Firefox's Enhanced Tracking Protection
privacy.query_stripping.enabled.pbmode
:
Data layer
Customer Experience Digital Data Layer (CEDDL): This is a data layer specification developed by the World Wide Web Consortium (W3C). It is declared as a key-value JavaScript object. However, it has pretty much been discarded/deprecated/ignored because of its static interface that does not work well with modern web frameworks.
Event-Driven Data Layer (EDDL): A general term referring to any data layer that is designed to respond to data that is pushed into it, where each push is termed an "event". There's a good write-up about this at https://jimalytics.com/tag-management/the-event-driven-data-layer/. Google Tag Manager's dataLayer is a common implementation of a EDDL.
Adobe Client Data Layer (ACDL): Adobe's implementation of a EDDL. It has been integrated into AEM and some Adobe products, but can be used as a standalone data layer in any website by including its JavaScript library. See https://github.com/adobe/adobe-client-data-layer for more info.
Direct Call Rule (DCR): This is a feature that is specific to Adobe Launch (or what is now called Adobe Experience Platform Data Collection Tags). By running _satellite.track("identifier") anywhere in a web page, you can trigger a Rule in Adobe Launch that listens for that Direct Call event with the "identifier" value. You can read more about how to use it at https://experienceleague.adobe.com/docs/experience-platform/tags/extensions/adobe/core/overview.html?lang=en#other-events
— Hi, can any one help me to understand the differen... - Adobe Experience League Community - 438861
Adobe Launch
Tracking data
page view
printing
track_printing.css
(should be served with header that disable cache):default font size (use blank iframe)
default zoom level
screen size
language
user timing
Tracking events
https://developers.google.com/analytics/devguides/collection/analyticsjs/
https://support.google.com/analytics/answer/1033068?hl=en
https://developers.google.com/analytics/devguides/collection/analyticsjs/events
https://developers.google.com/analytics/devguides/collection/analyticsjs/field-reference
https://developers.google.com/analytics/devguides/collection/analyticsjs/command-queue-reference
Be carefull of types (integer for eventValue)
Google Analytics Legacy
Aka ga.js
Use analytics.js instead
Use async, via _gaq.push()
Universal Analytics tracking library
Aka analytics.js
Universal Analytics tracking library (analytics.js):
For a custom function name: (ex: __gaTracker
)
GoogleAnalyticsObject
Social interactions:
Google Tag Manager
Aka GTM
Handle inclusion of libraries (third party services).
See also: Third parties
Allow predefined set of events (category + action + label + value, etc.) with macros, conditions, etc.
Privacy
Use "do not track" feature navigator.doNotTrack
CNAME cloaking
Tracking virtual pageviews
Ex: Ajax pages of Single Page Application (SPA)
Tracking scripts errors
Track errors, like front end (window.onerror
) or backend errors with https://developers.google.com/analytics/devguides/collection/analyticsjs/exceptions
https://stackoverflow.com/questions/21718481/report-for-exceptions-from-google-analytics-analytics-js-exception-tracking
https://davidwalsh.name/track-errors-google-analytics
Anchor hash tag behaviour
use an anchor (
<span id="target"></span>
) in targeted element (don't usea
withouthref
) (viaposition: absolute; top: -200px;
etc.). Position absolute can also be used, to prevent autoscroll(on click on link)
event.preventDefault();
,history.pushState()
(window.location.hash
will scroll automatically, so need to overridedocument.body.scrollTop
anddocument.body.scrollLeft
after changing its value)rename target IDs. Some browser keep in memory the position of the previous ID
History.scrollRestoration = "manual"
https://developer.mozilla.org/en-US/docs/Web/API/History/scrollRestorationhttp://lea.verou.me/2011/05/change-url-hash-without-page-jump/
http://css-tricks.com/hash-tag-links-padding/
In frame blocking
Use header Content-Security-Policy: frame-ancestors 'self'
(or the depreciated X-Frame-Options: SAMEORIGIN
)
See Clickjacking
Adaptive
Aka adaptive web design, responsive, adaptative web design
Deliver the best possible experience to the widest possible audience
Device Detection: Don't Do It!
Note: Sometimes it's better to have a dedicated version for a context. Ex: mobile version
RWD (responsive web design) = provide an optimal viewing experience, adapts the layout to the viewing environment by using fluid, proportion-based grids, flexible images, and CSS3 media queries, an extension of the @media rule
Progressive enhancement = Allows everyone to access the basic content and functionality of a web page, using any browser or Internet connection, while also providing an enhanced version of the page to those with more advanced browser software or greater bandwidth
Depends on features detections and usage:
output (interactive screen, print, projection)
screen capabilities (screensize, dpi)
network capabilities (latency, upload and download bandwidth)
touch capability
supported formats (video, audio, etc.)
number of users (usually one)
Responsive images
Aka content aware image cropping and art direction
Define an interest area or predefined crop rules based on breakpoints
See also HTML - Responsive image
art direction problem involves wanting to change the image displayed to suit different image display sizes — Responsive images - Learn web development | MDN
define find the focal point(s)
https://github.com/jwagner/smartcrop.js/ https://github.com/jwagner/smartcrop-cli - Content aware image cropping library
An XMP schema for responsive metadata - a W3C Community work
-Universal Images Community Group
https://github.com/sbaechler/thumbor-rmd-demo
https://github.com/sbaechler/thumbor-universalimages
Service generate art directed images:
Progressive Enhancement
Aka feature detection
See offline-first approach, Progressive Enhancement (CSS)
Old browsers support
Only in the case of progressive enhancement, if it's not work and no alternative is available for a major functionality, show a message about it.
Internationalization
Aka I18n
Image sequence
Aka turn table, Object VR, 360° object, object VR
Use turntable to captures differents angles.
Similar to a video, but with the ability to play in both ways, seek, without any audio track
Methods:
decompose effect and recreate it with 3D models, JS, CSS, SVG... But won't look the same
use video with specific frames encoding. Use only I-Frames or B-frames (B for bidirectional frame). See Frame types
use images: Can use format like APNG, MNG, JNG, Animated WebP, SVG (animation), QTVR, tar archive contains images and data files. If multiple images use the same container, content encoding could be used to compress more (GZip, Brotli) to reduce redonancy between images. For JPEG, use same DCT coefficients and omit it to reduce weight. Use codecs of compressed texture format, JPEG, PNG, etc.
images diff (pixels + metadata) and draw the patched image (frames:
I,P,P,P...
)P
images could refer to the I frame or to the previous P frame (see how APNG works) Need fine control of playbackbunch of images loaded into blobs and load into the DOM (IMG or Canvas or via ImageData) and drawn on canvas (frames:
I,I,I,I...
)
Examples, using differents methods:
Phosphor:
https://itunes.apple.com/us/app/phosphor/id589654268
http://chrisdowling.biz/demos/phosphor-filesize/
Image Sequences: Let Me Count The Ways « Thomas Reynolds - Use CSS animation or Canvas or DOM image suite
Third parties
and widgets
Don't trust your third parties
See also Third parties webperf
Comments services:
Source code embed:
Website JS plugins
To isolate a third party script (or DOM access, geolocation, modal APIs, etc.), use:
iframe with a cross origin (third party origin or null), ex: iframe with sandbox attribute but without
allow-same-origin
a virtual machine using a ECMAScript engine (that could be cross-compiled to WebAssembly)
use the Realm API (similar to
with(proxy){}
)
See also:
Loading Third-Party JavaScript | Web Fundamentals | Google Developers - "Be sure to conduct careful audits of the third-party scripts you load to ensure they’re being good actors."
oEmbed
Web Application
Script to create custom shortcuts on the iOS springboard. Check it out at: http://dev.fokkezb.nl/shortcutter - Generate data URI HTML document (to bookmark), allow to start native apps with custom arguments
Viewport size
Screen Size[1]
320 × 480 pt
320 × 568 pt
375 × 667 pt
414 × 736 pt
1366 × 1024 pt
1024 × 768 pt
Rendered Pixels
640 × 960 (@2x)
640 × 1136 (@2x)
750 × 1334 (@2x)
1242 × 2208 (@3x)
2732 × 2048 (@2x)
2048 × 1536 (@2x)
Physical Pixels
640 × 960
640 × 1136
750 × 1334
1080 × 1920
2732 × 2048
2048 × 1536
Pixels Per Inch (PPI)
326
326
326
401
264
264
Browser viewport
-
-
-
-
-
-
- Portrait
-
-
-
-
-
-
* normal[2]
320 × 372 px
320 × 460 px
375 × 559 px
414 × 628 px
?
?
* minimal[3]
320 × 440
320 × 528
375 × 627
414 × 696
?
?
* fullscreen[4]
320 × 460
320 × 548
375 × 647
414 × 716
?
?
- Landscape
-
-
-
-
-
-
* normal[2]
480 × 212 px
568 × 212 px
667 × 267 px
736 × 306 px
?
?
* minimal[3]
480 × 280
568 × 280
667 × 335
736 × 374
?
?
* fullscreen[4]
480 × 300
568 × 300
667 × 355
736 × 394
?
?
JS:
screen.[height|width]
; CSS:device-width
,device-height
normal-ui (with normal browser navigation bars) JS:
window.inner[Height|Width]
; CSS:width
,height
minimal-ui (with the small browser navigation bars) JS:
window.inner[Height|Width]
; CSS:width
,height
fullscreen (without any browser chrome for a web app, only status bar if any) JS:
screen.avail[Height|Width]
; CSS:width
,height
Privacy
Aka GDPR or EU Cookie Law, law and privacy legislations
See also Cookies
See Do Not Track https://www.eff.org/dnt-policy navigator.doNotTrack
https://en.wikipedia.org/wiki/Do_Not_Track
Cookie banner:
I don't care about cookies 3.3.1 - WebExtension to block cookies banner
Cookies
See also Privacy
App Download interstitials
App Association
Open native application
App install banner
Android app links
Android App Link: https://<domain>/.well-known/assetlinks.json
http://example.digitalassetlinks.org/.well-known/assetlinks.json
Apple app site association
Aka AASA or Universal Links
https://<domain>/apple-app-site-association
or https://<domain>/.well-known/apple-app-site-association
without redirect (200 OK only)
Fetch/apdated when (no expired):
app install
app update
Can't use MITM to handle/override association (certificate pinning)
Dummy and placeholder media
Aka Video test pattern, test image, sample image
See Sample files
16/9 image:
Web fonts
Favicon
For icons, use a large one 180×180 icon for iOS and Android
Some browsers usally try to get the following resource: /favicon.ico
convert favicon.png -background none -resize 256×256 -define icon:auto-resize="256,128,96,64,48,32,16" favicon.ico
https://github.com/RealFaviconGenerator/realfavicongenerator/issues/211
https://github.com/GoogleChrome/lighthouse/issues/291#issuecomment-219074630
WebIDL
.webidl
, .widl
, .idl
Tools:
microsoft/TypeScript-DOM-lib-generator: Tool for generating dom related TypeScript and JavaScript library files - generated from WebIDL Sources with idlfetcher and Microsoft Edge Platform internally generated WebIDL (
browser.webidl.json
, from sources?)
Format:
WebIDL Level 1 and Web IDL (Second Edition)
WebIDL Sources:
http://www.w3.org/TR/2011/REC-SVG11-20110816/svg.idl https://dev.w3.org/SVG/profiles/1.1F2/publish/idl.html
webidl - mozsearch https://github.com/mozilla/gecko-dev/tree/aade4252608ed43047e975217e8a39c2a71b0728/dom/webidl
Révision 267813 – WebKit - A commit that list all
.idl
used by WebKit
See also:
Browsers
Browsers version fragmentation
Version penetration
Browser support
User Agent String
Can be used server side to detect browser, bot, etc.
Apple Shortcuts App: Shortcuts/700 CFNetwork/974.2.1 Darwin/18.0.0
See Detection
User-Agent Reduction - Chrome reduce and freeze informations given by the UA string. See also Intent to Deprecate and Freeze: The User-Agent string
Not up to date UserAgentString.com - List of User Agent Strings
Mobile Detect - lightweight PHP class for detecting mobile devices (including tablets) and https://github.com/serbanghita/Mobile-Detect
Browsers extension
Aka Web Extensions
Download Google Chrome extension without installing it
CRX / NEX (Opera)
Sideloading in Firefox is no more allowed since version 73:
Sideloading in Chrome:
Safari Extensions
Safari App Extension
Safari Extension
Depreciated by Safari 12
Use xar
Ex: https://safari-extensions.apple.com/details/?id=com.diigo.safari.awesomescreenshot-5DXNM3K2CT
Kiosk mode
Chrome:
chrome --chrome --fullscreen --kiosk URI
chrome --kiosk "https://example.com"
, see also--kiosk-printing
and--chrome-frame
Opera:
opera -kioskmode -noexit URI
Firefox:
firefox --headless URI
firefox --kiosk
IE:
iexplore -k URI
Windows + Shift + Enter
(fullscreen mode), likeF11
See also:
Firefox
Awesome bar:
Add
^
to search for matches in your browsing history.Add
*
to search for matches in your bookmarks.Add
+
to search for matches in pages you've tagged.Add
%
to search for matches in your currently open tabs.Add
~
to search for matches in pages you've typed.Add
#
to search for matches in page titles.Add
@
to search for matches in web addresses (URLs).Add
$
to search for matches in suggestions. – Awesome Bar - Search your Firefox bookmarks, history and tabs from the address bar | Firefox Help
Open Tabs to the right of the current tab:
about:config?filter=browser.tabs.insertAfterCurrent
, https://addons.mozilla.org/en-US/firefox/addon/always-right/
Source code:
Dev tools:
Network debug
Session / tabs
open
about:support
(profile directory)open the directory
open the sub directory
sessionstore-backups
Files in this directory:
previous.jsonlz4
: cleanBackup: copy of sessionstore.js from previous session that was loaded successfullyrecovery.jsonlz4
: latest version of the sessionstore written during runtimerecovery.baklz4
: previous version of the sessionstore written during runtimeupgrade.jsonlz4-<build_id>
: backup created during an upgrade of Firefox
See also:
Session History Scrounger for Firefox (with lz4 support) — Fx File Utilities - read file format in
sessionstore-backups
directory
Integrated authentication
Aka silent authentication
authenticate the user to an Intranet server or proxy without prompting the user for a username or password
go to
about:config
accept harmful consequences warning
search
network.negotiate-auth.trusted-uris
and update with value.example.com
to allow auto login on that domainsif required, search
network.negotiate-auth.allow-non-fqdn
and set totrue
to allow non fully qualified domain names in the previous given list
For the list of trusted URIs, see:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Safari
Source code:
https://sourcegraph.com/search?q=repo%3Awebkit%2Fwebkit+%s
web developer tools:
Dev tools:
WebKit on Windows
From playwright (a NPM library) WebKit Windows builds:
https://playwright2.blob.core.windows.net/builds/webkit/{version}/webkit-win64.zip
whereversion
is one of the WebKit version supported (see alsobrowser_patches/webkit/BUILD_NUMBER
)WinCairo, 64 bits only
browsers pre-builds binaries are fetched when you
npm install playwright
.Webkit can be downloaded and started with
npx playwright wk https://example.com/
(with NPM) or execPlaywright.exe
(require to download it manually)
Chrome
OmahaProxy - Google Chrome - Look up information about a given Chrome release
https://crrev.com/<branch_position|commit>
https://storage.googleapis.com/chromium-find-releases-static/d4a.html#<commit>
https://omahaproxy.appspot.com/deps.json?version=<version>
(Major.Minor.Branch.Patch
)
Source code:
Dev tools:
Skia:
Enable Chrome developer tools experiments:
chrome://flags/#enable-devtools-experiments
webdev tools "Settings"
webdev tools "Experiment" tab
press "Shift" 6 times to show more experiments
Update error "An error occurred while checking for updates: Update check failed to start (error code 4: 0x80070005 – system level)" on Windows (one of):
run Chrome browser as administrator
start
Google Update Service (gupdate)
(services.msc
) then updatestart up type
:Automatic
orManual
reinstall Chrome browser (without uninstall it)
in
C:\Program Files\Google\Chrome\Application
orC:\Program Files\Google\Chrome Beta\Application
, renamenew_chrome.exe
tochrome.exe
andnew_chrome_proxy.exe
tochrome_proxy.exe
"%USERPROFILE%\Local Settings\Application Data\Google\Chrome\Application\0.4.154.25\Installer\setup.exe" --rename-chrome-exe --verbose-logging
Network debug
NetLog log:
queueing delay to schedule DNS resolves to threads
stalls due to exceeding socket pool limits
attempts to do a TCP connect to an IP address
speculative DNS resolves
proxy resolution
cache hits for DNS resolves
reads/writes from disk cache
network change events
proxy configuration change events
stalls due to chrome extensions pausing requests
errors
cookie store
Features needing reliable network information should never be built on top of NetLog
chrome://net-export/#
--net-log-capture-mode=IncludeCookiesAndCredentials
orIncludeSocketBytes
--log-net-log=/path/to/file
(ex:netlog.json
ornet-export/chrome-net-export-log.json
)chromium tools - chrome_proxy/webdriver/common.py and chromium catapult - netlog_viewer/netlog_viewer/log_util.js - About the invalidity of NetLog output when used with
--log-net-log
and a workaroundEvent time:
new Date(data.constants.timeTickOffset + parseInt(event.time))
Network Traffic Annotations and tools/traffic_annotation - chromium/src - "What is the intent behind each network request". See also
DefineNetworkTrafficAnnotation
To know what extension handle requests (marked as 307 Internal Redirect
, see delegate_info
, CHROME_EXTENSION_REDIRECTED_REQUEST
, URL_REQUEST_FAKE_RESPONSE_HEADERS_CREATED
)
Custom device with higher granularity
https://developer.chrome.com/devtools/docs/device-mode#custom-devices
https://github.com/ChromeDevTools/devtools-frontend/blob/9f1eee62ea4b12b10515582647260353f2f0c5e5/front_end/models/emulation/EmulatedDevices.ts#L645-L1801 default emulated devices
~/Library/Application Support/Google/Chrome/Default/Preferences
JSON,data.devtools.preferences.customEmulatedDeviceList
chrome.experimental.devtools.*
See also:
https://github.com/GoogleChrome/devtools-device-data/blob/release/devices.json
Update loop
Nearly up to date! Relaunch Google Chrome to finish updating.
start as Administrator
How a web browser works
inter-frame, event loop
Caches: ( Application DNS cache) → ( libc DNS cache ) → ( gateway DNS cache ) → ( DNS caching resolver cache ) → ( DNS nameserver authoritative cache ) → Filesystem Cache → Hard disk Device Cache → ( JavaScript JIT cache ) → HTTP cache → HTTP push cache → HTTP Preload cache → CPU L1 → CPU L2 → (CPU L3) → ( HTTP proxy cache ) → (N hops invoking many of these steps N times) → ( HTTP router/relay cache ) → ( HTTP Reverse Proxy cache ) → HTTP Server request caching. (add also CSS cache and Image cache)
See also How ECMAScript engine works (event loop, etc.)
Constructing the Object Model | Web Fundamentals - Google Developers and https://github.com/google/WebFundamentals/blob/master/src/content/en/fundamentals/performance/critical-rendering-path/constructing-the-object-model.markdown and
https://w3c.github.io/requestidlecallback/#figure1
event loop
Event loop: frame (vsynced): input (events) → Javascript and rAF → Frame commit (style, layout, paint, compose) (→ idle callbacks?); then other frame (vsynced); With the exception of intersection observers & element resize observers, which happen after raf.
Design Elements - About V8, ECMAScript engine used in Chromium and NodeJS
How JavaScript works
about:telemetry
,about:performance
,about:memory
(Firefox) https://addons.mozilla.org/en-US/firefox/addon/task-manager/ https://addons.mozilla.org/en-US/firefox/addon/tab-data/ 515352 - Implement Firefox own Task Manager (with live updating of per-tab CPU and memory usage)Task Manager (Chrome)
Inside look at modern web browser
Headless browser
Puppeteer: Node API for Headless Chrome and Headless Firefox - Puppeteer API
https://developer.mozilla.org/en-US/Firefox/Headless_mode
Chrome:
--user-agent="..."
, could require--single-process
. See also--use-mobile-user-agent
Headless browser detection
It's a cat-and-mouse game
puppeteer-extra/packages/puppeteer-extra-plugin-stealth at master · berstend/puppeteer-extra - Puppeteer plugin to prevent detection
Reader view
Firefox Reader view, based on Readability:
https://github.com/mozilla/readability/blob/c3c91a739beab6fd067404cd7610f6d64f53ad5a/Readability.js#L1721
Safari reader mode, based on Readability:
/Applications/Safari/Contents/Resources
(Reader.html
,ReaderThumb.png
,ReaderTrack.png
,ReaderBg.png
,ScratchBg.png
)
open safari web inspector.
disable (pause) Javascript in the Safari console debugger
open a web page that can be view in reader mode
See also Safari Reader Source Code and anonyme.js (ReaderArticleFinder
)
Other:
"Request Desktop Site"
On mobile browsers
Links and alternate
Canonical URL = the preferred URL (same document content, aka duplicated content) Alternate URL = other version of this canonicalized document (mobile or other lang)
For languages alternate, each canonicalized document must include the list of all languages available, even itself
Use alternate URL only for canonicalzed documents
On desktop:
or via http header:
And on mobile:
For HTTPS page (on http://www.example.com/page
):
x-default
Date
use ISO 8601 in JSON
Troubleshooting
safe browsing / ad blocker issues:
banner.jpg
,ads.js
andanalytics.js
,sponsor
analytics can even fails
some HTML element like images or video with keywords like "publicité" (in URL or title) don't appears on some browsers
Firefox with the Tracking Protection block the Facebook SDK in private mode (by default)
Adblock block IDs starts with
ad
ex: http://example.com/images/AD/AD/9F/D2/13803437-3-1520-3.jpg is blocked by easylist, see https://github.com/easylist/easylist/blob/536e287/easylist/easylist_general_block.txt#L268
uBlock/assets.json at a4376e950067d301beb89af26e9ef9a58e3862f3 · gorhill/uBlock - uBlock lists enabled by default
Class and ID to avoid because of AdBlock https://github.com/easylist/easylist (IDs start with
###
, classes start with##.
)Opera and UC Browser include ad blockers
some pages or files are not display correctly. Do you use the
Vary
header to define on which request headers you use to deliver content (oftenAccept-Encoding
,User-Agent
orCookie
)scripts or content not executed/loaded because CSP don't allow it
too many cookies
Maximum on HTTP header values? - Stack Overflow - Request
Cookie
is too long:400 Bad Request - Request Too Long
(IIS) or413 Entity Too Large
browser storage limitations
Browser Cookie Limits (2017)
Cookie size limits - Chrome Platform Status - RFC 6265bis: "limit the sum of the lengths of the cookie's name and value to 4096 bytes, and limit the length of each cookie attribute value to 1024 bytes. Any attempt to set a cookie exceeding the name+value limit is rejected, and any cookie attribute exceeding the attribute length limit is ignored."
https://searchfox.org/mozilla-central/rev/f63ca2952da98e0817bdae0ddf1314281a497106/netwerk/cookie/CookieCommons.h#55-61
https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/cookie_monster.h;l=117-134;drc=326a0bccb07af93a8084d2836d8b6ec4685c9b7e
https://github.com/WebKit/WebKit/blob/28a06fc72f32a1ccbb5a3a09924253efb4a5469e/Source/WebCore/platform/network/curl/CookieUtil.cpp#L45
https://github.com/WebKit/WebKit/blob/28a06fc72f32a1ccbb5a3a09924253efb4a5469e/Source/WebCore/platform/network/curl/CookieJarDB.cpp#L46-L47
1264192 - Browsing Twitter wipes out its login cookie because of a per-host limit - about cookies eviction strategy
open Chrome
open a white page:
open a new tag
write this URL in address bar + enter : about:blank
open developement tools:
Crtl+Maj+I
or Menu at the top right (< ⁝ >), then "More tools", then "Developement tools"
or right clic on page, then "Inspect"
enable history logs perservation:
open "Console" tab
open the menu "Console settings" (< ⚙️ >)
check "Preserve log"
enable requests history perservation:
open "Network" tab
check "Preserve log"
follow your scenario: keep developement tools opened in background
open the first page (in the browser tab by write/pasting it URL in the address bar + enter)
the follow the rest of the scenario
once the scenario is complete, without closing the browser tab, show the developement tools window
save console logs:
go to "Console" tab
right click on the main area (where you see yellow, red and white entries)
choose "Save as..."
save requests hisoty:
go to "Network" tab
right click on the main area (where you see all logged entries)
choose "Save all as HAR with content"
send us both saved files
Cross domain & integrity
integrity
<script>
and<link>
attributecrossorigin
<script>
,<img>
attributenoreferrer
noopener
X-Frame-Options
header (depreciated)Content-Security-Policy
header
See XSS and injection prevention
Subresource checksum
Aka subresource integrity
See also nonce
attribute.
JavaScript:
PHP:
Command line (sh, openSSL):
Be carefull of (significant) spaces, quotes, etc. The hash could be different.
Bypass cross domain control
If your JS need a resource but it's disallow but the third party (does not allow with Access-Control
headers)
Always filter which URL/domain you allow. Else some evil people could use your proxy for illegal activity, etc.
reverse proxy
http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20html%20where%20url%3D%27http%3A%2F%2Fbbc.co.uk%27%0A&format=json
select * from html where url='http://bbc.co.uk'
JSONP (previous example support
&callback=foo
)https://github.com/Athlon1600/php-proxy
Note: CSP can block it.
Server logging
Chrome Logger - Server side application debugging - use
X-ChromeLogger-Data: jsonbase64data
Server timing
Aka Server Timing API
CMS
JSON Schema + form:
Google Docs Sheets as CMS
Need to: File > Publish to the Web
https://spreadsheets.google.com/feeds/list/{worksheet_id}/{sheet_id}/public/full?alt=json
https://spreadsheets.google.com/feeds/worksheets/{sheet_id}/public/full?alt=json
https://spreadsheets.google.com/feeds/worksheets/{sheet_id}/private/full
Where sheet_id
is default
or 1
, 2
, etc. match the tab order
Web IDE
GitHub web editor (github.dev)
use Visual Studio Code for the Web
Visual Studio Code for the Web
See also: zvizvi/GitHub-Web-IDE: ⚡ Open GitHub repositories in online web IDE
User script
openuserjs:
it's possible to import Script from GitHub, and use a webhook to sync with the source repo
don't forget to allow Github auth (Authorized OAuth Apps), and add a licence field
Bookmarklet
See Bookmarklet
Note: Bookmarklets are blocked by CSP in Firefox, where bookmarklet = unsale-inline
script
Accessibility
A benefit of descriptive links is that screenreader users can pull all the links on a page together into a list and find what they need. ‘Click here’ doesn’t describe where you are linking to and means nothing without textual context! Eg. Instead of “Our school has X many students and does Y and Z. For more information, click here” to link to your About Us page, use: “Our school has X many students and does Y and Z. Read more About Us” Ps. If you do this you will not only make life easier for people who use screen readers but you also have a really simple way to improve your Search Engine Optimisation. Nobody Googles “Click here.” (the WCAG 2.1: 2.4 rule - Ed.)
See Accessibility
EU: ETSI EN 301 549, require WCAG 2.1 Level AA
FR: ETSI EN 301 549 and fallback to internations standards + use RGAA (based on WCAG 2.1) for technical requirements - public online communication services, public institutions, and the state
DE: BITV 2.0 (based on WCAG 2.1 Level AA) - government websites
IT: Stanca Act (based on WCAG 2.0 Level A)
JP: JIS X 83141 (based on WCAG 2.1)
ES: UNE 139803:2012 (based on WCAG 2.1 Level AA): government and government-funded organizations; or organizations larger than 100 employees; or with trading column greater than six million euros; or those providing financial, utility, travel/passenger, or retail services online
US: Section 508 require WCAG 2.0 Level AA
AU: Disability Discrimination Act (Advisory Notes, based on WCAG 2.0)
See also:
About support of old browser vs accessibiliy:
"Prefer make website accessible rather than a full support of IE8"
Stats:
Tools:
ARC Toolkit | The Paciello Group (TPG) – Digital Accessibility Solutions - Accessibility tool to evaluate screens for accessibility and uncover issues related to the WCAG 2.1 Level A/AA
Checklist Vox Product Accessibility Guidelines
random a11y curate beautiful color palettes that are accessible
https://github.com/nature/pa11y
https://github.com/squizlabs/HTML_CodeSniffer
XCode Accessibility Inspector
chrome://accessibility/
Edge 14: F12 Developer Tools > Accessibility Tree viewer
https://tenon.io/ (non free)
Other:
tools for browser for users or authors: zoom and font size settings, reduce motion, custom font, screen reader, colors inversion, video sub titles, keyboard navigation, etc.)
accessibility overlay tools / add-on accessibility / plug and play solutions (accessiBe, Facil'iti)
AccessiByeBye and PneumaSolutions/accessibyebye-extension - WebExtension that remove accessibility overlays
An Alphabet of Accessibility Issues - Blind, color blind, epilepsy, poor hearing, vertigo, fractured multiple fingers
Mobile Dyslexic – Get this Extension for 🦊 Firefox (en-US) - "Mobile Dyslexic replaces all fonts of all web pages with carefully crafted special font which is easier to read by people with dyslexia."
Screensaver
Create a screensaver from a web page:
télécharger l’application « HTML Screen Saver » sur http://myweb.tiscali.co.uk/djmclean/htmlscreensaver.html
l’installer l’application
ouvrir le panneau de configuration (du système) (click droit sur le bureau → personaliser)
ouvrir les préférences du économiseur d’écran / screen saver
choisir dans la liste déroulante « HTML Screen Saver », si c’est pas déjà le cas
cliquer sur options / settings
parcourir et sélectionner le fichier .html précédemment reçu
clicker sur Test pour prévisualiser
clicker sur OK
HTML Screensaver, Universal ScreenSaver, Web Screen Saver - Windows only. Require
X-UA-Compatible
header/meta orFEATURE_BROWSER_EMULATION
registery key. See Web Browser Control & Specifying the IE Version - Rick Strahl's Web Log
BaaS
Aka backend as a service, Mobile backend as a service (MBaaS)
Email:
Email Delivery Service | SendGrid
For sending via SMTP, provide the string
apikey
as the SMTP username, and use your API Key as the password.
SMS and phone call (voice):
Email to SMS - Send Free SMS via Email - mfitzp/List_of_SMS_gateways: This content was previously available on WikiPedia but deleted as not really encylopaedia-worthy. Since an article of mine was originally a major source for the data in the page, I took a copy for posterity. It's now here on Github, reformatted as an editable CSV file and publicly editable by all.
Transfert files
Digital signature
Trusted third party
Advertising
Aka Ads
See also:
Content blocking - blocked ads by filters
Acceptable Ad criteria - Rules by AdBlock
SEO and ASO - balance between content and ads
The Initial Better Ad Standard - Coalition for Better Ads - Coalition for Better Ads
A/B testing
Content blocking
Safe Browsing (UrlSubresourceFilter, BetterAds)
chrome://components/
ITP (Intelligent Tracking Prevention) used by Safari - third party cookies isolation
Microsoft Edge – All the news from Build 2019 - Microsoft Edge Blog - Privacy tools: tracking prevention
New Year, New Samsung Internet – Samsung Internet Developers – Medium - Samsung Internet 9.2 includes Smart Anti-Tracking
See also:
Safe browsing
chrome://safe-browsing/
Google Safe Browsing
https://google.com/safebrowsing/diagnostic?tpl={safari|mozilla|}&site={host}&hl=en-US
https://www.google.com/safebrowsing/report_error/?tpl={safari}
Safe Browsing: malware and phishing – Google Transparency Report - Check site status
k-anonymity of the API:
Google first computes the SHA256 hash of each unsafe URL in its database, and truncates each hash down to a 32-bit prefix to save space.
Google sends the database of truncated hashes down to your browser.
Each time you visit a URL, your browser hashes it and checks if its 32-bit prefix is contained in your local database.
If the prefix is found in the browser’s local copy, your browser now sends the prefix to Google’s servers, which ship back a list of all full 256-bit hashes of the matching URLs, so your browser can check for an exact match.
Tencent Safe Browsing, Safe Browsing API is a drop-in replacement of Google's API
https://www.urlsec.qq.com/check.html?tpl={safari|}&site={host}
https://urlsec.qq.com/check.html?url={url|domain}
https://urlsec.qq.com/report.html?url={url} reportAnError
https://urlsec.qq.com/complain.html
https://safebrowsing.urlsec.qq.com
https://www.urlsec.qq.com/standard/s1.html Learn more
phishing sites have a lifecycle of about 15 hours
most malicious links are hidden within benign domains
about 400,000 phishing sites are created each month
Code:
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework
Datasets
Datasets:
chrome-ux-report (aka CrUX)
Sourcemap
Aka source map, VLQ, variable-length quantity
Inspect:
source-map-visualization - To drag and drop custom both source and map files: name it
*.js
(even if the content is not JS) and*.map
unless the source map contains the fieldfile
that match the dragged source filename. See https://github.com/sokra/source-map-visualization/blob/9b1e3adc1ca8e03006ccb4c4e0c4c0bc897203f9/app/app.js#L248-L257
For CSS and JavaScript
PWA
See also
Service worker
What’s new on iOS 12.2 for Progressive Web Apps – Maximiliano Firtman – Medium - PWA lifecycle on iOS 12.2
iOS Add to Homescreen => simulate web app manifest - simulate
start_url
manifest field in iOS
Wi-Fi Captivate
Walled garden, captive portal
with Captive Network Assistant (mini-browser / webview), some features can be disabled (persistant cookies, alert, confirm, popin, cross-origin AJAX, sessionStorage)
/Library/Preferences/SystemConfiguration/CaptiveNetworkSupport/Settings.plist
User-Agent: CaptiveNetworkSupport/1.0 wispr
/System/Library/CoreServices/Captive Network Assistant.app
Captive Portal - How to trick a device to launch its captive portal window
Tested URLs:
http://www.apple.com/library/test/success.html
http://captive.apple.com/hotspot-detect.html
http://connectivitycheck/gstatic/com/generate_204
On iOS and OSX, when WiFi connection is detected, the OS try to open this URL: http://captive.apple.com/hotspot-detect.html
(previously http://apple.com/library/test/success.html
) which return 200 Ok
with content <HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>
https://stackoverflow.com/questions/18891706/ios7-and-captive-portals-changes-to-apple-request-url
http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html
http://www.davidcalculli.com/blog/2012/10/apples-secret-connecting-to-a-wi-fi-network-requires-an-active-internet-connection
https://en.wikipedia.org/wiki/Captive_portal
/System/Library/CoreServices called Captive Network Assistant.app
/Library/Preferences/SystemConfiguration/CaptiveNetworkSupport/Settings.plist
http://apple.stackexchange.com/questions/211593/how-to-disable-captive-apple-com
http://superuser.com/questions/937325/wifi-hotspot-why-os-does-not-detect-me-as-a-captive-portal
http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html
http://www.dd-wrt.com/wiki/index.php/Chillispot
http://coova.github.io/CoovaChilli/
http://blog.trifork.com/2013/01/15/building-a-captive-portal-controlling-access-to-the-internet-from-your-network/
https://www.howtoforge.com/tutorial/how-to-install-a-wireless-hotspot-with-captive-page-in-linux-using-coovachilli/
https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software
http://www.pihomeserver.fr/2014/05/22/raspberry-pi-home-server-creer-hot-spot-wifi-captive-portal/
http://www.pihomeserver.fr/2014/05/23/raspberry-pi-home-server-creer-hot-spot-wifi-portail-captif-22/
Popup
Allow multiple popup, or open popup from non user action:
Chrome:
open website informations (from the URL bar)
click website parameters (chrome://settings/content/siteDetails?site=http%3A%2F%2Fexample.com)
set "Popups & redirections" to "Allowed"
Firefox:
open page informations (Tools > Page informations)
go to permissions tab
uncheck "default permissions" for "Open popus" and select "Allow"
Edge:
open Settings
go to Advanced Settings
switch Block Pop Ups Off
after using the desired website, roll back these settings
Parties
first party: the host, the application
second party: CDN (substitution)
End-to-end tests
Use ID to traget elements: IDs for robots
To find an element with specific classname token foo
, do not use //*[@class='foo']
nor //*[starts-with(@class,'foo')]
, but:
//*[contains-token(@class, 'foo')]
(XPath 3.1)//*[count(index-of(tokenize(@class), 'foo')) >= 1]
(XPath 2.0)//*[contains(concat(' ', normalize-space(@class), ' '), concat(' ', 'foo', ' '))]
(XPath 1.0)
See also:
Website analysis
Aka technology sniffing
For:
technologies
framworks
libraries
tools, CDN, CMS
providers of services, etc.
plugins
Last updated