17 Comments

At ZYB we have been doing cross domain JavaScript calls for quite some time now. Whenever we tell that to people, many don’t believe it is possible with standard security settings in any modern browser. This surprised me a bit since it has always been possible with a simple little trick.

The problem

Say you have a website (site A) with an iframe wherein you host another website (site B). In old and unsecure browsers it was possible to do a JavaScript call from site B to site A like this:

window.parent.doSomething();

Here the doSomething function is living on site A and is called by site B through its parent window. For security reasons, this simple way of cross iframe communication was disabled years ago by all browser vendors.

The solution

There are different scenarios with possible solutions:

1: Site B is a sub domain under/beside Site A

Let’s say that:

  • Site A is located at example.com or sitea.example.com
  • Site B is located at siteb.example.com

All you need to do is to add this line of JavaScript to both site A and B:

document.domain = 'example.com'

That tells the browser that both site A and B belongs to the app located at example.com and are therefore allowed to communicate using JavaScript. It could be by calling window.parent.doSomething(); Now Same Origin Policy principle has been enabled on both sites.

2: Site B is on a different top domain than site A

This is more tricky, because we need to let the browser think both site A and B are under the same top domain.  When it does, we can implement the trick from solution 1 above.

Let’s say that:

  • Site A is located at example.com or sitea.example.com
  • Site B is located at foobar.com

To make this work, you need to create a sub domain called e.g. siteb.example.com. Then point the new sub domain to the IP address of foobar.com. Now both site A and B is located under example.com and you can start to implement solution 1.

There is no security risk going on here because you can only implement solution 1 if both site A and B participate in the trick.

Other solutions

If you can't use either solution 1 or 2 the game isn't over. Here are some other techniques to use:

Though not as simple as the document.domain trick, these are well documented and proven techniques.

8 Comments

Back in March, I wrote about my grand plan for 2009 – my new year’s resolution. The plan was simple. I had to visit 12 different countries in 2009, preferably 12 countries I’d never visited before. Now, half way through the year it’s time to do status on the progress.

January

A business trip to Düsseldorf, Germany kicked off the plan. Beautiful city with very nice restaurants, bars and more Porche’s, Mercedes’ and BMW’s I’ve ever seen in one place.

February

Another business trip, this time to rainy London. Also, later the same month I went to Chişinău, the capital of Moldova. This is by far the most interesting place I’ve ever visited and I have a feeling that I might be the first tourist in that country. I can highly recommend visiting Moldova and I will definitely go back in maybe 5 years time.

Moldova

March

Went to the MVP Summit in Seattle. It was my first time in the state of Washington, but my 5th trip to USA and my 14th state. It rained, but it didn’t change the fact that Seattle is a very nice city with very nice and outgoing people.

The Space Needle

April

Malaga, Spain was the starting point of my Easter holiday. From there we drove to Gibraltar to see the wild monkeys and beautiful views and of course the new casino. You can actually see Morocco from there across the Mediterranean Sea. Then drove to Sevilla before returning home.

Gibraltar

May

Visiting a friend in Stirling, Scotland, the home of William Wallace aka Mel Gibson in Braveheart. Drove around Loch Lomond and tried some excellent whisky along the way – I wasn’t driving. I then took a flight from Scotland to Düsseldorf to revisit the Vodafone mother ship before returning home.

June

Back in March I asked around the office if anyone wanted to join me on a trip to Amsterdam, Holland. 9 colleagues said “yes, please”, so off we went to one of the more fun places I’ve ever visited for reasons I will not share with you or anyone else. If you’ve been there you know why. If you haven’t been there, go before it’s too late.

Arriving in Amsterdam

June/July

I’ve been very busy at work and by travelling, so for the summer holiday I just wanted to relax by a pool somewhere warm. I did that on Corfu – a Greek island off of the Albanian coast. The only energy spent on that trip was getting into a cap to the ferry leaving for Sarande, Albania.

Paradise Hotel in Corfu, Greece

That concludes the first half of my grand plan. Next up is:

August: Fringe Festival in Edinburgh, Scotland and a trip to Boston
September: Weekend in Monaco to win big on the casinos
October: 11 days roundtrip to Iran

After that it’s either India with the family in November or Malta for Christmas. If the rest of the year turns out as stated here, then the grand plan succeeds. This grand plan also carries some of the blame for me not blogging much anymore.

0 Comments

I’ve been working lately with some ASP.NET performance optimization automation HTTP modules. In one of them I needed to know if the last-modified header had been set through the Response.Cache.SetLastModified(DateTime) method. For some reason, there is no API available anywhere within the BCL to retrieve the last modified date of a response – you can only set it.

Since the module wouldn’t work without a way to read the last modified date of the response, I had to use Reflector to figure out how to pull the information out using reflection. The result became a simple little method to retrieve the date. It looks like this:

private static DateTime ReadLastModifiedFromResponse(HttpCachePolicy cache)

{

  BindingFlags flags = BindingFlags.NonPublic | BindingFlags.GetField | BindingFlags.Instance;

  return (DateTime)cache.GetType().GetField("_utcLastModified", flags).GetValue(cache);

}

And you can use it like this:

DateTime responseModified = ReadLastModifiedFromResponse(Response.Cache);

 

if (responseModified > DateTime.MinValue)

{

  // Last-modified is set. Do something...

}

If you know of another way to retrieving the last-modified date, please let me know.

0 Comments

In the past 6 months I’ve been involved in hiring a lot of ASP.NET developers. It was very interesting to learn just how different skill sets ASP.NET developers have. It also made it more and more clear that every developer we talked to would fit into one of three categories:

  • The web developer
  • The developer who build websites
  • The ASP.NET super hero

Before looking deeper into the different categories I recommend you too check out how I define the ASP.NET framework 

The developer categories

With the ASP.NET definition in place it is now easier to look at the different categories of ASP.NET developers we have interviewed.

The web developer

Not many ASP.NET developers fall into this category. It’s usually the ones that come from classic ASP or PHP and made the switch to ASP.NET later on. They know everything about browser compatibility, JavaScript, CSS and the request life cycle. Also, they are usually not that hardcore in C# because they have mostly worked with client technologies. They are also more agnostic to the server-side platform and can work on PHP and RoR projects just as efficiently.

The web developer is also the kind of guy who thinks about new web technologies such as microformats and OpenID. This guy lives and breathes web.

The developer who builds websites

This is by far the biggest category. We’ve interviewed many developers who have worked with ASP.NET since it was first released. They have worked with everything from the database, data- and business logic, web services and ASP.NET. Most of them don’t care much for browser capabilities or JavaScript but they are hardcore C# developers. They have built many ASP.NET sites, but they are far from experts on the framework and stuff like modules and handlers are not where they have spent most of their time to say the least.

Their knowledge of the .NET framework, BCL and C# is immense, but they don’t qualify as web developers. They don’t live and breathe web, but their skills are just as needed in an ASP.NET project.

Take a web developer and a developer who build websites and put them in a room at the Romance Inn and wait 9 months. Then you get:

The ASP.NET super hero

This breed of developers is very difficult to get your hands on. They are a special race of individuals who know all about the ASP.NET framework and client-side technologies and are just as proficient in the more hardcore C# disciplines as well. ASP.NET is a very broad and diverse area because it is the point where the BCL, C#, XHTML, CSS, JavaScript, dependency injection, unit testing, mocking, AJAX etc. all come together in one project. To master all these disciplines takes an ASP.NET super hero.

The web developer and the developer who builds websites are both very important to a successful execution of a website project, but at least one ASP.NET super hero is essential in my opinion.

0 Comments

I have a very clear view on what ASP.NET is and what it isn’t. I’ve never given it much thought until recently when I learned that my view was different from a lot of other ASP.NET developers’. It started at an ASP.NET session at the MVP summit where a presenter asked whether or not people in the audience used the Entity Framework or Linq2Sql. I thought to myself that data access had absolutely nothing to do with ASP.NET but found to my surprise I was the only one finding it a weird question at an ASP.NET session.

Since that session I started talking to people about this and almost everyone told me that a website without some sort of database is a thing of the past and that being an ASP.NET developer involved mastering databases, data access and business logic. I don’t disagree that mastering these disciplines is a huge part of being a .NET developer, but I still refused that it had anything to do with ASP.NET. Yes, I’m that anal.

The field trip

So, I went to Barnes & Noble to find some ASP.NET books. They had 8 different titles and I started to look at the table of contents in all of them. 7 out of the 8 ASP.NET books had minimum one chapter about databases and data access. I looked at the covers again and was reassured that I was indeed skimming ASP.NET books. Not data access books, but ASP.NET books.

What I have learned in the past few months is that databases and data access is part of ASP.NET. Or in other words, ASP.NET is a database presentation framework and NOT a web application framework. Not acceptable!

Here is my view on what ASP.NET is and what it isn’t.

My clear view of ASP.NET

ASP.NET is a framework for creating dynamic websites. It is not a framework for doing data access, business logic or any other thing besides building websites. If your business logic knows it is being used by an ASP.NET project by relying on an HttpContext for instance, then you are doing something wrong. Business logic is an API for what ever (presentation) logic that sits on top of it whether it being ASP.NET, WinForms, WCF or something completely different. This is a rule of the N-tier application architecture.

Smaller web projects often have the business- and data logic classes in the App_Code folder within the web project itself. Those classes are physically part of the web project but logically they are separate from the ASP.NET logic and as such the same 3-tier architecture applies. But it is still not ASP.NET, it is just C# classes that physically lives inside the web project in Visual Studio.

ASP.NET handles everything related to browser/server interactions and nothing more. Calling the database directly from your code-behind or controller action doesn’t make ADO.NET part of the ASP.NET framework. The presence of the BCL in both ASP.NET and the business logic makes it less transparent, but I hope you see my point.

Even though the data- and business logic aspects are both related and important to ASP.NET developers, they are still not ASP.NET.

This is my clear view on the ASP.NET database presentation framework.