Difference between MessageChannel and WebSockets? - html

I can't figure out what the difference between MessageChannel and WebSockets is.
I have the following requirements:
minimize delay
full-duplex
minimum header data length
Do both fulfill these requirements? Which is better?

The HTML5 Web Messaging API can be used to communicate between independent pieces of code loaded in the browser (the specification calls them "browsing contexts"). For example, if your page contains an <iframe>, and you want to securely communicate between it and the outside code, you might use Web Messaging. Consider this explanation from the Opera dev portal:
Channel messaging is particularly useful for communication across multiple origins. Consider the following scenario. We have a document at http://socialsite.example containing content from http://games.example embedded in one iframe, and content from http://addressbook.example in another.
Now let’s say that we want to send a message from our address book site to our games site. We could use the social site as a proxy. That, however, means the address book gains the same level of trust as the social site. Our social site either has to trust every request, or filter them for us.
With channel messaging, however, http://addressbook.example and http://games.example can communicate directly.
The Web Sockets API can be used to communicate between code loaded in the browser and the server. So it serves a completely different purpose. Since you're mentioning the requirement of low latency and "full-duplex", I assume you mean client-server communication, and so you're looking for web sockets.
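The scenario from the quoted Opera explanation, as an added example that is not part of the original answer: the embedding page creates one MessageChannel and hands a port to each iframe, naming each frame's origin explicitly, and each frame accepts a port only from the embedder it expects. The names `brokerChannel` and `acceptPort` and the `{type: 'port'}` message shape are assumptions made for illustration.

```javascript
// Added example. brokerChannel runs in the embedding page
// (http://socialsite.example in the quoted scenario). brokerChannel,
// acceptPort and the {type: 'port'} message shape are illustrative names.

// Hand one end of a fresh MessageChannel to each embedded frame.
// frameA / frameB are the iframes' contentWindow objects.
function brokerChannel(frameA, originA, frameB, originB) {
  const { port1, port2 } = new MessageChannel();
  // An explicit targetOrigin (never '*') makes the browser drop the message,
  // and the port with it, if the frame has navigated to another origin.
  frameA.postMessage({ type: 'port', peer: originB }, originA, [port1]);
  frameB.postMessage({ type: 'port', peer: originA }, originB, [port2]);
  // Both ports are transferred away, so the embedding page keeps no usable
  // end of the channel: the two frames talk to each other directly.
}

// Runs inside each iframe's 'message' handler: accept a port only from the
// expected embedder. Returns the port for sending, or null if rejected.
function acceptPort(event, trustedParentOrigin, onMessage) {
  if (event.origin !== trustedParentOrigin) return null; // unknown sender
  if (!event.data || event.data.type !== 'port') return null;
  const port = event.ports && event.ports[0];
  if (!port) return null;
  // Assigning onmessage also starts delivery on the port.
  port.onmessage = (e) => onMessage(e.data, event.data.peer);
  return port;
}

// Usage inside the http://games.example frame (handleMessage is hypothetical):
//   window.addEventListener('message', (ev) => {
//     const port = acceptPort(ev, 'http://socialsite.example', handleMessage);
//     if (port) port.postMessage({ hello: 'from games' });
//   });
```

The channel itself is full-duplex, but it only connects browsing contexts inside one browser; it carries nothing to a server.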

Related

How does open.spotify.com work?

I can go to the webpage https://open.spotify.com and select songs that are then immediately played on my desktop spotify application. How does this work? I could imagine a scenario where the webpage sends a request to a server which then tells my desktop application to play, but the website and my application seem too in sync. Sure the web is fast, but the song time counters are perfectly in sync and there is no lag when I click play.
I guess they could do something clever with syncing the song time counter, but I'm wondering if they're doing something even more clever: not using a server at all.
So the real question: Is there a way to have direct communication between a webpage and an application running on the client?
The mechanism is described in "How does the Spotify web browser button interact with the Spotify app?". When you install Spotify's desktop application, a process called SpotifyWebHelper runs in the background. This process acts as a local server and receives requests from open.spotify.com to interact with the current playback. As you see, there is a way for a web site and a local application to communicate.
It's worth noting that there is an increasing concern among browser vendors about this mechanism (see https://bugs.chromium.org/p/chromium/issues/detail?id=378566) and it will stop working at some point in the future. A more future-proof solution could be based on a proxy service that gets requests from the web page and updates your application, and vice versa. Web sockets are a good candidate for this. Although the proxy, acting as a state management service, introduces some delay, it also allows for some other use cases: e.g. you don't need to have the application installed on the same machine on which the web page is browsed, and one could for instance control a mobile client.

HTML5 with local peripherals

We're investigating porting a fat-client .NET application to be an HTML5-based webapp, but a hangup is that we interface with a variety of usb/serial/shared devices (receipt printers, report printers, specialty archive printers, sigpads, scanners, webcams, etc).
Is there any feasible way to get an HTML5 site the ability to interface with local USB/serial peripherals, or with a local service (e.g., browse to www.site.com/app and have it interact with localhost:1234/api to request things like signatures and send stuff like print jobs)?
The other option I was thinking of is to have a local thin-client type setup, which requests UI elements from the remote server's API, but internally has logic to know what peripherals are doing and passes data via the API.
The least preferential item is to try to write some sort of browser plugin, which is tied with using a Java applet. Silverlight might work, but I haven't researched it too much.
Ideally we'd like to do this to make our app cross-platform, and we're not sure what the best practices are for our situation, or what is the path of least resistance, etc.
Try to embed a web browser into a standalone application and code the interaction in the backend:
Some alternatives:
CEF is cross platform https://code.google.com/p/chromiumembedded/
Old and tried SHDocVw ActiveX for embedding IE using COM on Windows http://msdn.microsoft.com/en-us/library/aa752040(v=vs.85).aspx
You could of course use a local service application to do the dirty work for you and you would have to communicate somehow: WebSockets, AJAX requests. There are ways around the security measures that are coded into modern browsers (cross domain requests and DNS trickery) but the major hurdle will be to get your customers to install a service. If you manage that, then the service could very well serve HTML pages directly and handle requests for peripherals.

RESTful HTML page

My understanding of web services is that they are used to provide distributable functionality. However, as RESTful web services can return HTML and show this HTML as a regular web page in the browser, we then have a view rather than business logic. Is this ever useful or is it a violation of the separation of concern principle?
You are confusing something here.
REST is a web api design model and thus focuses on the integration of different applications rather than the internal structure of those.
That being said, REST is a very relaxed model. However, the cornerstones of a REST system are:
It's stateless
You do not have some kind of a session like with SOAP, where you first authenticate and then get a session id and can perform actions. In REST every call is independent and has all the data/information needed to be processed and does not rely upon any preceding or succeeding calls
Every service is uniquely addressable by a URI
There are operations that must meet certain criteria
For example, a simple web server usually serves GET requests; those must be safe, meaning they will not modify anything, they are read only
here is a good article...
http://www.codeproject.com/Articles/253944/Representational-State-Transfer-A-Short-Walkthroug

Client-Server Model

I would like to develop a webpage (using any technology) with these conditions:
When client A types the web address on his browser, they automatically receive a remote IP (no other data)
With this IP, Client A automatically requests some data from that IP (Client B)
Client B sends the requested information to Client A.
Which technology and libraries could I use to develop this webpage? (Javascript, Applets, browser plugin...) I think it is some kind of P2P, so it should be possible to develop it.
Let's put one example.
Imagine that the webpage I have to program is www.hi.com/test.html.
I type it in my browser and automatically receive this IP: 212.22.62.106
My browser automatically requests data from 212.22.62.106, which is another client of www.hi.com/test.html
This second client sends me the requested information, which is the only thing shown in my browser.
THANKS
Just about everything in browser security is going to fight this model - Ajax, javascript in general, applets, cookies - they're all tied to the current domain.
To do this, you're going to need to get something onto the desktop, if only in the form of an ActiveX control, which will severely limit your browser-base.
I think you're barking up the wrong tree - maybe if you could pop up one level of abstraction and tell us what you're trying to accomplish with this model?
This is not possible with a web page, you're looking in the wrong direction.
You'll have to build your own application which by the way sounds really similar to eMule.. :)

How do I get a verified location using HTML5?

I've been playing with HTML5 location lookups recently and it's relatively straightforward to pull someone's location from a device like an iPhone.
I want to write an app that uses location data, but it's important that the location be factual. In other words I need to prevent people from authoring a fake post to the backing website / web service with mocked up GPS coordinates.
Is there any way to collect GPS coordinates from a mobile device using the HTML5 geolocation APIs and securely transmit that back to a web service in a way that someone wouldn't be able to author a post with the same data and "game the system" so to speak?
Not without some serious encryption on the payload on the client. Which, if there is money involved, someone will reverse engineer and figure out how to create valid payloads themselves. Remember, if there is money or fame involved, then somebody will think the effort to do something like this is "worth it". If your web service is public and not using some kind of encryption, nothing on the client will ensure that someone with a network connection can't sniff your protocol and fake whatever data they want. And SSL won't cut it. Anyone can proxy the SSL connection on their local network, decrypt the payload and inspect it to their heart's content.
No. Completely agree with the answer from fuzzy lollipop. If you’re talking to a remote machine, the data can always be faked. Always always. What makes you certain you’re even talking to a mobile device at all? The User-Agent string? Pfft, it can be faked. Talking to a GPS? Pfft, could be coming from a predefined path. Talking to a web browser? Pfft, could be a bot, or some other malware.
And don’t think encryption (i.e. HTTPS) is going to help you. The client could edit any of your HTML, CSS, or JavaScript on-the-fly — take Firebug or Greasemonkey for example.
The reasons why you can’t trust the client are the same as the reasons why exploits such as SQL or HTML injection are so common. Ever heard the phrase “the customer is always right”? Well, the customer may be right, but the client is always untrustworthy.
The system is there to be gamed. As flaws are discovered, you patch them one by one. It’s more like leapfrog, rather than achieving the holy grail. Bruce Schneier’s quip “security is a process, not a product” comes to mind. Asking for a system that “can’t be gamed” is missing the point. What you need to be doing is creating a system where the server sanitises the data, and/or rejects bad data — fuzz testing is not a bad idea, either.
That’s about the best you can do without shipping custom untamperable mobiles to your customers with the OS in ROM, and the inside sealed with epoxy.
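What "the server sanitises the data, and/or rejects bad data" can look like for reported positions, as an added example that is not part of the original answers: the server checks each submitted fix for type, range, timestamp and implied travel speed against the last accepted fix for the same account. The field names (`lat`, `lon`, `ts`), the function names and both thresholds are assumptions; passing these checks shows only that a fix is plausible, not that it is genuine.

```javascript
// Added example: server-side checks on a client-reported position.
// Field names and thresholds are assumptions; tune them per application.
const MAX_SPEED_MPS = 340;         // assumed ceiling on plausible travel speed
const MAX_CLOCK_SKEW_MS = 120000;  // assumed tolerance for client clocks

// Great-circle distance in metres (haversine formula).
function distanceMetres(a, b) {
  const R = 6371000;
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Returns the reasons to reject `fix`; an empty array means it passed.
// `prev` is the last accepted fix for the same account, or null.
// `nowMs` is the server's clock, never a value supplied by the client.
function rejectReasons(fix, prev, nowMs) {
  const num = (v) => typeof v === 'number' && Number.isFinite(v);
  // Strings, NaN and missing fields are rejected before any arithmetic.
  if (!fix || !num(fix.lat) || !num(fix.lon) || !num(fix.ts)) {
    return ['malformed'];
  }
  const reasons = [];
  if (Math.abs(fix.lat) > 90 || Math.abs(fix.lon) > 180) {
    reasons.push('out-of-range');
  }
  if (fix.ts > nowMs + MAX_CLOCK_SKEW_MS) reasons.push('timestamp-in-future');
  if (prev) {
    const dtSeconds = (fix.ts - prev.ts) / 1000;
    if (dtSeconds <= 0) {
      reasons.push('not-newer-than-previous'); // replayed or reordered post
    } else if (distanceMetres(prev, fix) / dtSeconds > MAX_SPEED_MPS) {
      reasons.push('impossible-speed');
    }
  }
  return reasons;
}
```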