Microsoft Security Bulletin MS11-018

April 13, 2011 by: oyvind.kinsey

Microsoft will today (2011-04-12) start to push out a cumulative update that affects, amongst others, Internet Explorer 6 and Internet Explorer 7.

For these two browsers easyXDM provides a transport called NixTransport, which was derived from the work done on the Apache Shindig project, and this transport works by exploiting one of the security holes closed with this security update.

Most home users will receive this update tonight, or early next morning from Windows Update, and corporate/enterprise users per their respective update schedules, but thanks to some people in the loop I was informed of this yesterday and have had time to prepare a transport that replaces the NixTransport for IE6 and IE7.

The new transport is called FlashTransport and utilizes an AS2 swf and its LocalConnection capabilities to relay data between domains. It is on par with the other A-grade transports with regard to speed, but it does require that Flash is installed (6+) in order to function. Without Flash, one of the lower-grade fallbacks will be used instead.

Anyway, to keep supporting IE6 and IE7 after this update from Microsoft is pushed out, you need to upgrade to v2.4.12 (get the zip at GitHub).

How to upgrade

Upload the new easyxdm.min.js file together with the new easyxdm.swf file and add the following to your transports configuration:

swf: "absolute/or/relative/path/to/easyxdm.swf"

You MUST reference only one of the domains' `easyxdm.swf` files, preferably the provider's (this fits with regular use cases too), and there is no need for any `crossdomain.xml` files.

For those who are interested in the inner workings, here they are:

  • Tried replacing version 2.4.8.101 with 2.4.12.108 and I get a js script error in IE7.

    Line: 2477
    Char: 9
    Error: ‘serializer’ is null or not an object
    Code: 0

    • Line 2477 of what file?
      What example? Using Socket or Rpc? Using which setup code?

      • easyXDM.js, using easyXDM.Rpc. The only thing I’ve changed so far is changing the js-file loaded by the page.

        var xdm = new easyXDM.Rpc(
        { remote: url },
        { remote: { ajax: {}}}
        );

        • Did you ever figure out what was causing this issue as I’m having the same problem?

          • If I remember correctly, he was missing the JSON2.js library (he replaced a modified easyXDM.js file with a clean one).

          • Mahendra Shelar

            I was also having the same issue.
            i.e: Error: ‘serializer’ is null or not an object

            I was able to solve this after adding the JSON2 library directly after the script that includes easyXDM.js, as per the documentation.

  • Steven

    I’m testing IE6 using easyxdm.rpc. IE6 + flash works for a small amount of data but if I try sending 50k then it just hangs. Looking at the log I get nothing after this statement 10:24:17.864:easyXDM.stack.RpcBehavior: executing method request.

    IE6 without flash installed doesn’t work for me. I’ve tried the xhr example http://consumer.easyxdm.net/current/example/xhr.html and that does not work for me either.

    Let me know if I can provide any more information.

    • I honestly haven’t tested with large amounts yet – this was an emergency fix – but if you register this as an issue I will take a look at it.

      IE6 without flash, and without the NameTransport set up as fallback will either way be a problem with those amounts of data as it will have to use the HashTransport, and this can only send about 3-4k in each message. The latency of this transport combined with the need to use the ReliableBehavior (uses ack’ing) will cause this to be terribly slow…

      But in theory, it _should_ fall back to the HashTransport without flash…
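
The cost described in the reply above, as an added example that is not part of the original comment and not easyXDM's code: a model of a transport limited to a few thousand characters per message, with stop-and-wait acknowledgement and retransmission. The 3500-character limit used in the test, the loss pattern and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not easyXDM code. maxLen and the loss pattern are
// assumed values chosen for the demonstration.

// Split the URL-encoded message into "<fragments remaining>_<data>" pieces.
function fragment(message, maxLen) {
  const encoded = encodeURIComponent(message);
  const total = Math.max(1, Math.ceil(encoded.length / maxLen));
  const parts = [];
  for (let i = 0; i < total; i++) {
    parts.push((total - 1 - i) + "_" + encoded.slice(i * maxLen, (i + 1) * maxLen));
  }
  return parts;
}

// Receiver: buffers fragment data and decodes once "0 remaining" arrives.
// Returning true stands in for the ack travelling back to the sender.
function createReceiver() {
  const rx = { message: null, buffer: "" };
  rx.receive = (part) => {
    const cut = part.indexOf("_");
    rx.buffer += part.slice(cut + 1);
    if (part.slice(0, cut) === "0") {
      rx.message = decodeURIComponent(rx.buffer);
      rx.buffer = "";
    }
    return true;
  };
  return rx;
}

// Stop-and-wait sender: the next fragment is sent only after the current
// one is acked; every `dropEvery`-th transmission is lost and resent.
function sendReliably(message, maxLen, dropEvery) {
  const rx = createReceiver();
  let transmissions = 0;
  for (const part of fragment(message, maxLen)) {
    let acked = false;
    while (!acked) {
      transmissions++;
      const lost = dropEvery > 1 && transmissions % dropEvery === 0;
      acked = !lost && rx.receive(part);
    }
  }
  return { delivered: rx.message, transmissions };
}
```

Each transmission costs a full round trip on the slow transport, so the transmission count is the figure that decides how long a large payload takes.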

  • Frank G

    Hi, I’m doing RPC, but it seems all returned values are now coming in asynchronous. Intended? Or am I missing something?

    • easyXDM has always been asynchronous, and in fact, it is impossible to support synchronous messaging and you really don’t want it either as it would block the executing thread while performing.

      So if you mean that you have used easyXDM synchronously, then I have no idea what you have been doing 🙂

      • Frank G

        Well, in fact I’ve come across easyXDM just this afternoon and consider myself quite the noob 🙂

        Considering this ‘consumer’-code:

        var output;
        remote.init("test", function(result) {
            output = result;
        });
        alert(output);

        with this ‘provider’-implementation:

        init: function(text) {
            alert("remote");
            return text;
        }

        In IE8 this gives:
        alert -> ‘remote’
        alert -> ‘test’.

        In IE7:
        alert -> ‘undefined’
        alert -> remote.

        So from a consumer point of view, the RPC seems to have gone from sync to async…

      • Neelima Kapoor

        Hi, could you please reconfirm this:

        One has the option to send a same-origin request synchronously/async using XMLHTTPRequest object.

        But one cannot send a synchronous cross-domain request using EasyXdm.

        • easyXDM is asynchronous (must be), and so the sum of the function calls must also be asynchronous. Single calls can of course still be synchronous, like a toString() or an xhr request…

          • Neelima Kapoor

            thanks for the reply,

            by single calls, you mean single-domain calls.. right?

          • No, single calls as in single vs plural. Understanding the synchronous vs asynchronous paradigms can be challenging, but is needed.
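
The behaviour discussed in this thread, as an added example that is not part of the original comments and not easyXDM's code: a small model of callback-based RPC over an asynchronous string channel, showing why reading `output` right after `remote.init(...)` yields `undefined` and the value only exists once the callback has run. `createChannelPair`, `exposeMethods`, `createProxy` and `pump` are hypothetical names; `pump()` stands in for the browser delivering queued messages on a later turn.

```javascript
// Added illustration, not easyXDM code; all names here are hypothetical.
// Channel ends exchange strings, queued until pump() (a later event-loop turn).
function createChannelPair() {
  const queue = [], consumerEnd = {}, providerEnd = {};
  consumerEnd.postMessage = (text) => queue.push({ to: providerEnd, text: String(text) });
  providerEnd.postMessage = (text) => queue.push({ to: consumerEnd, text: String(text) });
  const pump = () => {
    while (queue.length) {
      const { to, text } = queue.shift();
      if (to.onMessage) to.onMessage(text);
    }
  };
  return { consumerEnd, providerEnd, pump };
}
// Provider side: run the named method and post its return value back.
function exposeMethods(end, methods) {
  end.onMessage = (text) => {
    const { id, method, params } = JSON.parse(text);
    if (!Object.prototype.hasOwnProperty.call(methods, method)) return;
    end.postMessage(JSON.stringify({ id, result: methods[method](...params) }));
  };
}
// Consumer side: each call sends a request and parks its callback under an id.
function createProxy(end, names) {
  const pending = new Map(), proxy = {};
  let nextId = 1;
  end.onMessage = (text) => {
    const { id, result } = JSON.parse(text);
    const callback = pending.get(id);
    if (pending.delete(id)) callback(result);
  };
  for (const name of names) {
    proxy[name] = (...args) => {
      pending.set(nextId, args.pop()); // assumes the last argument is the callback
      end.postMessage(JSON.stringify({ id: nextId++, method: name, params: args }));
    };
  }
  return proxy;
}
// The consumer code from the thread above, run against this model.
function demo() {
  const { consumerEnd, providerEnd, pump } = createChannelPair();
  exposeMethods(providerEnd, { init: (text) => text });
  const remote = createProxy(consumerEnd, ["init"]);
  let output;
  remote.init("test", (result) => { output = result; });
  const readRightAfterCall = output; // nothing delivered yet: undefined
  pump(); // request reaches the provider, response comes back
  return { readRightAfterCall, readAfterDelivery: output };
}
```

Any code that depends on the result belongs inside the callback, since the call itself returns before the provider has seen the request.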

  • Ghostcoder25

    um, there is no new easyxdm.min.js file at the github source, there is none at all… and the easyXDM.debug.js file just acts as an aggregator now, meaning it needs all the other files too unlike in the previous version, where just the easyXDM.debug.js file was req..?
    https://github.com/oyvindkinsey/easyXDM
    am i missing something?

    • You are referring to the source (which needs to be run through the build steps) while I was referring to the zip that you can download 🙂

  • Slawek

    I just wanted to upgrade today and I’m having troubles with it – I followed your steps above…. In IE6 and 7 the returned message is always ‘undefined’….
    I’m using easyXDM for iframe resizing. I thought I was doing something wrong, but the example on your website is also not working for me – same problem…. This is what I’m getting with DebugBar:

    Line: 32
    Character: 21
    Code: 0
    Error Message: Invalid argument.
    URL: http://consumer.easyxdm.net/current/example/resize_iframe.html

    and when I traced it this is because the message returned is undefined.

    Please help as if I won’t get that working, I will fall a few weeks behind with the current project (it’s a widget based on iFrames – and they need to be resizable, if not I will have to redo it to jsonp which I would like to avoid)….

    If you need some more info please let me know.

    • Hm, that was weird.. I haven’t got time to debug this right now, but I’ll make sure to get it fixed before the next version which will be soon.

      • Slawek

        Thanks Sean…. I can imagine you are busy man 🙂
        Can you at least point me in some direction – I can imagine it will be something really small (it always is) and I’m wrecking my head for a few hours now??? The message is being posted correctly from what I’ve checked… But for unknown reason to me the message is coming back as undefined. According to your tests – in tests dir – everything is working fine.. but like I’ve said the example on your website is not working for me as well – in both IE6 and 7… Also you’ve said that new version will be coming soon – can you tell me when??? In 3 weeks the project is going to production environment and I based everything on easyXDM…. thanks for your help!!!!

        • That’s just it – the message seems to get lost inside the SWF-SWF link (LocalConnection), and it seems to only be like this for this specific example.
          The new version will probably come within a week (waiting for a security review).

          • Slawek

            Thanks for this update… works like a charm (like I thought really small thing)!!!! Sadly but I still need to look after IE6 users as they are 40% of my user base – annoying as hell, but what can you do….

            Thanks again….

    • Found the bug – the FlashTransport didn’t properly ensure that all messages were strings.
      https://github.com/oyvindkinsey/easyXDM/commit/57dbe5b3c7bf388a44803c58f3c9e3ae251469f2

      You should be able to monkey patch this easily.

  • david

    Hi,
    I use easyxdm in our project. It works well except ie 7, and I do not test in ie 6. IE7 + flash-plugin can work. But if I uninstall the flash-plugin it can’t work any more. This is a big issue currently.
    Many customers don’t install flash-plugin. I use socket. Can you help me to fix this problem?
    1.main.html
    var transport = new easyXDM.Socket(/** The configuration */{
        remote: "http://www.mlwm1.com:8080/wlwm/c2.html",
        container: "embedded",
        swf: "http://localhost:8080/wlwm/easyxdm.swf",
        onMessage: function(message, origin){
            alert(message);
        }
    });

    2. iframe_test_socket.html
    var socket = new easyXDM.Socket({
        swf: "http://localhost:8080/wlwm/easyxdm.swf",
        onReady: function(){
            socket.postMessage("thanks easyxdm");
        },
        onMessage: function(url, origin){
        }
    });

    My page can not alert any message in ie7 without flash-plugin. But it works well in other browsers.

    • If flash isn’t installed then it should try to fall back to either the NameTransport (the preferred one if you can put the name.html file on both domains) or the HashTransport.
      Without the trace logs, it’s impossible to say why that isn’t happening here.

      You say ‘many’ customers don’t have Flash – can you back this with numbers? According to Adobe 99% of internet enabled browsers have Flash, and IE6/7 is really falling behind on market share too.

      • david

        Thanks for your response so quickly. I will have a try. and i will give the feedback.

  • jim spath

    Awesome, works great!

    However, I noticed that it doesn’t work in IE6+7 when the consumer and provider are on the same domain?

    • If they are on the same domain then the SameOriginTransport will kick in, so the FlashTransport will not be used. If this isn’t working for you then you might have run into this issue here: https://groups.google.com/forum/#!topic/easyxdm/IhRdwMtKKs8

      • jim spath

        I’m also using noConflict mode if that matters …

        • If you are using it correctly then this shouldn’t matter.
          Correctly means that the easyXDM object must be accessible in the global scope through
          window.name.space.easyXDM, eg (in global scope)

          var name = {
              space: {
                  easyXDM: easyXDM.noConflict("name.space")
              }
          };

          • jim spath

            This is what I am doing:

            var EEWD = EEWD || {};
            EEWD.easyXDM = easyXDM.noConflict('EEWD');

            It seems to work in IE 8+9 but not in 6+7. There are no errors … the consumer never receives the messages.

            I’m actually not terribly concerned about this, since the only time I am on the same domain is on development, and even there, I can be on separate domains ( as long as I remember 🙂 )

          • Hm, I don’t know then – I’ll do some tests next time I do some work on this. Could you file a bug report on github?

          • I filed an issue here:  https://github.com/oyvindkinsey/easyXDM/issues/192

            IE + Popups + noConflict = FAIL

  • Doug Knight

    I am encountering these issues with both IE6 and IE7. I’m trying to reconfigure to use flash, but from the OP and from the discussion below it is unclear what changes I need to make to both sides of the connection (sender and receiver). Could someone post an example of both sides?

    • See the readme, it explains the new options. Also, all the examples now come configured for this.
      The only change needed is an swf: property in the transport configuration with the url for loading the swf-file.

  • Mark Greed

    The link to this article from the home page is broken.

    Also, consider using better link text instead of ‘this’ and more obvious link highlighting (eg, the universal underline at least on hover).

      Notice: easyXDM may have [link]suddenly stopped working in IE6 and IE7[/link].

  • hoooopo

    easyxdm is so good!

  • Anil

    Great Work,

    For IE I am getting

    ” SEC7118: XMLHttpRequest for http://fls-na.amazon.com/1/batch/1/OE/ required Cross Origin Resource Sharing (CORS) ”

    I have included “easyXDM.js” and “flashTransport.js” on both sides; still I am not able to read the Local Storage and Cookie values.