|
1 IO Utility Change History |
|
2 ========================= |
|
3 |
|
4 3.10.3 |
|
5 ------ |
|
6 |
|
7 * [security] Hardened SWF file by filtering all data passed through ExternalInterface to fix XSS vulnerability. |
|
8 |
|
9 3.10.2 |
|
10 ------ |
|
11 |
|
12 * No changes. |
|
13 |
|
14 3.10.1 |
|
15 ------ |
|
16 |
|
17 * [security] Hardened SWF file by filtering all data passed through ExternalInterface to fix XSS vulnerability. |
|
18 |
|
19 3.10.0 |
|
20 ------ |
|
21 |
|
22 * No changes. |
|
23 |
|
24 3.9.1 |
|
25 ----- |
|
26 |
|
27 * No changes. |
|
28 |
|
29 3.9.0 |
|
30 ----- |
|
31 |
|
32 * Normalized IO's handling of falsy request and response bodies. A majority of |
|
33 the environments want request/response bodies to always be a string, so they |
|
34 use an empty string instead of undefined, null, etc. |
|
35 |
|
36 This specifically fixes two issues: |
|
37 |
|
38 * IE 10 converts a response body of `undefined` to the literal string: |
|
39 `"undefined"`. No other environments do this, so a change has been made to |
|
40 default the request body to `""` unless it has a non-falsy value. |
|
41 |
|
42 * IO's node.js transport uses the Request npm module, which returns |
|
43 `undefined` when a response has no body. This normalize IO's `responseText` |
|
44 to an empty string when Request returns a false response body. |
|
45 |
|
46 |
|
47 3.8.1 |
|
48 ----- |
|
49 |
|
50 * Exposed IO's form serialize via the new `Y.IO.stringify()` method. |
|
51 [Ticket #2529073] [Pull Request #351] [John Lindal] |
|
52 |
|
53 * Stringified request data is now passed to custom transport layers. |
|
54 [Ticket #2532594] [Pull Request #383] [John Lindal] |
|
55 |
|
56 |
|
57 3.8.0 |
|
58 ----- |
|
59 |
|
60 * No changes. |
|
61 |
|
62 |
|
63 3.7.3 |
|
64 ----- |
|
65 |
|
66 * Fixed issue in Chrome where form submits with `upload: true` were not working |
|
67 properly. [Ticket #2531860] |
|
68 |
|
69 * Add `empty()` method to io-queue which clears out all requests waiting to be |
|
70 sent. [Pull Request #282] [Julien Sanchez] |
|
71 |
|
72 |
|
73 3.7.2 |
|
74 ----- |
|
75 |
|
76 * No changes. |
|
77 |
|
78 |
|
79 3.7.1 |
|
80 ----- |
|
81 |
|
82 * No changes. |
|
83 |
|
84 |
|
85 3.7.0 |
|
86 ----- |
|
87 |
|
88 * Prevent IO from maintaining cookies across requests in Node.js. |
|
89 [Ticket #2532676] |
|
90 |
|
91 * Remove "X-Requested-With" header from cross-domain XHRs. Setting any |
|
92 non-standard HTTP headers when performing a cross-domain request using CORS |
|
93 results in a _required_ pre-flight OPTIONS request. Not adding this header by |
|
94 default allows the browser to communicate with a server which is not |
|
95 CORS-ready. [Ticket #2532673] [Clarence Leung] |
|
96 |
|
97 |
|
98 3.6.0 |
|
99 ----- |
|
100 |
|
101 * Fixed issue when running in Node.js where `config.data` wasn't automatically |
|
102 stringified. [Ticket #2532390] |
|
103 |
|
104 |
|
105 3.5.1 |
|
106 ----- |
|
107 |
|
108 * No changes. |
|
109 |
|
110 |
|
111 3.5.0 |
|
112 ----- |
|
113 |
|
114 * Configuration data can now include an instance of FormData for HTTP POST |
|
115 requests. [Ticket #2531274] |
|
116 |
|
117 * Implemented FormData file upload in io-base. [Ticket #2531274] |
|
118 |
|
119 * Fixed transport error in io-base [Ticket #2531308, #2531941, #2531947] |
|
120 |
|
121 * Fixed IO loader meta-data [Ticket #2531320] |
|
122 |
|
123 * Fixed transport error in io-base [Ticket #2531308] |
|
124 |
|
125 * Implemented Node.js compatibility [Ticket #2531495] |
|
126 |
|
127 * Fixed transport error in io-base [Ticket #2531308] |
|
128 |
|
129 * Fixed API docs discrepancy for IO [Ticket #2531756] |
|
130 |
|
131 * Fixed error in sending an XML document as POST data. [Ticket #2531257] |
|
132 |
|
133 * success/failure/complete/etc callbacks that throw errors no longer hijack all |
|
134 future transactions. [Ticket #2532107] |
|
135 |
|
136 |
|
137 3.4.1 |
|
138 ----- |
|
139 |
|
140 * HTTP 304 now treated as a success condition. [Ticket #2530931] |
|
141 |
|
142 * Fixed transport creation error when both io-xdr and io-upload-iframe modules |
|
143 are in use. [Ticket #2530999] |
|
144 |
|
145 * Querystring stringify added to io-upload-iframe. [Ticket #2531037] |
|
146 |
|
147 * Fixed request abort error in IE. [Ticket #2531038] |
|
148 |
|
149 * Add try/catch to io-upload-iframe response to handle failure cases where the |
|
150 document may be inaccessible. [Ticket #2531041] |
|
151 |
|
152 * Add IO support for XHR basic user authentication. [Ticket #2530023] |
|
153 |
|
154 * Revert Y.mix usage for synchronous requests. [Ticket #2531056] |
|
155 |
|
156 * Fixed io-upload-iframe transport destruction. [Ticket #2531058] |
|
157 |
|
158 |
|
159 3.4.0 |
|
160 ----- |
|
161 |
|
162 * Added ability to get the configuration of a transaction. [Ticket #2528240] |
|
163 |
|
164 * Instantiable IO. [Ticket #2529314] |
|
165 |
|
166 * IO now uses `event-custom` and event facades. [Ticket #2529317] |
|
167 |
|
168 * Exposed more of the internals of IO for extensibility. [Ticket #2529447] |
|
169 |
|
170 * Fixed IO iframe upload to reset form attributes. [Ticket #2529553] |
|
171 |
|
172 * Add IO support for XHR basic user authentication. [Ticket #2530023] |
|
173 |
|
174 * IO will not send `data` for `GET`, `HEAD` and `DELETE` HTTP methods. |
|
175 [Ticket #2530091] |
|
176 |
|
177 * Fixed issue with IO doubling the URL query-params on a HTTP `GET` request when |
|
178 sending `data` together with form serialization. [Ticket #2530494] |
|
179 |
|
180 |
|
181 3.3.0 |
|
182 ----- |
|
183 |
|
184 * When using `io-xdr` to load `io.swf`, a date-time stamp will appended, as a |
|
185 query-string, to the transport source for IE. [Ticket #2528898] |
|
186 |
|
187 * Implemented default HTTP headers can be suppressed in the transaction's |
|
188 configuration object by setting the header with a value of `disable`. |
|
189 [Ticket #2529324] |
|
190 |
|
191 For example: |
|
192 |
|
193 var config = { headers: { "X-Requested-With": "disable" } }; |
|
194 |
|
195 * Use Y.io without listening for the `io:xdrReady` event. [Ticket #2528710] |
|
196 |
|
197 * Fixed native XDR detection for IE8 in `io-xdr`. [Ticket #2529290] |
|
198 |
|
199 |
|
200 3.2.0 |
|
201 ----- |
|
202 |
|
203 * Fixed malformed HTML entities in JSON response, when using `io-upload-iframe`. |
|
204 [Ticket #2528646] |
|
205 |
|
206 * Fixed configuration HTTP headers should override preset HTTP headers, when |
|
207 identical. [Ticket #2528893] |
|
208 |
|
209 |
|
210 3.1.2 |
|
211 ----- |
|
212 |
|
213 * [!] Fixed security vulnerability in `io-xdr` when using the Flash transport. |
|
214 Removed: `Security.allowDomain("*")` setting from `io.as` (source) and |
|
215 `io.swf` (compiled). The implementation reverts back to the version in 3.0.0. |
|
216 |
|
217 This reversion prevents third-party sites from being able to load `io.swf` |
|
218 from a disparate domain, and make HTTP requests with the SWF's domain |
|
219 privileges, and passing the domain's credentials. Only the domain serving |
|
220 `io.swf` will be permitted to load it, and call its fields. |
|
221 |
|
222 See the "Security Bulletin" for more details: |
|
223 http://yuilibrary.com/yui/docs/io/#security-bulletin |
|
224 |
|
225 |
|
226 3.1.1 |
|
227 ----- |
|
228 |
|
229 * Fixed broken synchronous IO requests in IE. [Ticket #2528739] |
|
230 |
|
231 |
|
232 3.1.0 |
|
233 ----- |
|
234 |
|
235 * YUI io now supports synchronous transactions for same-domain requests. To |
|
236 enable synchronous transactions, set the configuration property `sync` to |
|
237 `true`; the default behavior is `false`. During a synchronous request, all io |
|
238 events will fire, and response data are accessible through the events. |
|
239 Response data are also returned by io, as an alternative. [Ticket #2528181] |
|
240 |
|
241 For example: |
|
242 |
|
243 var request = Y.io(uri, { sync: true }); |
|
244 |
|
245 `request` will contain the following fields, when the tx is complete: |
|
246 |
|
247 * `id` |
|
248 * `status` |
|
249 * `statusText` |
|
250 * `getResponseHeader()` |
|
251 * `getAllResponseHeaders()` |
|
252 * `responseText` |
|
253 * `responseXML` |
|
254 * `arguments` |
|
255 |
|
256 When making synchronous requests: |
|
257 |
|
258 * The transaction cannot be aborted, |
|
259 * The transaction's progress cannot be monitored. |
|
260 |
|
261 * `arguments` defined in the configuration object are now passed to io global |
|
262 event handlers, as well. [Ticket #2528393] |
|
263 |
|
264 * Only pass the value of the `arguments` property to listeners if defined. |
|
265 [Ticket #2528313] |
|
266 |
|
267 |
|
268 3.0.0 |
|
269 ----- |
|
270 |
|
271 * Native cross-domain transactions are now supported in `io-xdr`. To specify an |
|
272 XDR transaction, set the config object with the following properties: |
|
273 |
|
274 * `use`: Specify either `native` or `flash` as the desired XDR transport. |
|
275 |
|
276 * `credentials`: Set to `true` if cookies are to be sent with the request. |
|
277 Does not work with XDomainRequest (e.g., IE8) or the Flash transport. |
|
278 |
|
279 * `datatType`: Set to `xml` if the response is an XML document. |
|
280 |
|
281 For example: |
|
282 |
|
283 var configuration.xdr = { |
|
284 use : 'flash', // Required -- 'flash` or 'native'. |
|
285 credentials : true, // Optional. |
|
286 dataType : 'xml' // Optional. |
|
287 }; |
|
288 |
|
289 The `use` property is required. The others are optional or |
|
290 functionality-specific. |
|
291 |
|
292 When using the native transport, io will fallback to the Flash transport if |
|
293 the browser is not capable of supporting the native mode. Make sure the |
|
294 resource responds with the correct `Access-Control-Allow-Origin` header before |
|
295 attempting a native XDR request. |
|
296 |
|
297 * The sub-module `datatype-xml` is now a dependency for `io-xdr`, to support XML |
|
298 response data in XDR transactions. |
|
299 |
|
300 * XDR transport initialization is simplified to one required value -- the path |
|
301 to Flash transport. For example: |
|
302 |
|
303 Y.io.transport({ src:'io.swf' }); |
|
304 |
|
305 |
|
306 3.0.0beta1 |
|
307 ---------- |
|
308 |
|
309 * The `io-queue` sub-module now implements YUI `Queue`. The io queue interface |
|
310 allows transaction callback handlers to be processed in the order the |
|
311 transactions were sent, regardless of actual server response order. |
|
312 For example: |
|
313 |
|
314 * io queue is used to make three requests. |
|
315 |
|
316 * The actual server response order happens to be: transaction 2, 1, 3. |
|
317 |
|
318 * However, using the queue interface, the transaction callbacks are processed |
|
319 in the order of: transaction 1, 2, 3. |
|
320 |
|
321 * All transaction event flows now resolves to `success` or `failure`; the abort |
|
322 event is removed. Transaction abort and timeout conditions resolve to |
|
323 `failure`, and is distinguishable in the response data. Specifically, the |
|
324 response object's `status` and `statusText` properties will be populated as: |
|
325 |
|
326 * `response.status` will be 0. |
|
327 |
|
328 * `response.statusText` will be set to `timeout` or `abort` to differentiate |
|
329 the two possible conditions. |
|
330 |
|
331 * A new `end` event is introduced in the transaction event flow; this is the |
|
332 terminal event for all transactions. Its event handler signature is the same |
|
333 as the `start` event, receiving the transaction id and user-defined arguments. |
|
334 |
|
335 * The global event name is `io:end`. |
|
336 |
|
337 * To subscribe to the transaction event, define the `end` property in the |
|
338 transaction's configuration object. `{on: {end: function(){…} } }`. |
|
339 |
|
340 |
|
341 3.0.0 PR2 |
|
342 --------- |
|
343 |
|
344 * YUI `io` is now comprised of several modules, allowing users to specify and |
|
345 implement only the needed modules. These modules are: |
|
346 |
|
347 * `io-base`: This is the IO base class, using `XMLHttpRequest` as the |
|
348 transport. |
|
349 |
|
350 * `io-xdr`: This sub-module extends IO to enable cross-domain transactions |
|
351 using Flash as the transport. |
|
352 |
|
353 * `io-form`: This sub-module extends IO to enable the serialization of an HTML |
|
354 form as transaction data. |
|
355 |
|
356 * `io-upload-iframe`: This sub-module extends IO, to allow file uploads with |
|
357 an HTML form, using an `iframe` transport. |
|
358 |
|
359 * `io-queue`: This sub-module extends IO to add transaction queuing |
|
360 capabilities. |
|
361 |
|
362 * If defined in the configuration object, user-specified, HTTP `Content-Type` |
|
363 headers will correctly override POST default headers, for HTTP POST |
|
364 transactions. [Ticket #SF2262707] |
|
365 |
|
366 * XML is not supported as a response datatype when using sub-modules `io-xdr` |
|
367 and `io-upload-iframe`. |
|
368 |
|
369 |
|
370 3.0.0 PR1 |
|
371 --------- |
|
372 |
|
373 * Initial Release. |