Friday, January 25th, 2008

Prototype security and performance improvements

Category: JavaScript, Library, Prototype

Sam and the team have released Prototype (and

Prototype is a backwards-compatible, drop-in replacement recommended for all 1.6.0 users. We’ve fixed 28 bugs and made over a dozen improvements to the code base, including performance improvements for CSS selectors in Safari 3 and for the Element#up/#down/#next/#previous and Event#findElement methods in all browsers. We’re also now officially supporting the Opera browser, version 9.25 and higher. You can get the full scoop on all the changes in the CHANGELOG.

They also fixed a (minor) security hole:

Among the numerous bug fixes is a change to the way Ajax.Request handles automatic JavaScript response evaluation. Previous versions of Prototype relied on the browser’s XMLHttpRequest same-origin policy to ensure that response bodies with a content type of text/javascript were safe to evaluate. Alexey Feldgendler from Opera kindly alerted us to the possibility that certain non-browser environments (like Opera’s widget system) do not enforce the same-origin policy and as such may be subject to cross-domain script exploits. To combat this we’ve added an Ajax.Request#isSameOrigin method which returns true when a request is being made to the same domain, port, and protocol as the document. Furthermore, Prototype will no longer automatically evaluate JavaScript response bodies when this method returns false.

Go drop in that puppy.

Posted by Dion Almaer at 6:57 pm




Packed version already available?

Comment by r0land — January 26, 2008

There’s also a brand new cheat sheet for

Comment by kangax — January 26, 2008

packed versions at:

Comment by jdalton — January 26, 2008

maybe some improvements…. but I’m about to revert to, not being able to find a calendar (date picker for forms) working with….

calendar date select is broken

calendar view too
(I don’t know any other with enough features)

I’m able to do basic prototype programming, but those things are way too advanced for me…. I couldn’t fix the bugs raised… it’s not just a javascript error, it’s a “not work anymore at all on any browser” issue…

so just be sure you have good ways to revert to the previous version if things go bad before migrating a project (as I did :( ). I cannot agree with “backwards-compatible, drop-in replacement”; unfortunately it is not….

Comment by jujudellago — May 20, 2008
