Closed Bug 155749 Opened 22 years ago Closed 13 years ago

Implement DOM3 Load/Save


(Core :: DOM: Core & HTML, defect)

Not set





(Reporter: bzbarsky, Unassigned)




(Keywords: helpwanted, meta)


(4 files)

Keywords: meta
Priority: -- → P2
QA Contact: gerardok → bzbarsky
Target Milestone: --- → Future
Depends on: 133827
dup of bug 55394 comment #4.
yeah, except I'm working on this and this is the bug I'm using to track the work
that needs to happen for a full implementation...
Blocks: 55394
Depends on: 159311
Blocks: 139276
Blocks: 137240
Blocks: 146220
Component: DOM Other → DOM Load and Save
QA Contact: bzbarsky → stummala
I think 1.2alpha should be the timeframe we aim for most of the implementation,
and hopefully we can expose the interfaces in 1.3 (hoping the spec would be in a
final state by then).
nsbeta1+ for internal stuff. Like I said, we should expose the interfaces later
when the spec becomes final. 

Let's keep it in the 1.2alpha milestone to remind us of the work, and move it to
a later milestone (1.3?) to do the interfaces.
Keywords: nsbeta1+
Target Milestone: Future → mozilla1.2alpha
Blocks: 165606
hasn't happened yet, and alpha shipped..
Target Milestone: mozilla1.2alpha → mozilla1.3alpha
Priority: P2 → P3
Target Milestone: mozilla1.3alpha → Future
I don't know when I'll have time to get to this.
Keywords: helpwanted
Priority: P3 → P5
Can't 'load()' be load from another domain? 
No, for security reasons.
is it specification? 
What security problem is there? 
The problem that one site would be able to load and read another while using
your cookies and cached authentication tokens.

E.g. a random ad server could find out the balance in your bank account.
Yes, I also know the problem. 
However, I think user has the right to choose ... about does it load? or
doesn't it load.

For example, it warns in a dialog, and it can choose. 
Or it sets up by pref... or Menu...

load is very useful for Web automation.
The user almost certainly does not have enough information to make that choice.
 Users who think they do can disable the security check altogether via setting
the appropriate hidden pref.

> load is very useful for Web automation.

We don't want to make automating attacks too easy, though.
I agree that reading thirs party sites might pose a problem but are you going 
to require all web sites to host their DTDs and schemas localy so the DOM 
objects will be allowed to load them? Even in the case of standard ones, such 
That may be required, yes.  For standard ones, we may simply provide redirects
inside mozilla...
>setting the appropriate hidden pref

Oh! nice. Where is it? 

>We don't want to make automating attacks too easy, though.

I of the feeling am the same as you. 
but wants only a few freedom... 

On Frames and Sub Windows , aother domain cannot be accessed. 
However, it can load.
If they cannot be read, I think that Web was boring. 

Test Example
No plans to work on this any time in the foreseeable future, so to default owner.
QA Contact: stummala → ian
Priority: P5 → --
Target Milestone: Future → ---
No plans to work on this anytime soon.
Assignee: bz-vacation → general
Blocks: 72494
(we should so just wontfix this. Is there anything this does that XMLHttpRequest
doesn't and that people really want?)
Yes, this allows various ways of serializing a DOM and parsing a DOM.  People
use the DOMParser and DOMSerializer in Mozilla a good bit, so apparently there's
something that XMLHttpRequest just doesn't provide... ;)
Notwithstanding the uses which are just plain wrong [1], it seems that there is
basically just one DOMParser feature used from script, parseFromString(), and
one DOMSerializer feature used, serializeToString(). (And the baseURI feature of
the DOMParser seems to be only available from native code.)

Given that these features can all be provided using a grand total of two
methods, and that we can in fact make the API to use them *even simpler* than
what we have now [2], I see absolutely _no_ reason to propose that people use
the DOM3 Load and Save API, which is massively more complicated.

[1] I found one case that used a DOMParser to create a new Document with just
one node, and one case that used DOMSerializer to get a string that it then
passed to E4X to have reparsed into XML.

[2] I would suggest that instead of having to create a DOMParser and then invoke
a method on it, we just have createDocumentFromString() or parseXML() method on
the Window or DOMImplementation objects. Then you could just do:

   var myDoc = window.parseXML(s);

...instead of the two lines you need now (or the even more lines you'd need with
DOM3 LS). Similarly to serialise to XML we can just use document.toXMLString()
or some such, we don't need a new interface.

By "we" here I mean either the DOMWG or the WHATWG, and implemented by the
browser vendors instead of DOM3LS.

First off, I have no strong opinions on what API to use.  Here's how the
functionality stands off the top of my head:

Features provided by DOMParser/DOMSerializer/DOM3LS that people use that are not
present in your (corrected) model:

-Parsing/serializing to/from streams.  Certainly people parse from streams...  I
can see serializing to streams in a number of cases (eg when trying to produce a
POST data stream with multiple parts in a useful way without trying to create
all the MIME headers by hand).

Features provided bug DOM3LS that are needed but we don't provide anywhere:

-Reporting of XML parse errors (we have bugs on trying to do this in a sane way
for XMLHttpRequest and DOMParser).

Keep in mind that there's more to Mozilla than just the web aspect.  We want a
significant amount of the DOM3LS functionality (all except the filters part is
definitely needed, as far as I can see) for the platform aspect, basically.  We
could use the DOM3LS api for it, or we could use our own private little API
(DOMParser+DOMSerializer+whatever)...  But the functionality is still needed.
For our own platform, we *really* should not use DOM3LS. That API is horrendous.
DOMParser/DOMSerializer work quite well, and are already implemented and used; I
see no reason to change Mozilla-the-platform to use something else at this point.
If there are missing features, they should IMHO be filed as separate bugs on
improving those APIs.

For the Web side, I don't really understand how streams would work, and I think
if the API I mentioned earlier would be much better than DOM3LS.

DOM3LS is, with no offence intended to those involved, a committee-written mess.
> For the Web side, I don't really understand how streams would work

Web content can create streams if it requests UniversalXPConnect privileges first.

Like I said, I'm not particularly tied to this API, but if we're going to
reinvent this wheel we would do well to actually design what our proposed API
will look like instead of doing it bit by bit.  Adding things like error
reporting to an existing API in a sane way is really hard.

Regarding error handling, is there really a use case for having more detailed
error reporting than the current Error exception? (Which already includes pretty
much everything the user needs to know, albeit without letting the script know
much about what exactly the error is.)
At the moment, DOMParser does not report any XML well-formedness errors in any
useful way.  This has come up as an issue over and over again -- people need to
be able to tell what happened if their XML doesn't parse, and specifically they
want to get all the information in the message we'd normally output in
red-on-yellow when you load a malformed XML file.
I suggest filing that bug then. Implementing all of DOM3LS just to get error
handling in DOMParser seems a little over the top. :-)
There are bugs filed on these various issues already.
(we should so just wontfix this)
While I can appreciate that there might be other higher priorities, "won't fix" (as in ever) seems to be too strong for a browser claiming to adhere to web standards. Just because the functionality already exists in a non-standard way doesn't make a standard useless! Regardless of the perceived complexity (could multiple APIs be used?), DOM Level 3 is a standard, and besides being familiar to those who use it in other applications, it facilitates cross-browser solutions. And 20 votes is not that small of a small number from the bugs I've seen. Thank you.
> DOM Level 3 is a standard

So are a lot of other things that we shouldn't be implementing...  I suggest you take a look at
A simple (and quite incomplete) JavaScript skeleton/wrapper with some examples implementing existing DOMParser and XMLSerializer functionality using basic Load/Save API (i.e., a simple workaround).
Regarding cross-domain loading, do you have to send all the session information when a document is loaded?  And if that's necessary for some applications which load local files, can you restrict it to local files but still allow remote files to be requested?
Would it be possible to implement--for the web at least--just the current DOMParser and XMLSerializer features (perhaps just wrapping them internally like I did in JavaScript with my simple attachment) and forget about streams, or even the error handling you mentioned, etc.--just the functionality you already support? As a web developer, I'd like to be able to utilize these very basic features with an API which was not Mozilla-only (or Mozilla + IE, etc.). If other browsers implement the DOM 3 API in the future, of course such code should remain compliant into the future.

As taken from my comments in the attachment, this is all that is needed in DOM Level 3 for serialization:

  var ser = DOMImplementationLS.createLSSerializer();
  var str = ser.writeToString(document);

And while parsing to DOM is a bit more cumbersome...

  var lsInput = DOMImplementationLS.createLSInput();
  lsInput.stringData = '<myXml/>';

  var lsParser = DOMImplementationLS.createLSParser(1, null);
  var doc = lsParser.parse(lsInput);

These can easily be wrapped by the user in utility functions (I find a need to wrap the Mozilla API anyways, since I use these methods quite often).

It'd also be awesome if it could work with XML depending on an external DTD for entities.

Thank you very much!
I have a few requirements for loading an XML file.

1. In addition to http:, it must work for file: (so a local page can load a local xml file) without changing the loading code.

2. Must have a simple way to set a callback function that fires if the xml file is found and parsed without errors.

3. Must be async.

4. Must have a simple way to set a callback function that fires when there's an error.

5. Must not have to detect a parse error by checking the new document for a documentElement and or making sure that getElementsByTagNameNS("", "parsererror").length === 0. A parse error should be part of #4.

I can hack that together with XMLHttpRequest like this:

, but that's not very straightforward, fails #2, #4 and #5 and MS doesn't allow XHR to work for file:.

I can use document.load(), but that fails #5 and #4, is an old version of load and save, not supported in Safari and the async version fails in Opera (including how exceptions are thrown).

However, with DOM3 LS, I can do this:

var parser = this.createLSParser(this.MODE_ASYNCHRONOUS, null);
parser.domConfig.setParameter("error-handler", function(err) {
parser.addEventListener("load", function(e) {
}, false);

, which is great, simple, intuitive, straightforward and way easier than XHR even.

Now, Opera is the only one that supports it. (The load event never fires in Opera right now though because of a bug. The synchronous mode, which causes parseURI to just return the doc works fine though.)

But, it'd be lovely if all browsers supported Load and Save.

Further, wrapping those few lines in DOMImplementation.prototype.loadXMLFile, makes it even better.

Now, there's a lot more to Load and Save than that (like writeToURI), but the above is the main part I'd like.
I don't see how getting all browsers to implement Load&Save is easier for your use case than getting them to improve XHR.  For example, #5 will be fixed once we implement the current draft XHR spec; a readystate handler will do most of #2 and #4 for you, and IE adding XHR for file:// is much more likely than IE implementing Load and Save.
(In reply to comment #40)
> I don't see how getting all browsers to implement Load&Save is easier for your
> use case than getting them to improve XHR.


> For example, #5 will be fixed once
> we implement the current draft XHR spec;


> a readystate handler will do most of
> #2 and #4 for you,

Yeh, I can make that work using readyState by wrapping things etc. XHR should support 'load' and 'error' events also though. Then, that would solve that part.

> and IE adding XHR for file:// is much more likely than IE
> implementing Load and Save.

I reported the issue for IE fwiw. Not sure what they'll do, but maybe they'll fix that.  The XHR spec doesn't really cover "file:" though, so they probably won't do anything unless it's in the spec. I really think the browser should make "file:" give a status of 200 when the file is found and readable to be consistent with http (so you don't have to have extra code conditions for file:)

Load and Save does it exactly like I want. If XHR can be extended to also do the same as an option, then yeh, that'd be acceptable. In fact, I don't see how making XHR also support onload and onerror (in addition to onreadystatechange) would interfere with anything.

But, also want to make sure saving to file: from a file: page works with XHR across the board.
Assignee: general → nobody
QA Contact: ian → general
Blocks: 212218
(In reply to Hixie (not reading bugmail) from comment #32)
> (we should so just wontfix this)

Closed: 13 years ago
Resolution: --- → WONTFIX
Component: DOM: Other → DOM
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.