Giorgio Sardo (Senior Technical Evangelist)
What is HTML5?
- Currently Working Draft
- Microsoft believes that HTML5 is ready to go “Last Call” (Feature Complete) in early May 2011
- This isn’t everything that has been talked about as being HTML5, since several different specs related to HTML5 are being worked on and are at different stages
Developer Web Platform
- Silverlight
- XAML
- Managed Languages
- .NET APIs
- Browser
- HTML
- SVG
- CSS
- Javascript
- Web Apps
- Note: For Microsoft, Silverlight shouldn’t compete with HTML5, but really be an extension of HTML5, since it does things that are currently not possible in HTML5.
- Client Side Frameworks
Comparing some elements between HTML5 and Silverlight
| HTML5 | Silverlight |
| Doctype | App Manifest |
| SVG | XAML Graphics |
| SVG Styles | Resource Dictionaries |
| Canvas | Canvas/WritableBitmap |
| Audio & Video | Audio & Video |
| CSS3 Grid, Flexbox | Layout Controls |
| CSS3 WOFF | Typography |
| CSS3 Transforms | Transforms |
| DOM | OO and Event Model |
| Timer | DispatcherTimer |
| Ecma Script 5 | Managed Languages |
| XDomainRequest | Crossdomainpolicy.xml |
| Web Storage | Isolated Storage |
| windowPerformance | Profiling |
Tools
- Visual Studio 2010 SP1
- Microsoft Expression
- Microsoft Expression Design
- Microsoft Expression Web
- Microsoft Expression Encoder
- Microsoft Expression Super Preview
- AI->Canvas
- AI
- Inkscape
HTML5 DOC Type
- Similar purpose to the AppManifest in Silverlight
SVG
- SVG stands for Scalable Vector Graphics, an XML grammar for stylable graphics, usable as an XML namespace
- Hosted as inline HTML, image, frame
- Similar to XAML
SVG Graphics
- Shapes: ‘path’, ‘rect’, ‘circle’, ‘ellipse’, ‘line’, ‘polyline’ and ‘polygon’
- Text
- Solid Colors, Linear and Radial Gradients, Patterns
- Raster Images
- As in XAML you can use ViewBox
SVG Resources
- ‘defs’ – defines the resources / ‘use’ – uses the resource
- In XAML you can apply a resource to just one scope, while in SVG ‘defs’ are accessible to all, like a Page Resource in XAML
- ‘g’ – groups ‘defs’
- CSS styling
- you can use CSS rules to style SVG
- Everything you draw in SVG has actions and events
- There is no Visual State Manager
HTML5 <Canvas>
- HTML5 <canvas> != Silverlight canvas
- Gives you pixel manipulation
- The content of the <canvas> element is the fallback that will appear if the browser does not support that element
HTML5 <audio> & <video>
- Suggested codec: MPEG-4 (H.264), MP3
- Composite with HTML content
- Not supported
- Full screen
- Smooth Streaming
- DRM
CSS3 Layout
- Silverlight Border = CSS3 Border
- Silverlight Canvas = absolute positioning
- Silverlight Grid = CSS3 Grid (submitted by Microsoft to W3C)
- Silverlight StackPanel = CSS3 Flexbox
- Silverlight ViewBox = SVG ViewBox
CSS3 WOFF
- Typography
- @font-face (submitted by Microsoft and Mozilla to W3C)
Javascript and DOM
- “Classic” Javascript
- APIs exposed by the DOM:
- DOM core
- DOM Events
- DOM HTML
- DOM Style
- … (around 20)
- ECMA Script 5 simplifies the development
- Frameworks
Animations
- setTimeout() and setInterval() are your best friends
- Be careful, since on the Web you have only one thread
Cross Domain Requests
- In Silverlight we have the crossdomainpolicy.xml
- In HTML5 it uses headers (Origin) via XDomainRequest
HTML5 Web Storage
- Similar to Silverlight Isolated Storage
- Local or Session Storage
- Based on Key/Value pairs
- Limit 5MB per domain
- Currently you can’t increase the limit
Profiling
- window.performance.timing.toJSON() – Proposed by Microsoft and currently a standard
Frameworks
- jQuery
- Modernizr
- Raphael
- RxJs
- Script#
- MVVM for JS (????)
More to come …
- Network: HTML5 Web Sockets
- Database: HTML5 IndexedDB
- Devices: HTML5 Media Capture APIs
Resources
Michael Cook (Developer on Silverlight Performance)
- Ideology
- Develop a performance culture in your group
- Test throughout your product cycle
- Automate your performance Tests
- Use your customer’s target hardware
- Performance is a feature, treat it like one!
- Profiling with Visual Studio 2010
- Sampled profiling (Available for Silverlight in the SP1 of VS2010)
- Collects statistics about program execution
- Identifies execution bottlenecks
- Low overhead
- Available on VS2010 Premium and Professional
- If you don’t have it, just use the Windows Performance Toolkit (XPerf) – Free
- Using the “EnableRedrawRegions” flag
- How?
- SilverlightHost host= Application.Current.Host;
- host.Settings.EnableRedrawRegions = true;
- Analyzing memory usage
- What is memory profiling?
- Analysis of the working set of an application
- Careful, the terminology is confusing
- VMMap.chm is a good authority for defining memory related terms
- What is working set?
- Represents the amount of committed virtual memory that is in physical memory and owned by the process
- Most developers only look at “private”
- Getting Started
- VMMap
- Great tool for getting a 30,000 ft view of what’s going on in your app’s memory footprint
- Managed Memory
- WinDbg + Son of Strike (SOS) extension
- Debugger extension for WinDbg
- Allow you to inspect the live managed heap in an application
- Some commands for quick reference
- !loadby sos coreclr
- !dumpheap -stat
- !dumpheap -type <typename>
- !dumpheap -mt <methodtable>
- !gcroot <address>
- !do <address>
- Third-party Memory Profilers are also interesting
- Native Memory
- XPerf native heap analysis
- HeapMonitor.cmd makes it easier (Silverlight Performance Blog)
- HeapMonitor.cmd -p %pid%
- General Tips & Tricks
- Improve Startup
- The cardinal rule
- Do the absolute minimum required to display your main screen
- Methods
- Simplify your XAML
- Load less data and/or load data asynchronously
- Reduce your XAP download size
- Tim Heuer’s “Loading Dynamic XAPs and Assemblies”
- Use a splash screen if needed
- Improve runtime performance
- Reduce the complexity of the visual tree
- Update only what is necessary on the screen
- Use “EnableRedrawRegions”
- Avoid updating elements with effects applied (e.g. shader effects)
- Leverage GPU acceleration and cached composition
- Use BackgroundWorker for long running operations
References
Nick Kramer (Senior Program Manager in the Silverlight Team) nkramer@microsoft.com
Agenda
- Unrestricted File Access
- In Silverlight 4 trusted Apps can access
- Documents
- Music
- Pictures
- Videos
- Silverlight 5 Trusted Apps can access everything
- Using Standard System.IO classes
- Trusted Apps In-Browser
- SL4: OOB apps run trusted with user consent
- SL5: in-browser trusted apps with admin consent
- Set permissions via group policy
- No prompts or installs
- familiar navigation model
- can be part of a large HTML site
| Feature | Sandboxed App | Trusted SL4 App | Trusted SL5 App |
| Prompt-free | No | Yes | Yes |
| Cross domain networking | No | Yes | Yes |
| Full keyboard in fullscreen mode | No | Yes | Yes |
| COM | No | Yes | Yes |
| Unrestricted File Access | No | Special Folders only | Yes |
| P/Invoke | No | No | Yes |
| Run in-browser | No | No | Yes |
- Creating an In-Browser Trusted App
- Part 1 – Ask for Trust:
- In the current Beta it’s just like SL4 trusted OOB
- Set the OOB SecuritySettings ElevatedPermissions = “Required”
- Part 2 – Sign your XAP
- Sign your .xap
- Same as for a trusted OOB
- In Visual Studio or on command line
- Note: if you run an in-browser trusted app in localhost you don’t need to sign your .xap file
- Group Policy
- Actually, only one permission – Trusted or not
- Network admin specifies which publishers are trusted
- Publishers identified by Authenticode certificate
- Put certificate in client machine’s trust publisher store
- Same as ClickOnce
- Xaps are associated with publishers by Authenticode
- The trust is not for a specific app but for a certificate, so every SL5 app that is signed with the same certificate will be trusted
- P/Invoke (Coming Soon) – Only on Windows
- P/Invoke lets you call native code
- COM (SL4) also lets you call native code
- Anything you can do with COM can also be done with P/Invoke
- Strongly Typed
- No COM registration
- P/Invoke is optimized for Win32 APIs & native C/C++ code
- COM is optimized for COM Automation APIs, example Office
- COM & P/Invoke are available on Windows to trusted apps
- How to use it
- Works exactly the same as in the .NET Framework
- Part 1: Setting up the declaration
- [DllImport("kernel32.dll")]
- static extern int GetDriveType(string lpRootPathName);
- Part 2: Using it
- int type = GetDriveType(drive);
- HTML Support (Coming Soon)
- Use HTML inside Silverlight Apps
- To reuse existing HTML/ASP.NET content
- To integrate with outside websites
- In SL4, only OOB apps got the WebBrowser control (based on the WebOC)
- In SL5, in-browser WebBrowser support (based on WebOC/IE)
- Trying to extend that to browsers other than the WebOC
- WebBrowser control
- Currently with SL5 the WebBrowser control in-Browser runs only on IE
- You also have the WebBrowserBrush, which is not interactive but makes it possible to use the browser content as the brush for other controls
- Multiple Windows (Coming Soon)
- Works only in OOB
- System.Windows.Window is now an instantiable class
- Window w = new Window();
- w.Height=400;
- w.Width=600;
- w.Content = new MyUserControl();
- w.Visibility = Visibility.Visible;
- Window titles and positioning are now completely up to the developer, and not as strict as in SL4
- Sandboxed OOBs automatically have the domain name added to the window title as a security measure
- 64-bit (Coming Soon)
- 64-bit machines & apps becoming increasingly common
- SL5 can run in 64-bit process
- 64-bit browsers
- Sidebar on 64-bit Windows
- Why 64-bit is interesting
- Because you don’t get to choose the browser
- Because you’re native hosting in 64-bit process
- Because you need a lot of address space (taking advantage of address space)
- Pivot Viewer (Coming Soon)
- Ships as part of the SL5 SDK
- Dynamic client-based collections
- XAML-based visuals
- You can define your visuals instead of the Bitmap
- You can define different visuals for different zoom levels
- Customizability
- Now we have access to the fonts, sizes, colors, and so on.
- It will have the same process for binding as the DataGrid (ItemsSource)
Silverlight still has size constraints, currently 7 MB with version 5.
Call to Action
Jess Sandquist (Senior Director)
- Announcing: Kinect for Windows SDK – research.microsoft.com/kinectsdk
- Available later this spring
Scott Guthrie (Corporate Vice President)
In December Silverlight 5 was announced
New Features
- Media
- Hardware decode
- Integrating with IE9 Hardware accelerated graphics
- TrickPlay
- Remote Control
- Better Text Quality
- New 3D Api
- Uses the familiar XNA 3D APIs
- 64-bit version
- Projection
- Project 2D Objects in 3D Space
- Binding in Style Setters
- Implicit Data Templates
- DataBinding Debugging
- The Source code for the Demo shown will be available in the near future.
- Announcing: Silverlight 5 Beta, Visual Studio 2010 SP1 Tools for Silverlight 5, Microsoft Expression Blend 5
Scott Guthrie (Corporate Vice President)
Shipped over the Last 12 months:
- Visual Studio 2010
- ASP.NET 4.0
- ASP.NET MVC 3
- WebMatrix & IIS Express
- Razor Syntax
Launched the NuGet project
Contributed to Open Source projects like jQuery
ASP.NET MVC 3
- Announced today a refresh for the ASP.NET MVC 3 tools that includes:
- HTML 5
- jQuery 1.5 + Modernizr
- Entity Framework 4.1 (Shipping officially today)
- Includes the CodeFirst capability
- Scaffolding support in VS2010
- Preinstalled NuGet Packages
WebMatrix
- Popular WebMatrix Helpers
- Facebook
- PayPal
- Twitter
- TemplateMonster.com
- WuFoo
- polldaddy
- bit.ly
- UserVoice
- Get Satisfaction
- Scribd
- DISQUS
- Foursquare
- PlanCast
- EventBrite
- GroupOn
- Web Application Ecosystem
- Several Open Source Web Applications
Orchard CMS
Windows Azure
- Focus on Apps not Infrastructure
- Scale elastically
- Pay only for the resources that you use
- Announcements
- v2 of Access Control Service
- Caching
- CDN
- Traffic Manager
Niels Hartvig – Umbraco CMS
Dean Hachamovitch (Corporate Vice President)
- HTML5: Native Windows
- Real-World HTML5 Applications
- Features
- GPU Acceleration
- Site Pinning
- JumpLists Integration
- SVG Integration
- Applications
- FourSquare
- DirectorsCut
- PacMan
- Test Drive Site: PaintBall Application
- Moving the Web Forward. How?
- Embrace Emerging Web Technologies
- Make them Competitive with “Native Applications”
- Use Hardware Acceleration
- Make them Site-Ready
- Use the Same Markup
- Embrace Web Standards
- Listen to Community Engagement
- Deliver Platform Previews
- IE9 Patterns
- Included Elements
- Standards
- HTML5
- Inline SVG, Parsing Rules, XHTML, Selection APIs, Canvas, Audio & Video, Semantic Tags, Geolocation
- SVG 1.1
- A document as image or object, inline in HTML
- CSS3
- Selection, Namespaces, Colors, Values, Backgrounds and Borders, Fonts, Media Queries, 2D Transforms
- DOM
- Core, Events, Style and Range, …
- ECMAScript 262
- Graphics and Focus
- Web Performance
- Privacy
- Community
- Preview Builds
- Updates approximately every 8 weeks
- Forums
- more open feedback programs
- HTML5 Labs
- Standards
- Open Testing
- Cooperative W3C test results
- Note: the Bold elements were added due to Community feedback
- Demo Recap: IE10
- Performance: Fishbowl
- CSS3 MultiColumn Layout
- CSS3 Grid Layout and CSS3 Flexible Box Layout
- ECMAScript 5 Strict Mode
- CSS3 Gradients
- CSS3 Transitions and CSS3 3D Transforms
- What’s Next
- Take Advantage of IE9 Today
- Emerging Standards at HTML5 Labs for your experimentation
- Take an early look at IE10
Save the Date: Announcing Microsoft’s next Developer Conference – September 13-16, 2011, Anaheim, California
One very important part of security is knowing your threats, and in the Cloud it’s important to know which threats differ from the on-premise environments. Those are:
- Traditional threats, like:
- Cross-site scripting (XSS), SQL Injection
- DoS Attacks, network spoofing, DDoS
- Old threats are mitigated by the system and are the responsibility of the Cloud Vendor
- Patching is automated and instances are moved to secure systems
- Cloud resiliency improves failover across a service
- Also, some of the existing threats are expanded, like:
- Data privacy such as location and segregation
- Abuse of privilege access by admins
- New threats also appear, like:
- Privilege escalations from the virtual machines to hosted server
- Breaking the boundaries between VM’s
- “Hyperjacking”
Windows Azure implements the following security measures:
| Level | Defenses in place |
| Data | Strong storage keys for access control; SSL support for data transfers between all parties involved |
| Application | Partial Trust mode to run public-facing applications; Windows account with least privilege, so that getting into the application does not give access to anything important |
| Host | Special version of the Windows Server 2008 R2 operating system; host boundaries enforced by an external hypervisor |
| Network | Host firewall limiting traffic to the VMs; VLANs and packet filters in routers |
| Physical | World-class physical security; ISO 27001 and SAS 70 Type II certifications for datacenter processes |
Defenses inherited by Windows Azure Platform Applications
| Type of Threat | Defense |
| Spoofing | VLANs, top-of-rack switches, custom packet filtering |
| Tampering / Disclosure | VM switch hardening, Certificate Services, shared-access signatures, HTTPS, side-channel protections |
| Repudiation | Monitoring, Diagnostics Service |
| Denial of Service | Configurable scale-out |
| Elevation of Privilege | Partial Trust runtime, hypervisor custom sandboxing, Virtual Service Accounts |
Windows Azure Data Center Security
- World-Class Physical Security
- 24x7 secured access
- Electronically controlled access systems
- Video camera surveillance
- Motion detectors
- Security breach alarms
- Industry Certifications
- ISO 27001-2005
- SAS 70 Type II
This information was gathered from the following video.
Security is one of the most important parts of Cloud Computing, since we are in a completely different environment from the ones we are used to. When using Cloud Computing, “the platform is managed for us” rather than “us managing our platform”.
Another thing that is completely different between On-Premise and the Platform as a Service model is that instead of having full control of the platform (Physical/Network/Host/Application and Data), we really only control the Data and the Application; the rest is the responsibility of our vendor, which in the Windows Azure Service Platform case is Microsoft. But with this managed by Microsoft, we need assurance that our data is secure and protected, even from Microsoft Admins.
So some of the Cloud Security Concerns are:
- Where is my data located? Is the data stored somewhere that is permitted by my country’s laws and regulations?
- Is the Microsoft Cloud “secure”?
- Who can see my data?
- How do you make sure my company data follows “the rules”? (Country rules and laws)
And for all of this, Cloud Security needs a mind shift, since:
- Much of the traditional infrastructure security moves to the platform and application layers, where we are unable to change it. So we need to do something different:
- Network Access Control Lists and Firewalls become host packet filters and virtual filters
- Reduction of the attack surface, least privilege, user authentication and input sanitization become key concerns when designing and developing an application.
- Platform- and network-level encryption will still play a very important role, but the most important point is that the developer becomes more responsible for the application security and encryption design.
In order to manage the Security on Windows Azure we can use:
- Service Management Security
- Customers create a Windows Azure subscription using LiveID credentials
- Live ID is one of the longest running Internet Authentication Services available
- Hosted services and storage accounts are managed through LiveID or through the Service Management API (SMAPI) with user-generated public/private key pairs.
- The SMAPI protocol runs over SSL and is authenticated with the user-generated public/private keys.
- All communication between the several Windows Azure internal components is encrypted using SSL, and the communication between the Fabric Controller and the managed nodes is unidirectional.
By default the Web Roles run in partial trust mode, and the recommendation is that all public-facing roles use Partial Trust and avoid holding secret information. Instead, that information should be passed to a higher-trust role, for example a Worker Role running in Full Trust mode with only Internal Endpoints.
Within each Windows Azure Subscription a developer can create multiple storage accounts, and each account has 2 keys in order to provide the key rollover capability, the same way we change our passwords frequently in order to maintain security.
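The two-key rollover described above, as an added example (not from the session or Microsoft's SDK): the service accepts signatures made with either key, so the keys can be regenerated one at a time without rejecting any deployed client. The string-to-sign is a simplified stand-in (an assumption) for Azure's canonicalized request, and the account name and request values are constructed.

```python
import base64
import hashlib
import hmac
import os


def new_key() -> str:
    """Generate an account key: Azure keys are base64 of random bytes."""
    return base64.b64encode(os.urandom(64)).decode()


def sign(key_b64: str, method: str, path: str, date: str) -> str:
    """HMAC-SHA256 keyed with the base64-decoded account key, as SharedKey does.
    The string-to-sign is a simplified stand-in (assumption) for Azure's real one."""
    string_to_sign = f"{method}\n{date}\n{path}".encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


class StorageAccount:
    """Service side: holds both keys and verifies incoming requests."""
    def __init__(self, name: str):
        self.name = name
        self.keys = {"primary": new_key(), "secondary": new_key()}

    def regenerate(self, which: str) -> None:
        self.keys[which] = new_key()

    def verify(self, auth: str, method: str, path: str, date: str) -> bool:
        scheme, _, rest = auth.partition(" ")
        account, _, sig = rest.partition(":")
        if scheme != "SharedKey" or account != self.name:
            return False
        # A signature made with EITHER key is accepted; that is what lets the
        # keys be rotated one at a time without rejecting any client.
        return any(hmac.compare_digest(sig, sign(k, method, path, date))
                   for k in self.keys.values())


class Client:
    """A deployed role that holds a copy of one key in its configuration."""
    def __init__(self, account: str, key: str):
        self.account, self.key = account, key

    def authorization(self, method: str, path: str, date: str) -> str:
        return f"SharedKey {self.account}:{sign(self.key, method, path, date)}"


def rollover_demo() -> dict:
    """Rotate both keys and record whether each request is still accepted."""
    req = ("GET", "/photos/blob.txt", "Tue, 12 Apr 2011 10:00:00 GMT")  # constructed
    acct = StorageAccount("myaccount")
    old = Client("myaccount", acct.keys["primary"])       # deployed with old primary
    results = {"before": acct.verify(old.authorization(*req), *req)}
    acct.regenerate("secondary")                          # 1. fresh secondary key
    results["during"] = acct.verify(old.authorization(*req), *req)
    new = Client("myaccount", acct.keys["secondary"])     # 2. redeploy on secondary
    acct.regenerate("primary")                            # 3. old primary is now dead
    results["old_key_after"] = acct.verify(old.authorization(*req), *req)
    results["new_key_after"] = acct.verify(new.authorization(*req), *req)
    return results
```

A leaked primary key stops working at step 3, while clients moved to the fresh secondary in step 2 never see a rejected request.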
SQL Azure Security
- Same security model as the SQL Server authentication model
- SQL Server Logins
- Authenticate access to SQL Azure
- Database Users
- Grant access to the database level
- Database Roles
- Group users and grant to the database level
- Only SQL Server authentication is supported
- Users must provide credentials every time they connect
- Password resets will not force a connection to be re-authenticated
- Every 60 minutes after the last authentication, a re-authentication is performed automatically; if the password was updated in the meantime, the new password is used instead
- During the provisioning process, SQL Azure creates a login for you that is the server-level principal, similar to the SA (System Administrator) login in SQL Server.
- Used to create additional user accounts
- Only available through TCP port 1433, so customers need to configure their internal firewalls to allow outgoing requests to this port.
- Source IP address needs to be authorized in SQL Azure Firewall