- Implement TLS certificate verification and enable it by default in the Ruby
client class
Faye::Client
- Add a
:tls
option to the Ruby client with sub-field:verify_peer
for configuring TLS verification - Officially support the
tls
option in the Node.js client, whose contents are forward to thehttps
andtls
modules as appropriate
- Support
user:pass@
authorization in URIs and sendAuthorization
headers from the Node HTTP transport - Support IPv6 hostnames in URIs
- Allow credentials (cookies and
Authorization
headers) in cross-origin requests, by:- setting
Access-Control-Allow-Origin
to the value of theOrigin
header (not*
) - enabling
Access-Control-Allow-Credentials
- setting
- Enable credentials when sending cross-origin requests
- Don't disconnect WebSocket on page unload if
autodisconnect
is turned off - Catch errors when creating a WebSocket, which happens when Content Security Policy blocks it, allowing other transports to be tried
- Fix a bug in the client where it handles messages from other clients as though
they're the server's response to its own messages, based on the
id
field; now we only treat messages as server responses if they containsuccessful: true
- Stop sending an empty message list
[]
from the WebSocket client as a keep-alive mechanism since CometD does not accept this message - Fix deprecation warnings for using the
new Buffer()
constructor - Switch to the Apache 2.0 license
- Fix
/meta/*
channel recognition bug in the server that enables authentication bypass
- Fix
RackAdapter#get_client
that was failing due to a URI error - Define
Promise#catch
in a safe way for old browsers - Log errors in the Node HTTP transport
- Return an error if the
data
field is missing on published messages - Fix errors that occur in the new
websocket
util when the browser does not support WebSocket
- Mitigate the HTTPoxy vulnerability: https://httpoxy.org/
- Fix a missing variable error in
NodeAdapter
- Add
client.subscribe().withChannel()
to yield the message channel for wildcard subscriptions - Restructure the JavaScript codebase around Node modules (require/exports) rather than globals
- Update the Promise shim to reflect the standard API, including
catch()
andall()
- Support connecting to servers that use SNI in the Ruby client
- Make the JavaScript client work inside React Native and Web Workers
- Remove JSON2; you should import a JSON shim yourself if necessary
- Handle errors that occur when a message is partially delivered via EventSource
- Reject requests with invalid (non-array or -object) top-level JSON values
- Make local client requests asynchronous to avoid re-entrant request handling errors
- Remove
Connection: Close
from HTTP responses to allow use of keep-alive - Use
XMLHttpRequest
in preference to the ActiveX API in IE10 - Fix bug where flushing large message batches puts promises in an invalid state
- Fix
/meta/*
channel recognition bug in the server that enables authentication bypass
- Allow the
Authorization
header to be used on CORS requests - Disallow unused methods like PUT and DELETE on CORS requests
- Stop IE prematurely garbage-collecting
XDomainRequest
objects - Make sure messages can be sent if they overflow the request size limit and the outbox is empty
- Don't send messages over WebSockets unless they are in the 'open' ready-state
- Fix a bug preventing use of the in-process transport in Ruby
- Make sure the client ID associated with a WebSocket is not dropped, so the socket can be closed properly
- Handle cases where a JSON-P endpoint returns no response argument
- Stop trying to retry messages after the client has been disconnected
- Remove duplication of the client ID in EventSource URLs
- Allow the server and client to use WebSocket extensions, for example permessage-deflate
- Support the
HTTP_PROXY
andHTTPS_PROXY
environment variables to send all client connections through an HTTP proxy - Introduce the
Scheduler
API to allow the user to control message retries - Add the
attempts
anddeadline
options toClient#publish()
- Let
RackAdapter
take a block that yields the instance, so extensions can be added to middleware - Allow monitoring listeners to see the
clientId
on publishd messages but still avoid sending it to subscribers - Return a promise from
Client#disconnect()
- Fix client-side retry bugs causing the client to flood the server with duplicate messages
- Send all transport types in the
supportedConnectionTypes
handshake parameter - Don't close WebSockets when the client recovers from an error and sends a new
clientId
- Replace
cookiejar
withtough-cookie
to avoid global variable leaks
- Fix
/meta/*
channel recognition bug in the server that enables authentication bypass
- Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
- http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
- Add
Adapter#close()
method for gracefully shutting down the server - Fix error recover bug in WebSocket that made transport cycle through
up
/down
state - Update Promise implementation to pass
promises-aplus-tests 2.0
- Correct some incorrect variable names in the Ruby transports
- Make logging methods public to fix a problem on Ruby 2.1
- Client changes:
- Allow clients to be instantiated with URI objects rather than strings
- Add a
ca
option to the NodeClient
class for passing in trusted server certificates - Objects supporting the
callback()
method in JavaScript are now Promises - Fix protocol-relative URI parsing in the client
- Remove the
getClientId()
andgetState()
methods from theClient
class
- Transport changes:
- Add request-size limiting to all batching transports
- Make the WebSocket transport more robust against quiet network periods and clients going to sleep
- Support cookies across all transports when using the client on Node.js or Ruby
- Support custom headers in the
cross-origin-long-polling
and server-sidewebsocket
transports
- Adapter changes:
- Support the
rack.hijack
streaming API - Migrate to MultiJson for JSON handling on Ruby, allowing use of JRuby
- Escape U+2028 and U+2029 in JSON-P output
- Fix a bug stopping requests being routed when the mount point is
/
- Fix various bugs that cause errors to be thrown if we try to send a message over a closed socket
- Remove the
listen()
method fromAdapter
in favour of using server-specific APIs
- Support the
- Server changes:
- Use cryptographically secure random number generators to create client IDs
- Allow extensions to access request properties by using 3-ary methods
- Objects supporting the
bind()
method now implement the fullEventEmitter
API - Stop the server from forwarding the
clientId
property of published messages
- Miscellaneous:
- Support Browserify by returning the client module
Faye.logger
can now be a logger object rather than a function
- Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
- http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
- Specify ciphers for SSL on Node to mitigate the BEAST attack
- Mitigate increased risk of socket hang-up errors in Node v0.8.20
- Fix race condition when processing outgoing extensions in the Node server
- Fix problem loading the client script when using
{mount: '/'}
- Clean up connection objects when a WebSocket is re-used with a new clientId
- All JavaScript code now runs in strict mode
- Select transport on handshake, instead of on client creation to allow time for
disable()
calls - Do not speculatively open WebSocket/EventSource connections if they are disabled
- Gracefully handle WebSocket messages with no data on the client side
- Close and reconnect WebSocket when onerror is fired, not just when onclose is fired
- Fix problem with caching of EventSource connections with stale clientIds
- Don't parse query strings when checking if a URL is same-origin or not
- Patch security hole allowing remote execution of arbitrary Server methods
- Make sure messages pushed to the client over a socket pass through outgoing extensions
- Fix a bug in
URI.parse()
that caused Faye endpoints to inherit search and hash fromwindow.location
- Optimise upgrade process so that WebSocket is tested earlier and the connection is cached
- Check that EventSource actually works to work around broken Opera implementation
- Emit
connection:open
andconnection:close
events from the Engine proxy - Increase size of client IDs from 128 to 160 bits
- Fix bug with relative URL resolution in IE
- Limit the JSON-P transport's message buffer so it doesn't create over-long URLs
- Send
Pragma: no-cache
with XHR requests to guard against iOS 6 POST caching - Add
charset=utf-8
to response Content-Type headers
Client#subscribe
returns an array of Subscriptions if given an array of channels- Allow different endpoints to be specified per-transport
- Only use IE's
XDomainRequest
for same-protocol requests - Replace URL parser with one that treats relative URLs the same as the browser
- Improve logging of malformed requests and detect problems earlier
- Make sure socket connections are closed when a client session is timed out
- Stop WebSocket reconnecting after
window.onbeforeunload
- Fix replacement of
null
with{}
incopyObject()
- Make EventSource transport trigger
transport:up/down
events - Supply source map for minified JavaScript client, and include source in gem
- Return
Content-Length: 0
for 304 responses - Handle pre-flight CORS requests from old versions of Safari
- Make
Publisher#trigger
safe for event listeners that modify the listener list - Make
Server#subscribe
return a response if the incoming message has an error - Fix edge case in code that identifies the
clientId
of socket connections - Return
Content-Length
headers for HTTP responses - Don't send empty lists of messages from the WebSocket transport
- Stop client sending multiple
/meta/subscribe
messages for subscriptions made before handshaking - Stop client treating incoming published messages as responses to
/meta/*
messages
- Extract the Redis engine into a separate library,
faye-redis
- Stabilize and document the Engine API so others can write backends
- Extract WebSocket and EventSource tools into a separate library,
faye-websocket
- Improve use of WebSocket so messages are immediately pushed rather than polling
- Introduce new EventSource-based transport, for proxies that block WebSocket
- Support the Rainbows and Goliath web servers for Ruby, same as
faye-websocket
- Improve detection of network errors and switch to fixed-interval for reconnecting
- Add
setHeader()
method to Client (e.g. for connecting to Salesforce API) - Add
timeout()
method toFaye.Deferrable
to matchEventMachine::Deferrable
- Fix some bugs in client-side message handlers created with
subscribe()
- Improve speed and memory consumption of
copyObject()
- Switch from JSON to Yajl for JSON parsing in Ruby
- Patch security hole allowing remote execution of arbitrary Server methods
- Extension
added()
andremoved()
methods now receive the extended object - Detection of WebSockets in RackAdapter is more strict
- Provide an event API for monitoring engine events on the server side
- Implement server-side WebSocket connections for improved latency
- Fix WebSocket protocol bugs and expose APIs for developers to use
- Make server-side HTTP transports support SSL and cookies
- Allow clients to disable selected transports and autodisconnection
- Add callback/errback API to
Client#publish()
interface - Add
socket
setting for the Redis engine for connecting through a Unix socket
- Patch security hole allowing remote execution of arbitrary Server methods
- Cache client script in memory and add
ETag
andLast-Modified
headers - Fix bug in Node Redis engine where
undefined
was used if no namespace given - Flush Redis message queues using a transaction to avoid re-delivery of messages
- Fix race condition and timing errors present in Redis locking code
- Use
Cache-Control: no-cache, no-store
on JSON-P responses - Improvements to the CORS and JSON-P transports
- Prevent retry handlers in transports from being invoked multiple times
- Use the current page protocol by default when parsing relative URIs
- Add
:key
and:cert
options to theAdapter#listen
methods for setting up SSL - Fix error detection of CORS transport in IE9 running IE8 compatibility mode
- Fix dependency versions so that Rubygems lets Faye install
- Fix UTF-8 encoding bugs in draft-75/76 and protocol-8 WebSocket parsers
- Switch to streaming parser for WebSocket protocol-8
- Remove an
SREM
operation that shouldn't have been in the Redis engine - Move
thin_extensions.rb
so it's not on the Rubygems load path
- Support WebSocket protocol used by Chrome 14 and Firefox 6
- Fix handling of multibyte characters in WebSocket messages on Node
- Improve message routing in Node memory engine to avoid false duplicates
- Use sequential message IDs to reduce memory usage on the client side
- Only send advice with handshake and connect responses
- Stop trying to publish
/meta/*
messages - no-one is listening and it breaks/**
- Fix bug causing invalid listeners to appear after a client reconnection
- Stop loading
rubygems
within our library code - Make sure we only queue a message for each client once in the Redis engine
- Use lists instead of sets for message queues in Redis
- Improve clean-up of expired clients in Redis engine
- Add authentication, database selection and namespacing to Redis engine
- Clean up all client data when removing clients from Redis
- Fix
cross-origin-long-polling
forOPTIONS
-aware browsers - Update secure WebSocket detection for recent Node versions
- Reinstate
faye.client
field in Rack environment
- Fix
cross-origin-long-polling
support inRackAdapter
- Plug some potential memory leaks in
Memory
engine
- Extract core logic into the
Engine
class to support swappable backends - Introduce a Redis-backed engine to support clustered web front-ends
- Use CORS for
cross-domain long-polling
- Make server more resilient against bad requests, including empty message lists
- Perform subscription validation on the server and use errbacks to signal errors
- Prohibit publishing to wildcard channels
- Unsubscribing from a channel is now O(1) instead of O(N)
- Much more thorough and consistent unit test coverage of both versions
- Automatic integration tests using Terminus and TestSwarm
- Open a real socket to check for WebSocket usability, not just object detection
- Catch server-side errors when handshaking with WebSockets
- Add a
#callback
method toSubscriptions
to detect when they become active - Add
:extensions
option toRackAdapter
to make it easier to extend middleware - Detect secure WebSocket requests through the
HTTP_X_FORWARDED_PROTO
header - Handle socket errors when sending WebSocket messages from
NodeAdapter
- Use exponential backoff to reconnect client-side WebSockets to reduce CPU load
- Improve detection of
wss:
requirement for secure WebSocket connections - Correctly use default ports (80,443) for server-side HTTP connections
- Support legacy
application/x-www-form-urlencoded
POST requests - Delete unused Channel objects that have all their subscribers removed
- Fix resend/reconnect logic in WebSocket transport
- Keep client script in memory rather than reading it from disk every time
- Prevent error-adding extensions from breaking the core protocol
- Support draft-76 of the WebSocket protocol (FF4, Chrome 6)
- Reduce
Connection::MAX_DELAY
to improve latency
- Fix a publishing problem in Ruby
LocalTransport
- Handle multiple event listeners bound to a channel
- Add extension system for adding domain-specific logic to the protocol
- Improve handling of client reconnections if the server goes down
- Change default polling interval to 0 (immediate reconnect)
- Add support for WebSockets (draft75 only) as a network transport
- Remove support for Ruby servers other than Thin
- Make client and server compatible with CometD (1.x and 2.0) components
- Improve clean-up of unused server-side connections
- Change Node API for adding Faye service to an HTTP server
- Stop local clients going into an infinite loop if a subscription block causes a reconnect
- Bring Node APIs up to date with 0.1.97
- Catch
ECONNREFUSED
errors in Node clients to withstand server outages - Refactor the
Server
internals
- Fix problems with JSON serialization when Prototype, MooTools present
- Make the client reconnect if it doesn't hear from the server after a timeout
- Stop JavaScript server returning
NaN
foradvice.interval
- Make Ruby server return an integer for
advice.interval
- Ensure EventMachine is running before handling messages
- Handle
data
andend
events properly in Node HTTP API - Switch to
application/json
for content types and stop using querystring format in POST bodies - Respond to any URL path under the mount point, not just the exact match
- Pass client down through Rack stack as
env['faye.client']
- Refactor some JavaScript internals to mirror Ruby codebase
- Add server-side clients for Node.js and Ruby environments
- Clients support both HTTP and in-process transports
- Fix ID generation in JavaScript version to 128-bit IDs
- Fix bug in interpretation of
**
channel wildcard - Users don't have to call
#connect()
on clients any more - Fix timeout race conditions that were killing active connections
- Support new Node APIs from 0.1.29.
- Kick out requests with malformed JSON as 400s
- Fix server-side flushing of callback-polling connections
- Backend can be used cross-domain if running on Node or Thin
- Port server to JavaScript with an adapter for Node.js
- Support Thin's async responses in the Ruby version for complete non-blocking
- Fix some minor client-side bugs in transport choice
- Fix a broken client build
- Ruby Bayeux server and Rack adapter
- Internally evented using EventMachine, web frontend blocks
- JavaScript client with
long-polling
andcallback-polling