Polymer 3.0 preview

Preview of main features and updates of upcoming Polymer 3.0
29 August 2017

At the 2017 Polymer Summit in Copenhagen, the development team announced one of the biggest changes to the developer workflow:

  • Polymer is moving from Bower to npm.
  • We're switching to using ES6 modules instead of HTML Imports.

At the moment, the team is still previewing these changes and waiting for feedback. If you are starting a new project, they recommend using Polymer 2.x. The developers will try to make the migration process as smooth as possible.

The Polymer 3.0 API will be essentially identical to the 2.x API. All of the classes, mixins, elements, template system, and other APIs that are a part of Polymer 2.x are being ported to modules, including the Polymer 1.x legacy syntax. All of the knowledge that Polymer developers have will translate directly to Polymer 3.0.

Also, a tool called Polymer Modulizer will automate the conversion of your current elements and apps to Polymer 3.0. This tool will be available immediately as part of the preview and has already been tested against the Polymer library and the full set of Polymer elements.

Why did the developers decide to move to other technologies?

According to the team, moving to ES6 modules and npm has several advantages:

  • Polymer becomes more compatible with the workflow and tools that a huge number of JavaScript developers are familiar with.
  • Polymer elements and applications will run without any polyfills on recent versions of Chrome, Opera, and Safari. When Edge and Firefox ship custom elements and shadow DOM, Polymer will run polyfill-free on those browsers, too.
  • You'll be able to work with regular JavaScript libraries more easily, whether you're importing a Polymer element into a library, or using a library inside an element.

Since the beginning, Polymer has used HTML Imports to load dependencies. HTML Imports have a lot of benefits:

  • Web-native loading mechanism. No build tools are required to load code using HTML Imports.
  • Transitive loading of dependencies with ordered evaluation. That is, if A imports B, and B imports C, C and B are loaded and evaluated before A.
  • Deduplication of dependencies by URL. Each import is downloaded and evaluated only once, even if imported multiple times.
  • Native HTML parsing.

Also, moving to npm will make Polymer packages seamlessly available to the millions of npm users, and allow Polymer packages to easily use other packages from the massive npm ecosystem. 

Learn more at the official website.

Third Party Apps Could Read Twitter Messaging

According to the company, no one used this vulnerability and the issue is now solved
18 December 2018

Until the beginning of December, third-party applications could access Twitter private messages. According to the company, no one took advantage of this vulnerability. Terence Eden, who found it, was paid almost $3,000 under the bug bounty program.

In 2013, keys to the Twitter API were leaked, so applications could access the interface while bypassing the social network. To protect users, Twitter implemented an application authorization mechanism based on predefined addresses (callback URLs), but it didn't suit everyone.

Applications that do not support callback URLs could authenticate using PIN codes. With this kind of authorization, a window pops up listing the data the user is opening up for access. The window did not request access to private messages, but the application received it anyway.

On December 6, Twitter reported that it had solved the problem. Judging by the company's statement on the HackerOne website, no one had time to take advantage of this vulnerability.

This is not the social network's first security error related to the API. In September, Twitter discovered a bug in AAAPI (Account Activity API): the system sent a copy of the user's personal message to a random recipient.