RELEASE_NOTES - wookie - Git at Google

 Apache Wookie Release Notes
 ===========================
 See https://issues.apache.org/jira/browse/WOOKIE-* (where * is the number of the issue below)

 For more detailed information on significant changes, see NEW_AND_NOTEWORTHY

 Version 0.14
 ============

 BUGS FIXED
 ==========

 WOOKIE-403
 ProxyServlet doesn't work well on chunked data

 WOOKIE-406
 Widget redeploying fails on Windows

 WOOKIE-404
 Server crashed after long wait, while reloading widget

 WOOKIE-405
 Widget localization does not work

 WOOKIE-387
 deploying flatpack to another wookie results in an error

 WOOKIE-382
 Flatpack function returns wrong widget package

 WOOKIE-402
 Package files are overwritten by updates

 WOOKIE-399
 Twitter widget: public timeline no longer works

 WOOKIE-290
 Widget templates not allowing content to be overwritten properly

 WOOKIE-386
 HTML Hex-encoded unicode entities are incorrectly encoded in start files

 WOOKIE-44
 Default widget returns js "error" when loaded into a browser

 IMPROVEMENTS
 ============

 WOOKIE-360
 Process all start files, not just specified locales

 WOOKIE-397
 Improvements to assetPlayer Template

 WOOKIE-366
 Update to the Walkthrough template and test widget

 NEW FEATURES
 ============

 None

 Known Issues
 ============

     * WOOKIE-222 - There is a known issue when using Tomcat 7.* with Wookie. Sometimes when a widget is actually
     loaded, a browser alert box sometimes appears informing the user of a "Session Error".

     This is caused by the DWR library used by Wookie for Comet-based widgets handling HTTP-only cookies incorrectly;
     Tomcat 7 uses HTTP-only cookies as the default setting to prevent cross-site scripting (XSS) attacks.

     A workaround is to add the following to the WEB-INF/web.xml file

     <init-param>
         <param-name>crossDomainSessionSecurity</param-name>
         <param-value>false</param-value>
     </init-param>

     Note that XSS prevention will still be in place in Tomcat 7; this just disables the additional mechanism
     implemented in DWR that conflicts with it.

     This is an issue for DWR 2.* with Tomcat 7.* (or earlier versions of Tomcat where useHttpOnly="true" is set.)
	Apache Wookie Release Notes
	===========================
	See https://issues.apache.org/jira/browse/WOOKIE-* (where * is the number of the issue below)

	For more detailed information on significant changes, see NEW_AND_NOTEWORTHY

	Version 0.14
	============

	BUGS FIXED
	==========

	WOOKIE-403
	ProxyServlet doesn't work well on chunked data

	WOOKIE-406
	Widget redeploying fails on Windows

	WOOKIE-404
	Server crashed after long wait, while reloading widget

	WOOKIE-405
	Widget localization does not work

	WOOKIE-387
	deploying flatpack to another wookie results in an error

	WOOKIE-382
	Flatpack function returns wrong widget package

	WOOKIE-402
	Package files are overwritten by updates

	WOOKIE-399
	Twitter widget: public timeline no longer works

	WOOKIE-290
	Widget templates not allowing content to be overwritten properly

	WOOKIE-386
	HTML Hex-encoded unicode entities are incorrectly encoded in start files

	WOOKIE-44
	Default widget returns js "error" when loaded into a browser

	IMPROVEMENTS
	============

	WOOKIE-360
	Process all start files, not just specified locales

	WOOKIE-397
	Improvements to assetPlayer Template

	WOOKIE-366
	Update to the Walkthrough template and test widget

	NEW FEATURES
	============

	None

	Known Issues
	============

	* WOOKIE-222 - There is a known issue when using Tomcat 7.* with Wookie. Sometimes when a widget is actually
	loaded, a browser alert box sometimes appears informing the user of a "Session Error".

	This is caused by the DWR library used by Wookie for Comet-based widgets handling HTTP-only cookies incorrectly;
	Tomcat 7 uses HTTP-only cookies as the default setting to prevent cross-site scripting (XSS) attacks.

	A workaround is to add the following to the WEB-INF/web.xml file

	<init-param>
	<param-name>crossDomainSessionSecurity</param-name>
	<param-value>false</param-value>
	</init-param>

	Note that XSS prevention will still be in place in Tomcat 7; this just disables the additional mechanism
	implemented in DWR that conflicts with it.

	This is an issue for DWR 2.* with Tomcat 7.* (or earlier versions of Tomcat where useHttpOnly="true" is set.)