Monday, September 26, 2011
Saturday, September 17, 2011
Oracle Application Express - New Features in Release 4.1
Error Handling: Release 4.1 includes improved error handling and user-defined exception processing. You can now easily capture error messages generated by the Oracle database and replace the message text with user-friendly text. For example, instead of an error message such as "ORA-00001 unique constraint (EMP_UK) violated", the developer can define a message such as "Employee Name must be unique".
Use of ROWID: Application Express now supports the use of ROWID for updates, inserts and deletes as an alternative to specifying primary keys. Previously you could only specify two primary key columns, so if your table had more than two key columns you could not use the default DML processes and had to write your own. ROWID is now the default method for any new DML processes generated.
Data Upload: Developers can now easily add the capability for end users to load spreadsheet data into existing tables within an application. A wizard creates a collection of pages that allow the end user to upload a file or cut and paste data into a table; the developer can additionally define lookup columns and data transformations. End users are then led through a runtime wizard which allows them to load the data, map the columns, see whether the data will be inserted or updated, and review the results.
Calendar: The calendar wizards have been enhanced to include the ability to create an Edit page as part of creating the calendar. Calendars can now also include drag and drop functionality, which allows the end user to change the date and/or time of a record by simply dragging it on the calendar itself.
Websheets: Building on their initial introduction in Release 4.0, the look and feel of Websheets in Release 4.1 has been substantially improved and the controls redesigned to make them more intuitive for users. There are also new page section types and enhanced data grid integration.
Tabular Forms: Tabular Forms now support all validation types. Depending on the validation type you can use bind variable syntax, substitution syntax, or just specify the tabular form column name. These enhancements allow developers to declaratively define complex validations instead of having to write extensive PL/SQL by hand.
Plug-Ins: Plug-ins enable developers to extend the built-in functionality by writing PL/SQL components. This release expands the plug-in functionality and introduces the ability to create plug-ins for authentication and authorization schemes.
Dynamic Actions: Dynamic Actions allow developers to declaratively define client-side functionality without needing to master JavaScript and AJAX. With this release, a number of enhancements were added, including the ability to define dynamic actions for buttons and to use dynamic actions to set multiple item values.
Accessibility: Release 4.1 includes dramatic improvements in the HTML generated by the Application Express engine, together with accessibility improvements in existing themes and HTML templates.
Mobile Applications: Release 4.1 includes a number of key improvements to support for mobile frameworks, including form rendering without HTML tables.
New Browser Security Attributes in APEX 4.1
Oracle Application Express (APEX) 4.1 added two new Browser Security attributes: Cache and Embed in Frames. The attributes can be found by navigating to Shared Components > Security Attributes > Browser Security (region). Clicking on the items’ labels reveals some great documentation. I couldn’t find any other documentation online to link to so I’ve copied the contents here for everyone to see:
Cache
Enabling the cache allows the browser to save the contents of your application's pages in its cache, both in memory and on disk. If a user presses the browser back button, the page will typically be loaded from the cache, not from the server. If the cache is disabled, the browser is instructed to not save page content and will request it anew from the server.
From a security perspective the cache should be disabled, so the browser does not store sensitive data and will always request pages if the URL changes. Otherwise, it may even be possible to go back in the browser history after a logout and see cached content of the former session.
Disabling the browser cache will also prevent subtle back button issues with pages that use partial page refreshes, for example pages with Interactive Reports.
If this item is set to "Disabled", Application Express will send the HTTP header cache-control: no-store which instructs the Browser to not cache the page contents on disk or in memory.
Note: This feature requires modern browsers that support the HTTP header response variable "cache-control".
Embed in Frames
Use this attribute to control if the browser is allowed to display your application's pages within a frame:
Displaying pages within frames can be misused in "clickjacking" attacks, where an attacker uses multiple layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks (and/or keystrokes) meant for their page and routing them to another page.
- Deny: The page cannot be displayed in a frame, regardless of the site attempting to do so.
- Allow from same origin: The page can only be displayed in a frame on the same origin as the page itself.
- Allow: The page can be displayed in any frame.
Note: This feature requires modern browsers that support the HTTP header response variable "X-Frame-Options".
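To check what a deployed application actually sends, the following Python script is added here as an example; it is not part of the original post and not Oracle's code. It parses a raw HTTP response head, maps Cache-Control: no-store back to Cache = Disabled and X-Frame-Options DENY / SAMEORIGIN back to the Embed in Frames values above, and lists findings. The two sample responses are constructed for the example, and it assumes that no X-Frame-Options header at all means Embed in Frames is "Allow".

```python
"""Audit an HTTP response for the two APEX 4.1 Browser Security attributes.

Constructed example for this post; not Oracle's code and not part of APEX.
It reads back the headers the attributes cause the APEX engine to send
(Cache-Control: no-store when Cache is Disabled; X-Frame-Options DENY or
SAMEORIGIN for Embed in Frames) and reports the effective setting.
Assumption: when Embed in Frames is "Allow", no X-Frame-Options header is
sent, so absence of the header is reported as "Allow".
"""
import sys
import urllib.request
from typing import Dict, List

# Constructed sample responses (not captured from a real server).
SAMPLE_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Cache-Control: no-store\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>f?p=100:1</body></html>"
)
SAMPLE_LEGACY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Cache-Control: no-cache\r\n"  # no-cache still lets the browser store the page
    b"\r\n"
    b"<html><body>f?p=100:1</body></html>"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw response head into a dict keyed by lower-cased header name.
    Repeated headers are folded into one comma-separated value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def cache_disabled(headers: Dict[str, str]) -> bool:
    """True when Cache-Control carries the no-store directive (APEX Cache = Disabled).
    Matching is per directive and case-insensitive, so 'private, No-Store, max-age=0'
    counts; 'no-cache' alone does not, because it only forces revalidation."""
    directives = {d.strip().split("=", 1)[0].lower()
                  for d in headers.get("cache-control", "").split(",")}
    return "no-store" in directives


def embed_in_frames(headers: Dict[str, str]) -> str:
    """Map X-Frame-Options back to the APEX Embed in Frames attribute value."""
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return "Allow"  # assumption: APEX sends no header for Allow
    value = xfo.strip().upper()
    if value == "DENY":
        return "Deny"
    if value == "SAMEORIGIN":
        return "Allow from same origin"
    return f"Unrecognised ({xfo})"  # e.g. ALLOW-FROM, which APEX 4.1 does not emit


def audit(raw: bytes) -> Dict[str, object]:
    """Return the effective settings plus a list of findings worth fixing."""
    headers = parse_headers(raw)
    cache_off = cache_disabled(headers)
    frames = embed_in_frames(headers)
    findings: List[str] = []
    if not cache_off:
        findings.append("Cache enabled: pages may be served from browser cache after logout")
    if frames == "Allow":
        findings.append("Embed in Frames is Allow: any site can frame the page (clickjacking)")
    return {"cache_disabled": cache_off, "embed_in_frames": frames, "findings": findings}


def fetch_head(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a live page and rebuild its response head in the raw form audit() expects."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        fields = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return (status + fields + "\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    # Usage: python audit.py [http://host/apex/f?p=APP:PAGE]; no URL runs the sample.
    raw = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LEGACY
    for key, value in audit(raw).items():
        print(f"{key}: {value}")
```

Run it against a page you are logged out of and one you are logged in to: the header values must not differ, because the attribute applies to every page in the application.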
The Embed in Frames attribute was what was preventing the plug-in from working correctly: it was set to "Deny". Because the plug-in uses iframes, this attribute must be set to either "Allow from same origin" or "Allow". After upgrading to APEX 4.1, existing applications will be set to "Allow" but new applications will be set to "Deny". Perhaps "Allow from same origin" would have been a better choice for the new default?
At the end of the day, the new Cache and Embed in Frames security attributes are very powerful: they can make your applications more secure with very little investment, and the back button benefits of disabling the Cache are welcome too. However, developers should be mindful of the impact these attributes can have on their applications, particularly anything that relies on iframes. Always test!