Jump to content

XMLHttpRequest

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 75.71.216.105 (talk) at 00:09, 26 June 2009 (Addition of the functioning of XMLHttpRequest. Could be extended/improved.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

HTTP
Request methods
Header fields
Response status codes
Security access control methods
Security vulnerabilities

XMLHttpRequest (XHR) is a DOM API that can be used inside a web browser scripting language, such as JavaScript, to send an HTTP or an HTTPS request directly to a web server and load the server response data directly back into the scripting language [1]. Once the data is within the scripting language, it is available as both an XML document, if the response was valid XML markup [2], and as plain text [3]. The XML data can be used to manipulate the currently active document in the browser window without the need of the client loading a new web page document. Plain text data can be evaluated within the scripting language to manipulate the document, too; in the example of JavaScript, the plain text may be formatted as JSON by the web server and evaluated within JavaScript to create an object of data for use on the current DOM.

This type of AJAX architecture should not be confused with (XDR) XDomainRequest which is a lightweight form of the XMLHttpRequest design by Microsoft which doesn't utilize XML-RPC. [4]

XMLHttpRequest is an important part of the AJAX web development technique, and it is used by many websites to implement responsive and dynamic web applications. Examples of web applications that make use of XMLHttpRequest include Google Maps, Windows Live's Virtual Earth, the MapQuest dynamic map interface, Facebook, and many others.

History and support

The XMLHttpRequest concept was originally developed by Microsoft as a server side API call for Outlook Web Access 2000.[5] At the time, it was not a standards-based web client feature; however, de facto support for it has been implemented by many major web browsers. The Microsoft implementation is called XMLHTTP. It has been available since the introduction of Internet Explorer 5.0[6] and is accessible via JScript, VBScript and other scripting languages supported by IE browsers.

The Mozilla project incorporated the first compatible native implementation of XMLHttpRequest in Mozilla 1.0 in 2002. This implementation was later followed by Apple since Safari 1.2, Konqueror, Opera Software since Opera 8.0, iCab since 3.0b352, and Microsoft since Internet Explorer 7.0.[6]

The World Wide Web Consortium published a Working Draft specification for the XMLHttpRequest object's API on 15 April 2008.[7] Its goal is "to document a minimum set of interoperable features based on existing implementations, allowing Web developers to use these features without platform-specific code". The draft specification is based upon existing popular implementations, to help improve and ensure interoperability of code across web platforms. As of April 2008, the W3C standard was still a work in progress.

On 25 February 2008 the World Wide Web Consortium published a Working Draft of XMLHttpRequest2 object's API with some extended functionality (such as progress events, cross-site requests, handling of byte streams)[8].

Versions of Internet Explorer prior to 7 did not pre-define the XMLHttpRequest class, so the following code is required to instantiate XMLHttpRequest in all Ajax-class browsers: 

// Provide the XMLHttpRequest class for IE 5.x-6.x:
// Other browsers (including IE 7.x-8.x) ignore this when XMLHttpRequest is predefined
if( typeof XMLHttpRequest == "undefined" ) XMLHttpRequest = function() {
 try { return new ActiveXObject("Msxml2.XMLHTTP.6.0") } catch(e) {}
 try { return new ActiveXObject("Msxml2.XMLHTTP.3.0") } catch(e) {}
 try { return new ActiveXObject("Msxml2.XMLHTTP") } catch(e) {}
 try { return new ActiveXObject("Microsoft.XMLHTTP") } catch(e) {}
 throw new Error( "This browser does not support XMLHttpRequest." )
};

Web pages that use XMLHttpRequest or XMLHTTP can mitigate the current minor differences in the implementations either by encapsulating the XMLHttpRequest object in a JavaScript wrapper, or by using an existing framework that does so. In either case, the wrapper should detect the abilities of current implementation and work within its requirements.

Traditionally, there have been other methods to achieve a similar effect of server dynamic applications using scripting languages and/or plugins:

In addition, the World Wide Web Consortium has several recommendations that also allow for dynamic communication between a server and user agent, though few of them are well supported.[citation needed] These include:

  • The object element defined in HTML 4 for embedding arbitrary content types into documents, (replaces inline frames under XHTML 1.1)
  • The Document Object Model (DOM) Level 3 Load and Save Specification.[9]

HTTP request

The following is how a request using the XMLHttpRequest object functions in a conforming user agent based on the W3C Working Draft. As the W3C standard for the XMLHttpRequest object is still a draft, user agents may not abide by all the functionings of the W3C definition and any of the following is subject to change. Extreme care should be taken into consideration when scripting with the XMLHttpRequest object across multiple user agents. This article will try to list the inconsistencies between the major user agents.

The open method

The HTTP and HTTPS requests of the XMLHttpRequest object must be initialized through the open method. This method must be invoked prior to the actual sending of a request to validate and resolve the request method, URL, and URI user information to be used for the request. This method does not assure that the URL exists or the user information is correct. This method can accept upto five parameters, but as little as two, to initialize a request.

The first parameter of the method is a text string indicating the HTTP request method to use. The request methods that must be supported by a conforming user agent, defined by the W3C draft for the XMLHttpRequest object, are currently listed as the following. [10]

However, request methods are not limited to the ones listed above. The W3C draft states that a browser may support additional request methods at their own discretion.

The second parameter of the method is another text string, this one indicating the URL of the HTTP request. The W3C recommends that browsers should raise an error and not allow the request of a URL with either a different port or ihost URI component from the current document.

The third parameter, a boolean value indicating whether or not the request will be asynchronous, is not a required parameter by the W3C draft. The default value of this parameter should be assumed to be true by a W3C conforming user agent if it is not provided. An asynchronous request ("true") will not wait on a server response before continuing on with the execution of the current script. It will instead invoke the onreadystatechange event listener of the XMLHttpRequest object throughout the various stages of the request. A synchronous request ("false") will hang execution of the current script until the request has been completed, not invoking the onreadystatechange event listener.

The fourth and fifth parameters are the URI user and password, respectively. These parameters are not required and should default to the current user and password of the document if not supplied, as defined by the W3C draft.

The setRequestHeader method

Upon successful initialization of a request, the setRequestHeader method of the XMLHttpRequest object can be invoked to send HTTP headers with the request. The first parameter of this method is the text string name of the header. The second parameter is the text string value. This method must be invoked for each header that needs to be sent with the request. Any headers attached here will be removed the next time the open method is invoked in a W3C conforming user agent.

The send method

To send an HTTP request, the send method of the XMLHttpRequest must be invoked. This method accepts a single parameter containing the content to be sent with the request. This parameter may be omitted if no content needs to be sent. The W3C draft states that this parameter may be any type available to the scripting language as long as it can be turned into a text string, with the exception of the DOM document object. If a user agent cannot stringify the parameter, then the parameter should be ignored.

If the parameter is a DOM document object, a user agent should assure the document is turned into well-formed XML using the encoding indicated by the inputEncoding property of the document object. If the Content-Type request header was not added through setRequestHeader yet, it should automatically be added by a conforming user agent as "application/xml;charset=charset," where charset is the encoding used to encode the document.

The onreadystatechange event listener

If the open method of the XMLHttpRequest object was invoked with the third parameter set to true for an asynchronous request, the onreadystatechange event listener will be automatically invoked for each of the following actions that change the readyState property of the XMLHttpRequest object.

  • After the open method has been invoked successfully, the readyState property of the XMLHttpRequest object should be assigned a value of 1.
  • After the send method has been invoked and the HTTP response headers have been received, the readyState property of the XMLHttpRequest object should be assigned a value of 2.
  • Once the HTTP response content begins to load, the readyState property of the XMLHttpRequest object should be assigned a value of 3.
  • Once the HTTP response content has finished loading, the readyState property of the XMLHttpRequest object should be assigned a value of 4.

The major user agents are inconsistent with the handling of the onreadystatechange event listener.

The HTTP response

After a successful and completed call to the send method of the XMLHttpRequest, if the server response was valid XML and the Content-Type header sent by the server is understood by the user agent as XML, the responseXML property of the XMLHttpRequest object will contain a DOM document object. Another property, responseText will contain the response of the server in plain text by a conforming user agent, regardless of whether or not it was understood as XML.

Cross-site HTTP requests

Modern browsers are in the process of implementing cross-site XMLHttpRequests, notably Firefox 3.5. [11] An alternate technique for cross-site HTTP requests is AJAST.

Known problems

Caching

Most of the implementations also realize HTTP caching. Internet Explorer and Firefox do, but there is a difference in how and when the cached data is revalidated. Firefox revalidates the cached response every time the page is refreshed, issuing an "If-Modified-Since" header with value set to the value of the "Last-Modified" header of the cached response.

Internet Explorer does so only if the cached response is expired (i.e., after the date of received "Expires" header). This raises some issues, since a bug exists in Internet Explorer, where the cached response is never refreshed.[12]

It is possible to unify the caching behavior on the client. The following script illustrates an example approach (See the history and support section for compatibility with versions of Internet Explorer prior to 7.0): 

var request = new XMLHttpRequest();
request.open("GET", url, false);
request.send(null);
if(!request.getResponseHeader("Date")) {
 var cached = request;
 request = new XMLHttpRequest();
 var ifModifiedSince = cached.getResponseHeader("Last-Modified");
 ifModifiedSince = (ifModifiedSince) ?
 ifModifiedSince : new Date(0); // January 1, 1970
 request.open("GET", url, false);
 request.setRequestHeader("If-Modified-Since", ifModifiedSince);
 request.send("");
 if(request.status == 304) {
 request = cached;
 }
}

In Internet Explorer, if the response is returned from the cache without revalidation, the "Date" header is an empty string. The workaround is achieved by checking the "Date" response header and issuing another request if needed. In case a second request is needed, the actual HTTP request is not made twice, as the first call would not produce an actual HTTP request.

The reference to the cached request is preserved, because if the response code/status of the second call is "304 Not Modified", the response body becomes an empty string ("") and then it is needed to go back to the cached object. A way to save memory and expenses of second object creation is to preserve just the needed response data and reuse the XMLHttpRequest object.

The above script relies on the assumption that the "Date" header is always issued by the server, which should be true for most server configurations. Also, it illustrates a synchronous communication between the server and the client. In case of asynchronous communication, the check should be made during the callback.

This problem is often overcome by employing techniques preventing the caching at all. Using these techniques indiscriminately can result in poor performance and waste of network bandwidth.

If script executes operation that has side effects (e.g. adding a comment, marking message as read) which requires that request always reaches the end server, it should use POST method instead.

Workaround

Internet Explorer will also cache dynamic pages and this is a problem because the URL of the page may not change but the content will (for example a news feed). A workaround for this situation can be achieved by adding a unique time stamp or random number, or possibly both, typically using the Date object and/or Math.random().

For simple document request the query string delimiter '?' can be used, or for existing queries a final sub-query can be added after a final '&' – to append the unique query term to the existing query. The downside is that each such request will fill up the cache with useless (never reused) content that could otherwise be used for other cached content (more useful data will be purged from cache to make room for these one-time responses).

A better workaround can be achieved by adding meta tags to dynamic pages in order to make them no-cachable: 

<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />

Reusing XMLHttpRequest Object in IE

In IE, if the open method is called after setting the onreadystatechange callback, there will be a problem when trying to reuse the XHR object. To be able to reuse the XHR object properly, use the open method first and set onreadystatechange later. This happens because IE resets the object implicitly in the open method if the status is 'completed'. For more explanation of reuse: Reusing XMLHttpRequest Object in IE. The downside to calling the open method after setting the callback is a loss of cross-browser support for readystates. See the quirksmode article.

Cross-browser support

Microsoft developers were the first to include the XMLHttp object in their MSXML ActiveX control. Developers at the open source Mozilla project saw this invention and ported their own XMLHttp, not as an ActiveX control but as a native browser object called XMLHttpRequest. Konqueror, Opera and Safari have since implemented similar functionality but more along the lines of an identical XMLHttpRequest. Some Ajax developer and run-time frameworks only support one implementation of XMLHttp while others support both. Developers building Ajax functionality from scratch can provide if/else or try/catch logic within their client-side JavaScript to use the appropriate XMLHttp object as well. Internet Explorer 7 added native support for the XMLHttpRequest object, but retains backward compatibility with the ActiveX implementation.[6] To avoid excess conditionals, see the source code in the history and support section.

Frameworks

Because of the complexity of handling cross-browser distinctions between XMLHttpRequest implementations, a number of Ajax frameworks have emerged to abstract these differences into a set of reusable programming constructs.

References

  1. ^ XMLHttpRequest object explained by the W3C Working Draft
  2. ^ The responseXML attribute of the XMLHttpRequest object explained by the W3C Working Draft
  3. ^ The responseText attribute of the XMLHttpRequest object explained by the W3C Working Draft
  4. ^ XDomainRequest, Microsoft Developer Network
  5. ^ XMLHTTP's Original Development, Article on XMLHTTP Original Development from an Original Developer
  6. ^ a b c Dutta, Sunava (2006-01-23). "Native XMLHTTPRequest object". IEBlog. Microsoft. Retrieved 2006-11-30.
  7. ^ The XMLHttpRequest Object 15 April 2008
  8. ^ The XMLHttpRequest2 Object 25 February 2008
  9. ^ Document Object Model (DOM) Level 3 Load and Save Specification, V 1.0, W3C Recommendation 07 April 2004
  10. ^ Dependencies of the XMLHttpRequest object explained by the W3C Working Draft
  11. ^ HTTP access control Information
  12. ^ - Sergey Ilinsky's cross-compatible XMLHttpRequest implementation (Internet Explorer: cached document is not checked against modification date)

See also

Documentation/Browser implementations

Cross-Browser implementations

Tutorials

Security

Retrieved from "https://en.wikipedia.org/w/index.php?title=XMLHttpRequest&oldid=298654616"