Slashdot Mirror

← Back to Stories (view on slashdot.org)

Advanced Requests and Responses in Ajax

Posted by ryuzaki0 on from the cleaner-code-not-just-a-cleaner dept.

An anonymous reader writes "The Web is no longer a place where simple applications are tolerated; 'users have become more advanced, customers expect robustness and advanced error reporting, and managers are fired because an application goes down 1 percent of the time. It's your job then, to go beyond a simple Ajax application that requires a more thorough understanding of XMLHttpRequest.' This DevWorks article tries to help developers use Ajax to build a solid foundation in which an application handles errors and problems smoothly."

48 of 209 comments (clear)

  1. Re:AJAX? by mmkkbb · · Score: 2, Informative

    It's the rather scary idea of using JavaScript on a webpage to run XML-RPC requests to a remote server and update the local page, allowing for flashy stuff like Google Maps and GMail that does not require a new page to be loaded.

    Too bad it requires JavaScript!

    --
    -mkb
  2. CS101 by slackaddict · · Score: 4, Insightful
    "...to build a solid foundation in which an application handles errors and problems smoothly."

    Um, aren't these concepts something we learned in college??? This is just basic stuff... although I think it highlights how RAD languages can teach you sloppy coding habits if you don't take the time do do things correctly.

    --
    ConsultingFair.com
    1. Re:CS101 by Anonymous Coward · · Score: 2, Insightful

      Isn't that a contradiction? The whole point of RAD is the "R"... you know, rapid. As in, NOT taking time?

      Oh sure, *I* agree with your point about doing things the right way, but the average acronym loving project manager sees "RAD" and (aside from the "party-on dude" connotations), assumes it means he doesn't have to spend time developing. One of the many reasons I hate that term and encourage others not to use it. It convinves people not to think in a relative perspective... "Rapid" means "faster than doing it in C. Not fewer ticks of the clock. But people don't see that.

    2. Re:CS101 by firewrought · · Score: 3, Interesting
      Um, aren't these concepts something we learned in college?u

      Error handling wasn't taught well at my college. Yeah, you might fail one of Greenlee's assignments if you if you didn't check the return status of a system call, but that's not the same thing as knowing how to handle an error when you get one.

      It wouldn't be difficult to add an error-handling module to an intermediate-level programming class. There are only a few basic response to any error situation: ignore it, propagate it, retry it, ask the user about it, log it to disk/email/syslog/database/whatever, log it to the GUI, and/or bail-and-quit. Talk about when and how to use each approach; throw in material about retry strategies, explicit vs. implicit error signaling, fail-fast behavior, ask-forgiveness, pitfalls of catching all exceptions, the needs of production systems, etc., and followup with an examination of a few platform-specific error-handling facilities.

      If you're college taught all this, then great!!! Mine did not. Maybe I should email some of my old profs...

      --
      -1, Too Many Layers Of Abstraction
    3. Re:CS101 by hey! · · Score: 3, Insightful

      What the issue at hand boils down to this: knowing how to program in an asynchronous enviornment. If you've done it before, you can skim the article in under five minutes, because it's just a small and managemeable set of conventions that sets dealing with the XMLHttpRequest that would be new to you. The strategy is just common sense, if you've done this sort of thing.

      CS101 certainly touches on aspects of asynchronous programming, such as threads, but I suspect the student's first serious exposure is more likley to come in second or third year OS class. But in any case you have to expect a CS program to fill the student's heads with more knowledge than skills. I've even hired engineers with masters degrees who, while they had the basic theoretical knowledge needed to do this kind of work, don't have a decent feel for it.

      The reason is that while they learned the theory, in practice details have always been taken care of by some framework or another. For example some ajax frameworks work by callback functions; clearly they're doing just this stuff under the covers.

      I'm not saying this is rocket science; quite the contrary. Very, very little in CS is. Most practical skills in CS amount to this: attention to detail and taking care with making assumptions you make -- particularly knowing when an assumption can be trusted to hold and when it cannot. I've often reflected that doggedness and fastidiousness (well, mental fastidiousness at least) are equally important with intelligence in making a good programmer.

      The problem is that programmers always have too many details to manage. Succeeding is what differentiates the good ones from the bad, and experience is very helpful. As in many things, an ounce of prevention is worth a pound of cure. It's all to easy to be careless or inattentive in the wrong places. Believing you know when to do this is what converts garden variety laziness into the hubris. Getting this stuff right isn't hard, but getting it wrong isn't hard either, in which case you end up with hard to debug problems or systems that are unresponsive.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Ironically by RealProgrammer · · Score: 3, Funny
    When I tried to download the code from the article, and clicked through the license, it said:
    404 Not Found

    Not Found
    The requested URL /ibmdl/pub/software/dw/web/ wa-ajaxintro3_ajax-xhr_adv.zip was not found on this server.

    Perhaps someone should write an article on how to write robust AJAX code. Oh, wait...

    --
    sigs, as if you care.
  4. Re:AJAX? by DeveloperAdvantage · · Score: 3, Informative

    If you want a one hour summary, take a listen to our most recent audiobook at http://www.developeradvantage.com/products.html . It's free for now.

    --
    FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
  5. nothing too new by nuttzy · · Score: 2, Insightful

    I think the article covers some things that are missing in a lot of ajax classes available, but really is nothing new. My own ajax class is far, far superior (trying to get the okay from work to OSS it).

    Too many classes are using a global httprequest object. This is not good if you are doing many requests (though I suppose uses less memory). There's also no timeout for graceful handling of a slow server. I've done quite a bit in the way of error handling.

    At least this one doesn't make you learn a damn mini-language... a major pet peeve of mine!

  6. Re:AJAX? by codesurfer · · Score: 2, Informative

    Not the most definitve source, but this should give you an adequate overview:

    http://en.wikipedia.org/wiki/AJAX

  7. Good for Them by trongey · · Score: 2, Insightful

    ...This DevWorks article tries to help developers use Ajax to build a solid foundation in which an application handles errors and problems smoothly.

    That's good, because none of the commercial "enterprise class" software that I have to work with handles errors and problems smoothly. They just crash or send an error message that has no relation ot the actual problem.

    --
    You never really know how close to the edge you can go until you fall off.
  8. Re:AJAX? by FooAtWFU · · Score: 4, Funny

    Ajax was a king of Salamis, and a legendary hero of ancient Greece.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  9. Users.. by onion2k · · Score: 4, Insightful

    users have become more advanced

    They really haven't actually. They've stopped being mostly geeks and academics and now the internet is open to all. Users are much, much less advanced today than they were ten years ago. What has changed in more recent times is that the users now they're think more advanced. They're presented with interesting social networks (FlickR, Blogger, deli.co.us, etc), and they're capable of using these straightforward interfaces with lots of handholding (rebranding categories as tags for example) and they get the impression that they're learning something. Does that mean they know, or care, what an XMLHTTPRequest is? Nope.

    The same goes for customers. Yes, they want advanced reporting and robust apps .. do they care how those are achieved? Generally, nope.

    As for managers being fired for an application being unavailable 1% of the time .. the article talks about AJAX .. AJAX relies on JavaScript. Between 7% and 10% of web users have JavaScript turned off either implicitly or due to their IE security level. Surely if you're creating an AJAX application then you must realise the application is already unavailable to 7% of users even when your server is up and running? If high availability is key then you'd better not be using anything beyond HTML.

    --
    http://twitter.com/onion2k
    1. Re:Users.. by nuttzy · · Score: 2, Informative

      If high availability is key then you'd better not be using anything beyond HTML.

      Uh... how about having an app degrade nicely? In most cases it's not that tough. So for the large majority that can take advantage of your whiz bang web app, go ahead and use AJAX (where it makes sense) and just be sure to have it degrade nicely for browsers that are not ajax aware and then also for browsers that are not handling javascript.

    2. Re:Users.. by spyrral · · Score: 2, Interesting

      My company uses a very popular ad system that relies on javascript to function. If the user doesn't have javascript turned on, then they can't see our ads. If they can't see our ads, then ... we really don't care if the site doesn't work for them.

      For all of you who've got adblockers on and javascript and flash turned off, welcome to the beginning of the end. I hope you enjoy cruising the crusty bowels of the Internet while the rest of us enjoy Flickr and the rest of the really tasty web 2.0 apps that are coming down the pipe.

    3. Re:Users.. by just_another_sean · · Score: 3, Interesting

      For all of you who've got ad blockers on and JavaScript and flash turned off, welcome to the beginning of the end.

      Oh the delicious irony of seeing this post immediately after a sensible poster mentions graceful degradation.

      See, I actually see things differently then you do. I do run with JavaScript disabled for the most part and AdBlock turned on. And you know what? I don't really have that many issues with websites. And if I do run into issues? Well, I really don't care if my browser doesn't work for them.

      I think perhaps just because you have "They're not seeing our ads? Well F them then!" attitude towards customers does not a) mean all companies do and more importantly b) not all developers do. Standards are generally designed to implement some backward compatibility. I don't think, despite your gloomy predictions, that this is likely to change anytime soon. The majority of (useful, interesting) sites will continue to keep this in mind in order to take advantage of as many eyeballs as possible.

      So I think I'll continue to use ad block, watch all my TV on DVR and skip the commercials, avoid tracking tools, like toolbars that integrate with my browser and in general keep myself as ad free as possible.

      Meanwhile you and the rest of the mass marketing industry can try the RIAA route and whine to the government about it. Maybe they'll make my DVR and ad blockers illegal. Then, I guess you win.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    4. Re:Users.. by mpcooke3 · · Score: 2, Insightful

      The problem is that for various well known reasons "we" (the technical community) have decided that most applications will be deployed over the web these days. As new users come onto the internet for the first time they access these applications and they quite naturally expect them to behave like other applications. Whether an application was accessed via the "Blue E" or by the start button they expect them to behave in similar ways. Internet users in the old days used to be looking at research papers and the users got used to expecting websites to look like pages of static text.

      Like it or not since we've bastardised the web in this way with forms, cookies, javascript, DHTML, AJAX, Tagging, etc, we have changed users understanding of what the web is. It's a shame that a standardised technology for deploying applications over the internet never took off and that we ended up having to use the mass of hacks that has resulted today in AJAX.

      On an unrelated note, Categories and Tags are not really the same thing.

      Normally there are a fixed number of categories and/or hierarchy of categories and items belong to one low level category only, categories are normally but not always defined by the site.
      Tags are arbitrary user defined keywords that are applied to items to help users search through items. Tags are always defined by users.

      Also outside of the web2 community most people understand categories and do not understand tags. My mum for example.

    5. Re:Users.. by cruachan · · Score: 2, Interesting

      Ho Ho Ho. Why would anyone want to turn Adblockers off? Personally I keep javascript on (why should I disable an extremely useful browser extension because some advertising scum abuse it?) but run the Adblocking at the highest level I can. I rarely see any adverts and it seems to me that the adblockers are winning the arms race - we can have our web 2.0 applications just fine without the dregs of humanity that are advertiser messing things up for us.

  10. Unfortunately... by everphilski · · Score: 4, Interesting

    In this day and age a lot of us are asked to program who are not by nature computer programmers. In a perfect world all the programmers would be CS majors. For example, I am an Aerospace Engineer, however I spend 6 hours a day writing code in c++. It isn't pretty but it works. Why? The company I work for could either:

    (a) Hire engineers who know engineering and are crappy programmers, and make them learn programming, or
    (b) Hire CS majors who don't know engineering, and spend 4 years to teach them engineering

    (a) makes more sense to me. A lot of my code looks like crap, and I know my CS friends could do better quicker, but they don't know the engineering principles I do. Long story short, I didn't have CS101, CS102, etc. There are a lot of us out here who are asked to code, who weren't brought up to be coders, who have to be taught some principles that aren't immediately apparent :P

    1. Re:Unfortunately... by AuMatar · · Score: 5, Insightful

      The correct answer is c

      c)Have the people who understand the engineering write pseudocode algorithms and work hand in hand with real programmers.

      The advantages you get from this- code that doesn't look like shit and have major architectural short commings, and much easier/cheaper maintenance. While I'm sure an Aero can learn to do basic programming in a month or so, it does take a few years to write good, well designed code. Whereas an experienced programmer can write equivalent functionality in 1/10 the time. By working together, you end up with higher quality software for much cheaper. This is the same way you see EEs and MechEs working with programmers in the embedded world.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    2. Re:Unfortunately... by Quarters · · Score: 2, Insightful

      Except that c) doubles the costs (at least) the company will incur. While it is the right answer from a technical standpoint, from a business standpoint it isn't optimal.

    3. Re:Unfortunately... by Radres · · Score: 4, Insightful

      But c) will also half the maintenance costs of your crappy code.

    4. Re:Unfortunately... by AuMatar · · Score: 4, Insightful

      Not in the medium to long term. The improved maintainability (and very likely, quicker turn around time) of the programmer's code will very quickly make up the cost and more. If a good programmer can turn an algorithm from an aero to code in 1/4 the time (which is not, by any means, an unreasonable assumption) you end up saving money very quickly- you can hire 4 aero engineers to code, or you can hir 1 programmer and 1 aero engineer. And the aero might have free bandwidth to do more aero based stuff as well.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:Unfortunately... by khendron · · Score: 2, Interesting

      I also graduated with a Masters in Aerodynamics, and I worked for an engineering company that required us to program. They adopted choice (a), and I will tell you (a) just doesn't work.

      Our code was crap and our applications extremely fragile. Nothing we produced was scalable or easily transferable from one client to another. Oh, everything worked after a fashion, but the architecture was comparable to a house of cards.

      I agree that our engineering background was essential, but what they should have done is hire an *experienced* CS major to be the system architect (a task that requires CS knowledge), and let us engineers work on the specific pieces that required engineering knowledge.

      --
      Life is like a web application. Sometime you need cookies just to get by.
    6. Re:Unfortunately... by kibbled_bits · · Score: 2, Insightful

      It surely sounds like these aren't software projects at all. Kludge would be a very good word to describe that. There must be some development process (IE: Agile, RUP, etc). Problem is that people want the results of crappy code (quick), but not the side effects (bad quality). Unless as programmers we push back and educate our audience then we will never overcome this and plug the offshoring hole.

    7. Re:Unfortunately... by Tooky · · Score: 2, Insightful

      Have the people who understand the engineering write pseudocode algorithms and work hand in hand with real programmers.

      Even better, get them to pair-program. I heard a talk at XPDay London recently by a guy from a company who build gear boxes. They had similar problems where either developers didn't understand the engineering well enough or the engineers produced poor code.

      They began to implement XP (which we don't need to go into) and had developers and engineers pair-program on the tasks. This was a huge benefit for them as not only did they get well developed code that worked in terms of the engineering, but they also began to spread the domain knowledge around the team. The engineers started to get a better appreciation of development, and the developers were starting to pick up some of the domain knowledge from the engineers.

  11. Pretty sparse by Gopal.V · · Score: 3, Informative
    The document is pretty much ranks in the category of 30 second ajax tutorials. It would have been better if the document has explained how you were supposed to handle concurrent XmlHttpRequests - a problem I am faced with. Yesterday, I noticed the new Y! libs released had - transaction ids for Ajax requests. I've been using closures in javascript to maintain the context info, but this way sounds much better.

    Any decent webdev entering the field should know about http status codes, HEAD requests and all that. Also it should be noted that article didn't even mention how many times state 3 is hit for a particular request - I got caught by that one once.

    --
    Quidquid latine dictum sit, altum videtur
  12. Corrected URL by RealProgrammer · · Score: 4, Informative
    The download link in TFA has an error. To get the code from the article, use:

    http://download.boulder.ibm.com/ibmdl/pub/software /dw/web/wa-ajaxintro3_ajax-xhr_adv.zip

    Taking the "%20" away from the final "/" made it work.

    (There should be no spaces in the URL.)

    --
    sigs, as if you care.
  13. frameworks reduce need for low level details by DeveloperAdvantage · · Score: 2, Interesting

    Every Ajax application uses the XMLHttpRequest object, so you'll want to be intimately familiar with it to make your Ajax applications perform and perform well.

    I think this is true right now, at least to some extent, but as frameworks solidify and become proven, there will be less benefit to being "intimately familiar" with the XMLHttpRequest object. Of course, knowing more about the underlying technology can't hurt, and you will need to know them if you are the one writing a framework.

    For a very good source on frameworks, take a look at http://ajaxpatterns.org/Ajax_Frameworks

    --
    FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
  14. the web IS such a place! by tjr · · Score: 3, Insightful
    The Web is no longer a place where simple applications are tolerated;

    Sure it is. Most web applications that I use, whether if they make use of AJAX or not, could certainly be plenty usable and valuable without AJAX.

    AJAX makes some things possible that aren't possible using plain HTML, but it doesn't make ALL plain HTML so much better that it would be impossible to imagine the site without it.

  15. simple != intolerable by blue_adept · · Score: 5, Insightful

    The Web is no longer a place where simple applications are tolerated

    Not so. Simple = GOOD, just look at the success of google; no fancy front end required. AJAX, like good special effects in a movie, can enhance the end-user experience when applied selectively and intelligently. They are NOT an end in themselves.

    The truth is, the web is a place were only USEFUL applications are tolerated, whether or not they use AJAX.

    --

    "Is this just useless, or is it expensive as well?"
    1. Re:simple != intolerable by jetxee · · Score: 2, Insightful

      I agree with you. Content and usefulness matter. And Simple = BEAUTIFUL.

      Yet, Simple != Easy to create. And Simple != Low Tech. Simple = Nothing excessive.

      And as far as AJAX helps to save some mouse clicks and page reloads, it may be used to weave really simple web.

  16. The Web is no longer... by jetxee · · Score: 2, Funny

    The Web is no longer a place for information exchange. It is a place to invest your money, to hire more and more coders/artists/testers/managers, to maintain all this eye-candy. There is a reason: It looks just like a real application inside your web browser!

    We don't have anything special to say. But now instead of looking for a `Back' button, you may drag-n-drop our whole corporate site directly to your Recycled Bin!

    1. Re:The Web is no longer... by SixDimensionalArray · · Score: 2, Insightful

      You know, this comment is not just funny, I find it rather ironic. Why do we try and force a "real application" through a web browser? The way we are treating browsers these days, it seems like they are less about information presentation/sharing and more about actual application-type functionality. I thought that was what all the GUI libraries that come with your OS were meant for!

      Rather than taking an incremental approach and altering the core purpose of "web browsing", why don't we get all of the major technology companies that exist today to agree to support ONE standard for the remote binding of locally displayed user interface components. That way, every company can make their own components and their own code, but everybody knows a standard way to bind network-based logic to an interface. I'm pretty sure this is what Bill Gates was after when he envisioned .NET, what Sun hoped Java would be, what Macromedia hoped Flash would be. It's clear that no plugin, no single method is dominant. All we have is a [slowly] improving mess of HTML, CSS and Javascript. AJAX makes a difference, but only so far as it accomplishes the goal of ONE standard for fat-client, desktop application type functionality.

      Seriously, are all the big players so greedy that they can't ALL band together, for the good of humanity and advancement of technology, to agree on ONE standard? ONLY ONE? Take some time, flesh out a good model, agree to standardize, build new products, free and proprietary, and let's make the shift to these well-defined products.

      I guess I'm biased... I've been developing web applications for years, and I recently was speaking with a long-time desktop GUI developer. This developer hasn't suffered nearly as many of the injustices that we web developers have, trying to shoehorn something into a "web browser". Of course, his application doesn't work on every OS and every type of system (terrible in and of itself), but hey, if we had ONE standard for UI binding to network-enabled logic (web-services, remote components, anything at all), maybe it could.

      SixD

  17. Re:AJAX? by Serapth · · Score: 4, Funny

    ... and a bleach!

  18. Re:AJAX? by DeveloperAdvantage · · Score: 3, Informative

    Thanks. Sometimes I really don't understand the censoring, I mean mod system here. Our audiobooks are currently freely downloadable, we have no advertising on our side, and it seems reasonable and on topic that if someone asks about Ajax to point them to our material. After all, this whole thread is about an article from a huge, profitable corporation. Maybe instead of audiobooks, I should call them "audicles", and then it will be ok to mention them when people are looking for information.

    Anyway, thanks again.

    --
    FREE - Java, J2EE and Ajax Audiobooks for Software Developers - www.DeveloperAdvantage.com
  19. Re:AJAX? by slamb · · Score: 2, Informative
    It's what most web people have been doing for years now anyways. using html, javascript and a server side scripting like PHP together to make a website. in a way you could call slashdot a AJAX type of site.

    You'd be wrong. I don't believe slashdot uses any Javascript, except maybe some ad stuff. And even if it did, that's not a good definition. The point of Ajax is updating the client's display with new data from the server without reloading the entire page. This is why Ajax is so trendy - these pages are more pleasant to use because they respond more quickly, and without unrelated parts of the display going away and coming back or causing everything to scroll away from what you were looking at.

    Ajax accomplishes this with the XMLHttpRequest() object. (It's a misnomer - XML doesn't have to be involved at all.) It's just a way to issue a request and execute some code when it completes (by success, failure, or timeout). That code can update a status bar, add some text to the page, or do something more sophisticated.

  20. Re:AJAX? by PsychicX · · Score: 2, Insightful

    So have they figured out how to have the back button not wreak havoc on the page yet?

  21. I would prefer the JSON way by moria · · Score: 4, Informative

    Using JSON, JavaScript can load data from any address, when XMLHttpRequest requires you to stay in the same domain. Besides, JSON is JavaScript native and is therefore much easier to consume, for example, using MochiKit. As for the generator, it is trivial to convert native data to JSON data in a wide range of programming languages, including all the major server side scripting languages, like Python and Java. Yahoo has released a lot of their APIs on JSON and some excellent Python WebApp Framework has built-in support to speak to the client scripts in JSON.

    1. Re:I would prefer the JSON way by aztracker1 · · Score: 2, Interesting

      There's always Anthem.Net for those that like C# as well... ;) I think JSON is much lighter for data than using xml... since the syntax can be *much* lighter with json, especially for somewhat complex relationships, and data.

      --
      Michael J. Ryan - tracker1.info
    2. Re:I would prefer the JSON way by brpr · · Score: 2, Informative

      There's nothing to it, it's just a subset of the Javascript literal syntax which happens to have a lot of library/community support (i.e. you don't have to roll your own Perl parser/generator library, or whatever).

      --
      Freedom is not increased by mere diminuation of government. Anarchy is freedom for the strong and slavery for the weak.
    3. Re:I would prefer the JSON way by sivadnitsuj · · Score: 2, Interesting

      While AJAX is limited to acquiring data from within the same basedomain, it's trivial to use something on a local server like cURL wrapped with PHP/Perl to get & parse remote content. You can then do sanity & security checks on the acquired content before passing it along to your AJAX application.

      (Silly, but it reminds me of my first few Perl scripts, and how I would get around "taint" checking by passing all input through a 's/(.)/$1/' regular expression)

  22. Re:AJAX? by Biffa · · Score: 2, Informative

    The core concept of AJAX is to use Javascript in the browser to make requests to the server and then update the browser without having to load a new web page. This is accomplished by using the XMLHTTPRequest object which is available in one form or another in the lastest major browsers. This concept isn't particularly new (I worked on a project in 1999 that used a Java Applet to do the work that XMLHTTPRequest now does). However, what is new is that the technology is available natively in the major browsers, and can be used to make web-based applications more interactive and user friendly, without requiring any additional plug-ins. However, AJAX is currently a hot buzzword and way over-hyped. Anyone who already has solid Javascript skills and knows a server side scripting language should be able to pick up AJAX in a couple of hours. Eventually, there will be a nice OSS AJAX library available that will hide the details, but for right now, there's nothing better than an intimate understanding of the XMLHTTPRequest object.

  23. No longer tolerating what?? by ben_1432 · · Score: 3, Interesting

    Where's the ajax on slashdot? Are we supposed to be rebelling because it uses the traditional get/post methods instead of the (new name, old technology) "ajax" version?

    Where's the ajax on msn & yahoo .com's? Or on mainstream news sites?

    Ajax is a "web two point oh" buzzword, and 99% of "web two point oh" services/systems aren't going to be a success just because they utilize it.

    I'm not disputing it can be useful and add something to an application, but the hype outweighs the benefit.

    One thing I fear about ajax is the poor standards many developers work to - how long before we see phpbb/phpnuke/et al tearing servers apart because each visitor is suddenly making an extra 10 database queries a minute while previously they'd alt-tab back and hit refresh every few minutes?

    1. Re:No longer tolerating what?? by Run4yourlives · · Score: 2, Insightful

      To really ajax this site web two point oh style you'd have to have it automatically checking for new comments, new posts, alerts or notifications that someone's replied to you, modded a comment etc.

      No, those things would be useless... AJAX is about improving the user experience, not loading as much crap onto a page that you can, just 'cause.

  24. AJAX Privacy and Security? by WebCowboy · · Score: 4, Interesting

    Forget about the back button...that is an annoyance I've grown to tolerate (for almost a decade we've had to deal with "sticky" web pages). MY biggest concerns centre on SECURITY and PRIVACY.

    One thing about Javascript is that it is very aware of the client's environment--we can use it to determine screen size, colour depth, browser type, browser history and so forth. Until the introduction of the XMLHTTPRequest object, developers were limited in how they could bring this information into the server. It wasn't impossible (you could do stuff with traditional javascript and server-side programming involving hidden input tags, cookies, automatic page submits/reloads, etc), however the user would usually have a visual cue (IE would produce an audible "click" during page submits and redirects by default, the page would blink, the "throbber" icon and status bar would indicate an HTTP request was happening, etc). Furthermore, such schemes were more easily breakable (disablihng cookies, etc).

    Now with AJAX, a coder could write client side script that (for example) enumerates your browser's history and ships it back using the XMLHTTPRequest object. The page does not need to use cookies, install special software like IE "browser helper objects" or need to expose itself through the use of hidden input tags. It's the greatest thing since sliced bread for spyware developers (multi-platform, lightweight, not yet easy to detect). I think javascript is generally better contained than, say, VBS, from a security standpoint, but I still have my concerns.

    Worse yet, there isn't much in the way of user control--a person can disable Javascript entirely but then the whole app breaks. Browsers like Firefox can limit the use of javascript to do popo-up ads, alter toolbars and such, but I see nothing regarding security control of the XMLHTTPRequest object. As far as I can tell, if Javascript is enabled at all, a script can make full use of that object, and it'd be REALLY easy to use it to report my browsing history on a constant basis, without me knowing about it unless I do a lot of sleuthing in source files and cache.

    In any case, I have some questions for "seasoned" AJAX coders (I am well-versed in Javascript but am a neophyte with ful-blown AJAX apps): What do you do to make sure your app is secure from client-side shenanigans (perhaps an AJAX-equivalent to SQL-injection), what can a user do to manage security within your AJAX app, and have you used AJAX techniques for potentially intrusive purposes (sniffing a client's environment in particular)? You can post anonymously if you've had to "do evil" as part of your job if you want ;-)

    (BTW, a competent AJAX developer would at least take measures to disable the back button's functionality, and there are measures that can be taken to handle the back button gracefully. It is mostly a matter of sound design...)

    1. Re:AJAX Privacy and Security? by AKAImBatman · · Score: 2, Informative

      One thing about Javascript is that it is very aware of the client's environment--we can use it to determine screen size, colour depth, browser type, browser history and so forth.

      The browser history is not available for security reasons. Off the top of my head, I don't remember if anything more than the screen resolution can be obtained. Really, you're not getting back anything useful. Just a lot of statistics that the Javascript uses to do its job.

      Until the introduction of the XMLHTTPRequest object, developers were limited in how they could bring this information into the server.

      Hidden IFrames have all the power of XMLHTTPRequest. There is a "click" in Internet Explorer, but all other cues are missing.

      Browsers like Firefox can limit the use of javascript to do popo-up ads, alter toolbars and such, but I see nothing regarding security control of the XMLHTTPRequest object.

      Depends on the browser, but many browsers chose the path provided by Java Applets. i.e. An AJAX application can only ship back data to the server it was downloaded from. That means that the server needs to act as a proxy if it wants to send calls elsewhere on the Internet.

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:AJAX Privacy and Security? by WebCowboy · · Score: 2, Interesting

      The browser history is not available for security reasons. Off the top of my head, I don't remember if anything more than the screen resolution can be obtained.

      I guess you are right about the history. However you can get more than just the resolution via Javascript. For example, you can still access the history in a limited fashion by using Javascript to create invisible tags with various URLs, then checking their "visited" property and using XMLHTTPRequest to send this back to your server. You can also sniff for browser, OS and IP Address, and do so more reliably than with server-side techniques (parsing the HTTP request). For example, you could under some circumstances get the REAL IP address of a machine (vs. the proxy address reported on the server side).

      Hidden IFrames have all the power of XMLHTTPRequest.

      There is a reason they are deprecated (the iframe tag is not valid strict XHTML). I suspect becasue they are very evil--an even worse kludge than XMLHTTPRequest, and the source of some very serious security holes in IE (and even the source of some grief in Firefox). As you mention, in IE even invisible iframes trigger clicks when they submit data in IE, and furthermore iframes can be disabled by the client user independently of Javascript (that is generally standard practice for me with IE anyways).

      AJAX does have an important redeeming feature in comparison to VBscript in that it is contained within a Javascript "sandbox", however the implementation is inconsistent. Remember that in IE AJAX relies on an ActiveX control, and if there is a security bug in that control it can be exploited via AJAX. How the sandbox is defined is also inconsistent...IE actually (at one point at least) exposed information about LOCAL HARD DRIVES to Javascript!

      The concept behind AJAX is very cool, however I am less than impressed by the implementation. A very important component of AJAX--the XMLHTTPRequest object--is NOT A STANDARD IMPLEMENTATION! It is an idea conceived by the Mozilla team and picked up by others as a de-facto standard..and of course, MS had to be all screwy and come up with their own kludgy way of doing things, naming their object differently and implementing a slightly different model just to be difficult. I think the whole thing should be dropped in favour of the ACTUAL standard (DOM Level 3 "Load and Save" -- a standard released by the W3C nearly two years ago). The W3C standard might look a bit more cumbersome (hey, it fits in with the rest of Javascript and the DOM then) but at least there'd be consistency and some method to the madness.

  25. Re:AJAX? by pete6677 · · Score: 2, Funny

    It's that stuff you clean your bathtub with.