A Few Ajax Gotchas At Jalecode

Andrew Sutherland offers a few Ajax Gotchas/Tips. I’ll add some comments.

  • Escape content with encodeURIComponent(), which is superior to escape().

  • XMLHttpRequest’s readyState tells you how far the request has progressed. MM: If you’re confused about readyState’s transition from 0 to 4, you have good reason to be. Read the recent posting and comments on David Flanagan’s blog, and you’ll learn that 2 and 3 are ambiguous to the point of being unusable. Essentially, you want to wait for either 4 or a timeout, and probably ignore everything else.

  • “Permission Denied” for XMLHttpRequest is usually due to trying to call another domain. MM: The standard security policy is that requests can only be sent to the originating server, just like the traditional policy for Java applets. To get to another domain, you can set up a Cross-Domain Mediator. This security issue has become interesting with the growing popularity of Single Page Applications (SPA). What can an HTML page sitting on your hard drive access? All domains or no domains? It would certainly be convenient if it could access the web at large. I don’t think it can access any domains on standard browsers, but it’s still possible if the user wants it to happen. Here’s what Steve Yen (TrimPath) says on this issue: “I’m shooting for now to have explicitly user-driven synchronization working, which my experiments lead me to believe is workable.”

  • MM: Finally, I’ll add another gotcha-inspired tip to Andrew’s collection: Set content type to XML (in the case where you want to treat the response as XML), e.g. in PHP, header("Content-Type: text/xml");.
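The first tip, as an added example (not code from Andrew's post or from this blog): it builds the same query string with no encoding, with escape() and with encodeURIComponent(), then decodes it the way a form-decoding server would and reports which values arrive changed. The sample values and the helper names `buildQuery`, `serverView` and `roundTrip` are constructed for illustration, and `URLSearchParams` stands in for the server's decoder.

```javascript
// Constructed sample values: each holds a character the encoders treat differently.
const samples = {
  plus: "1+1=2",        // escape() leaves "+" alone; form decoding turns it into a space
  euro: "price: 20€",   // escape() emits the non-standard %u20AC
  accent: "café",       // escape() emits the Latin-1 byte %E9, which is not valid UTF-8
  amp: "a&admin=true",  // unencoded "&" and "=" would start a new parameter
};

// Join key/value pairs into a query string using the supplied encoder.
function buildQuery(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => encode(k) + "=" + encode(v))
    .join("&");
}

// What a server doing application/x-www-form-urlencoded decoding would see.
function serverView(query) {
  const out = {};
  for (const [k, v] of new URLSearchParams(query)) out[k] = v;
  return out;
}

// Send the params through encode -> decode and list the keys whose value changed.
function roundTrip(params, encode) {
  const received = serverView(buildQuery(params, encode));
  const damaged = Object.keys(params).filter((k) => received[k] !== params[k]);
  return { received, damaged };
}

const encoders = { none: String, escape: escape, encodeURIComponent: encodeURIComponent };
for (const [name, encode] of Object.entries(encoders)) {
  const { received, damaged } = roundTrip(samples, encode);
  console.log(name.padEnd(20), "damaged:", damaged.join(",") || "(none)",
    "| extra admin param:", "admin" in received);
}
```

Only encodeURIComponent() delivers all four values unchanged; with no encoding at all, the `amp` value is split and the server sees a separate `admin` parameter.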

0 thoughts on A Few Ajax Gotchas At Jalecode

  1. Re: Permission denied For development purposes (tweaking a DHTML file locally while allowing it to make requests to the server), I wrote a Greasemonkey script that bypasses the security restriction. You can get it here: [XmlHttpRequest – Bypass Security](http://blog.monstuff.com/archives/000262.html)

  2. Julien, Thanks for the link. Maybe it’s more than for development purposes. If you can allow file://*mySPALocation.html as a GM filter, then maybe it’s a useful way to give a SPA app unlimited access. Progressive enhancement: without GM, the app works fine, but the user has to explicitly add access to any domains. That works fine for a SPA app trying to “phone home”, i.e. go to its home domain. But what about a SPA app that incorporates generic stuff like RSS reading – that could get annoying if you have to keep giving permission. It would be convenient to have a GM script that says the page is trusted and has unlimited access.
