AJAX Extended – Read Me
- January 25th, 2007
What is AJAXExtended?
AJAXExtended is a JS/server library that makes cross-domain AJAX requests possible. It does not use any proprietary methods or security holes; it relies on a server-side proxy to fetch data from any third-party server.
Although a server proxy might seem an obvious and way-too-simple solution, it is more complicated than it seems. To emulate a cross-domain XMLHttpRequest, a server proxy should support HTTP headers (including cookies), HTTP authentication, data re-encoding and more. AJAXExtended does it all.
The JavaScript part of AJAXExtended has the same properties, methods and events as the native browser implementation. You don’t have to rewrite your code; just plug in AJAXExtended and you’re in business.
Key features
- Cross-domain AJAX requests
- HTTP headers support (yes, you can manipulate cookies)
- Works in 99%+ of browsers (no matter what security restrictions apply)
- Native syntax
How does this work?
AJAX Extended loads the data via dynamic SCRIPT tags. It doesn’t use the standard XMLHTTP objects (i.e. ActiveX and XMLHttpRequest) or IFRAMEs, because these have lots of drawbacks. Just to name a few:
- Microsoft.XMLHTTP relies on ActiveX, which makes it virtually impossible to use XMLHTTP in a strict security environment.
- Both XMLHttpRequest (Mozilla, Firefox, Safari) and Microsoft.XMLHTTP impose strict cross-domain restrictions that cannot be overridden in a cross-browser way.
- IFRAME used to be the only solution for Opera users (and still is for older versions). It consumes lots of memory (since technically every IFRAME is a new browser window), so it is quite slow, and it breaks the browser history.
AJAXExtended is free of all these drawbacks since it relies on a very simple technology: creating dynamic SCRIPT tags. No cross-domain or other security restrictions and no usability problems (breaking browser history). It works in all modern browsers: IE5+, Mozilla, Firefox, Opera, Safari (except a buggy 2.0 version, 2.0.2 is ok).
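How a response can travel through a dynamic SCRIPT tag and still reach the page as a plain string rather than as running code, shown as an added example that is not AJAXExtended's own code. The `__xhrCallbacks` table, the numeric request id, the `proxyUrl` parameter and the wire format are assumptions made for illustration.

```javascript
// Added example; __xhrCallbacks, the request id and the wire format are
// assumptions, not AJAXExtended's actual protocol.

// Proxy side: turn a fetched third-party body into the script the browser loads.
function encodeScriptResponse(requestId, status, body) {
  // The id is echoed into executable text, so accept digits only.
  if (!/^[0-9]+$/.test(String(requestId))) {
    throw new Error("request id must be numeric");
  }
  const literal = JSON.stringify({ status: status, responseText: String(body) })
    // Keeps "</script>" and "<!--" inert if the payload is ever inlined in HTML.
    .replace(/</g, "\\u003c")
    // Raw U+2028/U+2029 end a string literal in pre-ES2019 engines.
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "__xhrCallbacks[" + requestId + "](" + literal + ");";
}

let nextRequestId = 1;

// Browser side: inject the SCRIPT tag and hand the decoded result to onDone.
// doc is the page's document; proxyUrl is a hypothetical proxy endpoint.
function requestViaScriptTag(doc, callbacks, proxyUrl, targetUrl, onDone) {
  const id = nextRequestId++;
  const script = doc.createElement("script");
  callbacks[id] = function (res) {
    delete callbacks[id];                  // each callback fires once
    script.parentNode.removeChild(script); // one tag per request
    onDone(res);
  };
  script.src = proxyUrl + "?id=" + id + "&url=" + encodeURIComponent(targetUrl);
  doc.getElementsByTagName("head")[0].appendChild(script);
  return id;
}

// Stand-in for the browser executing the loaded script, for offline runs.
function runAsScript(scriptText, callbacks) {
  new Function("__xhrCallbacks", scriptText)(callbacks);
}

// Constructed sample: a body that tries to break out of the string literal.
const SAMPLE_BODY = '"); globalThis.ran = true; ("</script>\u2028';
```

Because the body is embedded only as an escaped string literal, the page's callback receives `SAMPLE_BODY` unchanged in `responseText` and nothing inside it runs.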
Security
Too many people speculate on the issue of AJAX cross-domain requests. However, there are no security implications whatsoever: no possibility of attacks, no personal data theft. No nothing. Most of the people who consider cross-domain requests (through JS) a vulnerability just don’t get the idea.
Below you will find some short key points. For an in-depth overview of the underlying security issues, please take a look at this article: AJAX greatest security myth busted.
- Third-party website ruining your website
  - The data you get from a third-party website is not executed. This means that any malicious script that might be received from a third-party website won’t ever run, unless you explicitly order it to.
- Stealing personal information
  - You can’t steal a user’s personal information that belongs to a third-party website (cookies, that is). The user’s browser connects to the server proxy (not the third-party website), so it never sends out any cookies belonging to the third-party website. Cookies are safe. Absolutely.
- Stealing secret information (from the intranet)
  - One thing to remember: the data is received via the server backend. The server has the same visibility scope as any other computer on the net, so it can’t get any data from the intranet or any other closed part of the net that the user has access to.
- Stealing not-so-secret information
  - Some people argue that by using cross-domain requests you may steal content from a third-party website. But AJAX has absolutely nothing to do with it. One can just as easily copy and paste the content from any source to one’s own website. It’s a matter of ethics, not technology.
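The visibility argument in the intranet point holds as long as the proxy is never pointed at an address inside its own network. A destination check that enforces this before the proxy fetches anything, as an added example that is not part of AJAXExtended; `mayProxy`, the injected `resolve` function and the sample DNS table are assumptions.

```javascript
// Added example; mayProxy, resolve and SAMPLE_DNS are assumptions, not AJAXExtended code.

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if it is not one.
function ipv4ToInt(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some(function (n) { return n > 255; })) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Ranges a public-facing proxy has no reason to fetch from: [network, prefix].
const NON_PUBLIC_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3]
];

function isPublicV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false; // IPv6 and anything unparsable is refused
  return !NON_PUBLIC_V4.some(function (range) {
    const mask = (~0 << (32 - range[1])) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(range[0]) & mask) >>> 0);
  });
}

// resolve(hostname) returns an array of IP strings; it is injected so the
// check runs offline here and so the proxy can connect to the vetted address.
function mayProxy(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // The URL parser has already normalised forms like http://2130706433/.
  const host = url.hostname;
  const addresses = ipv4ToInt(host) !== null ? [host] : resolve(host);
  // Every address must be public: one internal record is enough to refuse.
  return addresses.length > 0 && addresses.every(function (a) { return isPublicV4(a); });
}

// Constructed sample data standing in for DNS answers.
const SAMPLE_DNS = new Map([
  ["example.com", ["93.184.216.34"]],
  ["wiki.corp.example", ["10.1.2.3"]],
  ["mixed.example", ["93.184.216.34", "192.168.0.5"]]
]);
function sampleResolve(host) { return SAMPLE_DNS.get(host) || []; }
```

A deployed proxy should connect to the exact address that passed this check and run the check again on every redirect, since a second DNS lookup or a 3xx response can change the destination after validation.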
Interface
The JavaScript class contains all the same properties, events, and methods as the original XMLHttpRequest objects (except browser-specific methods and properties). You don’t have to rewrite your code. All you have to do is include the supplied JavaScript file.
Example
Instead of doing this (in Internet Explorer):
xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
or this (in Firefox):
xmlhttp = new XMLHttpRequest();
with AJAXExtended you can do it like this (in any browser):
xmlhttp = new XMLHTTP();
Just don’t forget to include the supplied javascript file:
Methods, properties and events
- method abort ()
- method addEventListener (type, listener, useCapture): not implemented
- method dispatchEvent (event): not implemented
- method getAllResponseHeaders ()
- method getResponseHeader (name)
- method open (method, url, [async, [username, [password]]])
- method openRequest (method, url, [async, [username, [password]]])
- method overrideMimeType (mimetype)
- method removeEventListener (type, listener, useCapture): not implemented
- method send ([data])
- method setRequestHeader (name, value)
- property status
- property statusText
- property responseText
- property responseBody: not implemented
- property responseStream: not implemented
- property responseXML: supported in previous version
- property readyState
- event onreadystatechange
- event onerror
- event onload
- event onprogress: not implemented















