According to the same-origin policy, these two pages are of the same origin. They share the same host
(www.site.com), use the same protocol (HTTP), and are accessed on the same port (none is specified;
therefore, they both use 80). Since they are of the same origin, JavaScript on one page can access the
other page.
Now consider the next two pages:
Page 1 is located at
http://www.site.com/folder/mypage1.htm
Page 2 is located at
https://www.site.com/folder/mypage2.htm
These two pages are not of the same origin. The host is the same. However, their protocols and ports
are different. Page 1 uses HTTP (port 80) while Page 2 uses HTTPS (port 443). This difference, while
slight, is enough to give the two pages two separate origins. Therefore, JavaScript on one of these pages
cannot access the other page.
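The comparison described above, written out as an added example (not code from the original text): each URL is reduced to its scheme, host, and port, with an omitted port filled in from the scheme's default, and the function reports which components differ. The helper names `originOf`, `originDiff`, and `sameOrigin` are hypothetical, and every URL other than the two pages above is constructed for illustration.

```javascript
// Added example: origin comparison under the same-origin policy.
// Default ports named in the text: HTTP -> 80, HTTPS -> 443.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple (scheme, host, port).
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname.toLowerCase(),
    // URL.port is "" when the port is omitted or equals the scheme default,
    // so an unspecified port and an explicit :80 on HTTP compare as equal.
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// List the origin components that differ; an empty list means same origin.
// The path plays no part in the comparison.
function originDiff(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return ["scheme", "host", "port"].filter((k) => oa[k] !== ob[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// The two pages from the text.
const page1 = "http://www.site.com/folder/mypage1.htm";
const page2 = "https://www.site.com/folder/mypage2.htm";

// HTTP vs HTTPS changes both the scheme and the implied port.
console.log(originDiff(page1, page2));
// Constructed URLs: explicit default port and a different path, same origin.
console.log(sameOrigin(page1, "http://www.site.com:80/other/page.htm"));
// Constructed URL: a different host name is a different origin.
console.log(sameOrigin(page1, "http://site.com/folder/mypage1.htm"));
```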
So what does this have to do with Ajax? Everything, because a large part of Ajax is JavaScript. For example,
because of this policy, an XMLHttpRequest object cannot retrieve any file or document from a different
origin. You can easily overcome this hurdle by using the server in the page's origin as a proxy to retrieve
data from servers of a different origin. This policy also affects the hidden frame/iframe technique.
JavaScript cannot interact with two pages of different origins, even if they are in the same frameset.
ActiveX
One of the downsides of XMLHttpRequest lies in ActiveX and affects only Internet Explorer on Windows;
however, IE currently has the highest market share of all browsers, and it seems that isn't going to
change anytime soon. Over the past few years, more security concerns have been raised with ActiveX,
especially since many adware and spyware companies have used the technology to install their wares
onto trusting users' computers.
Because of this rise in the awareness of security concerns, Microsoft (and users) are taking steps to make
the browser more secure from hijacking attempts by restricting access to ActiveX plug-ins and objects.
If a user turns off ActiveX completely, or your site is flagged for a certain security zone, ActiveX objects
cannot be created, rendering your XMLHttpRequest-based Ajax applications dead in the water.
Usability Concerns
Ajax breaks the mold of traditional web applications and pages. It enables developers to build applications
that behave in a more conventional, non-“webbish” way. This, however, is also a drawback, as the
Internet has been around for many, many years, and users are accustomed to traditional web pages.
Therefore, it is up to developers to ensure that the user can use their web pages, and use them as they
expect to, without causing frustration.
The Browser's Back Button
One of the advantages of XMLHttpRequest is its ease of use. You simply create the object, send the
request, and await the server's response. Unfortunately, this object does have a downside: most browsers
do not log a history of requests made with the object. Therefore, XMLHttpRequest essentially breaks