whatwg / xhr Goto Github PK

The XHR spec defers HTTP header handling to the Fetch spec, and the header names are byte-lowercased in Fetch spec.
https://xhr.spec.whatwg.org/#the-setrequestheader()-method
https://fetch.spec.whatwg.org/#terminology-headers

However, all major browers don't normalize them at this point. I think this is due to compatibility issue around legacy servers that may handle the header names in case-sensitive manner.
OTOH, I found it's beneficial for Chrome in terms of cleaner code and better performance to normalize all request / response header names to lowercase.

So, I want to confirm that the XHR is expected to use lowercase header names. Or is that actually expected to pass through the overridden request headers as-is?

At this point only Gecko actually throws an exception, and a site broke:
https://bugzilla.mozilla.org/show_bug.cgi?id=1260515

Since the restriction is in a sense artificial and is unlikely to make much of an impact on overall sync XHR usage, dropping it seems OK.

What does this mean?

Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience.

JSON body parsing algorithm states that trying to parse a response which is an invalid JSON (thus, making JSON.parse throw an exception) will result in setting null to the response property. But according to ECMA-404 (but not to RFC 4627), null is a valid JSON. So there is no way to distinct a valid response containing null and an invalid JSON.

This can be done after whatwg/html#727 lands.

We seem to have a fully active check in open() but not send(). That doesn't make much sense to me...

The setup in HTML changed and as @Ms2ger pointed out the first step of open() now no longer makes sense.

I think that workers do not run if they're not in the active document so maybe we don't need that step to apply to workers at all...

Workers shouldn't have access to Document objects, and WPT even tests for this in workers/semantics/xhr/001.html, however the spec doesn't seem to say anything about response (where responseType=="document") and responseXML when being evaluated from a worker context.

Perhaps we should be early-returning null in both cases?

Currently building XMLHttpRequest fails because Fetch changed a few things around due to Streams integration.

@yutakahirano you were going to fix that, right?

https://xhr.spec.whatwg.org/#sync-warning

I just had Google Chrome block my ajaxObj.open('POST','StdGradReSet.aspx',false); because it was synchronous and would "disrupt the user experience". I have built an online web application program that depends on this action being synchronous as it is a modal state required to prevent data corruption in the program. If the server is being a bit slow, that is expected in this case and is not a problem. What is a disruption of the "user experience" is blocking the call and preventing the operation from taking place even if it is "slow" by a second or two. I understand this problem in some web site cases uses, but that does not apply in a full application program where modal action is required. If the server is slow in responding that is a server management issue, not a browser enforcement problem. At this point in time, the ajax object .open command does not have a timeout option in it that can be set and handled within the command itself, or any way to set the modal action on intent. Please provide an alternative option in the command to explicitly determine modal action and not block it. Band-aiding this by forcing asynchronous processing and use of the .onreadystatechange event only causes data corruption problems for data processing applications.

Bob Curtice
Web Software Developer

This better matches ES's Map and Set types.

https://xhr.spec.whatwg.org/#goog-gt-tt

https://xhr.spec.whatwg.org/#interface-formdata

The append(name, value, filename) method, when invoked, must run these steps:​

See discussion in jsdom/jsdom#1533

Given this code:

var formData = new FormData();
var file = new Blob([
   JSON.stringify({})
], { type: 'application/json' });
formData.append('somename', file);
formData.entries().next().value

My reading is that per the spec this should append a new entry whose name is "somename" and whose value is a Blob to the form data. Then, entries().next().value should return the Blob right back.

However, apparently in Chrome and Firefox it does not do that. Instead it converts it to a File (not a Blob) with, at least in Chrome, name "blob".

In Fetch we changed this in whatwg/fetch#189 per a suggestion from @youennf. We should probably change it here too.

https://xhr.spec.whatwg.org/#sync-warning

Synchronous XMLHttpRequest outside of workers is in the process of being removed from the web platform as it has detrimental effects to the end user's experience. (This is a long process that takes many years.) Developers must not pass false for the async argument when the JavaScript global environment is a document environment. User agents are strongly encouraged to warn about such usage in developer tools and may experiment with throwing an InvalidAccessError exception when it occurs.

There are some Blink use counters for sync XHR:
https://www.chromestatus.com/metrics/feature/timeline/popularity/465 (measure only)
https://www.chromestatus.com/metrics/feature/timeline/popularity/472 (deprecated)
https://www.chromestatus.com/metrics/feature/timeline/popularity/581 (deprecated)
https://www.chromestatus.com/metrics/feature/timeline/popularity/677 (async for comparison)

This does not look at all promising. There's a slight downwards trend, but starting from >2% it's hard to see it dropping to the point where removal is possible.

In most cases, I agree that synchronous requests should be avoided. I fully understand why they should be avoided. I strongly disagree with the decision to deprecate them. We are talking about programmers and tools here, not children and knives.

In some cases, synchronous requests are a life saver: Let's say I have a 3rd party component, like jQueryUI datepicker, and there is a user-override-able callback for a feature of the control (like getting the current time). In this case, we'll get the time from the server with an ajax request (since we can't assume the clock on the client side is correct).

If that request has to be asynchronous, how do I keep the rest of the 3rd party code from merrily chugging away before I get the date back from the server? Continuations aren't much help here (unless I want to wrap the remainder of each callback-calling function in the 3rd party library as a function passed to a continuation).

This option was considered some time ago:
https://www.w3.org/TR/2008/WD-XMLHttpRequest-20080415/#notcovered

This would be extremely useful to avoid losing response code and headers returned by the original resource.

Best, A.

https://xhr.spec.whatwg.org/#dom-xmlhttprequest-getallresponseheaders

https://xhr.spec.whatwg.org/#acknowledgments

The usages here are much simpler than those in HTML, it seems. You can e.g. replace

If the JavaScript global environment is a document environment

with

If the entry settings object's global object is a Window

and

If the JavaScript global environment is a worker environment

with

If the entry settings object's global object is not a Window

Hmm, I guess HTML can do that too, brb... It's much easier once you realize that it's not possible to access a worker-version of the constructor from a window, and vice-versa.

https://xhr.spec.whatwg.org/#interface-formdata

For the purposes of interaction with other algorithms, an entry's type is "string" if its value is a string and "file" otherwise. If an entry's type is "file", its filename is "blob" if value is not a File object, and otherwise its filename is the value of entry's value's name attribute.

I don't see any good reason to force 'blob' as filename here: a File can have an empty name, and a HTMLInputElement type=file, if not set, contains a blob without name. This makes an inconsistent behavior between a form submission and FormData.

hgfh

https://xhr.spec.whatwg.org/#dom-xmlhttprequest-send, step 5, mentions that the request destination should be "subresource".

However, "subresource" doesn't exist in https://fetch.spec.whatwg.org/#concept-request-destination.

When a new ArrayBuffer object is created this can throw a RangeError. We need to decide how to deal with that.

Gecko throws the exception from the response getter as long as allocation keeps failing. But it might be simpler to return null. That means developers won't have to expect exceptions from using a simple getter and don't have to write complicated code to keep trying to get an ArrayBuffer allocated in a loop.

https://xhr.spec.whatwg.org/#sync-warning

Synchronous XMLHttpRequest outside of workers is in the process of being removed from the web platform as it has detrimental effects to the end user's experience.

Despite there being many, many cases in which synchronous results are preferred and would not be detrimental to the user's experience, clearly, this nonsense is happening anyway. So... why not put a link to a page offering alternative solutions to how to use Async XHR in a manner that satisfies the common needs of what Sync XHR would be used for. Rather than just saying "don't do that", you should say "do this instead". Don't take things away without offering replacements.

https://xhr.spec.whatwg.org/#firing-events-using-the-progressevent-interface

fire an progress event named e ==> fire a progress event named e

I would like to be able to remove any headers from the XHR request when sending to the same origin.

See: https://bugs.webkit.org/show_bug.cgi?id=160432

It's not clear to me which algorithm from the XML spec that step 4 of the text response is referring to. Is it this or something else?

https://xhr.spec.whatwg.org/#interface-formdata

If value is a Blob object and not a File object, then set value to a new File object, representing the same bytes, whose name attribute value is "blob".

It's not clear what other properties are copied over. Per http://w3c-test.org/XMLHttpRequest/formdata-blob.htm, at the very least type is copied over. What about isClosed? What is lastModified set to?

https://xhr.spec.whatwg.org/#toc

I noticed a discrepancy between the spec IDL and Blink, that comes down to this bug:
https://code.google.com/p/chromium/issues/detail?id=395931

If this makes sense, I suggest replacing Exposed=(Window,Worker) with Exposed=(Window,DedicatedWorker,SharedWorker) in the spec too.

CC @coonsta and @jakearchibald

"open() method" step 9:

If parsedURL's relative flag is set, run these substeps:

Seems this definition is gone from the URL spec, there's a "not relative flag" instead.

@annevk ?

It is hard to investigate status 0 errors, since they are missing a statusText value. A message would be very helpful, since it can have multiple reasons. (proxy, firewalls, broken cors, empty response...)

This is basically whatwg/fetch#361 for XMLHttpRequest.

Step 10 in handle response end of file isn't implemented by any web browser and the extra progress event seems somewhat superfluous since several other events can tell you when the request is done. I suggest removing step 10 to align the spec with current implementations.

https://fetch.spec.whatwg.org/#concept-request-url
https://fetch.spec.whatwg.org/#concept-request-current-url

Can it be understood as url being the first URL that is added into the url list, while the current url is the URL that is most recently added into url list?

https://xhr.spec.whatwg.org/#sync-warning

Synchronous XMLHttpRequest outside of workers is in the process of being removed from the web platform as it has detrimental effects to the end user's experience. (This is a long process that takes many years.) Developers must not pass false for the async argument when entry settings object's global object is a Window object. User agents are strongly encouraged to warn about such usage in developer tools and may experiment with throwing an InvalidAccessError exception when it occurs.

This statement/deprecation is related to the way browsers do handle the (a)sync behavior.
Whether it has (or not) any "detrimental effects to the end user's experience" is subjective and should not be a valid argument.

Synchronous means it should not proceed to the next javascript statement until the request is complete, none said that browsers should freeze the UI by launching the request in the main thread...

Think about the "alert()" or "confirm()" in javascript. Those are synchronous because they block the execution of the script but it does not have "freeze" effects and does not have such "detrimental effects to the end user's experience" (subjective again).

So the specification should not be backing off the synchronous capability because browsers do implement it the wrong way.

The abort() method, as in the spec:

1. Terminate the request.
2. If state is either opened with the send() flag set, headers received, or loading, run the request error steps for event abort.
3. If state is done, set state to unsent.

Consider this:

var xhr = new XMLHttpRequest(); // UNSENT
xhr.open('GET', '');            // OPENED with send() flag unset
xhr.abort();                    // UNSENT

Following the spec, nothing should happen in steps 2 and 3, leaving the state OPENED. This breaks web-platform-tests/abort-during-open, which expects UNSENT.

From what I've seen, abort() was last changed in the scope of #54.

At this point I have no good suggestion on how to reformulate it to pass web-platform-tests/abort-during-open and web-platform-tests/open-during-abort, as both get to step 3 with "OPENED with send() flag unset", but the final status is expected to be different.

See whatwg/html#1667 for context. Idea was inspired by a suggestion from @rianby64.

Difficulties: blobs/files (have name, value, filename); multiple keys (use array for values?).

Nobody cares about MIME type validation but me: https://bugzilla.mozilla.org/show_bug.cgi?id=918731.

Note that we cannot just ignore invalid MIME types. Should either have some kind of failure value or store the MIME type as a string until we need to inspect it.

Ref https://github.com/w3c/web-platform-tests/blob/master/FileAPI/blob/Blob-XHR-revoke.html

    var blob = new Blob(["test"]);
    var url = URL.createObjectURL(blob);
    var xhr = new XMLHttpRequest();
    xhr.open("GET", url);

    URL.revokeObjectURL(url);
    xhr.onload = function() {console.log(xhr.response)}
    xhr.send();

Firefox has interesting behavior when it comes to revoked blob URIs.

If, for example, you call xhr.open() on a nonrevoked blob URI, that URI can be fetched via XHR even after it is revoked. Newer fetches (via XHR or otherwise) cannot access it, however, only fetches opened before the revocation.

Additionally, calling xhr.open() on a revoked URI will error. I'm not so fond of this behavior myself, I don't think open() should be erroring on valid but nonexistant URIs since that can be unexpected behavior -- it should instead wait for the send() and error then.

We should discuss getting some or all of this behavior into the spec, or removing it if not desired.

cc @izgzhen @Baku @annevk

https://xhr.spec.whatwg.org/#the-send()-method

Release the storage mutex.

I believe the storage mutex has been made obsolete in the HTML specification. If so, this should be removed.

https://xhr.spec.whatwg.org/#the-response-attribute

Returns the response's body.

Currently, the spec does not state anything about case-sensitivity with respect to response header names. In the W3C version of the spec (http://www.w3.org/TR/XMLHttpRequest/#the-getresponseheader()-method) it is stated that a header is a case-insensitive match for a response header.

To me it makes more sense to ignore the case in matching response headers.

Created in response to whatwg/fetch#91 (comment).

As @yutakahirano reported in whatwg/fetch#91 (comment), Chrome (only GET/HEAD) and Firefox (also for POSTs) are not sending the Origin header for same origin requests. The background for Chrome (WebKit) is a little complicated (see whatwg/fetch#91 (comment)).

As it's been so for long time, we could make XHR an exception (i.e. no Origin for same origin requests).

...so spec has got some backwards incompatible change at some point?

Hello

My checkout page won't continue because i have the following error :

Any idea?

Consider this testcase:

var xhr = new XMLHttpRequest();
xhr.open("GET", "data:text/plain,");
console.log(xhr.readyState);
xhr.send();
xhr.onreadystatechange = function() {
  xhr.onreadystatechange = null;
  xhr.open("GET", "data:text/plain,hello");
  xhr.onload = function() { alert(xhr.responseText); }
  xhr.send();
}
xhr.abort();
console.log(xhr.readyState);

per the letter of the current spec, this should log 1 then 0. And it should alert "hello". This is the behavior I see in Blink and WebKit. However, this means that after the abort() call the readyState is 0 but there is a load in progress. That's the busted part.

Gecko has a guard in abort() step 3 and only reset the state to "unsent" if it's still "done" after the request error steps and all their events have terminated. This leaves state as a correct reflection of the actual state of the object.

Context: https://bugzilla.mozilla.org/show_bug.cgi?id=1162658

I would propose this IDL:

void append(USVString name, Blob value, optional USVString filename);
void append(USVString name, USVString value);

(This is what Blink does.)