25 March, 2008

AJAST - Cross-domain REST calls using JSON injection

The typical (and original AJAX) approach to calling web services asynchronously from a browser uses the `XMLHTTPRequest` object to request data asynchronously. However, as most of you probably already know, requests made using this object are restricted to the same domain as the script they originate from. This means that in order to request data from services like Google Maps, Flickr, etc. you need to implement a server-side proxy on your domain to use the `XMLHTTPRequest` object. But what if you want to stay on the client side? Enter JSON injection.

JSON injection, or actually script tag injection, is a rather common technique that circumvents the `XMLHTTPRequest` limitation by dynamically injecting script tags into the calling page. A script tag can have any domain as its source, which means that cross-domain calls are possible. The technique is also referred to as JSON callbacks, although it really is not limited to JSON payloads. The technique is also referred to as JSONP, although [the original JSONP](http://ajaxian.com/archives/jsonp-json-with-padding) is a bit more extensive than just callbacks using script injection.

It really is a neat technique without a cool term. JSONP is a term for a superset of JSON injection. A more precise term than JSON injection would be Javascript injection, but that's already used to describe vulnerabilities in web pages where malicious Javascript code is injected through e.g. links from external sites. I hereby propose the term AJAST - Asynchronous Javascript And Script Tags. At least it'll be the name of my implementation. If it doesn't catch on for anything but that, we'll even be a bit more confused than we already are. Now, what do we require to do AJAST?

AJAST requirements

The requirements an AJAST request lays on the server-side are the following:
  1. The server must provide its services through HTTP GET requests.
  2. The client must be able to supply the name of a callback function that the response will be wrapped in.
  3. The server is expected to provide a response on the form callback(payload), where callback is the name of the callback function supplied by the client, and payload is the payload returned by the server. The payload can be XML, JSON, or any other form of data that the Javascript callback function can accept as a single argument.

These requirements are already fulfilled by many REST services, but they are still hard to use in an AJAST fashion due to client side challenges. The two main requirements for an AJAST library are:
  1. Complete handling of requests. Nothing more than a URL and a callback should be needed to create a request.
  2. Timeouts is a show stopper for AJAST. With script injection, it is difficult to know if a call completes, and from an AJAST usage perspective it is essentially impossible to create a decent solution without knowing if requests complete or not.

Security is another obvious challenge, although in my view it is a challenge for the Internet in general rather than AJAST in particular. Developers creating cross-domain applications should be aware of the security risks involved, and take measures to prevent security breaches accordingly. There is no silver bullet.

Although several examples for implementing an AJAST request are found around the web, I found no fully functional stand-alone implementations. Dan Theurer's article on script requests provides code that can be used to create an implementation, but leaves the timeout problem unsolved. Toolkits such as Dojo also implement variations on the approach using IFrame requests, but they are a lot more hairy, and I really don't want a framework (or parts of it) bloating the web site I am creating just to be able to do AJAST. I want a library that can perform just the task that I want it to perform, and perform it well.

An AJAST library

So, I decided to create my own AJAST library, OX.AJAST, complete with the following features:
  • A fully encapsulated mechanism for making AJAST calls. You simply supply a URL, the name of the callback parameter that will be appended to the URL, and a callback function.
  • Support for timeouts. Remote requests can of course time out, and time outs need to be handled. Apart from the obvious security challenges involved with using AJAST (note that I'm not saying they're defects, they're challenges for us developers to handle) , this is the hardest challenge for AJAST requests. Without the ability of specifying timeouts, we're essentially in the dark with regards to whether or not a request will complete. OX.AJAST neatly supports timeouts by wrapping the supplied callbacks, putting on a timer, and checking for completion when the timer times out.
  • Guarantee that the callback function will be called. Whatever happens, and as a direct consequence of the timeout support, the library guarantees that the callback function will be called. For this reason, the callback function must accept two arguments, the first a boolean indicating if the request succeeded or not, the other a string containing the response from the call. If the first argument is false, the call may have timed out or failed.
Here it is in all its glory:

Using the AJAST call function

There are two ways of using OX.AJAST. The simplest is to use the call function.

The call function will execute the request by appending &callback=wrapper to the URL and injecting a <script> tag with the final URL as the src attribute. This will add a call to the DOM as soon as the data is received, which the browser will execute.

The function called from the injected script tag is a wrapper around the callCompleted function provided to the call function. The wrapper function is created by the call function, and handles timeouts and deletion of the script tag after the callCompleted function completes. As mentioned, by using this wrapper, the AJAST library can guarantee that callCompleted will be called, which significantly eases the handling of asynchronous calls for users of the library.

The function also allows you to specify how long the request will wait for a response before it times out. The default timeout is 5 seconds. Finally, you can pass an argument specifying if you want the response to be automatically decoded from JSON before it is passed to your callback function.

As stated above, all callback functions must be on the form callbackfunction(success, data){}, where success indicates whether or not the asynchronous call succeeded, and data is any data that was received from the call. It is also important to note that data may be undefined, but success will always be true or false.

Using the AJAST broker

The AJAST broker encapsulates a common pattern for REST requests using HTTP GET. Many RESTful services found online typically use some kind of root URL of the form http://xampl.com/rest as the base URL for all their REST services. The query string determines which service is requested, as well as the arguments for the service.

For the services that follow this pattern, the AJAST library provides a Broker class that encapsulates the process of calling the REST services.

The example below shows how the request from the first example can be made using the broker.

The broker also supports the specification of a timeout limit, automated JSON decoding, and also provides the option of passing a set of default arguments that will be passed with every request, such as a Flickr API key.
Now let's do something useful with it.

A real example: Flickr using AJAST

To keep the example as simple as possible, we'll create the functions necessary for a page which fetches the most recent photos from Flickr.

Luckily, Flickr supports REST and JSON callbacks in a lovely manner, so we'll use the broker for our calls.

We've told the broker to call a function named recentFetched`when the recent photos have been fetched, so let's implement that as well. To keep the example simple, we'll just append the photos to the body of the document.
Now we just have to call flickrGetRecent from somewhere in a document, and the most recent photos will be appended to the document.

As you can see, the OX.AJAST library is really easy to use, and enables you to do pure client-side REST service calls across domain boundaries with hardly any effort. I hope you find it useful. Drop a comment if you have problems or suggestions, or if you create improvements to it. Now start using AJAST!


  1. This looks very interesting.
    Do you have a working example?

  2. The article has been updated to include a working, real-life example. Hope it helps you!

  3. I don't seem to be able to getting this to work and I think I may have found a bug in your code:

    Shouldn't this line:

    s.setAttribute('id', 'oxajastcall' + OX.AJAST.Broker.callid++);

    be like this instead?!

    s.setAttribute('id', 'oxajastcall' + OX.AJAST.callid++);

  4. I got it to work Havard, I had a silly bug. It's working perfectly now, thanks.

  5. is there any way to make script injection asynchronous ...
    ie if i call 2 different urls using OX.AJAST.call then the callback function for second request waits for first request to get completed and executed...
    i want second callback function to be fired first in this case...
    or whichever(response) comes first

  6. bawa: This is how AJAST works. The callback of whichever request is completed first gets executed first. There is, however, a limitation in Firefox browsers that blocks execution of the next injected tag until the previous tag completes execution. This can be fixed by adding a timeout around the callback. AJAST does not currently do this. I'll see if I can get it fixed soon. :)

  7. Can AJAST be used for periodic refresh of a div, similar to prototype's Ajax.PeriodicalUpdater?

  8. Hi Havard,

    Thanks for your help. I am indeed running into the second injected tag issue with Firefox and was wondering how I can add a timeout and where to accomplish this in the certain cases I want to make back to back calls.

    Thanks again, great stuff here.

  9. its a good read.. but somehow the library didnt work

    error INVALID LABEL in FF 3.5........didnt work for me!

    im realy stuck between these two cross domains..

  10. AJAST works just fine in FF 3.5.5 (tested on my Mac).

    If anyone else experience problems, please let me know.

  11. Zohar: Thanks for the input, will fix and put up a revision soon (sorry for not providing a patched version on the site yet).

  12. Ali: This is weird. I suspect your issue is something else. Javascript always runs in a single thread (although the XHRs themselves are run asynchronously), so synchronization is not an issue.

  13. Great little code.
    Is it possible to change the request headers before the call? I'd like to prevent caching. I was thinking to use cache-control no-cache as request header. Please help me how to inject that.


  14. Hi. Nice code. But its raising to me: callback is not defined. I'm using OX.AJAST.call(url, 'callback', f1, 1000, false); and my url give me callback('data');
    I need some help.

  15. Thanks for sharing this. Works pretty fine for me. Also thanks to the people who already sent bugfixes.

  16. is there anyway to also use basic authentication with these commands?