XMLHTTP Request (XHR) is a browser level API which enables clients to script data transfers in a scripting language such as Java script. This is the technology behind the AJAX as well. Previously to send the status of a page we have to refresh it every time. But with this new technology even without refreshing the page we can fetch data dynamically.
- Browser automatically takes care of all the low level connection management, protocol negotiation, formatting of HTTP requests.
- The browser manages connection establishment, pooling, and termination.
- The browser determines the best HTTP(S) transport (HTTP 1.0, 1.1, 2.0).
- The browser handles HTTP caching, redirects, and content-type negotiation.
- The browser enforces security, authentication, and privacy constraints.
Those are some of characteristics of this new technology.
CROSS ORIGIN RESOURCE SHARING
XHR API allows the application to add custom HTTP headers (via the setRequestHeader() method), there are a number of protected headers that are off-limits to application code:
- Accept-Charset, Accept-Encoding, Access-Control-*
- Host, Upgrade, Connection, Referer, Origin
- Cookie, Sec-*, Proxy-*, and a dozen others…
The browser will refuse to override any of the unsafe headers, which guarantees that the
application cannot impersonate a fake user-agent, user, or the origin from where therequest is being made. In fact, protecting the origin header is especially important, as it
is the key piece of the “same-origin policy” applied to all XHR requests. In same-origin policy, the browser stores user data, such as authentication tokens, cookies, and other private metadata, which cannot be leaked across different applications. To address this specific problem, early versions of XHR were restricted to same-origin requests only, where the requesting origin had to match the origin of the requested resource. Alternatively, if the same origin precondition failed, then the browser would simply refuse to initiate the XHR request and raise an error.
However, while necessary, the same-origin policy also places severe restrictions on the
usefulness of XHR, what if the server wants to offer a resource to a script running in a
different origin? That’s where “Cross-Origin Resource Sharing” (CORS) comes in!
CORS provides a secure opt-in mechanism for client-side cross-origin requests.
The above picture shows a same origin XHR Request and a cross origin XHR Request.
Hope now you have a basic idea about the HXR. See you with another interesting topic. Thank You!