AsyncHttpEvalRequest: A New Primitive for Downloading Web Applications Incrementally and Securely Janne Kuuskeri and Tommi Mikkonen Tampere University of Technology Korkeakoulunkatu 1 FI-33720 Tampere, Finland {janne.kuuskeri, tommi.mikkonen}@tut.fi Antero Taivalsaari Sun Microsystems Laboratories P.O. Box 553 (TUT) FI-33101 Tampere, Finland antero.taivalsaari@sun.com Abstract—The evolution of the World Wide Web has progressed from simple, classic web pages with text and static images only to Web 2.0 pages with rich multimedia content, mashups and desktop-style applications. The cornerstone of Web 2.0 technologies is an API called XMLHttpRequest – an interface that allows network requests to be performed asynchronously without blocking the user interface of the web browser. In this paper we introduce a new operation called AsyncHttpEvalRequest that is the logical extension of XMLHttpRequest for web applications. The main benefit of the new operation is that it allows large web applications to be downloaded incrementally and more securely. Keywords-Web applications; asynchronous networking; XMLHttpRequest; AsyncHttpEvalRequest I. INTRODUCTION The World Wide Web has undergone a number of evolutionary phases. When the Web was originally introduced in the early 1990s, web pages were simple textual documents with limited user interaction capabilities based on hyperlinks. Soon, graphics support and form- based data entry were added. Gradually, with the introduction of DHTML [1] – the combination of HTML, Cascading Style Sheets (CSS), the JavaScript scripting language and the Document Object Model (DOM) – it became possible to create increasingly interactive web pages with built-in support for advanced graphics and animation. Various plug-in components and players, such as Flash, RealPlayer, Quicktime and Shockwave, were then introduced to make it possible to build web pages with visually rich, interactive multimedia content. Today, we are in the middle of another major evolutionary step towards desktop-style web applications, also known as Rich Internet Applications (RIAs) or simply web applications. The technologies intended for the creation of such applications are also often referred to collectively as “Web 2.0” technologies. Web 2.0 is mostly a marketing term, surrounded by a lot of hype, but there are some important aspects that will significantly change the way people will use the Web and software more generally. In particular, Web 2.0 technologies make it possible to build web sites that behave much like desktop applications, for example, by allowing web pages to be updated one user interface element at a time, in a piecemeal fashion, rather than requiring the entire page to be updated each time when something changes. In addition, Web 2.0 technologies commonly support “social” collaboration, i.e., allow a large number of people to collaborate and share the same data applications and/or services over the Web. An essential element of Web 2.0 technologies is XMLHttpRequest [2] – an API that can be used by JavaScript and other web browser scripting languages to transfer data between the web browser and a web server asynchronously. The XMLHttpRequest interface forms an important part of the Ajax web development technology [3], and it is used by numerous web sites and applications to improve the responsiveness of the web browser. Examples of web applications that make use of the XMLHttpRequest API include Google Maps, Windows Live Virtual Earth, the MapQuest dynamic map interface, and Facebook. In this paper we introduce AsyncHttpEvalRequest, a primitive operation that is the logical extension of XMLHttpRequest for web applications. With the proposed new operation, program code of large web applications can be loaded and evaluated incrementally and in a more modular fashion than has been possible conventionally. Furthermore, the new primitive makes it considerably easier to perform additional security checks, e.g., to ensure that the program has been loaded completely and that no errors have occurred during loading and evaluation. The structure of this paper is as follows. In Section 2, we introduce the standard fashion web applications are loaded. In Section 3, we summarize the existing methods for downloading executable source code asynchronously. In Section 4, we introduce our AsyncHttpEvalRequest primitive, and discuss its benefits and our experiences with the new primitive. Finally, Section 5 concludes the paper. II.LOADING EXECUTABLE CODE TO THE WEB BROWSER In order to run client side web applications, the web browser needs to provide an execution environment for dynamically downloaded code. The common mechanism in web browsers for this is support for the JavaScript language [4] and the <script> tag. To load JavaScript code to the web browser, the developer embeds <script> tags into the HTML page that hosts the application. When the page is visited, the browser first loads the HTML file and starts rendering its contents. The HTML code then initiates further downloads (e.g., of images and video clips) as necessary. Whenever the web browser runs into a <script> tag, it stops the processing of the HTML file until the script file or embedded script code has been evaluated. After that HTML file processing and page