The web technologies (javascript, HTML, CSS, HTTP and their ilk) are quite inviting to new-comers. There is an attempt to simplify creating your first web page and showing it in a browser. With just a couple of days in learning, you can achieve surprisingly significant work. Very unlike C++/algorithms/multi-threading, they absolutely have no such pretensions.
But it is a costly mistake to go any further (than developing an HTML "Hello World") without a sound understanding of the concepts. There is a vast technology stack that helps the web do what it can do and it should be systematically learnt.
Javascript, the currency of today's web development, is said to be the worlds most widely misunderstood and abused language. It works like a charm in small doses but any piece of code more than 2K lines can become a maintenance nightmare with numerous security vulnerabilities, unless developed correctly.
Web Security is a large topic by itself. A lot of serious vulnerabilities have surfaced due to a rush to introduce new functionality with security only coming in as an afterthought or post damages. Why does HTTP even exist when the technical chops for using HTTPS was already available ?
It's not just depth but also breadth of the technologies that complicate matters. We know that anything that looks particularly impressive and made using CSS wizardry, can break badly on some other browser. There is a whole matrix on browser compatibility for even HTML support.
Anyway, here is what I had to do as a first assignment : find a way to download/upload files from/to a web-server. I struggled to find a comprehensive resource that covered all the relevant issues involved here. I found myself looking at scattered bits of code all over StackOverflow that claimed to do what was required but each one had something missing. And very soon, I was reduced to testing and searching for what just "worked" instead of knowing what should work and why. Backward compatibility was found broken by Ext JS, a client-side javascript framework in terms of whether (and how) it allowed setting HTTP headers for form submits. Server code requirements were completely unspecified. Finally I got the following code working, notice how the code for downloads looks completely different from that for uploads. It uses Ext JS as a client framework so some specific API is used. The server is assumed to have a couple of REST APIs that manage the persistence of the files being transacted on, checks the CSRF token and does certain useful validations on allowable file sizes and file types.
Downloads :
Ext.define(
'Ext.form.action.StandardSubmit',
{
extend:'Ext.form.action.Submit',
alias: 'formaction.standardsubmit',
doSubmit: function() {
var formInfo = this.buildForm();
formInfo.formEl.submit();
this.cleanup(formInfo);
}
}
);
methodURL = 'SomeURL' + 'fetchAttachment'; // 'fetchAttachment is a particular REST API in my server.
methodParamsObject = { // this is an object required by the server code in my case
user: Ext.encode({
'userId':'1059',
'roleId':'1058',
'roleName':'Administrator',
'userName':'admin'
})
};
// Insert your CSRF token if used to the methodParamsObject here ...
fileDownloadForm = Ext.create(
'Ext.form.Panel',
{
standardSubmit: true,
url: methodURL,
method: 'POST'
}
);
fileDownloadForm.submit({params: methodParamsObject});
fileDownloadForm.close();
Uploads :
var file_content;
var new_form;
var file_name;
var fileChangeCallback = function (e) {
var file = file_content.files[0];
var reader = new FileReader();
alert("called");
reader.onloadend = function (e) {
alert("called CB loadend");
if (e.target.readyState == FileReader.DONE) {
var l_data = reader.result;
l_data = e.target.result;
new_form.submit();
} else {
alert("Failed to read file");
}
}
alert("called CB");
file_name.value = file.name;
reader.readAsArrayBuffer(file);
};
new_form = document.createElement("form");
new_form.name = 'file_upload';
new_form.method = 'POST';
new_form.action = 'some URL' + 'addAttachment'; // Again, one REST API in my server implementation.
new_form.enctype = 'multipart/form-data'; // required for correct file handling on server.
//
var csrf_dummy = {
};
// Insert CSRF token here if used to the csrf_dummy object In my case, CSRF was being checked by server so passing a token string with a particular key 'CSRFTOKEN' was essential.
var csrf_token = document.createElement('input');
csrf_token.type = 'hidden';
csrf_token.name = 'CSRFTOKEN';
csrf_token.value = csrf_dummy.CSRFTOKEN;
new_form.appendChild(csrf_token);
//
var user = document.createElement('input');
user.type = 'hidden';
user.name = 'user';
user.value = "{'userId':'1059','roleId':'1058','roleName':'Administrator','userName':'admin'}";
new_form.appendChild(user);
//
file_content = document.createElement('input');
file_content.type = 'file';
file_content.name = 'fileContents';
file_content.addEventListener('change', fileChangeCallback);
new_form.appendChild(file_content);
//
document.body.appendChild(new_form);
