Introduction:
XMLHttpRequest Object is used to interact (transactions from the data source (like XML Files)) with server from client side, to improve the performance of the application.

Description:
As deployment of XML data and web services becomes more widespread, you may occasionally find it convenient to connect an HTML presentation directly to XML data for interim updates without reloading the page. Thanks to the little-known XMLHttpRequest object, an increasing range of web clients can retrieve and submit XML data directly, all in the background. To convert retrieved XML data into render able HTML content, rely on the client-side Document Object Model (DOM) to read the XML document node tree and compose HTML elements that the user sees.

Security Issues:
When the XMLHttpRequest object operates within a browser, it adopts the same-domain security policies of typical JavaScript activity (sharing the same "sandbox," as it were). This has some important implications that will impact your application of this feature.

First, on most browsers supporting this functionality, the page that bears scripts accessing the object needs to be retrieved via http: protocol, meaning that you won't be able to test the pages from a local hard disk (file: protocol) without some extra security issues cropping up, especially in Mozilla and IE on Windows. In fact, Mozilla requires that you wrap access to the object inside UniversalBrowserRead security privileges. IE, on the other hand, simply displays an alert to the user that a potentially unsafe activity may be going on and offers a chance to cancel.

Second, the domain of the URL request destination must be the same as the one that serves up the page containing the script. This means, unfortunately, that client-side scripts cannot fetch web service data from other sources, and blend that data into a page. Everything must come from the same domain. Under these circumstances, you don't have to worry about security alerts frightening your users.

Some of the properties of the XMLHttpRequest Object which are used in the interacting with server are listed below as:

XMLHttpRequest Object Properties
1. Onreadystatechange: This is an Event handler for an event that fires at every state change.

2. readyState: This indicates that the object is in which state i.e.

o 0 = Uninitialized
o 1 = loading
o 2 = loaded
o 3 = interactive
o 4 = complete

3. responseText: This is the String version of data returned from server process.

4. responseXML: DOM-compatible document object of data returned from server process.

5. Status: Numeric code returned by server, such as 404 for "Not Found" or 200 for "OK".

6. statusText: String message accompanying the status code.

Some of the methods of XMLHttpRequest Object are:

1. abort(): This is used to stops the current request.

2. getAllResponseHeaders(): It will return the complete set of headers i.e. label's values as string.

3. setRequestHeader("label", "value"): This is used to assign a label/value pair to the header to be sent with a request.

It is essential that the data returned from the server be sent with a Content-Type set to text/xml. Content that is sent as text/plain or text/html is accepted by the instance of the request object however it will only be available for use via the responseText property.

For years, advanced client-side developers have frequently wanted a clean way to maintain a "connection" with the server so that transactions can occur in the background, and newly updated data gets inserted into the current page. Many have tortured themselves by using techniques such as hidden self-refreshing frames and "faceless" Java applets. In lieu of a W3C standard still under development, the Microsoft-born XMLHttpRequest object fills an important gap that should inspire application development creativity. The feature is a welcome addition to Safari.