Let the request entity body be data converted to Unicode and encoded as UTF-8.

If a Content-Type header is set using setRequestHeader() and its value is a valid MIME type and it has a charset parameter whose value is not an ASCII case-insensitive match for encoding , set all the charset parameters to encoding .

If no Content-Type header has been set using setRequestHeader() set a Content-Type request header with a value of mime ;charset= encoding .

Make a request to request URL , using HTTP method request method , user request username (if non-null) and password request password (if non-null), taking into account the request entity body , list of author request headers and the rules listed at the end of this section.

If there are cookies to be set, run the cookie steps .

While making the request also follow the same-origin request event rules .

The send() method call will now be returned by virtue of this algorithm ending.

While processing the request, as data becomes available and when the end user interferes with the request, queue tasks to follow the same-origin request event rules using the XMLHttpRequest networking task source as task source .

If the user agent allows the end user to configure a proxy it should modify the request appropriately; i.e. connect to the proxy host instead of the origin server, modify the Request-Line and send Proxy-Authorization headers as specified.

If the user agent supports HTTP Authentication and Authorization is not in the list of author request headers , it should consider requests originating from the XMLHttpRequest object to be part of the protection space that includes the accessed URIs and send Authorization headers and handle 401 Unauthorized requests appropriately. If authentication fails, and request username and request password are both null, user agents should prompt the end user for credentials. If authentication fails, and request username and request password are provided, user agents must not prompt the end user for credentials. [ RFC2617 ]

End users are not prompted if credentials are provided through the open() API so that authors can implement their own user interface.

If the user agent supports HTTP State Management it should persist, discard and send cookies (as received in the Set-Cookie and Set-Cookie2 response headers, and sent in the Cookie header) as applicable. [ COOKIES ]

If the user agent implements a HTTP cache it should respect Cache-Control request headers set by setRequestHeader() (e.g., Cache-Control: no-cache bypasses the cache). It must not send Cache-Control or Pragma request headers automatically unless the end user explicitly requests such behavior (e.g. by (force-)reloading the page).

For 304 Not Modified responses that are a result of a user agent generated conditional request the user agent must act as if the server gave a 200 OK response with the appropriate content. The user agent must allow setRequestHeader() to override automatic cache validation by setting request headers (e.g., If-None-Match , If-Modified-Since ), in which case 304 Not Modified responses must be passed through. [ RFC2616 ]

If the user agent implements server-driven content-negotiation it should set Accept-Encoding and Accept-Charset headers as appropriate. For Accept and Accept-Language the user agent must follow these constraints:

Both headers must not be modified if they are already set through setRequestHeader() .

If not set through setRequestHeader() Accept-Language should set as appropriate.

If not set through setRequestHeader() Accept must be set with as value */* .

Responses must have the content-encodings automatically decoded. [ RFC2616 ]

Besides the author request headers user agents should not include additional request headers other than those mentioned above or other than those authors are not allowed to set using setRequestHeader() . This ensures that authors have a reasonably predictable API.

4.6.4 Infrastructure for the send() method

The cookie steps are as follows:

Wait until ownership of the storage mutex can be taken.

Take ownership of the storage mutex .

Update the cookies. [ COOKIES ]

Release the storage mutex so that it is once again free.

If the redirect does not violate security (it is same origin for instance), infinite loop precautions, and the scheme is supported, transparently follow the redirect while observing the same-origin request event rules .

HTTP places requirements on the user agent regarding the preservation of the request method and request entity body during redirects, and also requires end users to be notified of certain kinds of automatic redirections.

Otherwise, this is a network error .

This is an abort error .

In case of DNS errors, TLS negotiation failure, or other type of network errors, this is a network error . Do not request any kind of end user interaction.

This does not include HTTP responses that indicate some type of error, such as HTTP status code 410.

Switch to the HEADERS_RECEIVED state .

Switch to the LOADING state .

Switch to the DONE state .

When something is said to be a network error run the request error steps for exception NETWORK_ERR .

When something is said to be an abort error run the request error steps for exception ABORT_ERR .

When something is said to be a request error for exception exception run these steps:

Set the response entity body to null.

Set the the error flag to true.

Empty the list of author request headers .

Switch the state to DONE .

If the asynchronous flag is false raise an exception exception and terminate the overall set of steps.

If the asynchronous flag is true queue a task to dispatch a readystatechange event .

Terminate the overall set of steps.

It is likely that a future version of this specification will dispatch an error / abort event here as well. (Depending on the type of error.)

When it is said to switch to the HEADERS_RECEIVED state run these steps:

Switch the state to HEADERS_RECEIVED .

Queue a task to dispatch a readystatechange event .

If the state is UNSENT , OPENED with the send() flag being false, or DONE go to the next step.

Otherwise run these substeps:

Switch the state to DONE .

Set the send() flag to false.

Dispatch a readystatechange event .

It is likely that a future version of this specification will dispatch an abort event here.

Switch the state to UNSENT .

No readystatechange event is dispatched.

4.7 Response

4.7.1 The status attribute

The status attribute must return the result of running these steps:

If the state is UNSENT or OPENED return 0 and terminate these steps.

If the error flag is true return 0 and terminate these steps.

Return the HTTP status code.

4.7.2 The statusText attribute

The statusText attribute must return the result of running these steps:

If the state is UNSENT or OPENED return the empty string and terminate these steps.

If the error flag is true return the empty string and terminate these steps.

Return the HTTP status text.

4.7.3 The getResponseHeader() method

When the getResponseHeader( header ) is invoked, the user agent must run these steps:

If the state is UNSENT or OPENED return null and terminate these steps.

If the error flag is true return null and terminate these steps.

If header is an ASCII case-insensitive match for Set-Cookie or Set-Cookie2 return null and terminate these steps.

If header is an ASCII case-insensitive match for multiple HTTP response headers, return the values of these headers as a single concatenated string separated from each other by a U+002C COMMA U+0020 SPACE character pair and terminate these steps.

If header is an ASCII case-insensitive match for a single HTTP response header, return the value of that header and terminate these steps.

Return null.

// The following script:
var client = new XMLHttpRequest();
client.open("GET", "test.txt", true);
client.send();
client.onreadystatechange = function() {
 if(this.readyState == 2) {
  print(client.getResponseHeader("Content-Type"));
// ...should output something similar to the following text:
Content-Type: text/plain; charset=utf-8

4.7.4 The getAllResponseHeaders() method

When the getAllResponseHeaders() method is invoked, the user agent must run the following steps:

If the state is UNSENT or OPENED return the empty string and terminate these steps.

If the error flag is true return the empty string and terminate these steps.

Return all the HTTP headers, excluding headers that are an ASCII case-insensitive match for Set-Cookie or Set-Cookie2 , as a single string, with each header line separated by a U+000D CR U+000A LF pair excluding the status line, and with each header name and header value separated by a U+003A COLON U+0020 SPACE pair.

// The following script:
var client = new XMLHttpRequest();
client.open("GET", "test.txt", true);
client.send();
client.onreadystatechange = function() {
 if(this.readyState == 2) {
  print(this.getAllResponseHeaders());
// ...should output something similar to the following text:
Date: Sun, 24 Oct 2004 04:58:38 GMT
Server: Apache/1.3.31 (Unix)
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8

4.7.5 Response Entity

The response entity body is the fragment of the entity body received so far ( LOADING state) or the complete entity body ( DONE state). If there is no entity body the response entity body is null.

The text response entity body is a DOMString representing the response entity body . The text response entity body is the return value of the following algorithm:

If the response entity body is null return the empty string and terminate these steps.

Let charset be null.

If there is no Content-Type header or there is a Content-Type header which contains a MIME type that is text/xml , application/xml or ends in +xml (ignoring any parameters) use the rules set forth in the XML specifications to determine the character encoding. Let charset be the determined character encoding. [ XML ]

If the Content-Type header contains a text/html MIME type follow the rules set forth in the HTML 5 specification to determine the character encoding. Let charset be the determined character encoding. [ HTML5 ]

If the MIME type specified by the Content-Type header contains a charset parameter and charset is null let charset be the value of that parameter.

The algorithms described by the XML and HTML specifications already take Content-Type into account.

If charset is null then, for each of the rows in the following table, starting with the first one and going down, if the first bytes of bytes match the bytes given in the first column, then let charset be the encoding given in the cell in the second column of that row. If there is no match charset remains null.

Return the result of decoding the response entity body using charset . Replace bytes or sequences of bytes that are not valid according to the charset with a single U+FFFD REPLACEMENT CHARACTER character.

Authors are strongly encouraged to encode their resources using UTF-8.

The XML response entity body is either a Document representing the response entity body or null. The XML response entity body is the return value of the following algorithm:

If the response entity body is null terminate these steps and return null.

If a Content-Type is present and it does not contain a MIME type (ignoring any parameters) that is text/xml , application/xml or ends in +xml terminate these steps and return null. (Do not terminate these steps if there is no Content-Type header at all.)

Parse the response entity body into a document tree following the rules from the XML specifications. Let the result be parsed document . If this fails (unsupported character encoding, namespace well-formedness error, et cetera) terminate these steps return null. [ XML ]

Scripts in the resulting document tree will not be executed, resources referenced will not be loaded and no associated XSLT will be applied.

Return an object implementing the Document interface representing the parsed document .

4.7.6 The responseText attribute

The responseText attribute must return the result of running these steps:

If the state is not LOADING or DONE return the empty string and terminate these steps.

Return the text response entity body .

4.7.7 The responseXML attribute

The responseXML attribute must return the result of running these steps:

If the state is not DONE return null and terminate these steps.

Return the XML response entity body .

5 Exceptions

Several algorithms in this specification may result in an exception being thrown. These exceptions are all part of the group ExceptionCode and use the DOMException object, which is defined in DOM Level 3 Core. In addition this specification extends the ExceptionCode group with several new constants as indicated below. [ DOM3Core ]

Thus, exceptions used by this specification and not defined in this section are defined by DOM Level 3 Core.

const unsigned short SECURITY_ERR = 18;
const unsigned short NETWORK_ERR = 19;
const unsigned short ABORT_ERR = 20;

The SECURITY_ERR exception is raised if an attempt is made to perform an operation or access some data in a way that would be a security risk or a violation of the user agent's security policy.

The NETWORK_ERR exception is raised when a network error occurs in synchronous requests.

The ABORT_ERR exception is raised when the user aborts a request in synchronous requests.

These exceptions will be folded into an update of DOM Level 3 Core in due course, as they are appropriate for other API specifications as well.

Not in this Specification

This section is non-normative.

This specification does not include the following features which are being considered for a future version of this specification: