27 Apr

Enabling Cross Domain Ajax Requests using CORS

Okay, I usually harped about the one main limitation of Ajax requests – the Same Origin Policy. This policy exists to restrict XSS (Cross Site Scripting) attacks and vulnerabilities. But it is also a big party pooper when you want to legitimately make an Ajax call from your site to another domain, directly from the browser, in order to load content from that domain. There are exceptions to this policy that allow embedding of certain resources like images, scripts, stylesheets, media and some other types of content. Thus CDNs for loading scripts like jQuery and stylesheets from Bootstrap are quite common and actually recommended too. But that’s not Ajax. Ajax begins when an XMLHttpRequest object is created. And that object cannot normally be used to make a request to any domain other than the one the page is currently on.

Same Origin Policy

For example, if a script on a page on the domain http://DomainA.com wants to make an Ajax request, the Same Origin Policy limits it to requesting resources on the http://DomainA.com domain only. If the script tries to make a request to http://DomainB.com, it will be actively blocked by the browser. The policy applies to port numbers, sub-domains and protocols too. This is a good thing: it protects users who visit untrusted sites from having those sites steal their sessions on trusted websites. But when you legitimately want a script to load content from another domain, say your recent tweets, your Facebook posts, your Flickr feed, or weather data or stock info from an online API or Web Service, this policy restricts you to adopting one of the following techniques to achieve your goal:

  • Use a Server Side Proxy
  • Use JSONP (if the remote API supports it)

I will leave the JSONP technique for another day and get to my subject now. The W3C made CORS (Cross Origin Resource Sharing) a Recommendation in January 2014; the document had been in the works for some time.

The CORS Recommendation gives web servers a way to allow cross domain script requests. Servers can now do this by adding new headers to the HTTP response to a cross domain request, namely:

By sending this new header, the server can let the browser making the request know that it can allow the request and response to be used by the script, and hence not block the request. You can read more details about the CORS spec on W3.org and MDN. This is great for API developers who want to make a service available for consumption from simple Ajax requests from any domain.
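How the server's header decision and the browser's check fit together, as an added example that is not code from the original post. The header names are the standard CORS ones; the allowlist, the origins and the function names are assumptions made for illustration, and the browser check is simplified.

```javascript
// Added example. Constructed allowlist: exact origins (scheme + host + port).
const ALLOWED_ORIGINS = new Set(['http://domaina.com', 'https://app.domaina.com']);

// Server side: choose the CORS headers for a response.
// publicApi=true models an open API that never relies on cookies or other credentials.
function corsHeaders(requestOrigin, { publicApi = false } = {}) {
  if (!requestOrigin) return {};                    // no Origin header: nothing to add
  if (publicApi) return { 'Access-Control-Allow-Origin': '*' };
  // Browsers send the origin in lowercase, so an exact match is enough here.
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no header: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': requestOrigin,   // echo only an allowlisted origin
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                               // caches must not reuse this for another origin
  };
}

// Browser side (simplified): may the calling script read the response?
function scriptMayRead(pageOrigin, headers, withCredentials = false) {
  const allow = headers['Access-Control-Allow-Origin'];
  if (allow === undefined) return false;
  if (withCredentials) {
    // A wildcard is never accepted for credentialed requests.
    return allow === pageOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return allow === '*' || allow === pageOrigin;
}

// A different port is a different origin, so it does not match the allowlist.
console.log(corsHeaders('http://domaina.com'));
console.log(corsHeaders('http://domaina.com:8080'));
console.log(scriptMayRead('http://domainb.com', corsHeaders('http://domainb.com', { publicApi: true })));
```

A wildcard suits an open, read-only API like the weather feed used in the demo; anything that depends on the user's session should name exact origins instead.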

I will jump to my demo now. https://sreenath.net/demos/CORSDemo.htm

To demonstrate this, I use OpenWeatherMap’s REST API to provide the cross domain content. I use a standard XMLHttpRequest object pointed at the OpenWeatherMap API’s URL to retrieve the current weather data for the requested city.

For example, if I want to get the current weather conditions of New York, NY, my XHR’s URL will look like this:

and my request headers (in Chrome) look like this:

And the response headers from the server look like this:

Yep, a 200 OK response alright. And since I didn’t specify a format, I would receive the default JSON format from the server containing the current weather conditions.

Observe the last three response headers. They are all from the CORS spec, and there are more. To go deeper into this topic, Monsur Hossain has published a book, “CORS In Action”, available Sept 2014 in print or now through MEAP. You can also visit the Enable CORS website to get updated information and use this link to know about browser support for this new spec.

With ASP.NET Web API where it currently is, this development greatly enhances the idea of Service Oriented Applications and also emphasizes the role of JavaScript in the world of programming today. Get cracking!

Questions? Comment below ↓

03 Apr

JavaScript Animations and HTML5 Vibration APIs

First, check out this demo link on your cell phone: https://sreenath.net/demos/animation.htm

On a normal desktop browser with no Vibration hardware, you will see a ball simply bouncing on a black background. On a device with Vibration hardware and a supporting browser, you will feel the ball bounce off the sides of the window with a short vibration.

That’s new in HTML5 and JavaScript. Here’s how it’s done:

It’s that simple. 100 here is the duration to vibrate. You can also pass in an array of milliseconds: a duration of vibration followed by a duration of silence and so on, as follows:

Now about timing the vibrations with the animation:

I use a JSON object as a Singleton for storing data about the window height, width, position of the ball, direction etc.

I have the following event handlers attached to the window load event and the window resize event. (Note that this code won’t gracefully degrade in IE8 and older browsers.)

My startAnimation function:

For the box1 object to move, its CSS position must be set to absolute. Otherwise the best code won’t work on it. So here’s the CSS:

Finally my Animate function.

It’s important to update the direction of the box’s movement once it hits an edge, and to check the direction each time before moving the box to determine which way it should be headed – that is, whether to increment or decrement the left/top property.

And my setDimensions function, required for initial loading and handling browser resize events:

Known Issues with the demo:

  1. Doesn’t handle resize due to re-orientation event of your device.
  2. As of publishing time, Safari doesn’t support the Vibration API. That leaves out all iOS devices from enjoying this demo.
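The edge check, direction flip and vibration timing described in this post, as an added example that is not the demo's own code. The state fields, the function bodies and the 20 ms interval are assumptions; only `navigator.vibrate` and the `box1` element id come from the post.

```javascript
// Added example. All animation data lives in one object, as the post describes.
const state = { width: 300, height: 200, size: 20, left: 0, top: 0, dx: 1, dy: 1, step: 5 };

// Called on load and on resize: record the window size and keep the box inside it.
function setDimensions(s, width, height) {
  Object.assign(s, { width, height });
  s.left = Math.min(s.left, Math.max(0, width - s.size));
  s.top = Math.min(s.top, Math.max(0, height - s.size));
}

// Advance one frame. Returns true when the box touched an edge on this frame.
function animate(s) {
  const maxLeft = Math.max(0, s.width - s.size);
  const maxTop = Math.max(0, s.height - s.size);
  let hit = false;
  s.left += s.dx * s.step;   // dx/dy are +1 or -1: increment or decrement
  s.top += s.dy * s.step;
  // Clamp to the edge and reverse direction so the next frame moves away from it.
  if (s.left <= 0 || s.left >= maxLeft) {
    s.left = Math.min(Math.max(s.left, 0), maxLeft);
    s.dx = -s.dx;
    hit = true;
  }
  if (s.top <= 0 || s.top >= maxTop) {
    s.top = Math.min(Math.max(s.top, 0), maxTop);
    s.dy = -s.dy;
    hit = true;
  }
  return hit;
}

// Vibrate only where the API exists, so unsupported browsers still animate.
const canVibrate = typeof navigator !== 'undefined' && typeof navigator.vibrate === 'function';
function buzz(ms) { return canVibrate ? navigator.vibrate(ms) : false; }

// Browser wiring; skipped outside a page. Assumes an absolutely positioned #box1.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('load', () => {
    const box = document.getElementById('box1');
    const resize = () => setDimensions(state, window.innerWidth, window.innerHeight);
    resize();
    window.addEventListener('resize', resize);
    setInterval(() => {
      if (animate(state)) buzz(100);   // short vibration on each bounce
      box.style.left = state.left + 'px';
      box.style.top = state.top + 'px';
    }, 20);
  });
}
```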
03 Apr

Applying for an ITIN for a dependent on H4 for Tax Returns

Taxes due April 15

There are few things harder in life than dealing with a Governmental organization. And I was fortunate enough to have to deal with the IRS recently regarding my Tax Returns for the year 2013. Since I got married last year and have my wife here in the US on an H4 Dependent Visa status, I get to file my returns as Married Filing Jointly. I was aware that I would need to apply for an ITIN for her to be able to file my returns successfully. I also knew that it can’t be done preemptively, since I need to do my returns and only then send them along with a filled-in W-7 form, which is the application for an ITIN. That wasn’t any problem to figure out. But my woes only began when I realized that TurboTax Online cannot do it for me. In fact, TurboTax gave up after filling in my 1040. My faithful friend who makes life so easy for millions in the country had given up on me after serving me so well the last two years.

Okay, so here’s the process for applying for an ITIN and the various options available for anyone wanting to do the same:

  1. Use TurboTax to help you fill your Federal and State Tax Return and generate the forms.
  2. You will not be able to file online so don’t bother paying for any additional services of TurboTax for e-Filing (i.e., if you can avoid it)
  3. Whenever TurboTax asks you for your spouse’s SSN, leave it empty. You will be warned about Errors but that’s OK since you are not going to e-File anyway.
  4. Once your forms are completed, TurboTax will tell you that you will have to file by mail because of the errors above. Save all the forms to your computer or print them out if you have a printer available.

Now that you have your Federal Returns (Form 1040, Form 1040EZ) filled in and printed, you will have to mail them to the IRS ITIN Operations Division along with other documents. Note that this is not the address TurboTax and the return form tell you to mail the forms to. Amongst the documents you need to send to the IRS, the ORIGINAL Passport (of the H4 dependent) is the one standalone document that is sufficient for most H4 applicants. Other documents are listed here: http://www.irs.gov/Individuals/Revised-Application-Standards-for-ITINs

Since I don’t feel comfortable mailing an original passport away, I wanted to find out if there was another way. And in my case, since we were planning to travel around soon, not having a passport in hand was a risk I could not take. So I found I had three options:

  1. File the return and apply for an ITIN at a Local IRS Office. Find one close to you here: http://apps.irs.gov/app/officeLocator/index.jsp
  2. File returns and apply for an ITIN through an acceptance agent. Find them by state here: http://www.irs.gov/Individuals/Acceptance-Agent-Program
  3. Mail a Copy of the Passport (H4 Applicant), endorsed by the issuing authority – The Embassy of the country that issued it – to the IRS ITIN Operations division, along with your returns.

Knowing me, I had to research all three options.

Option 1 seemed the safest bet since there was a local IRS office only 20 minutes from my home. IRS offices work 8-30 to 4-30 on weekdays only, so I went there one morning before work. I was there at 8-45 and the lady at the reception told me that a limited number of tokens are issued daily for the ITIN processing at that center and that they were out already. She told us that the line forms outside the office as early as 8AM. So we wanted to give it another shot, try to come early and get in line. So we arrived another day at 7-30AM and found that we were about the 10th in line. So I figured we would get it done that day. To my dismay, I later found out that the number of tokens they issue per day is a paltry 8! So the couple in front of me frowned and left and we followed suit, angry that they only process 8 ITIN applications a day. So I gave up Option 1, knowing that I was wasting time and effort on this with no guarantee of getting it done on any day.

So I looked up Option 2: File through an acceptance agent. There are a bunch of acceptance agents near where I lived, including some H&R Block offices as well. So I called up a few – some said that their Acceptance Agent was no longer certified to process ITINs, some claimed an exorbitant fee upwards of $200 and a few didn’t know the process.

Before I settled to shell out a fourth of my returns on fees, I wanted to find out about the feasibility of Option 3: Send an endorsed copy of the passport to IRS by mail. Endorsing has to be done by the issuing authority of the document, which in the case of a passport is the embassy of the country that issued it. Luckily for me, the Embassy of India is in Washington DC and is quite approachable. So I looked up their website for the procedure for endorsing a passport and found that it was about a $13 affair plus the metro fare to and from DC. I asked my wife to visit the embassy and get her passport copy endorsed and she got that done in a day. So that was easy, and I sent across my Federal Returns, Form W-7 and the Endorsed copy of the Passport of the ITIN Applicant (with Visa and I-94 pages) to the ITIN Operations Center of IRS.

More Links:

  • About ITIN: http://www.irs.gov/Individuals/Individual-Taxpayer-Identification-Number-(ITIN)
  • General ITIN Information: http://www.irs.gov/Individuals/General-ITIN-Information
  • Revised Application Standards 2013: http://www.irs.gov/Individuals/Revised-Application-Standards-for-ITINs
  • Additional ITIN Information: http://www.irs.gov/Individuals/Additional-ITIN-Information
  • IRS Local Office Locator: http://apps.irs.gov/app/officeLocator/index.jsp
  • IRS Acceptance Agents: http://www.irs.gov/Individuals/Acceptance-Agent-Program

Questions? Comment below.