The core of Eventsites is a single-page Javascript application.

On visiting the site, a user receives a bare-bones XHTML page that binds all relevant Javascript and CSS files. After loading these files, the script is used to perform the following operations:

1. Parse the event-ID from the URL, e.g. www.eventsites.co.uk/evdb/events/E0-001-000935917-5 equates to event ID E0-001-000935917-5. An invalid or non-event URL simply routes to the site homepage.
2. Pull event data from EVDB using a REST request. The REST URL for the Carson Future of Web Apps would be: http://api.evdb.com/rest/events/get? &id=E0-001-000935917-5&app_key=mCzrkKSxK43TMhtN
3. Parse data from the EVDB XML response
4. Construct and despatch a request for the event Flickr RSS feed. In the Carson case, this would be: http://www.flickr.com/services/feeds /photos_public.gne?&format=rss_200 &tags=futureofwebapps
5. Parse the Flickr feed to retrieve photo URL's
6. Construct the application XHTML interface
7. (on map select) create and initialise a Google Map with the event latitude / longitude
8. (on photos select) create an XHTML photo gallery using the URLs specified in the Flickr feed

<body onload="new Application()" />

All the XHTML in Eventsites is built using Javascript DOM methods. I'm not a fan of using getElementById to attach methods to existing XHTML. I don't like the approach because it lacks any formal binding between the code and the structure - change an ID in the XHTML file and your code can't bind to the interface.

Building the XHTML in the code ensures that interface and its behaviours are bound together by definition.

Making XHR cross-domain

Eventsites uses the XMLHttpRequest object to pull in data from EVDB and Flickr. Unfortunately, since XHR is limited to same-domain calls, we need a server proxy to redirect these externally.

The proxy script that is used in Eventisites is shown below:

<?php

$remoteURL = $_GET['url'];

$pos_int = strpos($remoteURL,'http://');

if($pos_int===0){
$fp   = fopen($remoteURL, 'r');

header('Content-type: text/xml');
if($fp){
fpassthru($fp);
}else{
echo
'<?xml version="1.0" encoding="UTF-8"?>
<root connection="false">
<eventsites_message>
Failed to connect
</eventsites_message>
</root>';
}
}
?>

This script simply sends a GET request to any address passed in the url argument and passes on the data that's returned.

You can see the script in action at: http://www.eventsites.co.uk/remote_proxy.php and its functionality can be seen by requesting the event's photo feed (URL encoded).

Handling URL's

As mentioned, Eventsites is a single-page application. This means that although the ID for an event is specified in its URL, e.g. www.eventsites.co.uk/evdb/ events/E0-001-000935917-5, all such URLs must still map to the same document on the server.

This could be done with mod_rewrite but since I haven't the faintest idea how mod_rewrite works, I worked the same magic using simple old .htaccess.

.htaccess allowed me to very simply specify the 404 error page as being the frontpage. All URL's that don't correspond to files present on the server just route back to root.

The root level .htaccess file for the domain is:

ErrorDocument 404 /

Once the frontpage has loaded, Javascript accesses the window.location object, and uses a regular expression to parse the event ID.

Next

Why XHR needs to become opt-in cross domain

Update:
As a number of people correctly pointed out, my server proxy originally gave full read access to the local file system. Although this was something I'd forbidden in earlier incarnations of the code, I filtered it out for the sake of making the essence of the code as understandable as possible. Not a smart thing to do though and all URL's are now filtered (as shown in the code) to make sure they're external.

Each mini-site includes the event details, a map to the location and photos that were taken there. You can see an example of this with the The Carson Workshops Summit.

Nothing new in that perhaps. What is unique about Eventsites is that it uses no server-logic and stores no data of its own.

Eventsites is simply a client to other web-services.

Clients on a componentised web

In the last post we looked at the potential that might be realised by componentising today's vertically-integrated web applications.

We also questioned what new applications might start to appear when fundamental functionality such as content management or authentication is available directly via web-services?

The coal face

In order to explore the theory we need to test it. The best way to test it is to build something from it.

The challenge was to build a dynamic website that let users both add and view data but stored no data of its own.

The result was Eventsites.

Eventsites uses EVDB for authentication and data storage, Google Maps for mapping and Flickr for photos. All the interface logic is done using AJAX in the browser.

Standing on the shoulders of giants

By using these third-party services we give ourselves the power to offer users extremely rich functionality whilst doing very little of the legwork in-house.

Not only do we save redeveloping existing functionality but we also benefit from what the other sites already offer.

Creating an event with Eventsites also creates a page on Eventful whilst photos on Eventsites are of course also viewable from Flickr.

Browser power

Scaling a traditional application from 10,000 users to a million is an intensive and expensive task. Servers become server-farms and databases spawn masters and slaves.

There is an irony in this though since not only does each user bring extra demands, they also bring an extra computer.

Every website visitor uses a browser and almost all of those browsers can execute Javascript, Java and Flash. Why not take advantage of this?

Since the heavy-lifting of Eventsites is done by EVDB, Google and Flickr, we can afford to do something unique with it.

By outsourcing all of our secure logic, we can afford to move the interface logic from the server and into the browser.

Desktop applications via the browser

By doing this, we have in essence created a desktop application that simply happens to be delivered via the web.

Web-services provide storage and all secure-logic, the browser powers the execution of the remaining interface logic and the server simply delivers flat files of code, CSS and XHTML.

Security and identity and cross-domain XHR

Taking such an extreme approach to mashing throws a floodlight on several issues including cross-domain AJAX, identity and security. In so doing, it becomes clear that all three have a number of serious problems.

However, it also becomes clear that with only a few small tweaks, some of these problems could easily be neutralised and that their disappearance might open the gates to a new and more powerful web-architecture.

Next

The architecture of Eventsites.

Across the world, websites everywhere brim with overlapping feature-sets.

Content management, tagging, RSS, spellchecking, authentication, search - millions of development-hours every year are spent re-implementing the same features in site after site after site.

For the Google's and Yahoos of this world, such end-to-end bespoke systems are built on rock-solid code and form a crucial part of both their competitive advantage and independence.

For these super-sites, key software has to be proprietary. Building off Google might have saved Microsoft a broken chair and a lot of cash but simply adding an MSN interface to Google-purchased searches could never have made strategic sense.

The long-suffering tail

The long tail of the internet tells a very different story though.

For most communities and businesses, a website is a means and not an end. For the millions of smaller sites that flesh the body of the internet, for these organisations, every line of code is not an asset but a liability.

In most businesses, purchasing bespoke website-engineering makes as much sense as purchasing bespoke truck-engineering. A custom, branded paint-job is a must but a customised chassis is only a scrape away from disaster.

A web-service-world

What if all this generic functionality was provided pre-packaged for us though? What if we could buy tagging or asset management wholesale via web-services?

What if Yahoo opened up their identity silos and we could authenticate users using only a single call to their API (they haven't and we can't by the way)?

Google CMS

How many of the 45% of small businesses that don't have websites might finally get one if the hard part is already done for them?

If Google were to release an API with raw CMS functionality, with versioning, hierarchy and permissions then the website-creation software that the web still so sorely lacks would finally become only an interface away.

furlFunctionality = new Delicious();

So many websites are nothing more than a new interface on a clone of existing functionality. They may well be adding value, but in this case, it's only in the interface. If the core functionality of a website was made available via an inexpensive API though, why bother redeveloping it?

Construction firms don't grow their own timber, they buy it. Different car manufacturers routinely add their own badge, and feature-specs to a the same core chassis. When all a website is adding is an interface, why not simply purchase the underlying functionality?

Could developers sell functionality in exactly the same way as the Amazon S3 sells storage?

Web-serfing

Ecologically-speaking, we are still in a subsistence web. Every application is the digital equivalent of a villager ploughing his own potatoes, butchering his own beef and bricking his own bothy.

We need to specialise. Economies grow richer and more efficient when the people within them become more skilled in specific areas and then trade those specialised, high-value skills.

The web will grow richer and more efficient when functionality can be bought by the call, through clean reliable and robust API's. Not just installable, hacked code-libraries but dependable web-services with service level agreements and fees to boot.

Tomorrows web application today

Do we have to wait for this functionality though or is it already here? Could these types of applications be built today on what's already in place?

Web 2.0 has brought a bloom of web-services and API's. Almost none are charged and few are commercially licensed but they are at least in existence.

A pure web-service application

In the next couple of days I'm going to release an application that takes the web-service / mashup model to the extreme. It is an application built entirely on web-services and constructed purely from AJAX.

The site allows people to create micro-websites for events. Even though those websites have associated maps, photos and data, the application stores no data of its own.

The micro-client

The website is in essence a client, a micro-client. It's a tailored, web-delivered interface to data and services from elsewhere.

Could this represent the future of web-apps? A scalable interface constructed within the browser that adds incremental value to data and services from other, external suppliers?

The questions

What are the technical limitations, what are the business implications, what does an API need in order to be truly useful?

In the next couple of days, I'll be releasing the application that pushes the edge of this approach and will also be following up on some of the issues around data, business and security that it throws up.