Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
This branch is 6 commits ahead, 3 commits behind pwnall:master.

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

XMLHttpRequest (Unsafe!) Emulation for node.js

This is an npm package that implements the W3C XMLHttpRequest specification on top of the node.js APIs.

The package is a fork of the original, which allows for unsafe headers and methods to be used.

Supported Platforms

This library is tested against the following platforms.

Keep in mind that the versions above are not hard requirements.

Installation and Usage

The preferred installation method is to add the library to the dependencies section in your package.json.

  "dependencies": {
    "xhr2-unsafe": "*"

Alternatively, npm can be used to install the library directly.

npm install xhr2-unsafe

Once the library is installed, require-ing it returns the XMLHttpRequest constructor.

var XMLHttpRequest = require('xhr2-unsafe');

The other objects that are usually defined in an XHR environment are hanging off of XMLHttpRequest.

var XMLHttpRequestUpload = XMLHttpRequest.XMLHttpRequestUpload;

MDN (the Mozilla Developer Network) has a great intro to XMLHttpRequest.

This library's CoffeeDocs can be used as quick reference to the XMLHttpRequest specification parts that were implemented.


The following standard features are implemented.

  • http and https URI protocols
  • Basic authentication according to the XMLHttpRequest specification
  • request and response header management
  • send() accepts the following data types: String, ArrayBufferView, ArrayBuffer (deprecated in the standard)
  • responseType values: text, json, arraybuffer
  • readystatechange and download progress events
  • overrideMimeType()
  • abort()
  • timeout
  • automated redirection following

The following node.js extensions are implemented.

  • send() accepts a node.js Buffer
  • Setting responseType to buffer produces a node.js Buffer
  • nodejsSet does XHR network configuration that is not exposed in browsers, for security reasons

The following standard features are not implemented.

  • FormData
  • Blob
  • file:// URIs
  • data: URIs
  • upload progress events
  • synchronous operation
  • Same-origin policy checks and CORS
  • cookie processing


The library aims to implement the W3C XMLHttpRequest specification, so the library's API will always be a (hopefully growing) subset of the API in the specification.


The following commands will get the source tree in a node-xhr2-unsafe/ directory and build the library.

git clone git://
cd node-xhr2-unsafe
npm install
npm pack

Installing CoffeeScript globally will let you type cake instead of node_modules/.bin/cake

npm install -g coffeescript

The library comes with unit tests that exercise the XMLHttpRequest API.

cake test

The tests themselves can be tested by running them in a browser environment, where a different XMLHttpRequest implementation is available. Both Google Chrome and Firefox deviate from the specification in small ways, so it's best to run the tests in both browsers and mentally compute an intersection of the failing tests.

cake webtest
BROWSER=firefox cake webtest

The library is Copyright (c) 2013 Victor Costan, and distributed under the MIT License.


XMLHttpRequest (unsafe) emulator for node.js







No packages published


  • CoffeeScript 98.5%
  • HTML 1.3%
  • Other 0.2%