New programming language automatically coordinates interactions between Web page components

December 23, 2014 by Larry Hardesty, Massachusetts Institute of Technology

A Web page today is the result of a number of interacting components—like cascading style sheets, XML code, ad hoc database queries, and JavaScript functions. For all but the most rudimentary sites, keeping track of how these different elements interact, refer to each other, and pass data back and forth can be a time-consuming chore.

In a paper being presented at the Association for Computing Machinery's Symposium on Principles of Programming Languages, Adam Chlipala, the Douglas Ross Career Development Professor of Software Technology, describes a new programming language, called Ur/Web, that lets developers write Web applications as self-contained programs. The language's compiler—the program that turns high-level instructions into machine-executable code—then automatically generates the corresponding XML code and style-sheet specifications and embeds the JavaScript and database code in the right places.

In addition to making Web applications easier to write, Ur/Web also makes them more secure. "Let's say you want to have a calendar widget on your Web page, and you're going to use a library that provides the calendar widget, and on the same page there's also an advertisement box that's based on code that's provided by the ad network," Chlipala says. "What you don't want is for the ad network to be able to change how the calendar works or the author of the calendar code to be able to interfere with delivering the ads." Ur/Web automatically prohibits that kind of unauthorized access between page elements.

Typing, scoping

Ur/Web's ability to both provide security protection and coordinate disparate Web technologies stems from two properties it shares with most full-blown programming languages, like C++ or Java. One is that it is "strongly typed." That means that any new variable that a programmer defines in Ur/Web is constrained to a particular data type. Similarly, any specification of a new function has to include the type of data the function acts on and the type of data it returns.

In computing the value to return, the function may need to create new variables. (A function that returned an average of values in a database, for instance, would first need to calculate their sum.) But those variables are inaccessible to the rest of the program. This is the second property, known as "variable scoping," because it limits the scope—the breadth of accessibility—of variables defined within functions.

"You might want to write a library that has inside of it as private state the database table that records usernames and passwords," Chlipala says. "You don't want any other part of your application to be able to just read and overwrite passwords. Most Web frameworks don't support that style. They assume that every part of your program has complete access to the database."

Typing helps with security, too. Many Web development frameworks generate database queries in such a way that someone ostensibly logging into a website can type code into the username field that in fact overwrites data in the database. With Ur/Web, usernames would constitute their own data type, which would be handled much differently than database queries.
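
The contrast described above, as an added Python sketch (not Ur/Web code and not taken from the paper): one function builds the statement from the field's text, the other keeps the statement fixed and accepts the username only as a separate typed value. The `Username` and `Query` classes, the `users` table and the sample input are constructed for illustration, and the type check here happens at run time rather than in a compiler as in Ur/Web.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample input: what a visitor might type into the username field.
CONSTRUCTED_FIELD = "nobody' OR 'a'='a"

@dataclass(frozen=True)
class Username:
    """Data only: can be bound to a query, never spliced into its text."""
    value: str

@dataclass(frozen=True)
class Query:
    """SQL text with ? placeholders plus the values bound to them."""
    sql: str
    params: tuple = ()

    def bind(self, *values):
        # Accept only typed data values; a bare str is rejected so form input
        # cannot reach the database without first being declared as data.
        for v in values:
            if not isinstance(v, Username):
                raise TypeError(f"cannot bind {type(v).__name__}; wrap it in Username")
        return Query(self.sql, self.params + tuple(v.value for v in values))

def make_db():
    """In-memory table with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, logins INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, 0)", [("alice",), ("bob",)])
    return db

def record_login_untyped(db, username_field):
    # Weak pattern: the field's text becomes part of the SQL statement itself.
    sql = "UPDATE users SET logins = logins + 1 WHERE name = '" + username_field + "'"
    return db.execute(sql).rowcount  # number of rows overwritten

def record_login_typed(db, username):
    # The statement text is fixed; the username travels separately as a value.
    q = Query("UPDATE users SET logins = logins + 1 WHERE name = ?").bind(username)
    return db.execute(q.sql, q.params).rowcount

if __name__ == "__main__":
    print("untyped:", record_login_untyped(make_db(), CONSTRUCTED_FIELD))
    print("typed:  ", record_login_typed(make_db(), Username(CONSTRUCTED_FIELD)))
```

With the constructed input, the untyped version modifies every row in the table, while the typed version matches no account and changes nothing.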

Meeting expectations

Typing is also what enables coordination across Web technologies. Suppose that a bit of JavaScript code is supposed to act on data fetched from a database and that the result is supposed to be displayed on a Web page at a location determined by some XML code. If an Ur/Web programmer wrote a database query that extracted data of a type the JavaScript wasn't expecting, or if the JavaScript generated an output of a type that the XML page wasn't expecting, the compiler would register the discrepancy and flag the code as containing an error.

Often, code that isn't explicitly typed still has implicit consistency rules. For instance, if you write a query in the SQL database language that asks for the average numerical value of a bunch of text fields, the database server will tell you that it can't process your request. To enable Ur/Web to coordinate the flow of data between Web technologies, Chlipala had to create libraries of new data types for SQL, XML, and cascading style sheets (CSS) that embody these rules.

While the Ur/Web compiler does generate XML, JavaScript, and SQL code in its current version, it doesn't produce style sheets automatically. But, Chlipala says, "One thing the compiler can do is analyze your full program and say, 'Here is an exhaustive list of all the CSS classes that might be mentioned, and here is a description of the context in which each class might be used, which tells you what properties might be worth setting.' So, for instance, some particular class might never be used in a position where table properties would have any meaning, so you don't have to bother setting those."

More information: Paper: "Ur/Web: A simple model for programming the Web"

5 / 5 (2) Dec 24, 2014
Pass. Sorry, but HTML5, CSS3/CSS4/JSON and backends from C/C++/ObjC/ObjC++/Ruby/Python/Perl/PHP and many more are enough, never mind intermingling SQL within your Code is a major No-No.

The World doesn't need XML embedded in your functions/methods and sure as hell hated the XSLT/XML crap that was the late 90s early 2000s.

Complete waste of time.
not rated yet Dec 24, 2014
I have high hopes for this. Web dev is an absurd mess. For years I've dreamed about ways to clean it up - my best idea was to expand SQL into a full scripting language, since it's all pretty much about db access anyway. But it's something to go all in on: Too often, people create these higher level messes that translate back to the old languages, and as a result negate what people have already invested in learning html, sql, etc. You really have to start from the ground up.
not rated yet Dec 24, 2014
The description provided in this report indicates that Ur/Web is likely to solve a lot of problems and improve the security of web pages, which can't be bad in a malware-riddled environment.
As an engineer accustomed to "quick-and-dirty" programming to get quick answers, I've never been a fan of strongly-typed languages; but I can definitely see the value of strong typing in this "mix-and-match" situation.
My only gripe is this: if Ur/Web is really about creating *functional* web pages easily, please, please, PLEASE forget about trying to include CSS, because it introduces an unbelievably heavy processing load for all its "pretty" formatting code (and burns TONS more fuel to power the Internet when CSS pages are transmitted around the world).
not rated yet Dec 24, 2014
There are many, many frameworks trying to solve the problem of connecting databases to people through web browsers.

There's no escaping these frameworks ultimately rely on underlying HTTP, HTML, CSSs, Javascript, SQL, etc. Often used awkwardly, in ways never anticipated in the original design of those specs.

To degrees, frameworks hide the ugly and tedious. At the cost of learning the new framework. And, practically speaking, still having to be facile with all the underlying specs and protocols. Including all those annoying platform and version peculiarities.

Will this make for better web sites, web pages? My experience: people who code badly will do so in any language.
