Metaprogramming AJAX Apps with Static Types

Through a combination of chance and design, modern Web browsers have evolved into rich hosts for applications that live “in the cloud.” For end users, the Web application experience can be seamless, coming across as a portable version of the desktop apps that users are accustomed to. Behind the scenes, a modern “AJAX” (Asynchronous JavaScript And XML) Web app is built by coupling a variety of languages that weren’t necessarily designed to play well together. We have HTML and CSS for describing static documents, JavaScript for scripting the Web browser, XML and JSON for marshaled communication between browsers and servers, SQL for accessing persistent databases, and a wide variety of more traditional programming languages for coding the server-side parts of applications.

Programming at the right level of abstraction can be tricky in this mishmash of technologies. To that end, a variety of integrated development tools have been proposed. In this talk, I’ll present mine, the Ur/Web programming language. At a high level, Ur is a general-purpose language mixing my favorite features from ML, Haskell, and Coq. Ur/Web adds a standard library and custom compiler optimizations in support of developing modern Web apps.

Probably the main difficulty in coding Web applications is orchestrating communication between parts that must be written in distinct languages. In Ur/Web, this difficulty is mitigated by a combination of compiler support and static typing of embedded syntax. Server- and client-side application pieces are written in the same language, and the compiler takes care of generating native code and JavaScript as needed. For languages like HTML and SQL, whose lack of Turing-completeness can be a critical part of their usefulness, Ur/Web applications still contain explicit embedded syntax. However, a rich type system is used to enforce that only valid syntax may be constructed. For instance, code injection attacks are ruled out statically. The typing regime that makes this work is based on extensible record types, with a limited facility for writing recursive programs at the type level, for describing tricky syntax requirements.

The other main part of Ur’s design is support for metaprogramming by recursion over the structure of record types. For instance, it is possible to write a function from a database table description to an application piece that accesses that table. That piece might be a traditional Web 1.0 “admin interface” for viewing and editing the set of rows in the table, or it might be an AJAX application implementing arbitrary patterns of information flow between clients and the database. In any case, the static type of such a generic component guarantees that it never generates application pieces with code injection vulnerabilities or other abstraction violations.

The bulk of the talk will be a live, in-browser demo showcasing the interesting design patterns that emerge in Ur/Web programming.