Mr Speaker

The Fonz uses XmlHttpRequest and AJAX to spy on you.


Everyone (who is a nerd) loves the XmlHTTPRequest. It's awesome is why. The web starts behaving like applications. Things work how they are supposed to, and mum and dad don't need to know anything about post-backs and submit buttons - "Submit? Submit to what?!"

There are a myriad of examples of Asynchronous Javascript and XML (errgh, ajax? I give it two thumbs down. But I'm too lazy to think of something better, so I'll shut up on that front) that show why it's the greatest thing since the 1 pixel gif. (Check out That's got some swanky stuff)

For all its goodness, however, something smells a little funny about this holy grail of web communication... like beer and chocolate before it, there is an evil side to what - on the surface - seems pure and innocent.

The evilness lies primarily in its newness. A whole swag of newly trackable data, sent at any time, sent without the user's knowledge, without the (average) user even knowing it's possible. Every keystroke, every mouse move, every click, every pause, can now be captured and sent to the web server and there is nothing you can do about it.

Like every technology, of course, it can be used for good and it can be used for evil. The evil, I think, will mostly be in the form of user-profiling. User profiling previously could only be done on posted data - data that the user wanted the server to see. Now, the user will be constantly monitored - especially for things like the "delete" key, or checking then unchecking boxes. And so on.

Not convinced? Not ready to rise up and strip the XmlHTTPRequest code from your browser? Perhaps this mighty text adventure proof of concept will chill you to your core... "The Search For Fonzie's Treasure" - can you save Fonzie's soul from everlasting damnation?

Good luck, but remember... although it seeeems like harmless client-side interaction, every four moves an XmlHTTPRequest is sent to my server and your moves saved. FOREVER. Don't make a typo. I'll know. Don't try something stupid like "eat jukebox". I'll know.

Scared yet? Check out day one's Fonz Requests.


  1. i dont know if its evil. seems like a good idea to me. cool game too.

    Monday, April 18, 2005 at 10:56 am | Permalink
  2. I’m not really sure that this is that big an issue – or, even if it is, that your proof of concept demonstrates it. I mean, in the text of your blog entry, you present a more compelling argument than the game itself. The idea that the server can transparently communicate exactly what the user is doing before she/he clicks any kind of link is interesting – I can know if the user mouses over a web banner, and but doesn’t click, etc… or (in theory) how long the user scrolls down a page, or something – but the game doesn’t deal with that. You’re still submitting data to the server, every time you run a move. This would be no different than writing this game in the regular HTML Form -> Server -> response page – it’s just nicer, because it’s XMLHttpRequest.

    And if you want to know about sensitive information being stored transparently in an Ajax application, my iPod bartender app stores temporary files containing drink recipes, named however the user specifies (although it is completely anonymous.) You should see what some of these people name their drink collections! :-)

    The game is cool, however. I hit the jukebox.

    Monday, April 18, 2005 at 12:04 pm | Permalink
  3. I don’t know about XmlHttpRequest being evil, but I know what is: a combination that starts with 0 and doesn’t work, leaving someone going around in circles for a long time X( Other than the run-around, I much enjoyed a walk around the set of one of my favorite TV shows =) Make me want to write one of these now, but I lack the patience…


    Monday, April 18, 2005 at 12:31 pm | Permalink
  4. CDFritz – Ill check that out… I saw your comments in your moves – nice lateral thinking there :)

    Andrew E – Yep, I fully agree (though, of course, this game is entirely client-side javascript, so you would not assume your data was being posted) I was going to write a more relevant proof-of-concept, but it was really really boring :)

    Also, I saw your iPod Bartender application a while ago and told all the iPodders in the office about it. I, unfortunately, am still iPoddless.

    Monday, April 18, 2005 at 1:37 pm | Permalink
  5. Ill never use the web again! They are watching me! Everyone watching me!

    Monday, April 18, 2005 at 2:00 pm | Permalink
  6. I have put together a resource site called AJAX Matters. I look forward to your suggestions.

    Tuesday, April 19, 2005 at 9:43 am | Permalink
  7. That was fun to play (reminded me of Shadowgate) and an impressive demonstration of Ajax use… congratulations !

    Sunday, April 24, 2005 at 4:29 am | Permalink
  8. was this done using ruby rails? or which ajax technology? is the source for this available? it’d be great to learn from it!

    Thursday, April 28, 2005 at 11:22 am | Permalink
  9. Hey scott, It just uses a very simple xmlhttprequest send to send data server. Its all in javascript, so check out the code for the game, and the remote scripting stuff in the javascript include.

    The send stuff is right at the bottom of the file. The wierd OnReadyStateChange function “readyChange” is to do with the “live help” stuff i implemented. (Check out the next blog entry here)

    Sunday, May 1, 2005 at 1:51 pm | Permalink
  10. Bug in game — don’t want to give up
    too much, but let’s say when the random
    number generator chooses a number like 080,
    the parser can’t understand it because it
    thinks it’s octal.

    Ran me crazy until I d/l the sourcecode and saw it : maybe
    the 1st number of the RNGenerator should just be 1-9 ?

    Wednesday, June 8, 2005 at 6:11 am | Permalink
  11. He he. Sorry about that Dave. Just making it a bit more um, challenging for you. I *PROMISE* I will fix this this real soon. PROMISE!

    Wednesday, June 8, 2005 at 8:43 am | Permalink
  12. No problem :) — forgot to add a) LOVE IT! Great Job!! and
    b) VERY COOL and useful!!

    Nice going!

    Thursday, June 9, 2005 at 3:47 am | Permalink
  13. Looks like fun. Sure wish I could see green on green. Or green at all for that matter.

    Friday, July 29, 2005 at 6:45 am | Permalink

    Wednesday, August 10, 2005 at 11:52 pm | Permalink
  15. Ummm, you rcorded my game? Ummm, the request to sniff Mrs C’s knickers was just to test the parameters of the game, uh, yea, honest guv!

    Monday, October 10, 2005 at 10:11 am | Permalink
  16. You can “Hit” the jukebox in any room!

    Wednesday, October 19, 2005 at 6:27 am | Permalink
  17. David – you are witnessing the power of the Fonz.

    Wednesday, October 19, 2005 at 8:31 am | Permalink
  18. I am a beginner trying to decide between frames or tables to use for a design that has one top bar, and then two vertically seperated equal frames/cells. A major component of the website though will be the ability to send friends links to specific pages, as well as bookmark. With frames it seems that this isn’t possible. But with tables, i also want to be able to allow the user to click on a link in one cell/frame that will request a document to open in the adjacent cell/frame. I was thinking that xmlhttprequest combined with tables might be a solution? I also thought i knew how to fix my car and its still in my garage.

    Friday, December 16, 2005 at 5:59 am | Permalink
  19. I don’t know the exact requirements of your project, but what you described sounds like what we in the biz call a “web site” – you shouldn’t use frames (un-bookmarkable, and sooo 1996), and you shouldn’t use tables (sooo 1999) – you should start to get your head around XHTML and CSS. They’re a bit fiddly to begin with, but its where its at. (There are even handy tools like The CSS Creator where you just enter: Top Nav, left column, centre column – and it spits out the xhtml and css)

    Using xmlHttpRequest to grab pages is generally considered bad – or at least overkill. And it wouldn’t be bookmarkable anyway. You shouldn’t be worried about having to reload the whole page each for each link – thats the internet – people expect it, and browsers cache all the images etc, so they load quickly anyhoo…

    One of the biggest complaints about AJAX is that people are using it for things that don’t need it. If you just want to experiment with it I’d say have a go. But use DIVs, not tables!

    Friday, December 16, 2005 at 8:09 am | Permalink
  20. they are using the web to train androids, dont touch anymore browsers

    Monday, February 13, 2006 at 3:30 am | Permalink
  21. I loved your post about this, however, I didn’t notice any tracking done when I viewed the site. It’s simple, i just disabled javascript. I have javascript always disabled, I only enable it on the site where I would want it. Hence, no user tracking unless I want you to.

    Tuesday, March 7, 2006 at 7:52 am | Permalink
  22. For sure Morder – thats why I use the no-script extension for firefox. But what with the whole Web2.0 thing goin’ strong, turning off javascript will soon make half the web un-seeable (or, you know, developers will start making ajax stuff gracefully degrade… haha!). Its a tricky one!

    Tuesday, March 7, 2006 at 7:59 am | Permalink
  23. Cool!

    Any chance of taking a look at the JavaScript or server side code?

    Saturday, March 11, 2006 at 5:39 am | Permalink
  24. Holy undigested matter batman. Im gonna be rich!

    Wednesday, April 12, 2006 at 1:07 pm | Permalink
  25. Hi,
    I am totally new to Ajax and only shifted from .Net User Controls to Ajax yesterday to perform a task that I need to do for my final year project.

    My final year project is a co-browsing application and one of its requirements is that, I should be able to share the contents of the application form on the client’s screen (e.g. filled textBoxes)on the (human) customer service agent’s copy of the same application form.

    And i need to do it without posting the page, maybe using a timer.. and i need it both ways, i.e. if the customer allows, the agent could help him out in filling the form by filling certain fields at his end.

    Can you let me know firstly, if this is possible in AJAX and secondly, if you could help me in actually implementing it..

    I shall be REALLY grateful.


    Saturday, April 22, 2006 at 11:13 pm | Permalink
  26. Wajih… Of course you can do it with AJAX. No need for a timer.
    Go read up on some tuts!

    Wednesday, April 26, 2006 at 12:44 am | Permalink
  27. @Wajih:
    Timers are also possible with AJAX. I understand what you need. AJAX is definately the correct solution.

    Tuesday, October 31, 2006 at 1:59 pm | Permalink
  28. huh?

    Not Found
    The requested URL /2005/04/17/the-fonz-and-ajax/FonzsTreasure/fonzWin.php was not found on this server.


    Apache/2.0.46 (Red Hat) Server at Port 80

    Thursday, February 8, 2007 at 6:49 am | Permalink
  29. Loved the flashback to Zork.

    Friday, July 13, 2007 at 8:51 am | Permalink
Captcha! Please type 'radical' here: *
How did you find this thingo? *