IO Utility Change History

IO Utility Change History


  • No changes.


  • Document return value of IO.send and ([#1882][]: @andrewnicols)


  • No changes.


  • No changes.


  • No changes.


  • Removed the unnecessary src attribute which caused an extra request to be made to the current page URL when the iframe was included on the page. (#1646: @goodforenergy)

  • Document usage of username/password in config. (#1572: @customcommander)


  • Fixed an issue in io-upload-iframe where an attempt to reset the attributes of the form element could have occured on a form that no longer existed on the page. (#1465: @andrewnicols)


  • No changes.


  • No changes.


  • [!] #1155 Deprecate io-xdr.
  • Move all related swf and as files from yui3 repository to yui3-swfs repository.


  • No changes.


  • Restore form attributes after successful upload in io-upload-iframe. [Ticket #2533186] [ipeychev]

  • Upgraded request module dependency for io-nodejs for compatibility with Node.js v0.10. [Pull Request #940]


  • [security] Hardened SWF file by filtering all data passed through ExternalInterface to fix XSS vulnerability.


  • No changes.


  • [security] Hardened SWF file by filtering all data passed through ExternalInterface to fix XSS vulnerability.


  • No changes.


  • No changes.


  • Normalized IO’s handling of falsy request and response bodies. A majority of the environments want request/response bodies to always be a string, so they use an empty string instead of undefined, null, etc.

    This specifically fixes two issues:

    • IE 10 converts a response body of undefined to the literal string: "undefined". No other environments do this, so a change has been made to default the request body to "" unless it has a non-falsy value.

    • IO’s node.js transport uses the Request npm module, which returns undefined when a response has no body. This normalize IO’s responseText to an empty string when Request returns a false response body.


  • Exposed IO’s form serialize via the new Y.IO.stringify() method. [Ticket #2529073] [Pull Request #351] [John Lindal]

  • Stringified request data is now passed to custom transport layers. [Ticket #2532594] [Pull Request #383] [John Lindal]


  • No changes.


  • Fixed issue in Chrome where form submits with upload: true were not working properly. [Ticket #2531860]

  • Add empty() method to io-queue which clears out all requests waiting to be sent. [Pull Request #282] [Julien Sanchez]


  • No changes.


  • No changes.


  • Prevent IO from maintaining cookies across requests in Node.js. [Ticket #2532676]

  • Remove “X-Requested-With” header from cross-domain XHRs. Setting any non-standard HTTP headers when performing a cross-domain request using CORS results in a required pre-flight OPTIONS request. Not adding this header by default allows the browser to communicate with a server which is not CORS-ready. [Ticket #2532673] [Clarence Leung]


  • Fixed issue when running in Node.js where wasn’t automatically stringified. [Ticket #2532390]


  • No changes.


  • Configuration data can now include an instance of FormData for HTTP POST requests. [Ticket #2531274]

  • Implemented FormData file upload in io-base. [Ticket #2531274]

  • Fixed transport error in io-base [Ticket #2531308, #2531941, #2531947]

  • Fixed IO loader meta-data [Ticket #2531320]

  • Fixed transport error in io-base [Ticket #2531308]

  • Implemented Node.js compatibility [Ticket #2531495]

  • Fixed transport error in io-base [Ticket #2531308]

  • Fixed API docs discrepancy for IO [Ticket #2531756]

  • Fixed error in sending an XML document as POST data. [Ticket #2531257]

  • success/failure/complete/etc callbacks that throw errors no longer hijack all future transactions. [Ticket #2532107]


  • HTTP 304 now treated as a success condition. [Ticket #2530931]

  • Fixed transport creation error when both io-xdr and io-upload-iframe modules are in use. [Ticket #2530999]

  • Querystring stringify added to io-upload-iframe. [Ticket #2531037]

  • Fixed request abort error in IE. [Ticket #2531038]

  • Add try/catch to io-upload-iframe response to handle failure cases where the document may be inaccessible. [Ticket #2531041]

  • Add IO support for XHR basic user authentication. [Ticket #2530023]

  • Revert Y.mix usage for synchronous requests. [Ticket #2531056]

  • Fixed io-upload-iframe transport destruction. [Ticket #2531058]


  • Added ability to get the configuration of a transaction. [Ticket #2528240]

  • Instantiable IO. [Ticket #2529314]

  • IO now uses event-custom and event facades. [Ticket #2529317]

  • Exposed more of the internals of IO for extensibility. [Ticket #2529447]

  • Fixed IO iframe upload to reset form attributes. [Ticket #2529553]

  • Add IO support for XHR basic user authentication. [Ticket #2530023]

  • IO will not send data for GET, HEAD and DELETE HTTP methods. [Ticket #2530091]

  • Fixed issue with IO doubling the URL query-params on a HTTP GET request when sending data together with form serialization. [Ticket #2530494]


  • When using io-xdr to load io.swf, a date-time stamp will appended, as a query-string, to the transport source for IE. [Ticket #2528898]

  • Implemented default HTTP headers can be suppressed in the transaction’s configuration object by setting the header with a value of disable. [Ticket #2529324]

    For example:

    var config = { headers: { "X-Requested-With": "disable" } };
  • Use without listening for the io:xdrReady event. [Ticket #2528710]

  • Fixed native XDR detection for IE8 in io-xdr. [Ticket #2529290]


  • Fixed malformed HTML entities in JSON response, when using io-upload-iframe. [Ticket #2528646]

  • Fixed configuration HTTP headers should override preset HTTP headers, when identical. [Ticket #2528893]


  • [!] Fixed security vulnerability in io-xdr when using the Flash transport. Removed: Security.allowDomain("*") setting from (source) and io.swf (compiled). The implementation reverts back to the version in 3.0.0.

    This reversion prevents third-party sites from being able to load io.swf from a disparate domain, and make HTTP requests with the SWF’s domain privileges, and passing the domain’s credentials. Only the domain serving io.swf will be permitted to load it, and call its fields.

    See the “Security Bulletin” for more details:


  • Fixed broken synchronous IO requests in IE. [Ticket #2528739]


  • YUI io now supports synchronous transactions for same-domain requests. To enable synchronous transactions, set the configuration property sync to true; the default behavior is false. During a synchronous request, all io events will fire, and response data are accessible through the events. Response data are also returned by io, as an alternative. [Ticket #2528181]

    For example:

    var request =, { sync: true });

    request will contain the following fields, when the tx is complete:

    • id
    • status
    • statusText
    • getResponseHeader()
    • getAllResponseHeaders()
    • responseText
    • responseXML
    • arguments

    When making synchronous requests:

    • The transaction cannot be aborted,
    • The transaction’s progress cannot be monitored.
  • arguments defined in the configuration object are now passed to io global event handlers, as well. [Ticket #2528393]

  • Only pass the value of the arguments property to listeners if defined. [Ticket #2528313]


  • Native cross-domain transactions are now supported in io-xdr. To specify an XDR transaction, set the config object with the following properties:

    • use: Specify either native or flash as the desired XDR transport.

    • credentials: Set to true if cookies are to be sent with the request. Does not work with XDomainRequest (e.g., IE8) or the Flash transport.

    • datatType: Set to xml if the response is an XML document.

    For example:

    var configuration.xdr = {
        use         : 'flash',  // Required -- 'flash` or 'native'.
        credentials : true,     // Optional.
        dataType    : 'xml'     // Optional.

    The use property is required. The others are optional or functionality-specific.

    When using the native transport, io will fallback to the Flash transport if the browser is not capable of supporting the native mode. Make sure the resource responds with the correct Access-Control-Allow-Origin header before attempting a native XDR request.

  • The sub-module datatype-xml is now a dependency for io-xdr, to support XML response data in XDR transactions.

  • XDR transport initialization is simplified to one required value – the path to Flash transport. For example:{ src:'io.swf' });


  • The io-queue sub-module now implements YUI Queue. The io queue interface allows transaction callback handlers to be processed in the order the transactions were sent, regardless of actual server response order. For example:

    • io queue is used to make three requests.

    • The actual server response order happens to be: transaction 2, 1, 3.

    • However, using the queue interface, the transaction callbacks are processed in the order of: transaction 1, 2, 3.

  • All transaction event flows now resolves to success or failure; the abort event is removed. Transaction abort and timeout conditions resolve to failure, and is distinguishable in the response data. Specifically, the response object’s status and statusText properties will be populated as:

    • response.status will be 0.

    • response.statusText will be set to timeout or abort to differentiate the two possible conditions.

  • A new end event is introduced in the transaction event flow; this is the terminal event for all transactions. Its event handler signature is the same as the start event, receiving the transaction id and user-defined arguments.

    • The global event name is io:end.

    • To subscribe to the transaction event, define the end property in the transaction’s configuration object. {on: {end: function(){…} } }.

3.0.0 PR2

  • YUI io is now comprised of several modules, allowing users to specify and implement only the needed modules. These modules are:

    • io-base: This is the IO base class, using XMLHttpRequest as the transport.

    • io-xdr: This sub-module extends IO to enable cross-domain transactions using Flash as the transport.

    • io-form: This sub-module extends IO to enable the serialization of an HTML form as transaction data.

    • io-upload-iframe: This sub-module extends IO, to allow file uploads with an HTML form, using an iframe transport.

    • io-queue: This sub-module extends IO to add transaction queuing capabilities.

  • If defined in the configuration object, user-specified, HTTP Content-Type headers will correctly override POST default headers, for HTTP POST transactions. [Ticket #SF2262707]

  • XML is not supported as a response datatype when using sub-modules io-xdr and io-upload-iframe.

3.0.0 PR1

  • Initial Release.

Make a Donation