Hypermedia controls
Hypermedia as the engine of application state
Dr Graeme StuartHypermedia as the engine of application state
Dr Graeme StuartTed Nelson, Brief Words on the Hypertext, 23 January 1967
“Hypertext is a recent coinage. Hyper- is used in the mathematical sense of extension and generality (as in hyperspace, hypercube) rather than the medical sense of excessive (hyperactivity).”
HyperText Transfer Protocol is the core mechanism for communicating between web clients (browsers) and web servers.
MDN has a great set of pages describing HTTP.
The architectural style of the web is known as REpresentational State Transfer (REST).

One of the key pillars of RESTful architecture is HyperMedia as the engine of application state (HATEOAS).
In HATEOAS, the client (browser) has no knowledge of your application. All it knows is the entry point URL (possibly a hyperlink from another site). It receives hypermedia controls embedded in HTML.
Hypermedia controls allow the user to make subsequent requests that change the state of the application.
This is Roy Fielding. He described REST in his PhD thesis in 2000.
HTML only allows two request methods, GET and POST. They imply a different intent.
GET requests are safe and idempotent.
They imply a read-only request for a representation of a given resource. They can be issued and reissued many times without any problem.
- GET /items (give me the items)
- GET /items/123 (give me item number 123)
POST requests are neither safe nor are they guaranteed to be idempotent
They imply a request to change server state. Issuing the same POST request multiple times may change the state each time. e.g. by adding duplicate records into a collection.
Fundamentally, they submit data for the resource to process.
HTTP semantics is about intent, GET requests are for read-only operations, POST requests modify state.
In a normal scenario, we load a page using a
GETrequest, e.g. with a hyperlink.
| |
It is also possible to load a page by submitting a form. Forms issue
GETrequests by default, but can have theirmethodattribute set toPOST.
| |
Anchors and forms are examples of hypermedia controls.
<input> elements are inline and void (i.e. they have no content and don’t need closing tags).
The <input> element is extremely versatile, attributes are used to change its behaviour.
The default
<input>is a text input like this:
| |
Adding placeholder text is easy:
| |
Default values can also be provided:
| |
We will only cover some of the basics.
For accessibility,
<input>elements should have an associated<label>element.
| |
| |
In some use cases, you may not want/need a visible
<label>. In this case, you can use anaria-labelattribute.
By default
<input>elements are generic text fields but they can be modified with thetypeattribute.
| |
| |
| |
There are many input field types available. Some of these were introduced with HTML5.
Getting dates and times.
| |
Make sure you use these where possible.
| |
| |
We can use
<fieldset>elements to organise<inputs>into groups.
Select boxes need nested options.
| |
Only one option can be
selected
Radio buttons need to be grouped using the
nameattribute.
| |
The
valueattribute will be submitted as the value of thenamekey.
Validation used to be really annoying, now its easy. Inputs with
type="tel",type="url"andtype="email"provide basic checking which is detected by the pseudo-classes:validand:invalid. We can also add therequiredattribute to activate the:invalidstate on empty values.
| |
Forms will only submit when all inputs are valid. They also have the same pseudo-classes so can also be styled.
Submitting forms passes data to the server only for elements with a name attribute.
| |
GETrequests will include data assearch parameterswithin the URL and are useful for adding detail to a request, e.g. filtering or sorting results.
POSTrequests include data in the requestbodyand (when served over HTTPS) can be used for sensitive data.
The web application server needs to understand what is being requested by interpreting the URL the method and the data.
Code
HTTP Response Codes should reflect the status of the processed request.
No problem, your request was processed successfully.
The result can be seen at another location. The browser will GET the provided URL.
This doesn’t make sense. Your request was not processed.
Poorly named as this really means unauthenticated, i.e “I don’t know who you are”.
I know you, but you can’t have the requested resource.
I’m not sure what you were trying to do because this resource doesn’t exist.
Wait… something went wrong. I don’t feel well.
The POST method is not idempotent so successful requests must be handled carefully.
Successful POST requests cannot return simple HTML responses with 200 OK. If they do, then the browser can refresh to reissue the same request.
Unsuccessful POST requests can be reissued safely so they can return an HTML response.
A common solution is to return a 303 See Other and add a Location header with a path to a resource which shows the change.
They can return a failure status code (such as 400, 404, 401 etc) to explain why they didn’t work. The HTML response should include advice as to how the user should proceed.
A browser receiving a 303 See Other status code will look for the Location header and immediately issue a GET request, thus loading a new resource.
If you have any questions, now is a good time to ask.
Thanks for listening
Dr Graeme Stuart