Friday, February 9th, 2007

POW: Excuse me sir, you seem to have a server in your client

Category: Announcements, Editorial

Ready to take your mind for a spin? David Kellogg has created POW, the Plain Old Webserver.

POW is a Firefox plugin that implements a full web server. That means that your browser client now has a server in it.

That just sounds goofy, no? It can be useful, though. needs a server to do an autoproxy with to do local storage. You could do that all via the extension.

The Plain Old Webserver uses Server-side Javascript (SJS) to run a server inside your browser. Use it to distribute files from your browser. It supports Server-side JS, GET, POST, uploads, Cookies, SQLite and AJAX. It has security features to password-protect your site. Users have created a wiki, chat room and search engine using SJS.

This version includes:

  • Documentation to show you how to build a Server-side Javascript program.
  • File uploading code
  • SQLite interface for easy saving of persistent data

POW has more WOW than Vista! :)

Posted by Dion Almaer at 6:31 am


Coupled with Firefox Portable, this could be very useful for delivering web apps on USB sticks. Good work!

Comment by Dave Searle — February 9, 2007

“ needs a server to do an autoproxy with to do local storage.”

Wrong, dojo offline toolkit needs a proxy, not

Comment by JB Boisseau — February 9, 2007

Good Point Dave! I have experimented with apps packaged on USB sticks using the .net ApplicationHost class. This is limited to serving pages requiring the host machine to have the .net framework installed.

This new idea offers a massive potential for platform independent applications.

Comment by Martyn Hawkins — February 9, 2007

Not sure how many people realize this, but you can make a simple webserver in Firefox with just a few lines of javascript code –
(second part – server sockets)

Comment by Alex Kaminski — February 9, 2007

Great idea! Intermittent internet connections can kill web-based apps, so this may provide a true alternative (especially when combined with dojo offline toolkit).

Now, why does it only support GET and POST methods? I want to create RESTful services, so PUT and DELETE should be also supported.

Moreover, a template-based JS engine would be really helpful… No mixed code would be a plus.

Comment by Rui Lopes — February 9, 2007

I thought there’s already something called httpd.js for Mozilla…

Comment by kourge — February 9, 2007

This is a most impressive application. I think this “JavaScript application server” could well evolve into something immensely useful.

I would like to see a function to enable easier server side XSL transforms.

I would like to see the speed of URL fetching mechanism improved; possibly it could make use of the browser file cache.

Longer term, I would like to see an application manager to help deploy applications (along the lines of Tomcat manager).

I would like to see this support the notion of storing variables in scopes (e.g. request, session, application) like other application servers do.

Comment by Mark McLaren — February 9, 2007

For Server Side JavaScript, also take a look at Phobos:

It can run embedded in an IDE, so in theory could run in Firefox, the tools support allows for server side JavaScript debugging.
Based on Grizzly and already highly performant. It contains jMaki Ajax library as well (, and you can use dojo both on client side and server side ).
Can be also deployed as a War web app to any relevant container.

Might be a good time to start doing a firefox plugin as well:-)
the Derby Java DB database can already run embedded in FireFox:


Comment by Ludo — February 9, 2007

Am I the only one who thinks “security nightmare” when I read this?

Comment by Greg Hughes — February 9, 2007


Comment by mikael bergkvist — February 9, 2007

Here’s the point of distinction. As far as I know, this is the only server that works in a browser. Also, it has a programming language (SJS) that is backed by wiki full of documentation. Yes, the possibilities are endless, and POW enables more interesting network applications than AJAX-to-static-server apps allow.

‘Am I the only one who thinks “security nightmare” when I read this?’

No. Your Plain Old Webserver is password protected.

Comment by Dave Kellogg — February 10, 2007

Yes, there is indeed an httpd.js:

The audience is totally different (Mozilla unit testing, possible part of a web developer extension, maybe, use by anyone who might want to embed it in existing code), tho, although I do intend for it to support many of the features POW has.

I didn’t look too closely, but I’ll hazard a guess that the server described here is in some ways more robust (it does request processing async, which I explicitly chose not to do to simplify the use model — Mozilla’s unit-testing community [well, bz :-) ] is starting to want async-enabled features, tho, so it’s on the list of things to implement fairly soon) and in some ways less robust (use of scriptable streams for reading requests is an abuse of JS strings, regexps for various functionality where I don’t believe they’re actually sufficient, etc.). My server also is intended for use as a component, which makes it much more tractable for use in existing code. Finally, I approached the server as though it actually cared about security, so input validation (incoming and outgoing from handlers) is a big concern. For an output example, pow_header has the same flaws as PHP’s header function with respect to allowing web authors to shoot themselves in the foot with respect to header syntax; I didn’t look to see whether or if POW handles incorrect use of the function, but the API is as dangerous as manually-constructed SQL queries compared to parameter-binding solutions.

But hey, it’s fun to see someone else had the same idea as I did. :-) I’ll be interested to see exactly where this goes.

Comment by Jeff Walden — February 10, 2007
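
The contrast drawn in the comment above, between a header API that accepts a raw line and one that validates name and value separately, sketched as an added example (not part of the original comments, and not code from POW or httpd.js). The names `rawHeader` and `setHeader`, the response object and the sample value are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not POW's or httpd.js's API.

// Raw style (like PHP's header()): the caller hands over a whole header line.
function rawHeader(response, line) {
  response.lines.push(line); // no syntax check at all
}

// Structured style: name and value are separate and validated before use,
// the header analogue of binding parameters instead of concatenating SQL.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 "token"
function setHeader(response, name, value) {
  if (!TOKEN.test(name)) throw new Error("invalid header name");
  if (/[\r\n\0]/.test(String(value))) throw new Error("invalid header value");
  response.lines.push(name + ": " + value);
}

// Serialize, then split the head the way a client would, to see which
// header fields actually arrive on the wire.
function serialize(response) {
  return "HTTP/1.1 200 OK\r\n" + response.lines.join("\r\n") + "\r\n\r\n";
}
function headerNamesSeenByClient(wire) {
  const head = wire.split("\r\n\r\n")[0];
  return head.split("\r\n").slice(1).map(l => l.split(":")[0]);
}

// Constructed input: a value a handler might copy from a request parameter.
const untrusted = "en\r\nSet-Cookie: session=constructed";

// The handler meant to set one header; the client sees two.
function demoRaw() {
  const res = { lines: [] };
  rawHeader(res, "Content-Language: " + untrusted);
  return headerNamesSeenByClient(serialize(res));
}

// The same handler mistake is stopped before anything is written.
function demoStructured() {
  const res = { lines: [] };
  try {
    setHeader(res, "Content-Language", untrusted);
  } catch (e) {
    return e.message;
  }
  return headerNamesSeenByClient(serialize(res));
}
```
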

+1 Ludo
POW’s exactly what a web client is never supposed to do.

Comment by Kroum — February 10, 2007

Also another difference, from what I can see: httpd.js is hard-coded to only open a loopback socket, so unless you manually change its source it’s only accessible to you on your computer. I’d be interested in making this configurable, defaulting to off, but I don’t know when or if that’ll actually happen. Doing so requires addressing a ton of other issues and auditing the code, and my time is limited.

Comment by Jeff Walden — February 10, 2007

Cool, but not new. KnowNow did this many, many years ago, running a Javascript httpd server in a browser. Sorry to disappoint you.

But the really cool thing about this new one is (I assume) it is available to the masses. The KnowNow one was only available as either part of a product, or as part of an SDK for which they required a pretty simple license, but still not totally open. But that’s based on my limited knowledge only as someone on the outside who played with it.

Looking at the KnowNow web site there is a product called LiveServer that looks like what I was playing with. Doesn’t have much detail, though, so I can’t tell if they are still using this approach.

Comment by Natch — February 10, 2007

Vista is awful, simply awful. I don’t know why you’d say any reference to it. You want people reading this and taking you seriously, right? More “WOW” than Vista? Jeez, that’s saying a whole lot.

Comment by LUke — February 10, 2007

Fair play for all the effort but, erm, why? Browsers are good at running remotely hosted apps, executables are good at running on the local machine. This is the fastest way to disappear up your own port 80.

Unless I’ve missed something. Which has been known.

Comment by Jerome — February 11, 2007

“Browsers are good at running remotely hosted apps”

No, servers run remotely hosted apps; browsers just make a request — unless you’re talking about scripts and applets, which need to be loaded into the local browser from the remote host and don’t have access to resources on the host (other than by making requests to the server).

“executables are good at running on the local machine”

Executables run on the machine they are located on, and are the only things that do so (scripts and other interpreted code are run by some executable). This truism is irrelevant here, other than that the browser is a powerful executable that is being leveraged by POW.

“This is the fastest way to disappear up your own port 80.”

Perhaps you would miss less if you didn’t think in terms of meaningless cliches.

Comment by truth machine — June 20, 2007
