
Cross domain scripting with xmlhttp

VA
This has come up before but I am not sure if the latest versions of IE
and FF change the answer.

A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,
so why is it complaining?

Thanks

Dec 9 '05 #1
VA wrote:
[...]
A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,
You are. Read on the SOP (again):

<URL:http://www.mozilla.org/projects/security/components/same-origin.html>
so why is it complaining?


You forgot to do

document.domain = "something.com";

before.
HTH

PointedEars
Dec 9 '05 #2
VA
I had already tried that, I still get the Permission denied to call
method XMLHttpRequest.open in Firefox 1.5

Help? Thanks

Dec 9 '05 #3
VA wrote:
I had already tried that,
Tried what? Please quote the minimum of what you are replying to.

<URL:http://jibbering.com/faq/faq_notes/pots1.html#ps1Post>
I still get the Permission denied to call
method XMLHttpRequest.open in Firefox 1.5

Help?


More real code is needed.
PointedEars
Dec 9 '05 #4
VA
Thomas 'PointedEars' Lahn wrote:

Tried what? Please quote the minimum of what you are replying to.
You suggested that I had forgotten to do document.domain =something.com and
I responded that I had tried that. Didn't think I needed an attribution
for such a small post! Anyway, sorry.
More real code is needed.


Firefox 1.5

I am running a page served from http://foo.something.com

On that page is a script

document.domain="something.com"
var x=new XMLHttpRequest()
x.open("GET","http://bar.something.com/",false)
x.send(null)

The x.open throws the Permission denied exception in spite of the
shorter document.domain

Help? Thanks

Dec 9 '05 #5
VA wrote:
Thomas 'PointedEars' Lahn wrote:
More real code is needed.
Firefox 1.5


Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.
I am running a page served from http://foo.something.com

On that page is a script

document.domain="something.com"
var x=new XMLHttpRequest()
x.open("GET","http://bar.something.com/",false)
x.send(null)
Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is syntactically
correct. However, I asked for _real_ code, preferably on a _real_ website.

| $ for i in foo.something.com bar.something.com; do host "$i"; done
| Host foo.something.com not found: 3(NXDOMAIN)
| Host bar.something.com not found: 3(NXDOMAIN)
("You don't say.")
Help?


<URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>
PointedEars
Dec 9 '05 #6
VA
Thomas 'PointedEars' Lahn wrote:
Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
Firefox/1.5

Brand new profile, no extensions installed

Not sure why the userAgent and extensions and all that stuff matters
for this discussion.
Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is syntactically
correct. However, I asked for _real_ code, preferably on a _real_ website.


Can't do that, why is that relevant? How does that change your answer?
The code snippet I posted is as real as any, isn't it? The question is
how to get the xmlhttp.open() call to succeed when the URL is in a
different server in the same domain.
<URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>

I did read all that but there seems to be no one-size-fits-all method
to get this working. Too many hacks.

Thanks for any help.

Dec 9 '05 #7
VA wrote:
Thomas 'PointedEars' Lahn wrote:
Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
Firefox/1.5

Brand new profile, no extensions installed

Not sure why the userAgent and extensions and all that stuff matters
for this discussion.


Because maybe you did not use the final version of Firefox 1.5 (as of
November 30, 2005) but a previous release candidate; I see that this does
not apply here, Gecko/20051111 indicates 1.5 RC3 which is identical to the
final release (the difference is just a renamed installer).

Because the used operating system and version (here: Windows Server 2003)
may be important.

Because the built-in language package used (here: en-US) may be important.

Because extensions can modify Firefox in a way that behaviour occurs
that is not reproducible without them.
Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is
syntactically correct. However, I asked for _real_ code, preferably
on a _real_ website.


Can't do that,


Then you probably cannot be helped.
why is that relevant? How does that change your answer?
Seeing the real code will allow to exclude any side-effects like invalid
markup or unsupported media types that may affect Firefox's behavior.
The code snippet I posted is as real as any, isn't it?
It is not.
<URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>
I did read all that but there seems to be no one-size-fits-all method
to get this working. Too many hacks.


You are unwilling to help people help you, and you are unwilling to try.
What do you expect?
PointedEars
Dec 9 '05 #8
Thomas 'PointedEars' Lahn said the following on 12/8/2005 11:32 PM:
VA wrote:

Thomas 'PointedEars' Lahn wrote:
Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
Firefox/1.5

Brand new profile, no extensions installed

Not sure why the userAgent and extensions and all that stuff matters
for this discussion.

Because maybe you did not use the final version of Firefox 1.5 (as of
November 30, 2005) but a previous release candidate; I see that this does
not apply here, Gecko/20051111 indicates 1.5 RC3 which is identical to the
final release (the difference is just a renamed installer).


Possible.
Because the used operating system and version (here: Windows Server 2003)
may be important.
Nonsense.
Because the built-in language package used (here: en-US) may be important.
Nonsense.
Because extensions can modify Firefox in a way that behaviour occurs
that is not reproducible without them.
Possible.
Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is
syntactically correct. However, I asked for _real_ code, preferably
on a _real_ website.
Can't do that,

Then you probably cannot be helped.


Now you are being the typical Thomas.
why is that relevant? How does that change your answer?

Seeing the real code will allow to exclude any side-effects like invalid
markup or unsupported media types that may affect Firefox's behavior.


And if it can be made to work in any other environment, then it points
to the environment. That has nothing to do with invalid markup or
unsupported media types.
The code snippet I posted is as real as any, isn't it?

It is not.


It is real code. It just isn't server based code is all.

<URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>
I did read all that but there seems to be no one-size-fits-all method
to get this working. Too many hacks.

You are unwilling to help people help you, and you are unwilling to try.
What do you expect?


For someone to actually try to help solve his problems instead of going
on with ramblings about irrelevant things like OS, Extensions, etc....
--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Answer:It destroys the order of the conversation
Question: Why?
Answer: Top-Posting.
Question: What's the most annoying thing on Usenet?

Please quote what you are replying to.

If you want to post a followup via groups.google.com, don't use the
"Reply" link at the bottom of the article. Click on "show options" at
the top of the article, then click on the "Reply" at the bottom of the
article headers.

Dec 9 '05 #9
VK

VA wrote:
This has come up before but I am not sure if the latest versions of IE
and FF change the answer.

A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,
so why is it complaining?


Cross-domain security operates with *fully qualified domain name* - not
with its parts. There is a good reason for it because the same domain
name (something.com/org/net etc.) doesn't mean at all *the same
origin*. Think for example of hosting providers like prohosting.com
where the account is created like user.prohosting.com

IE allows you to fix a particular situation by setting document.domain
property in each involved document. Firefox decided that it is not
secure enough and I tend to believe that they have some reasons for
this decision.

Firefox way is to use signed HTML pages to bypass sandbox borders. You
may sign your page with self-issued certificate and add this
certificate to each machine of the question.

You can also use server-side request redirection.

You can also drop AJAX altogether and use <script> import technique
or the old good hidden form submission which is one year later still
stays the most hassle free and reliable way.

Dec 9 '05 #10
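
The check discussed in this thread, as an added example that is not code from any of the posters: it models the comparison applied to an XMLHttpRequest target, which is the full scheme, host and port of the page against the target, with no notion of a shared parent domain. The something.com hostnames are the thread's placeholders, the alice/bob.prohosting.com names are constructed, and the function names are hypothetical.

```javascript
// Added example: a model of the same-origin comparison, runnable in Node.js.
// Function names are hypothetical; sample URLs are constructed.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (scheme, host, port) tuple that the policy compares.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// List the tuple components that differ; an empty list means same origin.
function originMismatch(pageUrl, targetUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(targetUrl);
  return ['scheme', 'host', 'port'].filter((k) => a[k] !== b[k]);
}

function isSameOrigin(pageUrl, targetUrl) {
  return originMismatch(pageUrl, targetUrl).length === 0;
}

// True when both hosts sit under the same parent domain. The origin check
// never asks this question, which is why the request in the thread is refused.
function sharesParentDomain(pageUrl, targetUrl, parent) {
  const suffix = '.' + parent.toLowerCase();
  return [pageUrl, targetUrl].every((u) => originTuple(u).host.endsWith(suffix));
}

const cases = [
  ['http://foo.something.com/page.html', 'http://bar.something.com/'],
  ['http://foo.something.com/page.html', 'http://foo.something.com/data.xml'],
  ['http://foo.something.com/', 'https://foo.something.com/'],
  ['http://foo.something.com/', 'http://foo.something.com:8080/'],
  ['http://alice.prohosting.com/', 'http://bob.prohosting.com/'],
];
for (const [page, target] of cases) {
  const diff = originMismatch(page, target);
  const verdict = diff.length ? `blocked (${diff.join(', ')} differs)` : 'allowed';
  console.log(`${page} -> ${target}: ${verdict}`);
}
```

The first and last cases show the same outcome for different reasons of trust: two servers of one owner and two unrelated hosting customers are indistinguishable to the check, so both are refused.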
