Help needed with .js and AJAX

Only reason to use the Privilege is for cross domain coding.

If you need it then you need to add the code in two places normally. I
wrote an example using it awhile back,
http://radio.javaranch.com/pascarell...=1120688860820

See if that gives you any light into the problem.

Eric Pascarello
Coauthor of Ajax In Action

sheadley wrote:

A script from http://www.mydomain.com was denied UniversalBrowse rRead
privileges. I am using firefox 1.5 and here is the code that is being
called:

function showConsumption Data(foodType) {
var url =
'http://mydomain.com/platePyramid.do ?foodType=' +
foodType+'&sysT ime='+new Date().getTime( );
if (window.XMLHttp Request) {
try {

netscape.securi ty.PrivilegeMan ager.enablePriv ilege("Universa lBrowserRead");

You are calling enablePrivilege here but your code is not trusted and
therefore the call gives that message that the requested privilege
UniversalBrowse rRead was denied.
With normal security settings code in a HTML document loaded from a HTTP
server is not not able to enable privileges, you would need to use
signed script.
Why do you need that call, or why do you think you need it?

If your HTML document with the script comes from
http://www.mydomain.com/ then your XMLHttpRequest object should be able
to access URLs on www.mydomain.com without any need to enable privileges.
--

Martin Honnen
http://JavaScript.FAQTs.com/

when I don't use the following code:
netscape.securi ty.PrivilegeMan ager.enablePriv ilege("Universa lBrowserRead
");
I get the following error:

XMLHttpRequest. open() failed permission denied.
I am using jboss and struts to server up these pages would that have an
impact??

*** Sent via Developersdex http://www.developersdex.com ***

Steven Headley wrote:

I am using jboss and struts to server up these pages would that have an
impact??

JBOSS or Perl script - it doesn't matter. What is matter is

(1) Same domain rule:

1) HTML page
2) .js script file
3) URL your're calling with AJAX
-----------------------
all three components have to be from the same domain where the "same
domain" means same protocol (http or https but not a mix), same
subdomain, same domain name and same first level domain:
[http://] [www.] [mycompany] [.com]
from above all squared components can be different or missing but it
has to be *identical* for all three sources (page, script, server call)

If it is true then you can at least use AJAX to call the server.

(2) If it is not true, or if you want to have extended privileges like
UniversalBrowse rRead:

Firefox implements three-tier security model from Netscape 4.x (but in
Firefox it is not Java, but native C++ code inside):

1) First all scripts *and pages* have to be contained in a signed .jar
file. The file has to be signed by a valid certificate. If it is, it
still doesn't give it any privileges: it only gives *a privilege to ask
for a privilege*.

2) over netscape.securi ty.PrivilegeMan ager methods your script asks for
a privilege. If the tier 1 above is passed OK, user will see the popup
asking for privilege. If tier 1 was not passed, no popup will be shown
and request will be automatically cancelled.

3) You using later JavaScript methods to access normally unavailable
information. Each method will ask every time for a privilege from
PrivilegeManage r on tier 2 above. But user will not be bothered anymore
with popups. If user granted privilege on tier 2, she also granted the
privilege to PrivilegeManage r to grant privileges to all methods on
tier 3.

More info and a working sample can be found here:
<http://www.mozilla.org/projects/security/components/signed-scripts.html>

Steven Headley wrote:

I am using jboss and struts to server up these pages would that have an
impact??

JBOSS or Perl script - it doesn't matter. What is matter is

(1) Same domain rule:

1) HTML page
2) .js script file
3) URL your're calling with AJAX
-----------------------
all three components have to be from the same domain where the "same
domain" means same protocol (http or https but not a mix), same
subdomain, same domain name and same first level domain:
[http://] [www.] [mycompany] [.com]
from above all squared components can be different or missing but it
has to be *identical* for all three sources (page, script, server call)

If it is true then you can at least use AJAX to call the server.

(2) If it is not true, or if you want to have extended privileges like
UniversalBrowse rRead:

Firefox implements three-tier security model from Netscape 4.x (but in
Firefox it is not Java, but native C++ code inside):

1) First all scripts *and pages* have to be contained in a signed .jar
file. The file has to be signed by a valid certificate. If it is, it
still doesn't give it any privileges: it only gives *a privilege to ask
for a privilege*.

2) over netscape.securi ty.PrivilegeMan ager methods your script asks for
a privilege. If the tier 1 above is passed OK, user will see the popup
asking for privilege. If tier 1 was not passed, no popup will be shown
and request will be automatically cancelled.

3) You using later JavaScript methods to access normally unavailable
information. Each method will ask every time for a privilege from
PrivilegeManage r on tier 2 above. But user will not be bothered anymore
with popups. If user granted privilege on tier 2, she also granted the
privilege to PrivilegeManage r to grant privileges to all methods on
tier 3.

More info and a working sample can be found here:
<http://www.mozilla.org/projects/security/components/signed-scripts.html>

Steven Headley wrote:

I am using jboss and struts to server up these pages would that have an
impact??

JBOSS or Perl script - it doesn't matter. What is matter is

(1) Same domain rule:

1) HTML page
2) .js script file
3) URL your're calling with AJAX
-----------------------
all three components have to be from the same domain where the "same
domain" means same protocol (http or https but not a mix), same
subdomain, same domain name and same first level domain:
[http://] [www.] [mycompany] [.com]
from above all squared components can be different or missing but it
has to be *identical* for all three sources (page, script, server call)

If it is true then you can at least use AJAX to call the server.

(2) If it is not true, or if you want to have extended privileges like
UniversalBrowse rRead:

Firefox implements three-tier security model from Netscape 4.x (but in
Firefox it is not Java, but native C++ code inside):

1) First all scripts *and pages* have to be contained in a signed .jar
file. The file has to be signed by a valid certificate. If it is, it
still doesn't give it any privileges: it only gives *a privilege to ask
for a privilege*.

2) over netscape.securi ty.PrivilegeMan ager methods your script asks for
a privilege. If the tier 1 above is passed OK, user will see the popup
asking for privilege. If tier 1 was not passed, no popup will be shown
and request will be automatically cancelled.

3) You using later JavaScript methods to access normally unavailable
information. Each method will ask every time for a privilege from
PrivilegeManage r on tier 2 above. But user will not be bothered anymore
with popups. If user granted privilege on tier 2, she also granted the
privilege to PrivilegeManage r to grant privileges to all methods on
tier 3.

More info and a working sample can be found here:
<http://www.mozilla.org/projects/security/components/signed-scripts.html>

Steven Headley wrote:

I am using jboss and struts to server up these pages would that have an
impact??

JBOSS or Perl script - it doesn't matter. What is matter is

(1) Same domain rule:

1) HTML page
2) .js script file
3) URL your're calling with AJAX
-----------------------
all three components have to be from the same domain where the "same
domain" means same protocol (http or https but not a mix), same
subdomain, same domain name and same first level domain:
[http://] [www.] [mycompany] [.com]
from above all squared components can be different or missing but it
has to be *identical* for all three sources (page, script, server call)

If it is true then you can at least use AJAX to call the server.

(2) If it is not true, or if you want to have extended privileges like
UniversalBrowse rRead:

Firefox implements three-tier security model from Netscape 4.x (but in
Firefox it is not Java, but native C++ code inside):

1) First all scripts *and pages* have to be contained in a signed .jar
file. The file has to be signed by a valid certificate. If it is, it
still doesn't give it any privileges: it only gives *a privilege to ask
for a privilege*.

2) over netscape.securi ty.PrivilegeMan ager methods your script asks for
a privilege. If the tier 1 above is passed OK, user will see the popup
asking for privilege. If tier 1 was not passed, no popup will be shown
and request will be automatically cancelled.

3) You using later JavaScript methods to access normally unavailable
information. Each method will ask every time for a privilege from
PrivilegeManage r on tier 2 above. But user will not be bothered anymore
with popups. If user granted privilege on tier 2, she also granted the
privilege to PrivilegeManage r to grant privileges to all methods on
tier 3.

More info and a working sample can be found here:
<http://www.mozilla.org/projects/security/components/signed-scripts.html>

"Steven Headley" <st************ @yahoo.com> wrote in message
news:Mc******** *********@news. uswest.net...

when I don't use the following code:
netscape.securi ty.PrivilegeMan ager.enablePriv ilege("Universa lBrowserRead
");
I get the following error:

XMLHttpRequest. open() failed permission denied.

In your original post, you said that your script (and pages) was coming from
http://www.mydomain.com, but your code calls http://mydomain.com.

Even if thos two resolves to the same ip-address, they are not seen as the
same domain from the browsers point of view.

I am using jboss and struts to server up these pages would that have an
impact??

no

--
Dag.

Steven Headley wrote:

I get the following error:

XMLHttpRequest. open() failed permission denied.

You need to make sure that you only access URLs from the same origin, if
you can't do that then install some server-side "URL fetcher" script so
that you can make all requests to the original server passing the URL on
another server in the query string where the server-side script then
makes the access to the other servers and returns the result to your
client-side code.
--

Martin Honnen
http://JavaScript.FAQTs.com/