469,360 Members | 1,807 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,360 developers. It's quick & easy.

XMLHTTPRequest security model

Hi all,

Through local testing I think I've determined a different between the
ie 6 (winxpsp2) and Firefox security models for XMLHTTPRequest objects
but would like to make sure I didn't conclude improperly.

Scenario: An HTML page in domain A references a Javascript file, via a
script tag, from domain B. That script creates a XMLHTTPRequest object
and tries to download some content from domain B.

In Firefox this works as the script is downloading from the domain
which was the source of the script.

In ie, this does not work and fails with a Permission Denied error.
However, the ie code does appear to work if the scipt downloads an
object from domain A.

For anyone who uses XMLHTTPRequest in a multi-domain setting, ss this
consistent with your experience?

Thanks,

Mark

Jul 23 '05 #1
1 1303
On 9 May 2005 11:55:34 -0700, "maui" <mm****@gmail.com> wrote:
Scenario: An HTML page in domain A references a Javascript file, via a
script tag, from domain B. That script creates a XMLHTTPRequest object
and tries to download some content from domain B.

In Firefox this works as the script is downloading from the domain
which was the source of the script.


Er, this is a security concern and should not be happening. The
security context should be the URL of the page, not the URL of the
script.

I would recommend you raise this as an error in Mozilla.

Jim.
Jul 23 '05 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

20 posts views Thread by Gaz | last post: by
1 post views Thread by geevaa | last post: by
9 posts views Thread by torso | last post: by
1 post views Thread by CARIGAR | last post: by
1 post views Thread by Marylou17 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.