
Cross domain scripting with xmlhttp

VA
This has come up before but I am not sure if the latest versions of IE
and FF change the answer.

A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,
so why is it complaining?

Thanks

Dec 9 '05 #1
VA wrote:
> [...]
> A script running on a webpage served up by http://foo.something.com
> should be able to do
> xmlhttp.open("GET","http://bar.something.com",true)
>
> But in Firefox 1.5, I get the Permission denied error
>
> Why is this? The domain is something.com so I am not crossing domains,

You are. Read on the SOP (again):

<URL:http://www.mozilla.org/projects/security/components/same-origin.html>

> so why is it complaining?

You forgot to do

document.domain = "something.com";

before.

HTH

PointedEars
Dec 9 '05 #2
VA
I had already tried that, I still get the Permission denied to call
method XMLHttpRequest.open in Firefox 1.5

Help? Thanks

Dec 9 '05 #3
VA wrote:
> I had already tried that,

Tried what? Please quote the minimum of what you are replying to.

<URL:http://jibbering.com/faq/faq_notes/pots1.html#ps1Post>

> I still get the Permission denied to call
> method XMLHttpRequest.open in Firefox 1.5
>
> Help?

More real code is needed.

PointedEars
Dec 9 '05 #4
VA
Thomas 'PointedEars' Lahn wrote:
> Tried what? Please quote the minimum of what you are replying to.

You suggested that I had forgotten to do document.domain=something.com and
I responded that I had tried that. Didn't think I needed an attribution
for such a small post! Anyway, sorry.

> More real code is needed.


Firefox 1.5

I am running a page served from http://foo.something.com

On that page is a script

document.domain="something.com"
var x=new XMLHttpRequest()
x.open("GET","http://bar.something.com/",false)
x.send(null)

The x.open throws the Permission denied exception in spite of the
shorter document.domain

Help? Thanks

Dec 9 '05 #5
VA wrote:
> Thomas 'PointedEars' Lahn wrote:
>> More real code is needed.
> Firefox 1.5

Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.

> I am running a page served from http://foo.something.com
>
> On that page is a script
>
> document.domain="something.com"
> var x=new XMLHttpRequest()
> x.open("GET","http://bar.something.com/",false)
> x.send(null)

Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is syntactically
correct. However, I asked for _real_ code, preferably on a _real_ website.

| $ for i in foo.something.com bar.something.com; do host "$i"; done
| Host foo.something.com not found: 3(NXDOMAIN)
| Host bar.something.com not found: 3(NXDOMAIN)

("You don't say.")

> Help?

<URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>

PointedEars
Dec 9 '05 #6
VA
Thomas 'PointedEars' Lahn wrote:
> Too unspecific. Post the value of `navigator.userAgent' and
> name the extensions you have installed with their versions.

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
Firefox/1.5

Brand new profile, no extensions installed

Not sure why the userAgent and extensions and all that stuff matters
for this discussion.

> Even though semicolons should always be included explicitly to avoid
> side-effects with automatic semicolon insertion, the code is syntactically
> correct. However, I asked for _real_ code, preferably on a _real_ website.

Can't do that, why is that relevant? How does that change your answer?
The code snippet I posted is as real as any, isn't it? The question is
how to get the xmlhttp.open() call to succeed when the URL is in a
different server in the same domain.

> <URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>

I did read all that but there seems to be no one-size-fits-all method
to get this working. Too many hacks.

Thanks for any help.

Dec 9 '05 #7
VA wrote:
> Thomas 'PointedEars' Lahn wrote:
>> Too unspecific. Post the value of `navigator.userAgent' and
>> name the extensions you have installed with their versions.
> Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
> Firefox/1.5
>
> Brand new profile, no extensions installed
>
> Not sure why the userAgent and extensions and all that stuff matters
> for this discussion.

Because maybe you did not use the final version of Firefox 1.5 (as of
November 30, 2005) but a previous release candidate; I see that this does
not apply here, Gecko/20051111 indicates 1.5 RC3 which is identical to the
final release (the difference is just a renamed installer).

Because the used operating system and version (here: Windows Server 2003)
may be important.

Because the built-in language package used (here: en-US) may be important.

Because extensions can modify Firefox in a way that behaviour occurs
that is not reproducible without them.

>> Even though semicolons should always be included explicitly to avoid
>> side-effects with automatic semicolon insertion, the code is
>> syntactically correct. However, I asked for _real_ code, preferably
>> on a _real_ website.
>
> Can't do that,

Then you probably cannot be helped.

> why is that relevant? How does that change your answer?

Seeing the real code will allow to exclude any side-effects like invalid
markup or unsupported media types that may affect Firefox's behavior.

> The code snippet I posted is as real as any, isn't it?

It is not.

>> <URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>
> I did read all that but there seems to be no one-size-fits-all method
> to get this working. Too many hacks.

You are unwilling to help people help you, and you are unwilling to try.
What do you expect?

PointedEars
Dec 9 '05 #8
Thomas 'PointedEars' Lahn said the following on 12/8/2005 11:32 PM:
> VA wrote:
>
>> Thomas 'PointedEars' Lahn wrote:
>>> Too unspecific. Post the value of `navigator.userAgent' and
>>> name the extensions you have installed with their versions.
>> Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
>> Firefox/1.5
>>
>> Brand new profile, no extensions installed
>>
>> Not sure why the userAgent and extensions and all that stuff matters
>> for this discussion.
>
> Because maybe you did not use the final version of Firefox 1.5 (as of
> November 30, 2005) but a previous release candidate; I see that this does
> not apply here, Gecko/20051111 indicates 1.5 RC3 which is identical to the
> final release (the difference is just a renamed installer).

Possible.

> Because the used operating system and version (here: Windows Server 2003)
> may be important.

Nonsense.

> Because the built-in language package used (here: en-US) may be important.

Nonsense.

> Because extensions can modify Firefox in a way that behaviour occurs
> that is not reproducible without them.

Possible.

>>> Even though semicolons should always be included explicitly to avoid
>>> side-effects with automatic semicolon insertion, the code is
>>> syntactically correct. However, I asked for _real_ code, preferably
>>> on a _real_ website.
>> Can't do that,
>
> Then you probably cannot be helped.

Now you are being the typical Thomas.

>> why is that relevant? How does that change your answer?
>
> Seeing the real code will allow to exclude any side-effects like invalid
> markup or unsupported media types that may affect Firefox's behavior.

And if it can be made to work in any other environment, then it points
to the environment. That has nothing to do with invalid markup or
unsupported media types.

>> The code snippet I posted is as real as any, isn't it?
>
> It is not.

It is real code. It just isn't server based code is all.

>>> <URL:http://www.google.com/search?q=firefox+xmlhttprequest+%22permission+denied%22>
>> I did read all that but there seems to be no one-size-fits-all method
>> to get this working. Too many hacks.
>
> You are unwilling to help people help you, and you are unwilling to try.
> What do you expect?

For someone to actually try to help solve his problems instead of going
on with ramblings about irrelevant things like OS, Extensions, etc....
--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Answer:It destroys the order of the conversation
Question: Why?
Answer: Top-Posting.
Question: Whats the most annoying thing on Usenet?

Please quote what you are replying to.

If you want to post a followup via groups.google.com, don't use the
"Reply" link at the bottom of the article. Click on "show options" at
the top of the article, then click on the "Reply" at the bottom of the
article headers.

Dec 9 '05 #9
VK

VA wrote:
> This has come up before but I am not sure if the latest versions of IE
> and FF change the answer.
>
> A script running on a webpage served up by http://foo.something.com
> should be able to do
> xmlhttp.open("GET","http://bar.something.com",true)
>
> But in Firefox 1.5, I get the Permission denied error
>
> Why is this? The domain is something.com so I am not crossing domains,
> so why is it complaining?


Cross-domain security operates with *fully qualified domain name* - not
with its parts. There is a good reason for it because the same domain
name (something.com/org/net etc.) doesn't mean at all *the same
origin*. Think for example of hosting providers like prohosting.com
where the account is created like user.prohosting.com

IE allows you to fix a particular situation by setting document.domain
property in each involved document. Firefox decided that it is not
secure enough and I tend to believe that they have some reasons for
this decision.

Firefox way is to use signed HTML pages to bypass sandbox borders. You
may sign your page with self-issued certificate and add this
certificate to each machine of the question.

You can also use server-side request redirection.

You can also drop AJAX all together and use <script> import technique
or the old good hidden form submission which is one year later still
stays the most hassle free and reliable way.

Dec 9 '05 #10
VA
VK wrote:
> You can also use server-side request redirection.

That is an interesting idea, I will look into that, thanks for the tip.
Probably use mod_rewrite for this.

> You can also drop AJAX all together and use <script> import technique

Not sure what you mean here, can you please elaborate?

> or the old good hidden form submission which is one year later still
> stays the most hassle free and reliable way.

Ditto. Can you please elaborate?

Thanks

Dec 9 '05 #11
On 2005-12-09, VA <us****@vikas.mailshell.com> wrote:
> This has come up before but I am not sure if the latest versions of IE
> and FF change the answer.
>
> A script running on a webpage served up by http://foo.something.com
> should be able to do
> xmlhttp.open("GET","http://bar.something.com",true)
>
> But in Firefox 1.5, I get the Permission denied error
>
> Why is this?

It must be the same server... (same FQDN or IP and same port)
you can serve script, stylesheets, and images etc from a
different server but the requests must go back to the source
of the page.

Bye.
Jasen
Dec 9 '05 #12
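
Added example, not part of any post in the thread: the comparison described in posts #10 and #12, applied to the request from the original question. It takes the origin to be the (scheme, host, port) triple; the function names and the sample URLs other than the thread's two placeholder hosts are constructed for illustration.

```javascript
// Added illustration. Hostnames are the placeholders used in the thread.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (scheme, host, port) triple that the check compares.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,                              // "http:" or "https:"
    host: u.hostname,                                // full host name, lower-cased by URL
    port: u.port || DEFAULT_PORTS[u.protocol] || ''  // explicit port, else scheme default
  };
}

// Longest run of trailing DNS labels two hosts share, e.g. "something.com".
// Computed only to show that the check never looks at it.
function sharedSuffix(hostA, hostB) {
  const a = hostA.split('.').reverse();
  const b = hostB.split('.').reverse();
  const common = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    common.unshift(a[i]);
  }
  return common.join('.');
}

// Compare the page's origin with the request target and name what differs.
function compareOrigins(pageUrl, requestUrl) {
  const page = originOf(pageUrl);
  const target = originOf(requestUrl);
  const differs = ['scheme', 'host', 'port'].filter((k) => page[k] !== target[k]);
  return {
    sameOrigin: differs.length === 0,
    differs,
    sharedSuffix: sharedSuffix(page.host, target.host)
  };
}

// Constructed cases; the first is the request from the original question.
const PAGE = 'http://foo.something.com/app/index.html';
const CASES = [
  'http://bar.something.com/',
  'http://foo.something.com/data.xml',
  'http://foo.something.com:80/data.xml',
  'http://foo.something.com:8080/data.xml',
  'https://foo.something.com/data.xml',
  'http://something.com/'
];

// One line per case: the target and whether the request would be allowed.
function report() {
  return CASES.map((target) => {
    const r = compareOrigins(PAGE, target);
    const verdict = r.sameOrigin
      ? 'allowed'
      : 'denied (' + r.differs.join(', ') + ' differs)';
    return target + ' -> ' + verdict;
  });
}

console.log(report().join('\n'));
```

The first case shares the suffix something.com with the page and is still a different origin, because only the full host name is compared.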
On 2005-12-09, VK <sc**********@yahoo.com> wrote:
> You can also drop AJAX all together and use <script> import technique
> or the old good hidden form submission which is one year later still
> stays the most hassle free and reliable way.

how does this stuff work? does it work with IE4?

Bye.
Jasen
Dec 9 '05 #13
Jasen Betts said the following on 12/9/2005 3:32 PM:
> On 2005-12-09, VK <sc**********@yahoo.com> wrote:
>
>> You can also drop AJAX all together and use <script> import technique
>> or the old good hidden form submission which is one year later still
>> stays the most hassle free and reliable way.
>
> how does this stuff work? does it work with IE4?

Yes, dynamically loading .js files works with IE4. It also works with
the antique NN4 series browsers also.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 10 '05 #14
On 2005-12-10, Randy Webb <Hi************@aol.com> wrote:
> Jasen Betts said the following on 12/9/2005 3:32 PM:
>> On 2005-12-09, VK <sc**********@yahoo.com> wrote:
>>
>>> You can also drop AJAX all together and use <script> import technique
>>> or the old good hidden form submission which is one year later still
>>> stays the most hassle free and reliable way.
>>
>> how does this stuff work? does it work with IE4?
>
> Yes, dynamically loading .js files works with IE4. It also works with
> the antique NN4 series browsers also.

where can I see some examples? is it only supported by old browsers?

Bye.
Jasen
Dec 10 '05 #15
>>> You can also drop AJAX all together and use <script> import technique
>>> or the old good hidden form submission which is one year later still
>>> stays the most hassle free and reliable way.
>> how does this stuff work? does it work with IE4?
> Yes, dynamically loading .js files works with IE4. It also works with
> the antique NN4 series browsers also.


Be aware that when you use the script tag hack, you are giving the
other site's script the same authority as your script. It can access
and change your cookies. It can use your password to access your server.

Do Not Use the script tag hack if you have any form of user
authentication on your site. It is not secure.

http://www.crockford.com/javascript
Dec 10 '05 #16
Douglas Crockford said the following on 12/10/2005 9:49 AM:
>>>> You can also drop AJAX all together and use <script> import technique
>>>> or the old good hidden form submission which is one year later still
>>>> stays the most hassle free and reliable way.
>>> how does this stuff work? does it work with IE4?
>>
>> Yes, dynamically loading .js files works with IE4. It also works with
>> the antique NN4 series browsers also.
>
> Be aware that when you use the script tag hack, you are giving the other
> site's script the same authority as your script. It can access and
> change your cookies. It can use your password to access your server.

That drawback also exists with the HTTPRequest Object. Both have benefits
over the other, both have drawbacks.

> Do Not Use the script tag hack if you have any form of user
> authentication on your site. It is not secure.

Do not use the HTTPRequest Object either then.

And it is not because of the "hack" as you call it.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 11 '05 #17
VA
VA wrote:
> VK wrote:
>> You can also use server-side request redirection.
>
> That is an interesting idea, I will look into that, thanks for the tip.
> Probably use mod_rewrite for this.


OK I put a rewrite rule on my Apache config to say

RewriteRule ^/r=(.+)/(.+)$ http://$1/$2

This way, I can pass /r=something/foo to my source server and get it
redirected to the other server.

Works like a charm in IE 6+

But FF 1.5 still throws an error. Content at ... may not access data
from ....

Help? Thanks

Dec 12 '05 #18
VA wrote:
> VA wrote:
>> VK wrote:
>>> You can also use server-side request redirection.
>
> [...]
>
> OK I put a rewrite rule on my Apache config to say
>
> RewriteRule ^/r=(.+)/(.+)$ http://$1/$2
>
> This way, I can pass /r=something/foo to my source server and get it
> redirected to the other server.
>
> Works like a charm in IE 6+
>
> But FF 1.5 still throws an error. Content at ... may not access data
> from ....

URL Rewriting is not redirection, hence it is transparent to the AOM/DOM.
Try

RedirectMatch ^.+?/r=(.+)/(.+)$ http://$1/$2

instead.

PointedEars
Dec 12 '05 #19
VA
Thomas:

Thanks, I tried that but FF 1.5 still throws

Error: uncaught exception: Security Error: Content at
http://foo.something.com/bar may not load data from
http://bar.something.com

Help? Thanks

Dec 12 '05 #20
VA wrote:
> Thanks, I tried that but [...]

Tried what?

> Error: uncaught exception: Security Error: Content at
> http://foo.something.com/bar may not load data from
> http://bar.something.com

Tough luck. And still not the truth as there is no
foo.something.com or bar.something.com.

This will be my last reply to one of your postings until further
notice since you are either unwilling or not capable of adhering
to the newsgroup's agreed posting guidelines although they have
been pointed out to you before. You had been warned.

PointedEars
Dec 12 '05 #21
I'm pulling for you because I've got the exact same question at the
exact same time. Brian McLean Chevrolet in Courtenay BC Canada is who
I'm working on, they're a used car and new GM dealer. I am not much of
a programmer but have a fair share of php hacking and javascript
scooping in my time.

I'm starting to follow this thread and I see that you're dabbling into
apache config when it may not be totally necessary, if you re-read the
thread perhaps you'll agree?

Anywhoo, I am looking to submit a form remotely, so that when someone
clicks on 'search for used chevy trucks' on a page I'm creating on
http://www.brianmclean.ca , they get the results output by a javascript
form on this page:

http://www.brianmcleanchev.gmcanada....etUsedVeh.List

- the form on the gmcanada site is javascript, and there's an option
for chevy trucks in the form.

Can you say if this is possible?

Dec 13 '05 #22
VA
Thomas: You are obviously a brilliant and helpful person, why do you
have to be such a holier-than-thou PIA?

I am giving you the gist of the error message. How does it matter what
my actual server names are?

Tried what? What you suggested, of course.

I took out the RewriteRule and added the RedirectMatch to my Apache
config.

It didn't work.

Can someone else please help me?

Thanks

Dec 13 '05 #23
VA said the following on 12/12/2005 6:47 PM:
> Thomas: You are obviously a brilliant and helpful person,

That is very debatable.

> why do you have to be such a holier-than-thou PIA?

Because he knows no better yet. He thinks it makes him look smart or
something but it doesn't.

> I am giving you the gist of the error message. How does it matter what
> my actual server names are?

It doesn't, it just gives him something else to be pedantic about.

> Tried what? What you suggested, of course.

Naturally. But it is always a good idea to quote what you are replying to.

Have the page request the resource from its own server. Then have the
server request it from serverB then return it to the browser.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 13 '05 #24
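
Added example, not part of any post in the thread: a sketch of the relay suggested in post #24, written for Node.js 18 or later. Unlike the rule in post #18, where the pattern `^/r=(.+)/(.+)$` takes the target host from the request path, the mapping here accepts only a key into a fixed allow-list; `UPSTREAMS`, the `/relay/` prefix and the function names are hypothetical, and bar.something.com is the thread's placeholder host.

```javascript
// Added illustration. UPSTREAMS, the /relay/ prefix and the function names are
// hypothetical; bar.something.com is the placeholder host from the thread.
const UPSTREAMS = { bar: 'http://bar.something.com' };

// Map "/relay/<key>/<path>" to a URL on an allow-listed upstream, or null.
// The client supplies a key, never a host name.
function resolveUpstream(requestPath) {
  const m = /^\/relay\/([a-z0-9-]+)(\/.*)?$/.exec(requestPath);
  if (!m || !Object.prototype.hasOwnProperty.call(UPSTREAMS, m[1])) return null;
  const base = new URL(UPSTREAMS[m[1]]);
  const target = new URL(m[2] || '/', base);
  // A path that starts with "//" (or "/\") resolves to a different host:
  // accept the result only if it is still on the allow-listed origin.
  return target.origin === base.origin ? target.href : null;
}

// Same-origin endpoint for the page: fetches server-side and returns the body.
async function startRelay(port) {
  const http = await import('node:http');
  const server = http.createServer(async (req, res) => {
    const target = req.method === 'GET' ? resolveUpstream(req.url) : null;
    if (!target) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('forbidden\n');
      return;
    }
    try {
      // Browser cookies and Authorization headers are deliberately not
      // forwarded, and upstream redirects are not followed.
      const upstream = await fetch(target, { redirect: 'manual' });
      const body = Buffer.from(await upstream.arrayBuffer());
      res.writeHead(upstream.status, {
        'Content-Type': upstream.headers.get('content-type') || 'application/octet-stream'
      });
      res.end(body);
    } catch (err) {
      res.writeHead(502, { 'Content-Type': 'text/plain' });
      res.end('upstream unavailable\n');
    }
  });
  return new Promise((resolve) => {
    server.listen(port, '127.0.0.1', () => resolve(server));
  });
}

// To run: startRelay(8080), then have the page request /relay/bar/<path>
// from its own server instead of contacting the other host directly.
```

Because the page talks only to its own origin, the browser's check never sees the second host; the allow-list keeps the relay from being pointed at arbitrary servers.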
VA
Randy Webb wrote:
> Have the page request the resource from its own server. Then have the
> server request it from serverB then return it to the browser.


Unfortunately, I cannot do this. The resource I am requesting (a
webservice) requires NTLM authentication and the webserver my browser
is talking to doesn't have the necessary credentials to get that NTLM
resource. The request has to come directly from my browser to ServerB.
Hence my quest to get this darn cross-domain scripting working with
XMLHTTP.

All the various techniques we discussed in this thread and in other
threads on the Internet work fine with IE, but no matter what I do,
Firefox refuses to allow this kind of thing!

I guess Firefox does the NTLM negotiation (4-way handshake stuff) fine
with URLs requested interactively from the location bar and as part of
user-initiated browsing activity, but for XMLHTTP, it gives up at the
first HTTP 401 it receives (it does not respond with the
WWW-Authenticate, blah, blah handshake). Sigh, I give up.

I guess I am going to have to advertise this feature in my application
as an "IE only" feature and leave it at that.

Thanks

Dec 19 '05 #25
VK

VA wrote:
> All the various techniques we discussed in this thread and in other
> threads on the Internet work fine with IE, but no matter what I do,
> Firefox refuses to allow this kind of thing!


Please see my post at:
<http://groups.google.com/group/comp.lang.javascript/browse_frm/thread/7b258f4850f6e8b1/ba928eb7084820fd#ba928eb7084820fd>

Dec 19 '05 #26
