Cross domain scripting with xmlhttp

VA

This has come up before but I am not sure if the latest versions of IE
and FF change the answer.

A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,
so why is it complaining?

Thanks
 
Thomas 'PointedEars' Lahn

VA said:
[...]
A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,

You are. Read on the SOP (again):

so why is it complaining?

You forgot to do

document.domain = "something.com";

before.


HTH

PointedEars
 
VA

I had already tried that, I still get the Permission denied to call
method XMLHttpRequest.open in Firefox 1.5

Help? Thanks
 
Thomas 'PointedEars' Lahn

VA said:
I had already tried that,

Tried what? Please quote the minimum of what you are replying to.

I still get the Permission denied to call
method XMLHttpRequest.open in Firefox 1.5

Help?

More real code is needed.


PointedEars
 
VA

Thomas said:
Tried what? Please quote the minimum of what you are replying to.

You suggested that I had forgot to do document.domain=something.com and
I responded that I had tried that. Didn't think I needed an attribution
for such a small post! Anyway, sorry.
More real code is needed.

Firefox 1.5

I am running a page served from http://foo.something.com

On that page is a script

document.domain="something.com"
var x=new XMLHttpRequest()
x.open("GET","http://bar.something.com/",false)
x.send(null)

The x.open throws the Permission denied exception in spite of the
shorter document.domain

Help? Thanks
 
Thomas 'PointedEars' Lahn

VA said:
Firefox 1.5

Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.
I am running a page served from http://foo.something.com

On that page is a script

document.domain="something.com"
var x=new XMLHttpRequest()
x.open("GET","http://bar.something.com/",false)
x.send(null)

Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is syntactically
correct. However, I asked for _real_ code, preferably on a _real_ website.

| $ for i in foo.something.com bar.something.com; do host "$i"; done
| Host foo.something.com not found: 3(NXDOMAIN)
| Host bar.something.com not found: 3(NXDOMAIN)
("You don't say.")

<URL:http://www.google.com/search?q=firefox+xmlhttprequest+"permission+denied">


PointedEars
 
VA

Thomas said:
Too unspecific. Post the value of `navigator.userAgent' and
name the extensions you have installed with their versions.

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
Firefox/1.5

Brand new profile, no extensions installed

Not sure why the userAgent and extensions and all that stuff matters
for this discussion.
Even though semicolons should always be included explicitly to avoid
side-effects with automatic semicolon insertion, the code is syntactically
correct. However, I asked for _real_ code, preferably on a _real_ website.

Can't do that, why is that relevant? How does that change your answer?
The code snippet I posted is as real as any, isn't it? The question is
how to get the xmlhttp.open() call to succeed when the URL is in a
different server in the same domain.


<URL:http://www.google.com/search?q=firefox+xmlhttprequest+"permission+denied">

I did read all that but there seems to be no one-size-fits-all method
to get this working. Too many hacks.

Thanks for any help.
 
Thomas 'PointedEars' Lahn

VA said:
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8) Gecko/20051111
Firefox/1.5

Brand new profile, no extensions installed

Not sure why the userAgent and extensions and all that stuff matters
for this discussion.

Because maybe you did not use the final version of Firefox 1.5 (as of
November 30, 2005) but a previous release candidate; I see that this does
not apply here, Gecko/20051111 indicates 1.5 RC3 which is identical to the
final release (the difference is just a renamed installer).

Because the used operating system and version (here: Windows Server 2003)
may be important.

Because the built-in language package used (here: en-US) may be important.

Because extensions can modify Firefox in a way that behaviour occurs
that is not reproducible without them.
Can't do that,

Then you probably cannot be helped.
why is that relevant? How does that change your answer?

Seeing the real code will make it possible to exclude any side-effects like
invalid markup or unsupported media types that may affect Firefox's behavior.
The code snippet I posted is as real as any, isn't it?

It is not.
I did read all that but there seems to be no one-size-fits-all method
to get this working. Too many hacks.

You are unwilling to help people help you, and you are unwilling to try.
What do you expect?


PointedEars
 
Randy Webb

Thomas 'PointedEars' Lahn said the following on 12/8/2005 11:32 PM:
VA wrote:




Because maybe you did not use the final version of Firefox 1.5 (as of
November 30, 2005) but a previous release candidate; I see that this does
not apply here, Gecko/20051111 indicates 1.5 RC3 which is identical to the
final release (the difference is just a renamed installer).
Possible.

Because the used operating system and version (here: Windows Server 2003)
may be important.
Nonsense.

Because the built-in language package used (here: en-US) may be important.
Nonsense.

Because extensions can modify Firefox in a way that behaviour occurs
that is not reproducible without them.
Possible.



Then you probably cannot be helped.

Now you are being the typical Thomas.
Seeing the real code will allow to exclude any side-effects like invalid
markup or unsupported media types that may affect Firefox's behavior.

And if it can be made to work in any other environment, then it points
to the environment. That has nothing to do with invalid markup or
unsupported media types.
It is not.

It is real code. It just isn't server based code is all.
You are unwilling to help people help you, and you are unwilling to try.
What do you expect?

For someone to actually try to help solve his problems instead of going
on with ramblings about irrelevant things like OS, Extensions, etc....


--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Answer:It destroys the order of the conversation
Question: Why?
Answer: Top-Posting.
Question: Whats the most annoying thing on Usenet?

Please quote what you are replying to.

If you want to post a followup via groups.google.com, don't use the
"Reply" link at the bottom of the article. Click on "show options" at
the top of the article, then click on the "Reply" at the bottom of the
article headers.
 
VK

VA said:
This has come up before but I am not sure if the latest versions of IE
and FF change the answer.

A script running on a webpage served up by http://foo.something.com
should be able to do
xmlhttp.open("GET","http://bar.something.com",true)

But in Firefox 1.5, I get the Permission denied error

Why is this? The domain is something.com so I am not crossing domains,
so why is it complaining?

Cross-domain security operates on the *fully qualified domain name*, not
on its parts. There is a good reason for it, because the same domain
name (something.com/org/net etc.) doesn't mean at all *the same
origin*. Think for example of hosting providers like prohosting.com
where the account is created like user.prohosting.com

IE allows you to fix a particular situation by setting document.domain
property in each involved document. Firefox decided that it is not
secure enough and I tend to believe that they have some reasons for
this decision.

The Firefox way is to use signed HTML pages to bypass sandbox borders. You
may sign your page with a self-issued certificate and add this
certificate to each machine in question.

You can also use server-side request redirection.

You can also drop AJAX altogether and use the <script> import technique
or the good old hidden form submission, which one year later still
remains the most hassle-free and reliable way.
 
VA

VK said:
You can also use server-side request redirection.

That is an interesting idea, I will look into that, thanks for the tip.
Probably use mod_rewrite for this.
You can also drop AJAX altogether and use the <script> import technique

Not sure what you mean here, can you please elaborate?
or the good old hidden form submission, which one year later still
remains the most hassle-free and reliable way.

Ditto. Can you please elaborate?

Thanks
 
Randy Webb

Jasen Betts said the following on 12/9/2005 3:32 PM:
how does this stuff work? does it work with IE4?

Yes, dynamically loading .js files works with IE4. It also works with
the antique NN4 series browsers also.
 
Douglas Crockford

Yes, dynamically loading .js files works with IE4. It also works with
the antique NN4 series browsers also.

Be aware that when you use the script tag hack, you are giving the
other site's script the same authority as your script. It can access
and change your cookies. It can use your password to access your server.

Do Not Use the script tag hack if you have any form of user
authentication on your site. It is not secure.

http://www.crockford.com/javascript
 
Randy Webb

Douglas Crockford said the following on 12/10/2005 9:49 AM:
Be aware that when you use the script tag hack, you are giving the other
site's script the same authority as your script. It can access and
change your cookies. It can use your password to access your server.

That drawback also exists with the HTTPRequest Object. Both have benefits
over the other, both have drawbacks.
Do Not Use the script tag hack if you have any form of user
authentication on your site. It is not secure.

Do not use the HTTPRequest Object either then.

And it is not because of the "hack" as you call it.
 
VA

VA said:
That is an interesting idea, I will look into that, thanks for the tip.
Probably use mod_rewrite for this.

OK I put a rewrite rule on my Apache config to say

RewriteRule ^/r=(.+)/(.+)$ http://$1/$2

This way, I can pass /r=something/foo to my source server and get it
redirected to the other server.

Works like a charm in IE 6+

But FF 1.5 still throws an error. Content at ... may not access data
from ....

Help? Thanks
 
Thomas 'PointedEars' Lahn

VA said:
VA said:
VK said:
You can also use server-side request redirection.
[...]
OK I put a rewrite rule on my Apache config to say

RewriteRule ^/r=(.+)/(.+)$ http://$1/$2

This way, I can pass /r=something/foo to my source server and get it
redirected to the other server.

Works like a charm in IE 6+

But FF 1.5 still throws an error. Content at ... may not access data
from ....

URL Rewriting is not redirection, hence it is transparent to the AOM/DOM.
Try

RedirectMatch ^.+?/r=(.+)/(.+)$ http://$1/$2

instead.


PointedEars
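To make VK's point about origins being full host names, Thomas's note on document.domain, and the rewrite-versus-redirect exchange above concrete, here is an added JavaScript model (not code from the thread) of the same-origin check a browser applies to XMLHttpRequest. It uses the thread's hypothetical hosts foo.something.com and bar.something.com and the posted rewrite pattern; the two server functions are stand-ins for Apache, where mod_rewrite answers an absolute URL on another host with an external redirect unless the [P] proxy flag hands it to mod_proxy, and the browser follows that redirect before checking the origin.

```javascript
// Added example, not code from the thread. An origin is the (scheme, host,
// port) of the *full* host name, so foo.something.com and bar.something.com
// are two different origins even though they share something.com.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// document.domain relaxes script access between two *documents* (frames or
// windows), and only when both set it to the same parent domain of their own
// host. It does not change the origin used for XMLHttpRequest at all.
function isDomainSuffix(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function canScriptAcrossWindows(docA, docB) {
  if (sameOrigin(docA.url, docB.url)) return true;
  const a = originOf(docA.url), b = originOf(docB.url);
  return docA.domain !== undefined && docA.domain === docB.domain &&
    a.scheme === b.scheme &&
    isDomainSuffix(a.host, docA.domain) && isDomainSuffix(b.host, docB.domain);
}

// The thread's pattern: RewriteRule ^/r=(.+)/(.+)$ http://$1/$2
const RULE = /^\/r=(.+?)\/(.+)$/;

// Stand-in for Apache answering with an external redirect (302). The browser
// follows it, so the XHR ends up at bar.something.com: still cross-origin.
function redirectingServer(path) {
  const m = RULE.exec(path);
  return m ? { status: 302, location: "http://" + m[1] + "/" + m[2] } : { status: 404 };
}

// Stand-in for a same-origin proxy (e.g. mod_rewrite [P] flag): the server
// fetches bar itself and the browser only ever talks to foo.something.com.
function proxyingServer(path) {
  const m = RULE.exec(path);
  return m ? { status: 200, body: "constructed body fetched server-side from http://" + m[1] + "/" + m[2] }
           : { status: 404 };
}

function xhrAllowed(pageUrl, requestUrl, server) {
  const resp = server(new URL(requestUrl).pathname);
  const finalUrl = resp.status === 302 ? resp.location : requestUrl; // browser follows redirects
  return sameOrigin(pageUrl, finalUrl);
}
```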
 
Thomas 'PointedEars' Lahn

VA said:
Thanks, I tried that but [...]

Tried what?
Error: uncaught exception: Security Error: Content at
http://foo.something.com/bar may not load data from
http://bar.something.com

Tough luck. And still not the truth as there is no
foo.something.com or bar.something.com.

This will be my last reply to one of your postings until further
notice since you are either unwilling or not capable of adhering
to the newsgroup's agreed posting guidelines although they have
been pointed out to you before. You had been warned.


PointedEars
 
VA

Thomas: You are obviously a brilliant and helpful person, why do you
have to be such a holier-than-thou PIA?

I am giving you the gist of the error message. How does it matter what
my actual server names are?

Tried what? What you suggested, of course.

I took out the RewriteRule and added the RedirectMatch to my Apache
config.

It didn't work.

Can someone else please help me?

Thanks
 
CobaltHarv

I'm pulling for you because I've got the exact same question at the
exact same time. Brian McLean Chevrolet in Courtenay BC Canada is who
I'm working on, they're a used car and new GM dealer. I am not much of
a programmer but have a fair share of php hacking and javascript
scooping in my time.

I'm starting to follow this thread and I see that you're dabbling into
apache config when it may not be totally necessary, if you re-read the
thread perhaps you'll agree?

Anywhoo, I am looking to submit a form remotely, so that when someone
clicks on 'search for used chevy trucks' on a page I'm creating on
http://www.brianmclean.ca , they get the results output by a javascript
form on this page:

http://www.brianmcleanchev.gmcanada.com/weblogic/gwn/dws/InternetUsedVeh.List

- the form on the gmcanada site is javascript, and there's an option
for chevy trucks in the form.

Can you say if this is possible?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top