Help needed with .js and AJAX

sheadley

Hi all,
When using AJAX and JavaScript I get the following error when
talking to my server:

A script from http://www.mydomain.com was denied UniversalBrowserRead
privileges. I am using Firefox 1.5 and here is the code that is being
called:

function showConsumptionData(foodType) {
    var url = 'http://mydomain.com/platePyramid.do?foodType=' +
        foodType + '&sysTime=' + new Date().getTime();
    if (window.XMLHttpRequest) {
        try {
            netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
            req = new XMLHttpRequest();
            req.onreadystatechange = processSCRequest;
            req.open("GET", url, false);
            req.send(null);
        }
        catch (e)
        {
            alert("(Mozilla)-" + e);
        }
    } else if (window.ActiveXObject) {
        req = new ActiveXObject("Microsoft.XMLHTTP");
        req.onreadystatechange = processSCRequest;
        req.open("GET", url, false);
        req.send(null);
    }
}

The .js file is contained in its own file, being called by the .html
file. Could this be causing the problem? I am stumped. Any help would
be appreciated.


Regards,

Steven H.
 
Martin Honnen

sheadley wrote:

A script from http://www.mydomain.com was denied UniversalBrowserRead
privileges. I am using firefox 1.5 and here is the code that is being
called:

function showConsumptionData(foodType) {
var url =
'http://mydomain.com/platePyramid.do?foodType=' +
foodType+'&sysTime='+new Date().getTime();
if (window.XMLHttpRequest) {
try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");

You are calling enablePrivilege here but your code is not trusted and
therefore the call gives that message that the requested privilege
UniversalBrowserRead was denied.
With normal security settings, code in an HTML document loaded from an HTTP
server is not able to enable privileges; you would need to use
signed script.
Why do you need that call, or why do you think you need it?

If your HTML document with the script comes from
http://www.mydomain.com/ then your XMLHttpRequest object should be able
to access URLs on www.mydomain.com without any need to enable privileges.
 
Steven Headley

when I don't use the following code:


netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");


I get the following error:

XMLHttpRequest.open() failed permission denied.


I am using JBoss and Struts to serve up these pages; would that have an
impact?
 
VK

Steven said:
I am using jboss and struts to server up these pages would that have an
impact??

JBoss or Perl script - it doesn't matter. What matters is:

(1) Same domain rule:

1) HTML page
2) .js script file
3) URL you're calling with AJAX
-----------------------
all three components have to be from the same domain where the "same
domain" means same protocol (http or https but not a mix), same
subdomain, same domain name and same first level domain:
[http://] [www.] [mycompany] [.com]
Any of the bracketed components above can be different or missing, but each
has to be *identical* for all three sources (page, script, server call).

If it is true then you can at least use AJAX to call the server.

(2) If it is not true, or if you want to have extended privileges like
UniversalBrowserRead:

Firefox implements the three-tier security model from Netscape 4.x (but in
Firefox it is not Java, but native C++ code inside):

1) First all scripts *and pages* have to be contained in a signed .jar
file. The file has to be signed by a valid certificate. If it is, it
still doesn't give it any privileges: it only gives *a privilege to ask
for a privilege*.

2) Through netscape.security.PrivilegeManager methods your script asks for
a privilege. If the tier 1 above is passed OK, user will see the popup
asking for privilege. If tier 1 was not passed, no popup will be shown
and request will be automatically cancelled.

3) You later use JavaScript methods to access normally unavailable
information. Each method will ask every time for a privilege from
PrivilegeManager on tier 2 above. But user will not be bothered anymore
with popups. If user granted privilege on tier 2, she also granted the
privilege to PrivilegeManager to grant privileges to all methods on
tier 3.

More info and a working sample can be found here:
<http://www.mozilla.org/projects/security/components/signed-scripts.html>
 
Dag Sunde

Steven Headley said:
when I don't use the following code:


netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");


I get the following error:

XMLHttpRequest.open() failed permission denied.

In your original post, you said that your script (and pages) was coming from
http://www.mydomain.com, but your code calls http://mydomain.com.

Even if those two resolve to the same IP address, they are not seen as the
same domain from the browser's point of view.

I am using jboss and struts to serve up these pages would that have an
impact??

No.
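
The host mismatch pointed out in this reply can be checked mechanically. The following is an added example, not code from any poster in the thread: it compares origins (scheme, host, port) with the standard URL class and builds the request URL relative to the page so the two cannot drift apart. The page path /index.html and the sample food type values are constructed.

```javascript
// Added example: compare origins as (scheme, host, port); path and query
// play no part in the comparison.
function originOf(url, base) {
  // Relative URLs are resolved against `base`, as the browser does.
  return new URL(url, base).origin;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl, pageUrl);
}

// Build the request URL from the page URL instead of hard-coding a host,
// so the request always targets the origin the page was loaded from.
function consumptionUrl(pageUrl, foodType, now) {
  const u = new URL('/platePyramid.do', pageUrl);
  u.searchParams.set('foodType', foodType);   // value is URL-encoded for us
  u.searchParams.set('sysTime', String(now));
  return u.href;
}

// Constructed sample input: the page URL path is an assumption.
const PAGE = 'http://www.mydomain.com/index.html';

function report() {
  const cases = [
    'http://mydomain.com/platePyramid.do?foodType=grain',      // host differs
    'https://www.mydomain.com/platePyramid.do?foodType=grain', // scheme differs
    'http://www.mydomain.com:8080/platePyramid.do',            // port differs
    '/platePyramid.do?foodType=grain',                         // relative URL
    consumptionUrl(PAGE, 'grain & dairy', 1),                  // derived URL
  ];
  return cases.map((c) => [c, isSameOrigin(PAGE, c)]);
}

console.log(report());
```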
 
Martin Honnen

Steven said:
I get the following error:

XMLHttpRequest.open() failed permission denied.

You need to make sure that you only access URLs from the same origin. If
you can't do that, then install some server-side "URL fetcher" script so
that you can make all requests to the original server, passing the URL on
another server in the query string, where the server-side script then
makes the access to the other servers and returns the result to your
client-side code.
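
A server-side fetcher of the kind described in this reply should only forward to upstream hosts the site owner has chosen, otherwise it relays requests to any address the server can reach. The following is an added example, not code from the thread: it validates the `url` query parameter against an allowlist before any outbound request is made. The /fetch path, the allowlisted host names and the function names are hypothetical.

```javascript
// Added example: validate the target of a same-origin "URL fetcher" endpoint.
// Hypothetical allowlist: upstream host -> schemes permitted for that host.
const ALLOWED = new Map([
  ['api.partner.example', new Set(['https:'])],
  ['feeds.example.org', new Set(['https:', 'http:'])],
]);

function validateTarget(raw) {
  let u;
  try {
    u = new URL(raw);                       // no base: absolute URLs only
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  const schemes = ALLOWED.get(u.hostname);  // hostname is already lowercased
  if (!schemes) return { ok: false, reason: 'host not allowlisted' };
  if (!schemes.has(u.protocol)) return { ok: false, reason: 'scheme not allowed' };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  if (u.port !== '') return { ok: false, reason: 'non-default port' };
  return { ok: true, url: u.href };         // normalized URL to fetch
}

// Extract and validate the target from the fetcher's own request URL,
// e.g. /fetch?url=https%3A%2F%2Fapi.partner.example%2Fv1%2Fitems
function targetFromRequest(requestUrl) {
  const query = new URL(requestUrl, 'http://www.mydomain.com').searchParams;
  const raw = query.get('url');
  if (raw === null) return { ok: false, reason: 'missing url parameter' };
  return validateTarget(raw);
}

// Constructed sample request, printed when the file is run directly.
console.log(targetFromRequest('/fetch?url=https%3A%2F%2Fapi.partner.example%2Fv1%2Fitems'));
```

The fetcher should apply the same check to any redirect it receives from the upstream server rather than following it automatically.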
 
