XML HTTP Request Object Use With Cross-Domain Scripting

Discussion in 'Javascript' started by Winston Smith, American Patriot, Nov 16, 2011.

  1. [previously posted in mozilla.support.firefox, where one responder
    recommended posting it to a low traffic group mozilla.dev.extensions]



    I ran into an issue where my interactive web document presents a form to the
    user, and the form processes the user input by making an HTTP request to a
    server with a scientific database, that is NOT the same server that served
    the interactive web document (this is apparently the cross-domain problem).

    The Firefox browser does not alert the developer/user of this violation in a
    helpful way. When one initializes the XmlHttpRequest object in the usual
    way (calls to .open() method, calls to .setRequestHeader() method, then
    finally the .send() method), the XmlHttpRequest.readyState attains a value
    of 4 (the COMPLETE condition), but the XmlHttpRequest.status value is ZERO
    instead of the expected 3-digit HTTP status value (preferably 200 in a
    successfully completed HTTP request). In going through Google search
    results to answer my "WTF is going on" question, the cross-domain security
    issue came up. I then used IE9, and sure enough, it at least reported a
    PERMISSION error at the call to the XmlHttpRequest.open() method.

    I have two questions.

    (1) Numerous methods of the XmlHttpRequest object do not return values to
    indicate success (true) or failure (false) with respect to execution of the
    method. The mechanism of informing the caller of an error in using the
    method appears to be the throwing of exceptions, according to a "standard"
    regarding the XmlHttpRequest object found at W3C. Thus to detect errors---
    or rather exceptions---in the use of object methods, it is sensible to make
    method calls in try/catch blocks (correct?). Like so:

    try {
    requestObject.open(method, url, isSetAsynchronous);
    } catch (exception) {
    if (console && console.log) // if Firebug is working
    console.log("Exception raised @ open() method" +
    " to XML HTTP Request object\n" + exception.toString());
    else
    alert("Exception raised @ open() method to" +
    " XML HTTP Request object\n" + exception.toString());
    }
    try {
    requestObject.setRequestHeader("Content-Type",
    "application/x-www-form-urlencoded");
    } catch (exception) {
    // same use of Firebug console.log() or alert() as above
    }

    Curiously, whereas IE9 stopped at an .open() method call when it was NOT
    wrapped in try/catch, it does not execute the catch block code that I can
    see but instead steps through it (apparently executing the try block
    statement successfully??) and then stops on the .setRequestHeader() method
    call that follows it. When that gets wrapped in try/catch block, it then
    steps over that to the next .setRequestHeader() call in the code again not
    wrapped in try/catch and stops on that. Firefox, which did not adequately
    note the exception anyway but still returns readyState == COMPLETE and
    status == 0, does not run the catch block either.

    (2) Even if I solve this problem above, it does not address the workarounds
    to the cross-domain problem. HTTP clients should allow users to give
    scripts permission to get around the cross-domain problem, as it seems they
    did in the past. There is a lot of confusing information about workarounds
    to the cross-domain problem with changing HTML versions it seems. Does
    anyone know of the definitive resource or explanation on the use of the
    XmlHttpRequest object and how to troubleshoot its use in development?
     
    Winston Smith, American Patriot, Nov 16, 2011
    #1
    1. Advertising

  2. On Wed, 16 Nov 2011 15:51:02 +0000, Winston Smith, American Patriot wrote:

    > (2) Even if I solve this problem above, it does not address the
    > workarounds to the cross-domain problem.


    The work around to the cross domain problem is easy. Use an
    xtmlHTTPRequest request to your own server, and use curl on your server
    to interrogate the other domain.

    Rgds

    Denis McMahon
     
    Denis McMahon, Nov 16, 2011
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. CJD

    Cross-Domain scripting solution

    CJD, Oct 19, 2004, in forum: Javascript
    Replies:
    7
    Views:
    137
    Robert
    Oct 25, 2004
  2. Replies:
    1
    Views:
    125
    Dietmar Meier
    Apr 22, 2005
  3. VA
    Replies:
    22
    Views:
    251
  4. Jacob JKW
    Replies:
    3
    Views:
    150
    Martin Honnen
    Aug 13, 2006
  5. Cross-Domain-Scripting

    , Mar 6, 2007, in forum: Javascript
    Replies:
    1
    Views:
    110
    töff
    Mar 6, 2007
Loading...

Share This Page