Security-glitch in IE Using XMLHttp?

Dag Sunde

I have this little test-page using Ajax to
grab a simple date-string from the server.
This works as expected in IE, FF, NS, etc.

This morning I changed the path to my little
server-side "date-script", so it pointed to
another web-server, i.e. not the same site
as the page containing my ajax script came from.

As expected, FF, Opera and NS now failed with
a "security permission", *but* IE plodded
happily along and executed the now cross-domain
call and gave me the result. No errors, no warnings...

Is this a well-known fact, or have I discovered
something here?
 
Jim Ley

Dag Sunde said:
As expected, FF, Opera and NS now failed with
a "security permission", *but* IE plodded
happily along and executed the now cross-domain
call and gave me the result. No errors, no warnings...

It's a security setting, "Access Data Sources across domains"; you've
got lowered security for whatever zone you accessed the page in.

Jim.
 
Dag Sunde

Jim Ley said:
It's a security setting, "Access Data Sources across domains"; you've
got lowered security for whatever zone you accessed the page in.

Ah... Interesting...

Are there similar settings in any of the other browsers?
(Mainly interested in FF, NS7.x and Opera).

This may be an interesting feature in intranet applications.
 
Martin Honnen

Dag said:
Are there similar settings in any of the other browsers?
(Mainly interested in FF, NS7.x and Opera).

No. First of all, neither Firefox (current versions) nor Netscape 7 has
any security zone model, and frankly allowing such access in general
seems not to be a good idea.
For IE you can set that setting for different zones, so you could safely
configure the normal internet zone, but for the intranet zone or trusted
sites you could lower the settings.

If you wanted to do anything with script in Mozilla browsers that is not
allowed by normal settings then you would need to use signed script and
then that script still needs to ask the user for certain rights which
pops up a dialog where the user can grant the right or not. Script
signing requires a certificate which a certificate authority usually
charges money for every year you need the certificate.
Mozilla also, as far as I am currently aware, does not distinguish between
http://localhost/ access and access to real remote hosts.
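
Added example, not part of the thread or any poster's code: a PowerShell audit of the per-zone "Access data sources across domains" setting discussed above, flagging the Internet and Restricted zones when it is not disabled. It assumes the setting is stored as URL action `1406` under the `Internet Settings\Zones\<n>` registry keys with 0 = Enable, 1 = Prompt, 3 = Disable; that mapping is not stated in the thread.

```powershell
# Added example: report IE URL action 1406 ("Access data sources across domains")
# for every security zone, from user, machine and policy locations.
# Assumptions (not from the thread): value name 1406; 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}
$valueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$results = foreach ($root in $roots) {
    foreach ($zone in 0..4) {
        $key = Join-Path $root $zone
        if (-not (Test-Path $key)) { continue }

        # The value is absent when the zone inherits its template default here.
        $prop = Get-ItemProperty -Path $key -Name '1406' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }

        $raw = [int]$prop.'1406'
        $setting = if ($valueNames.ContainsKey($raw)) { $valueNames[$raw] } else { "Other ($raw)" }

        # Lowering the setting is only reasonable for intranet / trusted sites;
        # anything but Disable in the Internet or Restricted zone needs review.
        $review = ($zone -ge 3) -and ($raw -ne 3)

        [pscustomobject]@{
            Location = $root.Substring(0, 4)
            Policy   = $root -like '*\Policies\*'
            Zone     = $zoneNames[$zone]
            Setting  = $setting
            Review   = $review
        }
    }
}

$results | Sort-Object Zone, Location | Format-Table -AutoSize
```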
 
