XML HTTP Request Object Use With Cross-Domain Scripting

[It has been recommended I post this in mozilla.dev.extensions, although 
this is really a general use of JavaScript in Firefox, and not actually any 
add-on I am developing for the HTTP client.]


I ran into an issue where my interactive web document presents a form to the 
user and processes the form data by sending an HTTP request to a server with a 
scientific database.

Although I would get an XmlHttpRequest.readyState == COMPLETE condition, the 
XmlHttpRequest.status value was zero and not the usual 3-digit code 
(preferably 200).

I kept saying "WTF" until numerous Google result searches appeared to 
indicate it was a security issue.  I switched to using IE9 to see what was 
going on, and sure enough, IE9 reported a PERMISSION error at the call to 
the XmlHttpRequest.open() method.

Here are my questions:

(1) Numerous methods of the XmlHttpRequest object do not return values to 
indicate success (true) or failure (false).  The mechanism appears to be the 
throwing of exceptions, according to a "standard" I am reading at W3C.  So 
to deal with development problems, I am wrapping XmlHttpRequest method calls 
with exceptions in try/catch blocks, but the exception is not being caught 
it seems.  Look at this script fragment:

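 try {
   // requestObject is the XMLHttpRequest instance; setRequestHeader() is
   // only valid after open() has been called on it
   requestObject.setRequestHeader("Content-Type",
      "application/x-www-form-urlencoded");
 } catch (exception) {
   // typeof guard: a bare `console` reference throws a ReferenceError
   // inside this handler when no console object exists
   if (typeof console !== "undefined" && console.log) // if Firebug is working
     console.log("Exception raised @ setRequestHeader() method" +
        " to XML HTTP Request object\n" + exception.toString());
   else
     alert("Exception raised @ setRequestHeader() method to" +
         " XML HTTP Request object\n" + exception.toString());
 }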

Basically I get some kind of alert, either to a Firebug console or even an 
alert window if there is an exception.  But FF raises no exception, and IE9 
does not even show an alert window, but proceeds to report an error at an 
XmlHttpRequest object method (.setRequestHeader()) which is not wrapped in a 
try/catch block.

Why is this happening?

(2) What is the definitive way now to secure permission from a user or to 
allow cross-domain requests?   I am informed now that there are either HTTP 
Request headers, or maybe that the server providing the form must include 
HTTP response headers that inform the client that it should enable 
permissions for script to access other domains.  How does this work in FF 
and perhaps other clients?

SMH
11/16/2011 5:15:59 AM
mozilla.dev.extensions
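
Added example, not part of the original post: a JavaScript sketch of the response-header mechanism the second question refers to (CORS), showing how the server's allowlist decision determines whether a script sees the real HTTP status or 0. The origins, `POLICY` and all function names are constructed for illustration, and the browser-side check is simplified (no credentials handling, no custom request headers).

```javascript
// Constructed policy for the database server: which page origins may read
// its responses, and what a preflighted request is allowed to use.
const POLICY = {
  allowedOrigins: new Set(["https://forms.example.org"]),
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type"],
};

// Headers the server adds to its response for a given request.
// req = { method, headers } with lower-cased header names.
function corsResponseHeaders(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const out = { Vary: "Origin" }; // caches must key on the Origin header
  // Echo the origin only when it is on the allowlist; never reflect blindly.
  if (!origin || !policy.allowedOrigins.has(origin)) return out;
  out["Access-Control-Allow-Origin"] = origin;
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    // Preflight: state what the real request is allowed to use.
    out["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
  }
  return out;
}

// What the script sees: the browser exposes the real status only if the
// response names the page's origin (or "*"); otherwise XHR reports status 0.
function statusSeenByScript(pageOrigin, httpStatus, responseHeaders) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  return allow === "*" || allow === pageOrigin ? httpStatus : 0;
}

// A form POST with one of these Content-Types is a "simple" request: no
// preflight is sent, so the check is made on the POST response itself.
function isSimpleRequest(method, contentType) {
  const simpleTypes = ["application/x-www-form-urlencoded",
                       "multipart/form-data", "text/plain"];
  const type = contentType.split(";")[0].trim().toLowerCase();
  return ["GET", "HEAD", "POST"].includes(method) && simpleTypes.includes(type);
}

// The form POST from the post above, sent from a page at pageOrigin.
function demo(pageOrigin) {
  const req = { method: "POST", headers: { origin: pageOrigin,
    "content-type": "application/x-www-form-urlencoded" } };
  return statusSeenByScript(pageOrigin, 200, corsResponseHeaders(req));
}
```
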
