XML HTTP Request Object Use With Cross-Domain Scripting

I ran into an issue where my interactive web document presents a form to the 
user and processes the form data by sending an HTTP request to a server with a 
scientific database.

Although I would get an XmlHttpRequest.readyState == COMPLETE condition, the 
XmlHttpRequest.status value was zero and not the usual 3-digit code 
(preferably 200).

I kept saying "WTF" until numerous Google result searches appeared to 
indicate it was a security issue.  I switched to using IE9 to see what was 
going on, and sure enough, IE9 reported a PERMISSION error at the call to 
the XmlHttpRequest.open() method.

Here are my questions:

(1) Numerous methods of the XmlHttpRequest object do not return values to 
indicate success (true) or failure (false).  The mechanism appears to be the 
throwing of exceptions, according to a "standard" I am reading at W3C.  So, 
to deal with development problems, I am wrapping XmlHttpRequest method calls 
with exceptions in try/catch blocks, but the exception is not being caught 
it seems.  Look at this script fragment:

 try {
   requestObject.setRequestHeader("Content-Type", 
      "application/x-www-form-urlencoded");
 } catch (exception) {
   if (console && console.log) // if Firebug is working
     console.log("Exception raised @ setRequestHeader() method" +
        " to XML HTTP Request object\n" + exception.toString());
   else
     alert("Exception raised @ setRequestHeader() method to" + 
         " XML HTTP Request object\n" + exception.toString());
 }

Basically I get some kind of alert, either to a Firebug console or even an 
alert window if there is an exception.  But FF raises no exception, and IE9 
does not even show an alert window, but proceeds to report an error at a 
XmlHttpRequest object method (.setRequestHeader()) which is not wrapped in a 
try/catch block.

Why is this happening?

(2) What is the definitive way now to secure permission from a user or to 
allow cross-domain requests?   I am informed now that there are either HTTP 
Request headers, or maybe that the server providing the form must include 
HTTP response headers that inform the client that it should enable 
permissions for script to access other domains.  How does this work in FF 
and perhaps other clients?

0
SMH
11/16/2011 1:33:43 AM
mozilla.support.firefox

My bloviated meandering follows what SMH graced us with on 11/15/2011 
5:33 PM:
> I ran into an issue where my interactive web document presents a form to the 
> user and processes the form data by sending an HTTP request to a server with a 
> scientific database.
> 
> Although I would get an XmlHttpRequest.readyState == COMPLETE condition, the 
> XmlHttpRequest.status value was zero and not the usual 3-digit code 
> (preferably 200).
> 
> I kept saying "WTF" until numerous Google result searches appeared to 
> indicate it was a security issue.  I switched to using IE9 to see what was 
> going on, and sure enough, IE9 reported a PERMISSION error at the call to 
> the XmlHttpRequest.open() method.
> 
> Here are my questions:
> 
> (1) Numerous methods of the XmlHttpRequest object do not return values to 
> indicate success (true) or failure (false).  The mechanism appears to be the 
> throwing of exceptions, according to a "standard" I am reading at W3C.  So, 
> to deal with development problems, I am wrapping XmlHttpRequest method calls 
> with exceptions in try/catch blocks, but the exception is not being caught 
> it seems.  Look at this script fragment:
> 
>  try {
>    requestObject.setRequestHeader("Content-Type", 
>       "application/x-www-form-urlencoded");
>  } catch (exception) {
>    if (console && console.log) // if Firebug is working
>      console.log("Exception raised @ setRequestHeader() method" +
>         " to XML HTTP Request object\n" + exception.toString());
>    else
>      alert("Exception raised @ setRequestHeader() method to" + 
>          " XML HTTP Request object\n" + exception.toString());
>  }
> 
> Basically I get some kind of alert, either to a Firebug console or even an 
> alert window if there is an exception.  But FF raises no exception, and IE9 
> does not even show an alert window, but proceeds to report an error at a 
> XmlHttpRequest object method (.setRequestHeader()) which is not wrapped in a 
> try/catch block.
> 
> Why is this happening?
> 
> (2) What is the definitive way now to secure permission from a user or to 
> allow cross-domain requests?   I am informed now that there are either HTTP 
> Request headers, or maybe that the server providing the form must include 
> HTTP response headers that inform the client that it should enable 
> permissions for script to access other domains.  How does this work in FF 
> and perhaps other clients?
> 
You might find better resources by posting this on the 
mozilla.dev.extensions group.

-- 
Sailfish - Netscape Champion
Netscape/Mozilla Tips: http://www.ufaq.org/ , http://ilias.ca/
Rare Mozilla Stuff: https://www.projectit.com/
0
Sailfish
11/16/2011 1:59:43 AM
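
On question (2) of the original post: cross-origin access for XMLHttpRequest is granted by the server that receives the request, through CORS response headers. The sketch below is an added example, not code from this thread; the origin https://forms.example.org, the POLICY object and both function names are assumptions, and the preflight test is simplified.

```javascript
// Added example: server-side CORS decision for a cross-origin XMLHttpRequest.
// The origin and policy values are constructed for illustration.
const POLICY = {
  allowedOrigins: new Set(["https://forms.example.org"]), // hypothetical form page origin
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type"],
};

// Content types a browser sends cross-origin without a preflight OPTIONS request.
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// True when the browser sends a preflight before the real request.
// Simplified: ignores value-length limits, Range, and upload listeners.
function needsPreflight(method, headers) {
  if (!["GET", "HEAD", "POST"].includes(method)) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") {
      return !SIMPLE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
    }
    return !["accept", "accept-language", "content-language"].includes(n);
  });
}

// Headers the database server adds to its response. Header names in
// req.headers are assumed lowercased. An empty object means the browser
// withholds the response and the script sees status 0.
function corsResponseHeaders(req, policy = POLICY) {
  const origin = req.headers["origin"];
  if (!origin || !policy.allowedOrigins.has(origin)) return {};
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (req.method === "OPTIONS") {
    // Preflight: the browser asks which method the real request may use.
    const wanted = req.headers["access-control-request-method"];
    if (!policy.allowedMethods.includes(wanted)) return {};
    out["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
  }
  return out;
}
```

The Content-Type set in the posted fragment, application/x-www-form-urlencoded, is one of the types that does not trigger a preflight, so only the Access-Control-Allow-Origin check on the final response applies to that request.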