From: sameergn on
On Nov 23, 10:16 am, Duncan Booth <duncan.bo...(a)invalid.invalid>
wrote:
> "samee...(a)gmail.com" <samee...(a)gmail.com> wrote:
> > We believe this is not a cross domain issue. b.js is loaded from
> > localhost:8081 and fetching a resource on same server using AJAX. FF
> > 3.5.5 does not show any error in Error Console, allows the AJAX call
> > and even gets a 200 response code and content length is also set
> > properly as seen in Tamper Data. Not sure why it returns 0 as response
> > code and sets responseText to blank.
>
> It is a cross domain issue. The calling page is http://localhost:8080 which
> is a different domain than http://localhost:8081 (the protocol and port
> number both matter here).
>
> It doesn't matter that you loaded the b.js from the same domain as the
> page you are trying to access from Javascript: it's the domain of the page
> a.html that matters.
>
> If you want to know why Firefox sends the request even though it is
> cross-domain read https://developer.mozilla.org/en/HTTP_access_control

Understood the purpose of sending the request: to send the 'Origin:'
header and to check the 'Access-Control-Allow-Origin:' response
header.
From: Thomas 'PointedEars' Lahn on
sameergn(a)gmail.com wrote:

> We have a script at http://localhost:8080/a.html which loads
> http://localhost:8081/b.js using script tag. A button defined in
> a.html invokes a function from b.js. The function makes AJAX call to
> http://localhost:8081/c.html

You should review your notions of the existence of a "script tag" and an
"AJAX call".

> [...] But in AJAX callback the response code is 0

You mean the response _status_ code? But `0' does not indicate success
(except with `file://' where it is a pseudo-request); 200 does. Review your
HTTP knowledge (among other things).

> when readyState becomes 4

So the response was fully received.

> and responseText is blank.
>
> Same behavior in Chrome. IE7 shows "Access is Denied" error.

Works as designed, see below.

> IE8 executes fine and response code is 200 in AJAX callback and
> responseText is properly set.

Looks like a security leak not fixed, or a DNS-resolution based instead of a
hostname-based SOP implementation (which is flawed, of course), or a library
working around.

> We believe this is not a cross domain issue.

Strictly speaking, it is not. However:

> b.js is loaded from localhost:8081 and fetching a resource on same server
> using AJAX.

It is a same-origin issue. To meet the Same Origin Policy, the resource
requested must be accessed with the same protocol, host name, *and* port as
the requesting resource.

URI of requesting resource: http://localhost:8080/a.html
URI of requested resource: http://localhost:8081/c.html

You will notice that the URI of the script that makes the XHR does not
matter as long as it (the script) is requested through conventional means
(here: `script' element). IOW: 8080 != 8081, SOP not met, access denied.

> FF 3.5.5 does not show any error in Error Console,

I can confirm that for Iceweasel 3.5.5 and Firebug 1.4X.5.

> allows the AJAX call

That term again ...

> and even gets a 200 response code and content length is also set
> properly as seen in Tamper Data. Not sure why it returns 0 as response
> code and sets responseText to blank.

Security measure. But you have already seen that it is at the discretion of
the implementation how to handle this case. Some throw exceptions, others
do not.

> Anybody faced similar issue?

Plenty of people, and solutions have been posted even in greater numbers.
If you only had bothered to RTFM, STFW or STFFAQ before you posted ...

<http://jibbering.com/faq/#posting>


PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7(a)news.demon.co.uk>
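
The same-origin decision discussed in this thread, as an added example that is not part of any poster's message: it models the status 0 / empty responseText outcome reported for Firefox and Chrome, and the effect of the Access-Control-Allow-Origin header. The function names and the `server` objects are hypothetical and constructed; only a simple GET without credentials is modelled.

```javascript
// Added illustration: a model of the browser's decision, not browser code.
// An origin is scheme + host + port; URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What a script observes from an XHR (simple GET, no credentials).
//   pageUrl   - document that included the script; its origin is what counts
//   scriptUrl - where the script file came from; deliberately unused
//   server    - constructed stand-in for the target's real HTTP response
function xhrAsSeenByScript(pageUrl, scriptUrl, targetUrl, server) {
  const exposed = { status: server.status, responseText: server.body };
  const withheld = { status: 0, responseText: '' };
  if (sameOrigin(pageUrl, targetUrl)) {
    return { originHeader: null, ...exposed };
  }
  // Cross-origin: the request is still sent, carrying an Origin header, and
  // the server still answers 200 on the wire. The response is handed to the
  // script only if Access-Control-Allow-Origin names the page's origin.
  const pageOrigin = originOf(pageUrl);
  const allow = server.headers['access-control-allow-origin'];
  const permitted = allow === '*' || allow === pageOrigin;
  return { originHeader: pageOrigin, ...(permitted ? exposed : withheld) };
}

// Constructed sample data using the URLs from the thread.
const PAGE = 'http://localhost:8080/a.html';
const SCRIPT = 'http://localhost:8081/b.js';
const TARGET = 'http://localhost:8081/c.html';
const plainServer = { status: 200, body: '<p>c.html</p>', headers: {} };
const corsServer = {
  status: 200,
  body: '<p>c.html</p>',
  headers: { 'access-control-allow-origin': 'http://localhost:8080' },
};

console.log(xhrAsSeenByScript(PAGE, SCRIPT, TARGET, plainServer));
console.log(xhrAsSeenByScript(PAGE, SCRIPT, TARGET, corsServer));
```

Changing the `scriptUrl` argument never alters the result, which is the point made above about b.js: the origin of a.html decides.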