Closed
Bug 450141
Opened 16 years ago
Closed 16 years ago
Changing document.domain doesn't affect XMLHttpRequest
Categories
(Firefox :: Security, defect)
RESOLVED
WONTFIX
People
(Reporter: wilde825, Unassigned)
Details
(Keywords: dom1, dom2)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

My scripts are running from two subdomains, let's say:
dynamic.domain.tld
static.domain.tld

Now I'd like to use XMLHttpRequest to exchange some data. Because they're both on the domain.tld-server, they should be able to interact with each other because of the document.domain I added to every script. This is according to the Mozilla documentation: 'JavaScript Security: Same Origin' http://www.mozilla.org/projects/security/components/same-origin.html

This is not working properly as described at the URL.

Reproducible: Always

Steps to Reproduce:
1. Set the document.domain var
2. Place scripts on different subdomains
3. Let them query

Actual Results:
Access Denied Error:
Fout: uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "http://static.domain.tld/js/class.xmlmessage.js Line: 49"]

Expected Results:
Just loading the request file.

Example file http:// service . sove . nl / index will change after getting a resolution for the bug (so it's not static).
Updated by reporter•16 years ago
Comment 1•16 years ago
This was done intentionally in bug 290100. Scripts on other subdomains (or domain.com) can opt in to sharing by setting document.domain themselves, but XMLHttpRequest responses cannot. You can work around this easily by doing the XMLHttpRequest from the correct frame. Future versions of Firefox may have ways for hosts to opt into sharing XMLHttpRequest responses with particular hostnames.
Blocks: 290100
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Summary: document.domain doens't effect 'The Same Origin Policy' as supposed to. → Changing document.domain doesn't affect XMLHttpRequest
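The distinction made in comment 1, as an added example that is not part of the bug thread and is not Gecko code: a simplified model in which frame-to-frame script access honours document.domain while the XMLHttpRequest check compares the real scheme, host and port. The class name, function names and URL paths are assumptions; the hostnames are the reporter's.

```javascript
// Simplified model (hypothetical names): two separate checks, only one of
// which looks at document.domain.
class Doc {
  constructor(url) {
    this.url = new URL(url);
    this.domain = null; // stays null until the page assigns document.domain
  }
  // A page may only set document.domain to its own host or a parent suffix.
  // (Simplification: real browsers also refuse public suffixes.)
  setDomain(value) {
    const host = this.url.hostname;
    if (host !== value && !host.endsWith('.' + value)) {
      throw new Error('document.domain must be a suffix of ' + host);
    }
    this.domain = value;
  }
}

// Script access between frames: both sides must opt in with the same value.
function canScriptAcrossFrames(a, b) {
  if (a.url.protocol !== b.url.protocol) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain !== null || b.domain !== null) return false; // one-sided opt-in
  return a.url.origin === b.url.origin;
}

// XMLHttpRequest check without any server opt-in: real origin only,
// document.domain is never consulted.
function xhrAllowed(doc, targetUrl) {
  return doc.url.origin === new URL(targetUrl, doc.url).origin;
}

// The reporter's setup plus the "correct frame" workaround from comment 1.
function demo() {
  const page = new Doc('http://dynamic.domain.tld/index');       // constructed path
  const frame = new Doc('http://static.domain.tld/frame.html');  // constructed path
  page.setDomain('domain.tld');
  frame.setDomain('domain.tld');
  const target = 'http://static.domain.tld/data.xml';            // constructed path
  return {
    direct: xhrAllowed(page, target),               // request from dynamic.*
    domAccess: canScriptAcrossFrames(page, frame),  // page may call into frame
    viaFrame: xhrAllowed(frame, target),            // request issued by the frame
  };
}

console.log(demo());
```

In this model the direct request is refused, while the page can script the static.domain.tld frame and that frame can make the request to its own origin.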
Comment 2•16 years ago (Reporter)
Thanks, the page was found by using Google search on some XHR related terms. As already noticed above, some planned features will provide similar functionality; so far I found:

Something about 'UniversalBrowserRead'
http://www.google.nl/search?hl=nl&q=universalbrowserread&btnG=Google+zoeken&meta=

Signed Scripts
http://www.mozilla.org/projects/security/components/signed-scripts.html

Working with Proxy in mod_rewrite (Apache)
http://www.google.com/search?hl=en&q=mod_rewrite+proxy+xhr

Combining with hidden frames
http://www.google.com/search?hl=en&q=xhr+hidden+frame

Some kind of XHR-gateway programmed in a code you like
http://www.google.com/search?hl=en&q=xhr+gateway+cross-domain
Comment 3•16 years ago
See http://developer.mozilla.org/en/docs/Cross-Site_XMLHttpRequest