Closed Bug 450141 Opened 16 years ago Closed 16 years ago

Changing document.domain doesn't affect XMLHttpRequest

Categories

(Firefox :: Security, defect)

3.0 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: wilde825, Unassigned)

Details

(Keywords: dom1, dom2)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

My scripts are running from two subdomains, let's say:

dynamic.domain.tld
static.domain.tld

Now I'd like to use XMLHttpRequest to exchange some data. Because they're both on the domain.tld server, they should be able to interact with each other because of the document.domain I added to every script. This is according to the Mozilla documentation:

'JavaScript Security: Same Origin'
http://www.mozilla.org/projects/security/components/same-origin.html

This is not working properly as described at the URL.

Reproducible: Always

Steps to Reproduce:
1. Set the document.domain var
2. Place scripts on different subdomains
3. Let them query

Actual Results:
Access Denied Error:

Fout: uncaught exception: [Exception... "Access to restricted URI denied"  code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)"  location: "http://static.domain.tld/js/class.xmlmessage.js Line: 49"]

Expected Results:  
Just loading the request file.

Example file
http:// service . sove . nl / index
will change after getting a resolution for the bug (so it's not static).
Keywords: dom1, dom2
Version: unspecified → 3.0 Branch
This was done intentionally in bug 290100.  Scripts on other subdomains (or domain.com) can opt in to sharing by setting document.domain themselves, but XMLHttpRequest responses cannot.  You can work around this easily by doing the XMLHttpRequest from the correct frame.

Future versions of Firefox may have ways for hosts to opt into sharing XMLHttpRequest responses with particular hostnames.
Blocks: 290100
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Summary: document.domain doens't effect 'The Same Origin Policy' as supposed to. → Changing document.domain doesn't affect XMLHttpRequest
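
The distinction drawn in the comment above, as an added example that is not part of the original bug report and is not Gecko's code: a simplified JavaScript model of the two checks, showing why the XMLHttpRequest is refused while frame-to-frame scripting is allowed, and why issuing the request from a frame on the target host works. The `frame.html` and `data.xml` paths and all function names are assumptions made for illustration.

```javascript
// Simplified model of the two checks discussed in this bug; not Gecko's code.
// A "document" is { url, domain }, where domain is the value the page assigned
// to document.domain, or null if it never assigned one.

function makeDoc(url) {
  return { url: new URL(url), domain: null };
}

// document.domain may only be set to the current host or a parent suffix of it.
// (Real browsers also refuse public suffixes such as "tld"; omitted here.)
function setDomain(doc, value) {
  const host = doc.url.hostname;
  if (host !== value && !host.endsWith("." + value)) {
    throw new Error("document.domain must be a suffix of " + host);
  }
  doc.domain = value;
}

// Script access between two frames: document.domain counts, but only when
// BOTH documents have opted in by setting it to the same value.
function canScriptAccess(a, b) {
  if (a.url.protocol !== b.url.protocol) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain !== null || b.domain !== null) return false;
  return a.url.origin === b.url.origin;
}

// XMLHttpRequest: compares the real scheme/host/port of the requesting
// document with the target URL. document.domain is never consulted.
function canReadXhr(doc, targetUrl) {
  return doc.url.origin === new URL(targetUrl).origin;
}

// Constructed scenario using the host names from the report.
function scenario() {
  const page = makeDoc("http://dynamic.domain.tld/index");
  const frame = makeDoc("http://static.domain.tld/frame.html");
  const target = "http://static.domain.tld/data.xml";
  setDomain(page, "domain.tld");
  setDomain(frame, "domain.tld");
  return {
    xhrFromPage: canReadXhr(page, target),      // the reported failure
    pageToFrame: canScriptAccess(page, frame),  // both documents opted in
    xhrFromFrame: canReadXhr(frame, target),    // the suggested workaround
  };
}
```

In this model the page on dynamic.domain.tld reaches the data by calling a function in the frame, which performs the request from its own origin and hands the result back.
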
Thanks, the page was found by using Google search on some XHR related terms.

As already noticed above, some planned features will provide similar functionality; so far I found:

Something about 'UniversalBrowserRead'
http://www.google.nl/search?hl=nl&q=universalbrowserread&btnG=Google+zoeken&meta=

Signed Scripts
http://www.mozilla.org/projects/security/components/signed-scripts.html

Working with Proxy in mod_rewrite (Apache)
http://www.google.com/search?hl=en&q=mod_rewrite+proxy+xhr

Combining with hidden frames
http://www.google.com/search?hl=en&q=xhr+hidden+frame

Some kind of XHR-gateway programmed in a code you like
http://www.google.com/search?hl=en&q=xhr+gateway+cross-domain