XMLHttpRequest and different port gives permission denied.

RESOLVED WONTFIX

Status

Core
Security: CAPS
--
major
RESOLVED WONTFIX
14 years ago
12 years ago

People

(Reporter: Erik Arvidsson, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: WONTFIX?)

(Reporter)

Description

14 years ago
I find it odd that I could not find a previous bug about this.

If I have a page that is located at http://www.server.com and try to use
XMLHttpRequest to http://www.server.com:8080 (or some other port) I get a
permission denied error. This scenario is very common because lots of web
servers are configured so that JSP and other services are available on specific
ports.

This works in MSXML

I just realized that this is the same for cross frame scripting so I guess it is
intentional. I really hope not.

Comment 1

14 years ago
Related for understanding: Bug 105694 Comment 0 (more at the end) and Bug 105694
So as I see this, this behaviour is intended (at least for normal websites, for
XMLHttpRequest this might need to be changed).

Comment 2

14 years ago
Reassigning to "Security: CAPS" though I'm not sure if that is the right
component for this.
Assignee: darin → security-bugs
Component: Networking: HTTP → Security: CAPS
QA Contact: core.networking.http

Comment 3

This is actually a known feature, and I would be somewhat reluctant to fix this.
In Mozilla we think that a different port means a different server, and we deny
access to different servers on purpose to prevent security violations. This
limitation has been mentioned here: http://www.mozilla.org/xmlextras/

There has been some work to let higher level web services access resources on
other servers, so if you are doing some SOAP and higher level stuff you should
check out http://www.mozilla.org/projects/webservices/ and probably talk to
doron on #mozilla. It is not straightforward, and requires some (as of yet)
non-standard things to be done on servers.

I vote to wontfix this. Any arguments that work in 100% of cases as to why it
would not be a security hole?
Whiteboard: WONTFIX?
(Reporter)

Comment 4

14 years ago
(In reply to comment #3)
> This is actually a known feature, and I would be somewhat reluctant to fix this.
> In Mozilla we think that a different port means a different server, and we deny
> access to different servers on purpose to prevent security violations. This
> limitation has been mentioned here: http://www.mozilla.org/xmlextras/

I knew I had read that this was the desired behavior somewhere but searching
through bugzilla and n.p.m.* did not give any clear answer.

Personally I think this is a limitation and complicates lots of real world usage
but I'm not a security expert and thus someone who is should have the final word
on this.

Comment 5

13 years ago
At my company, we are trying to include support for Firefox in our web app
architecture. Our system uses two servers living on different ports on the same
IP address: one ordinary HTTP server serving static HTML pages (and doesn't
require any sophisticated web server at all), and an application server, also
using HTTP, but only via POST, and communicating to the client in a style
somewhat similar to Gmail.

We don't understand the rationale for why a different port means a different
server. 

Our application server supports sophisticated run-time / design-time development
features, along with integrated debugging. Short of developing a separate web
server too, this limitation leaves us stuck.

Comment 6

(In reply to comment #5)
> We don't understand the rationale for why a different port means a different
> server. 

Different ports can be different servers administered by different people. So,
in effect, same thing as if they were totally different hosts. Cross-site
scripting is prevented for security reasons.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WONTFIX

Comment 7

13 years ago
> (In reply to comment #5)
> > We don't understand the rationale for why a different port means a different
> > server. 
> 
> Different ports can be different servers administered by different people. So,
> in effect, same thing as if they were totally different hosts. Cross-site
> scripting is prevented for security reasons.

There is a very big difference between two independent DNS names, and the same
DNS name but different ports, from the point of view of cross-site scripting.
The distinction is lost in Firefox. I hope some recognition of this difference
is added to the browser some time in the future.

Comment 8

13 years ago
(In reply to comment #6)
> > We don't understand the rationale for why a different port means a different
> > server. 
> 
> Different ports can be different servers administered by different people.

Also, consider something like ASP.NET: different subdirectories on the same port
on the same server can be administrated by different people. Where's your
justification then?

Comment 9

*** Bug 340568 has been marked as a duplicate of this bug. ***
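
The rule defended in this bug compares scheme, host and port and ignores the path, which is why a different port is refused while a different subdirectory is not. The sketch below is an added illustration, not Mozilla's code and not part of any comment in this bug; the function names are made up for the example and the URLs are constructed from the ones in the report.

```javascript
// Added example: a same-origin comparison on (scheme, host, port).
// Function names are hypothetical; this is not the browser's implementation.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the tuple the check compares. The path is dropped on purpose.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // The URL parser leaves port empty when it equals the scheme default,
    // so fill it in to make ":80" and "no port" compare equal for http.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Return the tuple components on which the two URLs differ.
// An empty array means the request is same-origin.
function originDifferences(pageUrl, targetUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(targetUrl);
  return ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
}

function isSameOrigin(pageUrl, targetUrl) {
  return originDifferences(pageUrl, targetUrl).length === 0;
}

// Constructed cases: the page from the report and four request targets.
const page = "http://www.server.com/index.html";
const targets = [
  "http://www.server.com:8080/app.jsp", // the reporter's case: port differs
  "http://www.server.com:80/other/dir/", // explicit default port: same origin
  "http://www.server.com/~someone/page", // other directory: same origin
  "https://www.server.com/", // scheme (and so default port) differs
];

for (const target of targets) {
  const diff = originDifferences(page, target);
  const verdict = diff.length === 0 ? "allowed" : "denied (" + diff.join(", ") + ")";
  console.log(target + " -> " + verdict);
}
```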

Comment 10

12 years ago
> I vote to wontfix this. Any arguments that work in 100% of cases as to why it
> would not be a security hole?

Well, you can bypass the port limitation by writing your own XMLHttpRequest in Java and calling it from JavaScript. Applets are allowed to access *any* port on their originating host.
I believe you could also use a hidden iframe pointing to the desired address and then recover the data using DOM.

I think that by precluding XMLHttpRequest from accessing a different port on the *same* server you're not raising security by a noticeable amount, you're just making developers feel miserable. ;)

Since applets have been around for some time and I've never heard of a security hole regarding their connection policies I would love to hear some arguments as to why this is such a threat.

Best regards,

That's one of the many reasons I have Java turned off on all my machines and why I refuse to turn it back on.