Closed Bug 297396 Opened 20 years ago Closed 19 years ago

XMLHTTPRequest.responseXML object attributes unavailable (permission denied) despite enabled UniversalBrowserRead privilege

Categories

(Core :: XML, defect)

Product:
Core
Component:
XML
Version:
1.0 Branch
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: chemboy, Unassigned)

Details

(Keywords: testcase)

Attachments

(1 file)

test case/demonstration HTML file
2.16 KB, text/html
Details 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Situation: in a local page, an XMLHTTPRequest object is being used to retrieve
ticker information from a remote website.  This requires enabling the
UniversalBrowserRead privilege (with user confirmation).  Once this is done, the
request proceeds.  However, after the request (presumably) succeeds, attempts to
read from request.responseXML (that is, view its attributes or call its methods)
raise an exception along the lines of  "Permission denied to call method
XMLDocument.getElementsByTagName".  If the original page is also on a remote
server, the issue does not arise (since no security lockout is needed).


Reproducible: Always

Steps to Reproduce:
1.  Download (hopefully) attached HTML document.
2.  Read it, since it's about to ask for security privileges.
3.  Click on the link "this is a bug" link.
4.  OK the UniversalBrowserRead privilege.
5.  View the resulting alert.
6.  Click the other link to see what should have happened.
Actual Results:  
Alert noting the exception that was raised.

Expected Results:  
Displayed an alert with a count of matching elements in the requested XML.

Bug also confirmed using Firefox 1.0.2 on Gentoo Linux (PPC), and 1.0.4 (I
believe) on Windows XP.

Workaround: create a new element node (DIV or SPAN are the obvious choices) and
set its innerHTML attribute to request.responseText, then treat it as you would
the request.responseXML object.  This is ugly, but functional.

    
  
Assignee: nobody → xml
Component: General → XML
Keywords: testcase
Product: Firefox → Core
QA Contact: general → ashshbhatt
Version: unspecified → 1.0 Branch

    
    

    
  
The enablePrivilege model is that it enables the privilege for the current
function.  You need expanded privileges to do the XMLHttpRequest at all, but you
also need them to access data in a different-domain document, as here... So you
need to call it again in the other method.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: