web-scripts-access.xml does not allow cross domain script access



13 years ago
a year ago


(Reporter: david.l.small, Unassigned)



13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20060124 Firefox/
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20060124 Firefox/

I have a page from one site that contains an IFRAME that points to another site. Within the IFRAME, I have JavaScript that needs to access the DOM on the parent window. To overcome the cross site scripting security, I followed the directions from this page -> http://developer.mozilla.org/en/docs/Mozilla_Web_Services_Security_Model. I put together the web-scripts-access.xml file whose contents I've specified below in the Additional Information field. I've put the file in the root of the parent window's site.

Regardless, I still get the same JavaScript error in the console -> Error: uncaught exception: Permission denied to get property <Object>.

Reproducible: Always

<wsa:webScriptAccess xmlns:wsa="http://www.mozilla.org/2002/soap/security">
	<wsa:allow type="any" from="http://hostname-of-the-service" />
</wsa:webScriptAccess>

Assignee: nobody → web-services
Component: General → Web Services
Product: Firefox → Core
QA Contact: general → doronr
Version: unspecified → Trunk

Comment 1

13 years ago
Read the document - you can only do cross domain Web Services calls, aka SOAP/WSDL with it.
Last Resolved: 13 years ago
Resolution: --- → INVALID

Comment 2

13 years ago
Part of the "allow" element is a "type" attribute. It takes values of "load" or "any" amongst others. The "load" type states usage of the XMLHttpRequest object, which is similar in nature to iframe. It also states "Not implemented!". Are there plans to implement this in the future?


a year ago
Product: Core → Core Graveyard
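
A simplified model of the outcome discussed in this bug, added here as an example (it is not Mozilla's code and not part of the report): the file is read only for web service calls, so a cross-origin DOM access from the IFRAME is denied whatever the allow element says. The function names, the "dom"/"soap"/"wsdl" kind labels and the "*" wildcard matching on the from attribute are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

WSA_NS = "http://www.mozilla.org/2002/soap/security"  # namespace used in the report
WEB_SERVICE_KINDS = {"soap", "wsdl"}  # assumed labels for the calls Comment 1 names

# Constructed sample: the reporter's file with its closing tag.
SAMPLE = """<wsa:webScriptAccess xmlns:wsa="http://www.mozilla.org/2002/soap/security">
  <wsa:allow type="any" from="http://hostname-of-the-service" />
</wsa:webScriptAccess>"""

def origin(url):
    """Scheme, host and port: the triple compared by the same-origin check."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def allow_rules(xml_text):
    """Return (type, from) for every allow element; an absent attribute is None."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{WSA_NS}}}webScriptAccess":
        raise ValueError("not a web-scripts-access.xml document")
    return [(e.get("type"), e.get("from")) for e in root.iter(f"{{{WSA_NS}}}allow")]

def file_allows(xml_text, kind, caller_url):
    """Assumed matching: type absent, "any" or equal to kind; from absent or a
    pattern (with "*" wildcards) that matches the caller's scheme://host[:port]."""
    u = urlsplit(caller_url)
    caller = f"{u.scheme}://{u.netloc.lower()}"
    for rule_type, rule_from in allow_rules(xml_text):
        if rule_type == "load":
            continue  # Comment 2: the document marks "load" as not implemented
        if rule_type not in (None, "any", kind):
            continue
        if rule_from is None or fnmatchcase(caller, rule_from.rstrip("/")):
            return True
    return False

def access_decision(kind, caller_url, target_url, xml_text):
    """kind is "dom" for script access between frames, else a web service call."""
    if origin(caller_url) == origin(target_url):
        return "allowed: same origin"
    if kind not in WEB_SERVICE_KINDS:
        # Comment 1: the file covers web service calls only, so it is not read here.
        return "denied: cross-origin, file not consulted"
    if file_allows(xml_text, kind, caller_url):
        return "allowed: web-scripts-access.xml"
    return "denied: no matching allow rule"
```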