Changing document.domain doesn't affect XMLHttpRequest

RESOLVED WONTFIX

Status

Firefox
Security
9 years ago
9 years ago

People

(Reporter: Robert de Wilde, Unassigned)

Tracking

({dom1, dom2})

3.0 Branch
x86
Windows XP
dom1, dom2

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

My scripts are running from two subdomains, let's say:

dynamic.domain.tld
static.domain.tld

Now I'd like to use XMLHttpRequest to exchange some data. Because they're both on the domain.tld-server, they should be able to interact with each other because of the document.domain I added to every script. This is according to the Mozilla documentation:

'JavaScript Security: Same Origin'
http://www.mozilla.org/projects/security/components/same-origin.html

This is not working properly as described at the URL.

Reproducible: Always

Steps to Reproduce:
1. Set the document.domain var
2. Place scripts on different subdomains
3. Let them query
Actual Results:  
Access Denied Error:

Fout: uncaught exception: [Exception... "Access to restricted URI denied"  code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)"  location: "http://static.domain.tld/js/class.xmlmessage.js Line: 49"]

Expected Results:  
Just loading the request file.

Example file
http:// service . sove . nl / index
will change after getting a resolution for the bug (so it's not static).
(Reporter)

Updated

9 years ago
Keywords: dom1, dom2
Version: unspecified → 3.0 Branch

Comment 1

9 years ago
This was done intentionally in bug 290100.  Scripts on other subdomains (or domain.com) can opt in to sharing by setting document.domain themselves, but XMLHttpRequest responses cannot.  You can work around this easily by doing the XMLHttpRequest from the correct frame.

Future versions of Firefox may have ways for hosts to opt into sharing XMLHttpRequest responses with particular hostnames.
Blocks: 290100
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WONTFIX
Summary: document.domain doens't effect 'The Same Origin Policy' as supposed to. → Changing document.domain doesn't affect XMLHttpRequest
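
The distinction drawn in comment 1, as a simplified model added here (not Firefox code and not part of the original bug): XMLHttpRequest compares the strict origin of the document's URL, while frame-to-frame DOM access honours a matching document.domain opt-in, which is why the request has to be issued from a frame on the data host. The helper names and the paths data.xml, index.html and proxy.html are assumptions; the hostnames are the reporter's placeholders.

```javascript
// Simplified model of the two checks (helper names are hypothetical).
// Origin as XMLHttpRequest compares it: scheme, host and port of the URL.
function origin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// document.domain may only be set to the current host or a parent of it.
// (The public-suffix restriction real browsers apply is omitted here.)
function setDocumentDomain(doc, value) {
  const host = new URL(doc.url).hostname;
  if (host !== value && !host.endsWith('.' + value)) {
    throw new Error(`cannot set document.domain of ${host} to ${value}`);
  }
  return { ...doc, domain: value };
}

// XHR check: strict comparison of the document URL's origin; doc.domain is never read.
function xhrAllowed(doc, targetUrl) {
  return origin(doc.url) === origin(targetUrl);
}

// Frame-to-frame DOM access: same origin when neither side set document.domain,
// otherwise both sides must have set it to the same value on the same scheme.
function domAccessAllowed(a, b) {
  if (a.domain === undefined && b.domain === undefined) {
    return origin(a.url) === origin(b.url);
  }
  return a.domain !== undefined && a.domain === b.domain &&
    new URL(a.url).protocol === new URL(b.url).protocol;
}

// Workaround from comment 1: the page scripts a frame served by the data host,
// and that frame issues the request.
function fetchViaFrame(page, frame, targetUrl) {
  if (!domAccessAllowed(page, frame)) return 'blocked: page cannot script the frame';
  if (!xhrAllowed(frame, targetUrl)) return 'blocked: frame is cross-origin to target';
  return 'ok';
}

// Constructed sample documents using the reporter's placeholder hostnames.
const target = 'http://dynamic.domain.tld/data.xml';
const page = setDocumentDomain({ url: 'http://static.domain.tld/index.html' }, 'domain.tld');
const frame = setDocumentDomain({ url: 'http://dynamic.domain.tld/proxy.html' }, 'domain.tld');

console.log('direct XHR from page:', xhrAllowed(page, target));
console.log('XHR via frame:', fetchViaFrame(page, frame, target));
```

A frame that has not set document.domain itself fails the first check in fetchViaFrame, which matches the opt-in requirement stated in comment 1.
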
(Reporter)

Comment 2

9 years ago
Thanks, the page was found by using Google search on some XHR related terms.

As already noticed above, some planned features will provide similar functionality; so far I found:

Something about 'UniversalBrowserRead'
http://www.google.nl/search?hl=nl&q=universalbrowserread&btnG=Google+zoeken&meta=

Signed Scripts
http://www.mozilla.org/projects/security/components/signed-scripts.html

Working with Proxy in mod_rewrite (Apache)
http://www.google.com/search?hl=en&q=mod_rewrite+proxy+xhr

Combining with hidden frames
http://www.google.com/search?hl=en&q=xhr+hidden+frame

Some kind of XHR-gateway programmed in a code you like
http://www.google.com/search?hl=en&q=xhr+gateway+cross-domain

Comment 3

9 years ago
See http://developer.mozilla.org/en/docs/Cross-Site_XMLHttpRequest