Closed Bug 583159 Opened 15 years ago Closed 15 years ago

"XML Parsing Error: no element found" if Access-Control-Allow-Origin ends with slash

Categories

(Core :: XML, defect)

x86
Linux
defect
Not set
minor

Tracking

RESOLVED INVALID

People

(Reporter: hyperhacker, Unassigned)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8

When XMLHTTPRequest fetches XML from another domain, and that domain returns an Access-Control-Allow-Origin header ending with a slash, Mozilla discards the body of the response and throws a "no element found" error. The linked page is an example (see the "status" widget at the right) of the client code; having the server return "Access-Control-Allow-Origin: http://segment6.blogspot.com/" causes this error. When the trailing slash is removed, it works as expected.

Reproducible: Always

Steps to Reproduce:
1. Use XMLHTTPRequest to request XML from another domain using GET method.
2. Have server return an Access-Control-Allow-Origin URL ending with a slash.

Actual Results: Response is empty; Firebug console shows a parse error.

Expected Results: Response should contain the XML document sent from the server.
The origin "http://segment6.blogspot.com/" doesn't match the requesting page, so the cross-site access is denied, right? Sounds like the behavior is correct to me... And to be clear, origins are NOT URIs. Valid values of the Access-Control-Allow-Origin header are a concatenation of a scheme, the literal string "://", a hostname, and an optional ':' followed by a port number. A trailing '/' makes the value invalid.
And specifically, having a trailing '/' doesn't match the origin-list-or-null production from section 5 of http://tools.ietf.org/html/draft-abarth-origin-07 which is what the draft CORS specification references for the values of this header.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
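The header syntax described in the comments above (scheme, "://", hostname, optional ":" and port, nothing after it), as an added example that is not part of the original bug thread or of Mozilla's code. The function names `checkAllowOrigin` and `originForHeader` are hypothetical, the sample values are constructed around the URL from the report, and the handling of `*` and `null` goes beyond what the thread discusses.

```javascript
// Added example: validates an Access-Control-Allow-Origin value and compares
// it with the requesting page's origin. Function names are hypothetical.

// scheme "://" host [ ":" port ] and nothing after it (no path, no trailing "/").
// Simplification: bracketed IPv6 literals are not handled.
const SERIALIZED_ORIGIN = /^[a-z][a-z0-9+.-]*:\/\/[^\s\/?#:@]+(:\d+)?$/i;

function checkAllowOrigin(headerValue, requestOrigin) {
  // "*" and "null" are the non-origin values CORS also accepts (not discussed on the page).
  if (headerValue === "*") return { valid: true, allowed: true, reason: "wildcard" };
  if (headerValue === "null") {
    return { valid: true, allowed: requestOrigin === "null", reason: "null origin" };
  }
  if (!SERIALIZED_ORIGIN.test(headerValue)) {
    const hint = headerValue.endsWith("/") ? "trailing slash" : "not scheme://host[:port]";
    return { valid: false, allowed: false, reason: hint };
  }
  // The comparison is an exact string match against the request's Origin header.
  const allowed = headerValue === requestOrigin;
  return { valid: true, allowed, reason: allowed ? "match" : "origin mismatch" };
}

// Server-side fix: derive the header value from a URL instead of typing it by hand.
function originForHeader(url) {
  return new URL(url).origin; // drops path, query and the trailing "/"
}

// Constructed sample values; the blog URL is the one from the report.
const pageOrigin = "http://segment6.blogspot.com";
const samples = [
  "http://segment6.blogspot.com/",      // the value from the report
  "http://segment6.blogspot.com",       // the corrected value
  "http://segment6.blogspot.com:8080",  // well-formed, but a different origin
  "segment6.blogspot.com",              // missing scheme
  originForHeader("http://segment6.blogspot.com/2010/07/post.html"),
];
for (const value of samples) {
  console.log(JSON.stringify(value), checkAllowOrigin(value, pageOrigin));
}
```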
OK, but the error message doesn't make sense. Shouldn't the request fail with a "permission denied" error rather than appear to succeed and return an empty body?
I don't see that behavior with a trunk build....