Closed
Bug 596634
Opened 14 years ago
Closed 14 years ago
accessing XMLHttpRequest.statusText throws NS_ERROR_NOT_AVAILABLE exception when doing cross-origin requests and getting a 500 server response
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 597301
People
(Reporter: nicolas.ramz, Unassigned)
User-Agent: Opera/9.80 (Windows NT 6.0; U; fr) Presto/2.6.35 Version/10.70
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
When doing XHR level 2 cross-origin requests and getting a 500 server response, it's not possible to access xhr.statusText. It throws this exception:
Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXMLHttpRequest.statusText]
Note that status is incorrectly set to 0, and responseText is empty (although the server sent something).
Notes:
- XHR level 1 (same domain) and 500 server response work as expected (statusText can be accessed, status is set to 500 and responseText isn't empty, as expected)
- problem happens in both POST and GET requests
- Here is an example of server response that shows the problem: http://www.warpdesign.fr/tests/response.php?type=500
Reproducible: Always
Steps to Reproduce:
1. send an XHR to the following address http://www.warpdesign.fr/tests/response.php?type=500
2. try to access xhr.statusText
Actual Results:
Throws the exception:
Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXMLHttpRequest.statusText]
And status is set to 0, responseText is empty
Expected Results:
Getting the actual value of xhr.statusText, having status set to 500, and responseText should contain the server response
Summary: accessing statusText throws an exception when doing cross-origina requests and getting a 500 server response → accessing statusText throws an exception when doing cross-origin requests and getting a 500 server response
Comment 1•14 years ago
Can you reproduce on Firefox 4 beta? Could you attach a test page?
Component: General → DOM: Mozilla Extensions
Product: Firefox → Core
QA Contact: general → general
Summary: accessing statusText throws an exception when doing cross-origin requests and getting a 500 server response → accessing XMLHttpRequest.statusText throws NS_ERROR_NOT_AVAILABLE exception when doing cross-origin requests and getting a 500 server response
Comment 2•14 years ago
This is done on purpose, for failed cross-site requests:
    if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
      // Make sure we don't leak status information from denied cross-site
      // requests.
      if (mChannel) {
        nsresult status;
        mChannel->GetStatus(&status);
        if (NS_FAILED(status)) {
          return NS_ERROR_NOT_AVAILABLE;
        }
      }
    }
See also bug 552090. The spec probably needs to be updated to handle this; right now it seems to require a security hole.
Actually, this should get fixed by the patch in bug 597301.
The spec now explicitly says that non-2xx responses can still pass the security checks. As long as they have the appropriate headers of course.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
Component: DOM: Mozilla Extensions → DOM
Updated•6 years ago
Component: DOM → DOM: Core & HTML
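Added example (not part of the original bug and not Gecko code): a simplified JavaScript model of the rule the comments converge on, where what a script can read from a cross-origin response depends on the CORS headers and not on the status code. It covers simple requests only (no preflight); the origin, sample responses and function names are constructed for illustration.

```javascript
// Simplified model of the CORS resource sharing check (simple requests only,
// no preflight). Constructed for illustration; not Gecko code.
function corsCheckPasses(origin, withCredentials, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;
  if (!withCredentials) return allow === '*' || allow === origin;
  // Credentialed requests: wildcard is not accepted, and the server must opt in.
  return allow === origin && h['access-control-allow-credentials'] === 'true';
}

// What a script may read from the XHR object after the response arrives.
function visibleToScript(origin, withCredentials, response) {
  if (corsCheckPasses(origin, withCredentials, response.headers)) {
    // The status code plays no part in the decision: a 500 is readable too.
    return { status: response.status, statusText: response.statusText,
             responseText: response.body };
  }
  // Denied: behave like a network error so nothing about the response leaks.
  return { status: 0, statusText: '', responseText: '' };
}

// Constructed sample responses (hypothetical origin and bodies).
const ORIGIN = 'https://app.example';
const SAMPLES = {
  error500WithHeader: { status: 500, statusText: 'Internal Server Error',
    headers: { 'Access-Control-Allow-Origin': ORIGIN }, body: 'stack trace...' },
  error500NoHeader: { status: 500, statusText: 'Internal Server Error',
    headers: {}, body: 'stack trace...' },
  ok200Wildcard: { status: 200, statusText: 'OK',
    headers: { 'Access-Control-Allow-Origin': '*' }, body: 'hello' },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  console.log(name, visibleToScript(ORIGIN, false, resp));
}
```

When a cross-origin error response shows up as status 0 in the client, the first thing to check on the server is whether its error path emits the same Access-Control-Allow-Origin header as its success path.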