NIGHTLY: XMLHttpRequest.open fails on urls including "http://"

RESOLVED INVALID

Product: Core
Component: DOM: Core & HTML
Reporter: Ditmar Wendt
Assignee: Unassigned
Version: Trunk
Platform: x86_64, Windows 7
Firefox Tracking Flags: Not tracked

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130408 Firefox/23.0
Build ID: 20130408030928

Steps to reproduce:

var myxhr = new XMLHttpRequest();
myxhr.open("GET", "http://google.com", true);



Actual results:

[Exception... ""  nsresult: "0x805e0006 (<unknown>)"  location: "JS frame :: Web Console :: <TOP_LEVEL> :: line 1"  data: no]



Expected results:

It should've sent a GET request to google.com and processed whatever xhr.open usually does.

This works as intended if "http://" doesn't prefix the second argument of xhr.open(). The third argument doesn't change this, neither does the first.

Comment 1, Josh Matthews [:jdm]

It working when the http:// is present makes sense, since that goes to the local domain. Also, you don't see the error when calling open, do you? I would expect the error to appear when calling send.
(Reporter)

Comment 2

5 years ago
(In reply to Josh Matthews [:jdm] from comment #1)
> It working when the http:// is present makes sense, since that goes to the
> local domain. Also, you don't see the error when calling open, do you? I
> would expect the error to appear when calling send.

It does not work when "http://" is present. It occurs when the example code is executed.

Comment 3, Boris Zbarsky (:bz)

The web console runs in the context of the page that's currently loaded. If that page is not on google.com, it can't do XHR to google.com, right?

What am I missing?
Flags: needinfo?(dwendt)
(Reporter)

Comment 4

5 years ago
(In reply to Boris Zbarsky (:bz) from comment #3)
> The web console runs in the context of the page that's currently loaded. If
> that page is not on google.com, it can't do XHR to google.com, right?
> 
> What am I missing?

It works fine when the argument is "google.com" and DOES NOT WORK PERIOD for "http://google.com"

Isn't this really clear?
Flags: needinfo?(dwendt)

Comment 5

It's clear, yes. "google.com" is a relative URL, resolved relative to the page. So if I were to do that on this very web page, it would be loading "http://bugzilla.mozilla.org/google.com". That's a same-origin load, and is allowed. Loading "http://google.com" from this web page is a cross-origin load, and is not allowed.

Sounds like I'm not missing anything, then.  The behavior is what it's supposed to be.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
(Reporter)

Comment 6

5 years ago
Sorry, it appears I misdescribed this bug. 

Shouldn't cross domain requests be permitted if the target in argument 2 has the "Access-Control-Allow-Origin *" header set?

Rather than http://google.com, the example argument in this case would be http://ericflin.com/scripts/restproxy.php?m=GET

Example code that should not throw an exception if this is the case:
function reqListener () {
  console.log(this.responseText);
};
 
var oReq = new XMLHttpRequest();
oReq.onload = reqListener;
oReq.open("get", "http://ericflin.com/scripts/restproxy.php?m=GET", true);
oReq.send();

Comment 7

Ah, good catch.

The example in comment 6 works fine for me if run on an http:// page.

On an https:// page (like this bug page), it's blocked by the "do not allow http loads from https pages" security policy, which is somewhat new in nightly.
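
The three outcomes discussed in this thread (relative URL resolved against the page, cross-origin load that depends on Access-Control-Allow-Origin, and http load blocked from an https page), as an added example that is not part of the original bug report or Firefox's code. It is a simplified model: the function names classifyXhrTarget and corsAllows are hypothetical, and the page URLs are constructed.

```javascript
// Simplified model of how a browser treats xhr.open("GET", target) issued
// from a page at pageUrl. Real browsers add exceptions not modelled here
// (for example, http://localhost is not treated as mixed content).
function classifyXhrTarget(pageUrl, target) {
  const page = new URL(pageUrl);
  // A target without a scheme is a relative URL: it resolves against the
  // page, so "google.com" becomes a path on the page's own host.
  const resolved = new URL(target, page);

  let verdict;
  if (resolved.origin === page.origin) {
    verdict = "same-origin"; // always allowed
  } else if (page.protocol === "https:" && resolved.protocol === "http:") {
    verdict = "blocked-mixed-content"; // never sent, CORS headers irrelevant
  } else {
    verdict = "cross-origin-needs-cors"; // sent; readable only if CORS allows
  }
  return { resolved: resolved.href, verdict };
}

// Decide whether a non-credentialed cross-origin response is readable, given
// the Access-Control-Allow-Origin value the server returned (null if absent).
function corsAllows(pageUrl, allowOrigin) {
  if (allowOrigin == null) return false;
  const value = allowOrigin.trim();
  return value === "*" || value === new URL(pageUrl).origin;
}

// Constructed sample inputs: page URLs are illustrative, targets are the
// ones quoted in the bug.
const samples = [
  ["https://bugzilla.mozilla.org/show_bug.cgi", "google.com"],
  ["https://bugzilla.mozilla.org/show_bug.cgi", "http://google.com"],
  ["https://bugzilla.mozilla.org/show_bug.cgi",
   "http://ericflin.com/scripts/restproxy.php?m=GET"],
  ["http://example.com/index.html",
   "http://ericflin.com/scripts/restproxy.php?m=GET"],
];
for (const [page, target] of samples) {
  const { resolved, verdict } = classifyXhrTarget(page, target);
  console.log(`${page} -> ${target}: ${resolved} (${verdict})`);
}
```

The wildcard match in corsAllows applies only to requests sent without credentials; a request with withCredentials set needs the exact origin echoed back.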