dcsimg
www.webdeveloper.com
Page 1 of 3 123 LastLast
Results 1 to 15 of 31

Thread: Cross domain + XMLHTTPRequest + Permission Denied issue

  1. #1
    Join Date
    Jul 2007
    Posts
    7

    Cross domain + XMLHTTPRequest + Permission Denied issue

    Hi,

    I am facing a major problem in one of the application I am working on.

    My query is -
    I have a Server in ASP.NET. I have hosted a JS file on my server which sends XmlHTTPRequest to my aspx pages.
    e.g., I have a domain - www.mydomain.com, which has a server.aspx page in it and a JS file like
    www.mydomain.com/request.js
    which sends a request to www.mydomain.com/server.aspx using XmlHTTPRequest.

    This request.JS is included using a script tag in an HTML page of another client e.g., www.otherserver.html.

    When my JS calls Request.open, browser gives me "Permission Denied" error.
    I tried this on IE 6.0 / 7.0 & Firefox too.

    Could someone please help me?

    Thanks

  2. #2
    Join Date
    Feb 2003
    Location
    Michigan, USA
    Posts
    5,774
    This sounds like the correct process. Can you post the JavaScript involved here? You might also want to check the file permissions on your aspx file to make sure the WWW can access it.

    You also need to be careful that the AJAX function from your server isn't named the same as an AJAX function elsewhere on your page, as one would over write the other. But other than that, we'll need to see the JavaScript for the page, and more information on how this AJAX request is created -- like what link or button is clicked, or event happens to create the AJAX request.

  3. #3
    Join Date
    May 2007
    Location
    Cleveland, OH
    Posts
    1,403
    How are you including this file on your page? Is it a script tag in the head, or with an ASP include?

  4. #4
    Join Date
    Jul 2007
    Posts
    7

    Cross domain XmlHTTPRequest + Permission Denied error

    Hi,

    Thanks for your quick reply
    I have attached request.zip file with this reply for your reference. Also, the code is pasted below -

    function sendRequest()
    {
    var xmlhttp = null;
    if (typeof XMLHttpRequest != 'undefined')
    {
    try
    {
    netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
    xmlhttp = new XMLHttpRequest(); // instantiate it
    }
    catch (err)
    {
    alert("Error initializing XMLHttpRequest.\n"+ err); // show error
    }
    }
    else
    { // else assume this is IE and
    var msobj = new Array("Msxml2.XMLHTTP.6.0",
    "Msxml2.XMLHTTP.4.0",
    "Msxml2.XMLHTTP.3.0",
    "Msxml2.XMLHTTP",
    "Microsoft.XMLHTTP");
    var x, len = msobj.length;
    for(x=0; x<len; ++x)
    { // try each MS ActiveX object in turn
    try
    {
    xmlhttp = new ActiveXObject(msobj[x]);
    break;
    }
    catch (err)
    {
    alert("Error initializing XMLHttpRequest : IE : \n"+ err.message); // show error
    };
    }
    }

    xmlhttp.onreadystatechange = function(){
    if( xmlhttp.readyState == 4 && xmlhttp.status == 200 ) {
    alert(xmlhttp.responseText);
    }
    }

    try
    {
    xmlhttp.open('GET', url, true); // open server interface
    }
    catch (err)
    {
    alert("XMLHttpRequest.open() failed.\n"+err.message); // -- I am getting error here - Permission Denied
    return;
    }
    xmlhttp.send( null );
    }

    I am able to access server.aspx from www as if I paste the url directly in browser the request gets completed successfully without any error. However, if the same request URL I send it through XmlHTTPRequest it gives me "Permission Denied" error.

    Thanks,
    Poonam
    Attached Files Attached Files

  5. #5
    Join Date
    Jul 2007
    Posts
    7
    Hi TJ111,

    Client HTML Page can include this file using a script tag in their HTML page

    <script type="text/javascript" src="http://mydomain/Request.js"></script>

    Thanks

  6. #6
    Join Date
    Feb 2003
    Location
    Michigan, USA
    Posts
    5,774
    I think it's actually the netscape.security.PrivilegeManager.enablePrivilege function calls that generate the permission denied errors. A remote JavaScript file, I imagine, is not allowed to alter browser permissions and settings. Those enablePrivilege function calls are probably leftover code from when you were testing the application, perhaps on a local server. Removing those lines of code might do the trick.

  7. #7
    Join Date
    Jul 2007
    Posts
    7
    Hi Toicontien,

    "netscape.security.PrivilegeManager.enablePrivilege" I had done now while just surfing for the solution to the problem. Even when I didnt have this line of code, it was still giving me the same problem. My initial code was as follows -

    function sendRequest()
    {
    var XmlHttp;

    // Creating object of XMLHTTP in IE
    try
    {
    XmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
    }
    catch(e)
    {
    try
    {
    XmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch(oc)
    {
    XmlHttp = null;
    }
    }

    // Creating object of XMLHTTP in Mozilla and Safari
    if(!XmlHttp && typeof XMLHttpRequest != "undefined")
    {
    XmlHttp = new XMLHttpRequest();
    }

    XmlHttp.onreadystatechange = function()
    {
    if( XmlHttp.readyState == 4 && xmlhttp.status == 200 )
    {
    alert(XmlHttp.responseText);
    }
    var url = 'www.mydomain.com/server.aspx?action=display';
    try
    {
    xmlhttp.open('GET', url, true); // open server interface
    }
    catch (err)
    {
    alert("XMLHttpRequest.open() failed.\n"+err.message); // show error
    return;
    }

    xmlhttp.send( null );
    }


    Thanks,
    Poonam

  8. #8
    Join Date
    Feb 2003
    Location
    Michigan, USA
    Posts
    5,774

  9. #9
    Join Date
    May 2004
    Location
    FL
    Posts
    3,453
    @PoonamAgarwal, please don't cross post. I have removed the other one.

  10. #10
    Join Date
    Jul 2007
    Posts
    386
    As far as I know AJAX is not allowed to do cross-domain requests due to security issues.

    Can this security measure be deactivated or by-passed?

  11. #11
    Join Date
    May 2007
    Location
    Cleveland, OH
    Posts
    1,403
    I think it depends on the server firewall/security settings.

  12. #12
    Join Date
    Jul 2007
    Posts
    386
    As far as I know it is a component security; ie. Msxml2.XMLHTTP, Microsoft.XMLHTTP and XMLHttpRequest are the ones that have the security measures.

  13. #13
    Join Date
    May 2007
    Location
    Cleveland, OH
    Posts
    1,403
    If you maintain control over both servers you could set it up to allow SSI from the IP of the other server. The have an external server-side script on the server your calling it from "print" the file then use that. However that may be quite overly elaborate, you could always just copy+paste as well. My knowledge of XmlHTTP security is pretty limited.

  14. #14
    Join Date
    Jul 2007
    Posts
    386
    Even if it is a server security issue, it would be too risky to allow such thing. You could easily be attacked with XSS.

  15. #15
    Join Date
    May 2007
    Location
    Cleveland, OH
    Posts
    1,403
    I will agree with that. My point was that, without knowing much about XmlHTTP security measures, it technically is possible to do. Whether you should or not is a different issue. My vote: copy+paste.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles