Closed Bug 450141 Opened 16 years ago Closed 16 years ago

Changing document.domain doesn't affect XMLHttpRequest

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
3.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: wilde825, Unassigned)

References

(
URL
)

Details

(Keywords: dom1, dom2)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 My script are running from two subdomains, lets say: dynamic.domain.tld static.domain.tld Now I'd like to use XMLHttpRequest to exchange some data. Because they're both on the domain.tld-server, they should be able to interact to eachother because of the document.domain I added to every script. This according to the Mozilla documentation: 'JavaScript Security: Same Origin' http://www.mozilla.org/projects/security/components/same-origin.html This is not working properly as described at the URL Reproducible: Always Steps to Reproduce: 1. Set the document.domain var 2. Place scripts on differents subdomains 3. Let them query Actual Results: Access Denied Error: Fout: uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "http://static.domain.tld/js/class.xmlmessage.js Line: 49"] Expected Results: Just loading the request file. Example file http:// service . sove . nl / index will change after getting a resolution for the bug (so it's not static).
Keywords: dom1, dom2
Version: unspecified → 3.0 Branch
This was done intentionally in bug 290100. Scripts on other subdomains (or domain.com) can opt in to sharing by setting document.domain themselves, but XMLHttpRequest responses cannot. You can work around this easily by doing the XMLHttpRequest from the correct frame. Future versions of Firefox may have ways for hosts to opt into sharing XMLHttpRequest responses with particular hostnames.
Blocks: 290100
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Summary: document.domain doens't effect 'The Same Origin Policy' as supposed to. → Changing document.domain doesn't affect XMLHttpRequest
Thanks, the page was found by using Google search on some XHR related terms. As already noticed above, some planned features will provide similar functionality; so far I found: Something about 'UniversalBrowserRead' http://www.google.nl/search?hl=nl&q=universalbrowserread&btnG=Google+zoeken&meta= Signed Scripts http://www.mozilla.org/projects/security/components/signed-scripts.html Working with Proxy in mod_rewrite (Apache) http://www.google.com/search?hl=en&q=mod_rewrite+proxy+xhr Combining with hidden frames http://www.google.com/search?hl=en&q=xhr+hidden+frame Some kind of XHR-gateway programmed in a code you like http://www.google.com/search?hl=en&q=xhr+gateway+cross-domain
You need to log in before you can comment on or make changes to this bug.