XMLHttpRequest.open on Firefox 3b5

[network_noadle]

Hi all,
I'm struggling to get this resolved, and I hope someone can tell me
how to fix it.

I have installed Bob McElrath's 'Plugin: jsMath' in my 2.3.0 TW file,
and put jsMath into a sub-directory, alongside the TW file. When I
load my TW in Firefox 2, it Just Works. When I load it in Firefox 3 I
get the error message 'Permission denied to call method
XMLHttpRequest.open' in the jsMath plugin alert box.

I've added a stack trace to the alert box text (see below) and it
appears that TW is not allowed to call the request object's open
method. So far so good, except that I used the 'Manage Firefox
Privileges' plugin to enable all the available privs for my TW file:
CapabilityPreferencesAccess, UniversalBrowserRead,
UniversalBrowserWrite, UniversalFileRead, UniversalPreferencesRead,
UniversalPreferencesWrite, UniversalXPConnect.

Any suggestions?
Is it something that should be added to the FAQs generally?

Other than that, everyhting seems to work fine in FF3b5.

----
jsMath was not found: you must place the 'jsMath' directory in the
same place as this file. The error was:
Error: Permission denied to call method XMLHttpRequest.open
open("GET","file:///F:/TiddlyWiki/jsMath/jsMath.js",false)@:0
("file:///F:/TiddlyWiki/jsMath/jsMath.js")@file:///F:/TiddlyWiki/
TiddlyWiki-2.3.html:17913
loadPlugins()@file:///F:/TiddlyWiki/TiddlyWiki-2.3.html:17924
loadPlugins()@file:///F:/TiddlyWiki/TiddlyWiki-2.3.html:17864
main()@file:///F:/TiddlyWiki/TiddlyWiki-2.3.html:17759
onload([object Event])@file:///F:/TiddlyWiki/TiddlyWiki-2.3.html:1
----

[Davide P. Cervone]

Firefox3 implements a stricter same-origin policy for local files
(those with file:// URLs) than did Firefox2, and it looks like that
may be what is behind your problem. They seem to still be working on
how they want to handle this (see https://bugzilla.mozilla.org/show_bug.cgi?id=429467
for example), and the behaviour has changed from beta 4 to beta 5.
Remember that you ARE using beta-test software, and some things may
not work properly. On the other hand, it's true that the tighter same-
origin policy will be in the final release, and will probably affect
you. It certainly caused problems for jsMath, but I have worked
around these in jsMath v3.5 (the latest version).

You should try turning off the stricter policy and see if that makes
it work for you again. Enter "about:config" as the URL and you should
get a list of all the configuration options for Firefox. Look for
security.fileuri.strict_origin_policy and change that from true to
false. Then see if you can load the plugin.

Although jsMath itself contains workarounds for the tighter same-
origin policy so that it works properly with Firefox3beta, the jsMath
plugin for TiddlyWiki probably doesn't. This new security feature
does make it much harder to do AJAX-based scripting within files
stored locally.

Davide

On Apr 25, 11:29 am, network_noadle <wj.n...@ntlworld.com> wrote:
> Hi all,
> I'm struggling to get this resolved, and I hope someone can tell me
> how to fix it.
>
> I have installed Bob McElrath's 'Plugin:jsMath' in my 2.3.0 TW file,

> and putjsMathinto a sub-directory, alongside the TW file.  When I

> load my TW in Firefox 2, it Just Works.  When I load it in Firefox 3 I
> get the error message 'Permission denied to call method

> XMLHttpRequest.open' in thejsMathplugin alert box.

>
> I've added a stack trace to the alert box text (see below) and it
> appears that TW is not allowed to call the request object's open
> method.  So far so good, except that I used the 'Manage Firefox
> Privileges' plugin to enable all the available privs for my TW file:
> CapabilityPreferencesAccess, UniversalBrowserRead,
> UniversalBrowserWrite, UniversalFileRead, UniversalPreferencesRead,
> UniversalPreferencesWrite, UniversalXPConnect.
>
> Any suggestions?
> Is it something that should be added to the FAQs generally?
>
> Other than that, everyhting seems to work fine in FF3b5.
>

> ----jsMathwas not found: you must place the 'jsMath' directory in the

[Davide P. Cervone]

PS, see http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
for details about the security.fileuri.strict_origin_policy preference.

[network_noadle]

On 27 Apr, 12:23, "Davide P. Cervone" <d...@union.edu> wrote:
> Firefox3 implements a stricter same-origin policy for local files

<snip>

I though it might be something like this, but I was struggling to work
it out - I'm not an expert in JavaScript, AJAX or Firefox internals.

I'll try what you have suggested, and retest once FF is out of beta.
Basically I wanted to check that my TW would still work properly under
the new version, and not crash immediately.

> You should try turning off the stricter policy and see if that makes

<snip>

I'll give it a try, and see what happens.

> Although jsMath itself contains workarounds for the tighter same-

<snip>

What is the structure of the workaround? I could probably patch it
into the jsMath plugin for testing, even if I don't do a very neat
job.

Thank you for your efforts Davide - I find jsMath to be a
fantastically useful tool.

network_noadle

[Davide P. Cervone]

> > Although jsMath itself contains workarounds for the tighter same-
> <snip>
>
> What is the structure of the workaround?  I could probably patch it

> into thejsMathplugin for testing, even if I don't do a very neat
> job.

It is more complicated than I wish that it were, and is based on the
window.postMessage() mechanism that is new in Firefox3. (See
http://developer.mozilla.org/en/docs/DOM:window.postMessage) This
apparentl comes from a WHATWG specification that is part of HTML5.

JsMath uses a hidden IFRAME to access a file in the jsMath directory,
and that file loads the required javascript (using XMLHttpRequest,
which now works since the javascript file is in the same directory as
the loading file). The loader passes the javascript back to the
original window via postMessage(), where it is executed using eval().
Ugly, but works.

You need to set up an event listener in the main window to receive the
postMessage event(). Unfortunately, such a listener receives EVERY
message posted to the window, regardless of origin, so you need to be
sure to mark your messages, so that you can identify them from other
messages that may be sent to the window, and act only on the ones you
actually sent, ignoring anything else. I have marked jsMath's
messages by staring them all with "jsM" followed by a two letter code
(one of "LD", "AL" or "CP" identifying the loader, autoloader and
control panel loader) followed by a colon followed by a three letter
command followed by another colon followed by the actual contents of
the message.

You can see the listener in jsMath/uncompressed/jsMath.js (look for
"jsMath.Post =" and see the listener that it contains). The
corresponding poster is in jsMath/jsMath-loader-post.html, but there
is more in that file than you need, since it is used for several
purposes. On the other hand, you could probably use this loader to
load jsMath.js itself if you mimicked the listener as part of the
TiddlyWiki plugin. There is some handshaking going on between the
poster and listener that you probably wouldn't need if you were
writing your own loader for jsMath, but they shouldn't really get in
the way.

I suspect that other TiddlyWiki plugins are going to have to deal with
similar issues, and that a common solution would be possible.

> Thank you for your efforts Davide - I find jsMath to be a
> fantastically useful tool.

I appreciate your kind words. Thanks.

Davide

[FND]

Thanks for the explanation, Davide!

> Firefox3 implements a stricter same-origin policy for local files
> (those with file:// URLs) than did Firefox2

Is this something that might affect the TiddlyWiki core?
It'd be quite bad if there were any TW core issues with FF3...

-- F.

[Davide P. Cervone]

> Is this something that might affect the TiddlyWiki core?
> It'd be quite bad if there were any TW core issues with FF3...

I don't use TiddlyWiki myself (I just answer questions about jsMath
when I can), so I'm not familiar with its inner workings. But the
changes to Firefox3 do affect inter-window scripting and
XMLHttpRequest calls on local documents (file:// URLs) in a way that
is not backwards compatible. (They were fully aware of that, but felt
that the security issues involved in allowing free access to the local
disk outweighed that. But they are still ironing out the details and
may yet come up with something that is more compatible.)

If TiddlyWiki uses AJAX techniques for loading components, or if any
of its components do (as with the jsMath plugin), then yes, they will
likely be affected by this change.

Davide

[FND]

> the changes to Firefox3 do affect inter-window scripting and
> XMLHttpRequest calls on local documents (file:// URLs) in a way that
> is not backwards compatible.

As I understand it now, this merely means that local HDD access via the
file:// protocol is restricted to the respective file's directory (or
subdirectories thereof).
This wouldn't actually be harmful to TiddlyWiki - in fact, we welcome
the increased security.

Either way, thanks for the info, Davide - we'll keep watching this!

-- F.

[Davide P. Cervone]

> As I understand it now, this merely means that local HDD access via the
> file:// protocol is restricted to the respective file's directory (or
> subdirectories thereof).

The "or subdirectories thereof" part seems to be under debate (see
https://bugzilla.mozilla.org/show_bug.cgi?id=402983) due to the
asymmetry of the situation. (A file in the top level directory can
access a file in the subdirectory, but that file can not access the
top-level one in return.) It looks from the original posters message
that access to subdirectories may NOT be allowed, since otherwise
there should not have been a problem accessing jsMath.js. I think
we'll have to wait and see how this settles out in the final release.

Davide

[Xavier Verges]

Davide, I'm not familiar with jsMath, but I'm now wondering if it
would be feasible and simpler to load the additional scripts adding
<script> elements to the DOM instead of XMLHttpRequest.

Just in case that you are not familiar with that technique you can
look at the code at
http://xdexavier.googlepages.com/yoursearch.html

-Xv

On Apr 28, 2:32 pm, "Davide P. Cervone" <d...@union.edu> wrote:
> > > Although jsMath itself contains workarounds for the tighter same-
> > <snip>
>
> > What is the structure of the workaround? I could probably patch it
> > into thejsMathplugin for testing, even if I don't do a very neat
> > job.
>
> It is more complicated than I wish that it were, and is based on the

> window.postMessage() mechanism that is new in Firefox3. (Seehttp://developer.mozilla.org/en/docs/DOM:window.postMessage) This

[Davide P. Cervone]

You're right, that can be used for loading JavaScript, but not
everything jsMath needs to load is JavaScript. For example, the
control panel is HTML (with some JavaScript besides), so I needed to
work out the method for handling that anyway. But for TiddlyWiki's
loading of jsMath.js, that is probably a better approach. Thanks for
the link.

When I first wrote jsMath, this technique didn't work (at least not
universally enough), and so I worked out other means. I should
probably re-evaluate it now.

Davide

[network_noadle]

On Apr 25, 4:29 pm, network_noadle <wj.n...@ntlworld.com> wrote:
> Hi all,
> I'm struggling to get this resolved, and I hope someone can tell me
> how to fix it.
>
> I have installed Bob McElrath's 'Plugin: jsMath' in my 2.3.0 TW file,
> and put jsMath into a sub-directory, alongside the TW file.  When I
> load my TW in Firefox 2, it Just Works.  When I load it in Firefox 3 I
> get the error message 'Permission denied to call method
> XMLHttpRequest.open' in the jsMath plugin alert box.

Well, I have installed the release version of Firefox 3.0 and, despite
the problems I had with the beta, it all works seemlessly.

Thanks to everyone for their efforts previously.

network_noadle

[FND]

> Well, I have installed the release version of Firefox 3.0 and, despite
> the problems I had with the beta, it all works seemlessly.

That's great to hear - thanks for letting us know!

-- F.