Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Problem with UniversalBrowserRead: "Permission denied to call method XMLHttpRequest.open"

130 views
Skip to first unread message

Charlie

unread,
Mar 16, 2007, 4:09:28 PM3/16/07
to
I am trying to make an XMLHttpRequest which violates the default "same-
origin"policy in Firefox. I checked the archives and found a method
that should work but it does not. Below is the test code I isolated. I
set signed.applets.codebase_principal_support true and seemed to get
the UniversalBrowserRead permission but then the open still failed
with the same old "Permission denied to call method
XMLHttpRequest.open" error. Can someone tell me what I did wrong?
Thanks, Charlie Crowley

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- I added the line
user_pref("signed.applets.codebase_principal_support", true);
to my "Prefs.js" file and it shows up as true in "about:config" when
I check -->
<script>

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
console.log("Got UniversalBrowserRead permission, about to call
req.open()");
var req = new XMLHttpRequest();
req.open("GET", "http://s3.amazonaws.com/", false);
console.log("req.open() did not fail");
</script>
</head>
<body></body>
</html>

Charlie

unread,
Mar 17, 2007, 10:42:30 PM3/17/07
to
I looked into this further on the Firefox boards and found a solution.
As far as I know it only works on Firefox. You need to establish a
security policy that allows XMLHttpRequest.open to any site. This web
site is useful: http://kb.mozillazine.org/Security_Policies

The solution is to add these three lines to to the "user.js"
preferences file. Actually on my Mac it is called the "prefs.js". Here
are the lines to add:

user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open",
"allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://
localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");

This names a policy, XMLHttpRequestToAnySite, you can use any name
that doesn't conflict with another one already defined. You give the
list of sites where this policy applies. that is, sites where the HTML
file that loads the JavaScript that wants to do the XMLHttpRequest
comes from. And the allAccess means that you can open any web site.

The Firefox site gives information on editing the "user.js" (or
"prefs.js") files. See http://www.mozilla.org/support/firefox/edit.

--Charlie Crowley

0 new messages