Issue 1880 in google-caja: CORS requests fail in Firefox

[googl...@googlecode.com]

Status: New
Owner: ----
Labels: Type-Defect Priority-Medium Component-Other

New issue 1880 by ekoleda...@google.com: CORS requests fail in Firefox
http://code.google.com/p/google-caja/issues/detail?id=1880

What revision of the cajoler exhibits the problem? On what browser and OS?

Rev 5643, Firefox 26.0, Ubuntu

What steps will reproduce the problem?
1. Run the following code in the Caja playground (ES5 mode)

<h1>CORS Test</h1>
<div id="result"></div>

<script
src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>
$(document).ready(function() {
$('#result').text('Running...');
$.support.cors = true;
$.ajax({
url: 'https://cors-test.appspot.com/test'
}).done(function() {
$('#result').text('It worked!');
}).fail(function(jqXHR, textStatus, errorThrown) {
$('#result').text('It failed: ' + errorThrown);
});
});
</script>

What is the expected output? What do you see instead?

Expected: It worked!
Actual: It failed: NS_ERROR_DOM_BAD_URI: Access to restricted URI denied

Please provide any additional information below.

The same code works fine in Chrome, or in Firefox outside of Caja.

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[googl...@googlecode.com]

Comment #1 on issue 1880 by felix8a: CORS requests fail in Firefox
http://code.google.com/p/google-caja/issues/detail?id=1880

$.support.cors is not meant to be settable, but it looks harmless to set it.

Here's a testcase that demonstrates the problem without jquery:

<script>
var xhr = new XMLHttpRequest();
xhr.open('get', 'https://cors-test.appspot.com/test', true);
xhr.onreadystatechange = function() {
alert([xhr.readyState, xhr.responseText, xhr.statusText].join(':'));
};
try {
xhr.send();
} catch (e) {
alert('fail:' + e);
}
</script>

Side note: jquery 2.x will not use onreadystatechange. It needs onload and
onerror, which aren't supported by caja yet.

[googl...@googlecode.com]

Comment #2 on issue 1880 by ekoleda...@google.com: CORS requests fail
in Firefox
http://code.google.com/p/google-caja/issues/detail?id=1880

You are correct, $.support.cors is a flag indicating whether or not the
environment appears to support CORS. In thise case jQuery thinks it does
not, but if we override this setting it tries and succeeds in Chrome but
fails in Firefox.

[googl...@googlecode.com]

Comment #3 on issue 1880 by s...@cuedio.com: CORS requests fail in Firefox
https://code.google.com/p/google-caja/issues/detail?id=1880

Only Chrome browser seems to handle this case. Both Firefox(v30) and IE
(v11) are still affected by this.

Firefox throws : NS_ERROR_DOM_BAD_URI: Access to restricted URI denied
IE 11 throws - xml error: InvalidAccessError:InvalidAccessError

I am facing this issue when trying to control a windows native application
through our webapp which is a Apps Script using HtmlService.

Not having CORS working on firefox and IE for our webapp severely cripples
it.

Please bump up this priority and severity.

[googl...@googlecode.com]

Comment #4 on issue 1880 by james.ke...@wishabi.com: CORS requests fail in
Firefox
https://code.google.com/p/google-caja/issues/detail?id=1880

PR opened: https://github.com/google/caja/pull/1965