
FF 3.5 Cross Domain XMLHttpRequest Support


kjh21

Jul 3, 2009, 6:56:28 PM
I have an AJAX application running under Firefox that makes Cross-
Domain XMLHttpRequests. Prior to Firefox 3.5, I was using the
netscape.security.PrivilegeManager to enable the appropriate
privilege.

I was pleased to learn that FF 3.5 supports the W3C's newly proposed
Access Control for Cross-Site Requests recommendation, which provides
a way for web servers to support cross-site access controls that
enable secure cross-site data transfers. Of particular note is that
FF 3.5 claims support for this capability with XMLHttpRequest (see
https://developer.mozilla.org/en/HTTP_access_control)

I'm having a problem, though, getting the following code, which uses
XMLHttpRequest to generate an HTTP POST, working in accordance with
the standard.

var xhr = new XMLHttpRequest();

var someURL = "http://some-domain-here.com/some_resource_here.html";
var params = "parameter=value goes here.";
xhr.open("POST", someURL, true);

xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Content-length", params.length);
xhr.setRequestHeader("Connection", "close");

xhr.onerror = errorHandler;
xhr.onreadystatechange = function() {
    // readyState 4 means the request has completed
    if (xhr.readyState == 4 && xhr.status == 200) {
        alert(xhr.responseText);
    }
};

xhr.send(params);

function errorHandler(e) {
    alert("Error processing XmlHttpRequest: " + e.target.status);
}

Contradictory to the expected behavior, the code leads to a
"preflighted" request that first sends an HTTP OPTIONS request header
to the resource on the other domain, in order to determine whether the
actual request is safe to send. The documentation states

=============================================================
In particular, a request is preflighted if:

* It uses methods other than GET or POST. Also, if POST is used to
send request data with a Content-Type other than application/x-www-
form-urlencoded, multipart/form-data, or text/plain, e.g. if the POST
request sends an XML payload to the server using application/xml or
text/xml, then the request is preflighted.

* It sets custom headers in the request (e.g. the request uses a
header such as X-PINGOTHER)

==============================================================

I'm doing a POST but using Content-Type: application/x-www-form-urlencoded
and am not setting any custom headers.

Why the preflighted request?

Any help would be appreciated.


Jonas Sicking

Jul 9, 2009, 7:09:54 PM
We decided to be a bit more strict than what the standard requires, as
you've noticed. Only when Content-Type is "text/plain" for POSTs we
don't require a preflight.

Could you use that? Or simply use a GET even?

/ Jonas

Thiago Oliveira

Jul 14, 2009, 7:15:44 PM

I'm experiencing this exact same thing. A request is NOT preflighted
only if it is "text/plain". However, my requirement is a
non-preflighted request with Content-Type of
"application/x-www-form-urlencoded". Has anyone found a workaround to
this yet? I can't use GET or POST with Content-Type of "text/plain"
because the server won't recognize the post data that way. Is there
any way Firefox could change their code to support the standard?
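
The preflight discussed in this thread is answered by the server that receives the cross-site request. The code below is an added example, not code from any poster in this thread: it decides the response to the OPTIONS preflight so that a form-urlencoded POST from an allowlisted origin can proceed. The function names, the allowlists and the origin values are assumptions made for illustration.

```javascript
// Added example: server-side decision logic for a CORS preflight request.
// All names and values below are hypothetical / constructed sample data.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HEADERS = new Set(["content-type"]);

const DENY = { status: 403, headers: {} };

// `headers` is an object keyed by lower-cased header names
// (the form in which Node's http module supplies them).
function preflightResponse(method, headers) {
  const origin = headers["origin"];
  const wantedMethod = headers["access-control-request-method"];

  // Not a preflight: leave it to the normal request handler.
  if (method !== "OPTIONS" || !origin || !wantedMethod) return null;

  // Allowlist check: never reflect an arbitrary Origin back to the browser.
  if (!ALLOWED_ORIGINS.has(origin)) return DENY;
  if (!ALLOWED_METHODS.has(wantedMethod)) return DENY;

  // Every header the browser announces must be on the allowlist.
  const wantedHeaders = (headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!wantedHeaders.every((h) => ALLOWED_HEADERS.has(h))) return DENY;

  return {
    status: 200,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": [...ALLOWED_METHODS].join(", "),
      "Access-Control-Allow-Headers": [...ALLOWED_HEADERS].join(", "),
      "Vary": "Origin", // the response differs per origin, so caches must key on it
    },
  };
}

// Headers for the actual POST that follows a successful preflight.
// Without Access-Control-Allow-Origin the browser withholds the response
// from the calling script.
function actualResponseHeaders(headers) {
  const origin = headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}
```

A denied preflight carries no Access-Control-Allow-* headers, so the browser never sends the actual POST.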
