Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Help needed with .js and AJAX

1 view
Skip to first unread message

sheadley

unread,
Dec 19, 2005, 1:44:17 PM12/19/05
to
Hi all,
When using AJAX and javascript I get the following error when
talking to my server:

A script from http://www.mydomain.com was denied UniversalBrowserRead
privileges. I am using firefox 1.5 and here is the code that is being
called:

function showConsumptionData(foodType) {
var url =
'http://mydomain.com/platePyramid.do?foodType=' +
foodType+'&sysTime='+new Date().getTime();
if (window.XMLHttpRequest) {
try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
req = new XMLHttpRequest();
req.onreadystatechange = processSCRequest;
req.open("GET", url, false);
req.send(null);
}
catch (e)
{
alert("(Mozilla)-"+e);
}
} else if (window.ActiveXObject) {
req = new ActiveXObject("Microsoft.XMLHTTP");
req.onreadystatechange = processSCRequest;
req.open("GET", url, false);
req.send(null);
}
}

The .js files is contained in its own file, being called by the .hrml
file. Could this be causing the problem? I am stumped. Any help would
be appreciated


Regards,

Steven H.

alie...@gmail.com

unread,
Dec 19, 2005, 1:54:28 PM12/19/05
to
Only reason to use the Privilege is for cross domain coding.

If you need it then you need to add the code in two places normally. I
wrote an example using it awhile back,
http://radio.javaranch.com/pascarello/replyToComment.action?entry=1119626686861&comment=1120688860820

See if that gives you any light into the problem.

Eric Pascarello
Coauthor of Ajax In Action

Martin Honnen

unread,
Dec 19, 2005, 2:12:03 PM12/19/05
to

sheadley wrote:


> A script from http://www.mydomain.com was denied UniversalBrowserRead
> privileges. I am using firefox 1.5 and here is the code that is being
> called:
>
> function showConsumptionData(foodType) {
> var url =
> 'http://mydomain.com/platePyramid.do?foodType=' +
> foodType+'&sysTime='+new Date().getTime();
> if (window.XMLHttpRequest) {
> try {
>
> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");

You are calling enablePrivilege here but your code is not trusted and
therefore the call gives that message that the requested privilege
UniversalBrowserRead was denied.
With normal security settings code in a HTML document loaded from a HTTP
server is not not able to enable privileges, you would need to use
signed script.
Why do you need that call, or why do you think you need it?

If your HTML document with the script comes from
http://www.mydomain.com/ then your XMLHttpRequest object should be able
to access URLs on www.mydomain.com without any need to enable privileges.


--

Martin Honnen
http://JavaScript.FAQTs.com/

Steven Headley

unread,
Dec 19, 2005, 2:53:16 PM12/19/05
to
when I don't use the following code:


netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead
");


I get the following error:

XMLHttpRequest.open() failed permission denied.


I am using jboss and struts to server up these pages would that have an
impact??

*** Sent via Developersdex http://www.developersdex.com ***

Message has been deleted
Message has been deleted

VK

unread,
Dec 19, 2005, 5:06:24 PM12/19/05
to

Steven Headley wrote:
> I am using jboss and struts to server up these pages would that have an
> impact??

JBOSS or Perl script - it doesn't matter. What is matter is

(1) Same domain rule:

1) HTML page
2) .js script file
3) URL your're calling with AJAX
-----------------------
all three components have to be from the same domain where the "same
domain" means same protocol (http or https but not a mix), same
subdomain, same domain name and same first level domain:
[http://] [www.] [mycompany] [.com]
from above all squared components can be different or missing but it
has to be *identical* for all three sources (page, script, server call)

If it is true then you can at least use AJAX to call the server.

(2) If it is not true, or if you want to have extended privileges like
UniversalBrowserRead:

Firefox implements three-tier security model from Netscape 4.x (but in
Firefox it is not Java, but native C++ code inside):

1) First all scripts *and pages* have to be contained in a signed .jar
file. The file has to be signed by a valid certificate. If it is, it
still doesn't give it any privileges: it only gives *a privilege to ask
for a privilege*.

2) over netscape.security.PrivilegeManager methods your script asks for
a privilege. If the tier 1 above is passed OK, user will see the popup
asking for privilege. If tier 1 was not passed, no popup will be shown
and request will be automatically cancelled.

3) You using later JavaScript methods to access normally unavailable
information. Each method will ask every time for a privilege from
PrivilegeManager on tier 2 above. But user will not be bothered anymore
with popups. If user granted privilege on tier 2, she also granted the
privilege to PrivilegeManager to grant privileges to all methods on
tier 3.

More info and a working sample can be found here:
<http://www.mozilla.org/projects/security/components/signed-scripts.html>

Message has been deleted

Dag Sunde

unread,
Dec 20, 2005, 3:58:12 AM12/20/05
to
"Steven Headley" <steven_...@yahoo.com> wrote in message
news:McEpf.1598$DB5....@news.uswest.net...

> when I don't use the following code:
>
>
> netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead
> ");
>
>
> I get the following error:
>
> XMLHttpRequest.open() failed permission denied.
>

In your original post, you said that your script (and pages) was coming from
http://www.mydomain.com, but your code calls http://mydomain.com.

Even if thos two resolves to the same ip-address, they are not seen as the
same domain from the browsers point of view.

>
> I am using jboss and struts to server up these pages would that have an
> impact??

no

--
Dag.


Martin Honnen

unread,
Dec 20, 2005, 7:14:11 AM12/20/05
to

Steven Headley wrote:

> I get the following error:
>
> XMLHttpRequest.open() failed permission denied.

You need to make sure that you only access URLs from the same origin, if
you can't do that then install some server-side "URL fetcher" script so
that you can make all requests to the original server passing the URL on
another server in the query string where the server-side script then
makes the access to the other servers and returns the result to your
client-side code.

Jasen Betts

unread,
Dec 20, 2005, 1:46:17 PM12/20/05
to
On 2005-12-19, VK <school...@yahoo.com> wrote:

>
> Steven Headley wrote:
>> I am using jboss and struts to server up these pages would that have an
>> impact??
>
> JBOSS or Perl script - it doesn't matter. What is matter is
>
> (1) Same domain rule:
>
> 1) HTML page
> 2) .js script file
> 3) URL your're calling with AJAX
> -----------------------

> all three components have to be from the same domain where the "same
> domain" means same protocol (http or https but not a mix), same
> subdomain, same domain name and same first level domain:
> [http://] [www.] [mycompany] [.com]
> from above all squared components can be different or missing but it
> has to be *identical* for all three sources (page, script, server call)

which browser enforces that .js comes from the same place as the HTML?
(not mozilla and not IE)

you missed out same (optional) port number.


Bye.
Jasen

0 new messages