From: sameergn on 24 Nov 2009 01:30
On Nov 23, 10:16 am, Duncan Booth <duncan.bo...(a)invalid.invalid>
> "samee...(a)gmail.com" <samee...(a)gmail.com> wrote:
> > We believe this is not a cross domain issue. b.js is loaded from
> > localhost:8081 and fetching a resource on same server using AJAX. FF
> > 3.5.5 does not show any error in Error Console, allows the AJAX call
> > and even gets a 200 response code and content length is also set
> > properly as seen in Tamper Data. Not sure why it returns 0 as response
> > code and sets responseText to blank.
> It is a cross domain issue. The calling page is http://localhost:8080 which
> is a different domain than http://localhost:8081 (the protocol and port
> number both matter here).
> It doesn't matter that you loaded the b.js from the same domain as the
> a.html that matters.
> If you want to know why Firefox sends the request even though it is
> cross-domain read https://developer.mozilla.org/en/HTTP_access_control
Understood the purpose of sending the request; To send 'Origin:'
header and to check the 'Access-Control-Allow-Origin:' response
From: Thomas 'PointedEars' Lahn on 24 Nov 2009 09:49
> We have a script at http://localhost:8080/a.html which loads
> http://localhost:8081/b.js using script tag. A button defined in
> a.html invokes a function from b.js. The function makes AJAX call to
You should review your notions of the existence of a "script tag" and an
> [...] But in AJAX callback the response code is 0
You mean the response _status_ code? But `0' does not indicate success
(except with `file://' where it is a pseudo-request); 200 does. Review your
HTTP knowledge (among other things).
> when readyState becomes 4
So the response was fully received.
> and responseText is blank.
> Same behavior in Chrome. IE7 shows "Access is Denied" error.
Works as designed, see below.
> IE8 executes fine and response code is 200 in AJAX callback and
> responseText is properly set.
Looks like a security leak not fixed, or a DNS-resolution based instead of a
hostname-based SOP implementation (which is flawed, of course), or a library
> We believe this is not a cross domain issue.
Strictly speaking, it is not. However:
> b.js is loaded from localhost:8081 and fetching a resource on same server
> using AJAX.
It is a same-origin issue. To meet the Same Origin Policy, the resource
requested must be accessed with the same protocol, host name, *and* port as
the requesting resource.
URI of requesting resource: http://localhost:8080/a.html
URI of requested resource: http://localhost:8081/c.html
You will notice that the URI of the script that makes the XHR does not
matter as long as it (the script) is requested through conventional means
(here: `script' element). IOW: 8080 != 8081, SOP not met, access denied.
> FF 3.5.5 does not show any error in Error Console,
I can confirm that for Iceweasel 3.5.5 and Firebug 1.4X.5.
> allows the AJAX call
That term again ...
> and even gets a 200 response code and content length is also set
> properly as seen in Tamper Data. Not sure why it returns 0 as response
> code and sets responseText to blank.
Security measure. But you have already seen that it is at the discretion of
the implementation how to handle this case. Some throw exceptions, others
> Anybody faced similar issue?
Plenty of people, and solutions have been posted even in greater numbers.
If you only had bothered to RTFM, STFW or STFFAQ before you posted ...
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7(a)news.demon.co.uk>
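
Added example (not part of the thread and not any poster's code): a small JavaScript model of the origin comparison and of the response-visibility decision discussed above, for a simple GET without credentials. The function names and the shape of the `response` object (lowercase header keys) are assumptions made for the illustration.

```javascript
// Model of the browser-side decision, constructed for illustration only.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple used by the Same Origin Policy: scheme, host name, port.
function originOf(uri) {
  const u = new URL(uri);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // make default ports explicit
  };
}

// Serialized form, as it would appear in an 'Origin:' request header.
function serialize(o) {
  const implicit = !o.port || DEFAULT_PORTS[o.scheme] === o.port;
  return `${o.scheme}//${o.host}${implicit ? "" : ":" + o.port}`;
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// What script in `documentUri` is allowed to see of a response from `targetUri`.
// The URI the script file itself was loaded from is deliberately not an input:
// only the requesting document's origin counts.
function xhrVisibleResult(documentUri, targetUri, response) {
  const visible = { status: response.status, responseText: response.body };
  if (sameOrigin(documentUri, targetUri)) return visible;
  const allowed = response.headers["access-control-allow-origin"];
  if (allowed === "*" || allowed === serialize(originOf(documentUri))) return visible;
  // The request was sent and answered, but the response is withheld from script.
  return { status: 0, responseText: "" };
}

// Constructed response: the server on 8081 answers 200 without any CORS header.
const sample = { status: 200, headers: {}, body: "<p>c</p>" };
console.log(xhrVisibleResult("http://localhost:8080/a.html",
                             "http://localhost:8081/c.html", sample));
```

With the constructed response the network-level exchange is a 200, as seen in Tamper Data, while the script receives status 0 and an empty `responseText`.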