Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.javascript > #8368

XML HTTP Request Object Use With Cross-Domain Scripting

Show all headers | View raw

[previously posted in mozilla.support.firefox, where one responder 
recommended posting it to a low traffic group mozilla.dev.extensions]



I ran into an issue where my interactive web document presents a form to the 
user, and the form processes the user input by making an HTTP request to a 
server with a scientific database, that is NOT the same server that served 
the interactive web document (this is apparently the cross-domain problem).

The Firefox browser does not alert the developer/user of this violation in a 
helpful way.  When one initializes the XmlHttpRequest object in the usual 
way (calls to .open() method, calls to .setRequestHeader() method, then 
finally the .send() method), the XmlHttpRequest.readyState attains a value 
of 4 (the COMPLETE condition), but the XmlHttpRequest.status value is ZERO 
instead of the expected 3-digit HTTP status value (preferably 200 in a 
successfully completed HTTP request).  In going through Google search 
results to answer my "WTF is going on" question, the cross-domain security 
issue came up.  I then used IE9, and sure enough, it at least reported a 
PERMISSION error at the call to the XmlHttpRequest.open() method.

I have two questions.

(1) Numerous methods of the XmlHttpRequest object do not return values to 
indicate success (true) or failure (false) with respect to execution of the 
method.  The mechanism of informing the caller of an error in using the 
method appears to be the throwing of exceptions, according to a "standard" 
regarding the XmlHttpRequest object found at W3C.  Thus to detect errors---
or rather exceptions---in the use of object methods, it is sensible to make 
method calls in try/catch blocks (correct?).  Like so:

 try {
   requestObject.open(method, url, isSetAsynchronous);
 } catch (exception) {
   if (console && console.log) // if Firebug is working
     console.log("Exception raised @ open() method" +
        " to XML HTTP Request object\n" + exception.toString());
   else
     alert("Exception raised @ open() method to" + 
         " XML HTTP Request object\n" + exception.toString());
 }
 try {
   requestObject.setRequestHeader("Content-Type", 
      "application/x-www-form-urlencoded");
 } catch (exception) {
    // same use of Firebug console.log() or alert() as above
 }

Curiously, whereas IE9 stopped at an .open() method call when it was NOT 
wrapped in try/catch, it does not execute the catch block code that I can 
see but instead steps through it (apparently executing the try block 
statement successfully??) and then stops on the .setRequestHeader() method 
call that follows it.  When that gets wrapped in try/catch block, it then 
steps over that to the next .setRequestHeader() call in the code again not 
wrapped in try/catch and stops on that.  Firefox, which did not adequately 
note the exception anyway but still returns readyState == COMPLETE and 
status == 0, does not run the catch block either.

(2) Even if I solve this problem above, it does not address the workarounds 
to the cross-domain problem.  HTTP clients should allow users to give 
scripts permission to get around the cross-domain problem, as it seems they 
did in the past.  There is a lot of confusing information about workarounds 
to the cross-domain problem with changing HTML versions it seems.  Does 
anyone know of the definitive resource or explanation on the use of the 
XmlHttpRequest object and how to troubleshoot its use in development?

Back to comp.lang.javascript | Previous | Next — Next in thread | Find similar | Unroll thread

Thread

XML HTTP Request Object Use With Cross-Domain Scripting "Winston Smith, American Patriot" <FranzKafka@Oceania.WhiteHouse.GOV.invalid> - 2011-11-16 15:51 +0000
  Re: XML HTTP Request Object Use With Cross-Domain Scripting Denis McMahon <denismfmcmahon@gmail.com> - 2011-11-16 22:02 +0000

csiph-web