Cliffwalk

AJAX & Cross-Domain Data

I've been working with AJAX in our company's browser of choice which is IE and admittedly I am nearly as familiar with the config settings in Firefox, however, I'd really like to use it because of the Venkman debugger that has made things a lot easier on me.... HOWEVER, when I go to work with my control I'm getting this error:

Error: uncaught exception: Permission denied to call method XMLHttpRequest.open

I'm guessing that Firefox needs to be told that it can do cross-domain data but I can't find a config option for that.

Secondly: Will this configuration requirement be going away at some point? Having this particular configuration change in place has some security risks.

Thanks

-Dave
DevAngel

Hi Cliffwalk, If you are writing an SControl then this should not be a problem. If you are using the AJAX toolkit from your own website this is a problem.

For Firefox, what you will need to do is to edit the prefs.js file that Firefox uses to store preferences. Add a policy called salesforce:

user_pref("capability.policy.policynames", "salesforce");

Give that policy all access to the open method of XMLHttpRequest:

user_pref("capability.policy.salesforce.XMLHttpRequest.open", "allAccess");

Specify the sites that are to be members of that policy:

user_pref("capability.policy.salesforce.sites", "https://www.salesforce.com https://na1-api.salesforce.com http://localhost");

The last step above assumes that you get na1 back on a login call for your account.

Oh, and don't forget to shut down Firefox before you edit prefs.js, or else it'll just overwrite your settings.

Now, I've also seen something a little more dynamic and might not apply to XMLHttpRequest (which is the basis of the sforce AJAX toolkit), but haven't tried it yet. Here is a snippet from a blog post:

Cross-domain security woes

You're developing an Ajax-based application. You have an application server at example.com which serves up all your JavaScript, HTML and CSS, and a data server at xml.example.com which delivers all the XML data to the application via a hidden IFRAME.

You know that cross-domain security will prevent any JavaScript from accessing the data in the IFRAME. So, you configure the data server to set the security domain of the IFRAME to "example.com" — the common suffix between the two domains — with a small piece of JavaScript:

<script type="text/javascript">
  document.domain="example.com";
</script>

Having done this, you test your application and get a "permission denied" error. What happened?

Depending on your browser, it may not be enough to only set the security domain of the IFRAME. You must set all of the frames and windows to the same domain, too. This is true even if the domain name you're trying to set already matches the domain of the server that's currently serving the page. For example, if you have two frames with pages served from example.com and you use JavaScript to set the security domain of one frame to "example.com" the frames will be unable to communicate.

Older browsers might let you get away with this.

Message Edited by DevAngel on 10-25-2005 10:41 AM

DevAngel
I have an update to the previous post:

It seems you need to enable a lot more properties. Below is a list that works for one of my more complex scontrols, but it is probably not complete.

user_pref("capability.policy.policynames", "salesforce");
user_pref("capability.policy.salesforce.Element.childNodes", "allAccess");
user_pref("capability.policy.salesforce.Element.firstChild", "allAccess");
user_pref("capability.policy.salesforce.Element.getAttribute", "allAccess");
user_pref("capability.policy.salesforce.Element.getElementsByTagName", "allAccess");
user_pref("capability.policy.salesforce.Element.localName", "allAccess");
user_pref("capability.policy.salesforce.Element.nodeType", "allAccess");
user_pref("capability.policy.salesforce.Element.nodeValue", "allAccess");
user_pref("capability.policy.salesforce.Element.parentNode", "allAccess");
user_pref("capability.policy.salesforce.HTMLCollection.length", "allAccess");
user_pref("capability.policy.salesforce.HTMLCollection.item", "allAccess");
user_pref("capability.policy.salesforce.Text.nodeType", "allAccess");
user_pref("capability.policy.salesforce.Text.nodeValue", "allAccess");
user_pref("capability.policy.salesforce.XMLDocument.getElementsByTagName", "allAccess");
user_pref("capability.policy.salesforce.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.salesforce.sites", "https://www.salesforce.com http://localhost https://na1-api.salesforce.com");
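
An added example, not part of the posts above and not Salesforce or Mozilla code: a Node.js script that audits a prefs.js file for the capability.policy entries described in this thread and reports what each policy grants and to which sites. The sample input is constructed from the lines quoted above, and the function names are hypothetical.

```javascript
// Added example: audit a Firefox prefs.js for capability.policy grants.
// SAMPLE_PREFS is constructed from the user_pref lines quoted in this thread.
const SAMPLE_PREFS = `
user_pref("capability.policy.policynames", "salesforce");
user_pref("capability.policy.salesforce.Element.childNodes", "allAccess");
user_pref("capability.policy.salesforce.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.salesforce.sites", "https://www.salesforce.com http://localhost https://na1-api.salesforce.com");
user_pref("browser.startup.homepage", "about:blank");
`;

// Collect string-valued user_pref("name", "value"); lines into a Map.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) prefs.set(m[1], m[2]);
  return prefs;
}

// For each named policy, report its sites, its allAccess grants and findings.
function auditCapabilityPolicies(text) {
  const prefs = parsePrefs(text);
  const names = (prefs.get("capability.policy.policynames") || "")
    .split(/[\s,]+/).filter(Boolean);
  return names.map((name) => {
    const prefix = `capability.policy.${name}.`;
    const sites = (prefs.get(prefix + "sites") || "").split(/\s+/).filter(Boolean);
    const grants = [];
    for (const [key, value] of prefs) {
      if (key.startsWith(prefix) && key !== prefix + "sites" && value === "allAccess") {
        grants.push(key.slice(prefix.length));
      }
    }
    const findings = [];
    const plainHttp = sites.filter((s) => s.startsWith("http://"));
    if (plainHttp.length) {
      findings.push(`policy covers non-HTTPS origins: ${plainHttp.join(", ")}`);
    }
    if (grants.includes("XMLHttpRequest.open")) {
      findings.push("listed sites may open cross-domain XMLHttpRequest connections");
    }
    return { name, sites, grants: grants.sort(), findings };
  });
}

console.log(JSON.stringify(auditCapabilityPolicies(SAMPLE_PREFS), null, 2));
```
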
Cliffwalk
Thank you, this was EXACTLY what I was looking for.

Dave
Cliffwalk
I'm running this as an S-Control and I still get XmlHttp permission issues unless I set my browser to allow X-Domain Data.

Any clues where I should start looking for my issue? I tried setting the doc domain and this didn't help.

-Dave
DevAngel
Right, in IE you need to allow cross domain data.
fedevelaps
If you have access to your Apache web server, you can enable silent redirect and everything will work transparently to everyone. I added this to my httpd.conf file and it all worked:

Code:
Options +FollowSymLinks
RewriteEngine On
# [P] hands the rewritten URL to mod_proxy, so the browser only ever talks to this server
RewriteRule ^/salesforce(/.*)$ http://na3.salesforce.com/$1 [P]

Now I can do things like

Code:
<script src="http://www.mydomain.org/salesforce/soap/ajax/9.0/connection.js" type="text/javascript"> </script>
<script language="javascript">
        function start () {
            sforce.connection.serverUrl = "http://www.mydomain.org/salesforce/services/Soap/u/9.0";
        }
</script>


And everything is redirected transparently!!! Works like a charm!!!

Hope it helps someone!

Message Edited by fedevelaps on 04-30-2007 07:42 AM