Cross Domain XHR with Firefox 2
Warning
This article is old and may contain information that is outdated, irrelevant, or—dare I say it—no longer accurate. Read with care!
By now know you know that trying to do an XMLHttpRequest (XHR or AJAX) call to a domain that is different from the domain of the hosted JavaScript in Firefox will throw an exception.
Error: uncaught exception: Permission denied to call method XMLHttpRequest.open
If you don’t want a history of the past solutions, page down to see the final solution.
The web has solutions to this problem, but most of them involve changing your JavaScript code, which I thought to be less than ideal. A common solution involves setting the UniversalBrowserRead security property in your JavaScript code [Dion Almaer, of Ajaxian fame]:
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
The problem with that solution (obviously) lies in single browser proprietary JavaScript polluting your code. And you have to set this property inside the scope of any usage (ie: inside your library file that does your AJAX calls and inside your callbacks, etc).
Why can’t it just be as easy as Internet Explorer? They just pop-up a little security dialog asking you if you want to allow this access (which is also what the enablePrivilege
function does as well).
Another solution involves setting the capability.policy.default.XMLHttpRequest.open
preference inside your prefs.js Firefox preference file [Mike Dirolf]. This worked as desired and allowed the AJAX call, but anytime you attempt to access the resulting XML you received a nice exception as well. It turns out this is the solution we wanted, it’s just incomplete.
The Final Solution #
Close Firefox. It will overwrite your changes to the prefs.js file if you have it open.
Optional step: This approach will open up your Firefox security quite a bit, so I’d recommend setting up a separate profile in Firefox to use when testing. It will **not **pop up a security dialog when a cross-domain AJAX call is made.
Find your prefs.js file. In Windows, it is typically located in the
C:Documents and Settings{YOUR_USERNAME}ApplicationDataMozillaFirefoxProfiles{YOUR_TEST_USER_PROFILE_ID}prefs.js
Open it up and add the following lines:
user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess"); user_pref("capability.policy.default.CDATASection.nodeValue", "allAccess"); user_pref("capability.policy.default.Element.attributes", "allAccess"); user_pref("capability.policy.default.Element.childNodes", "allAccess"); user_pref("capability.policy.default.Element.firstChild", "allAccess"); user_pref("capability.policy.default.Element.getElementsByTagName", "allAccess"); user_pref("capability.policy.default.Element.tagName", "allAccess"); user_pref("capability.policy.default.HTMLCollection.length", "allAccess"); user_pref("capability.policy.default.HTMLCollection.item", "allAccess"); user_pref("capability.policy.default.Text.nodeValue", "allAccess"); user_pref("capability.policy.default.XMLDocument.documentElement", "allAccess"); user_pref("capability.policy.default.XMLDocument.getElementsByTagName", "allAccess"); user_pref("capability.policy.default.XMLHttpRequest.channel", "allAccess"); user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess"); user_pref("capability.policy.default.XMLHttpRequest.responseText", "allAccess"); user_pref("capability.policy.default.XMLHttpRequest.responseXML", "allAccess"); user_pref("capability.policy.default.XMLHttpRequest.send", "allAccess"); user_pref("capability.policy.default.XMLHttpRequest.setRequestHeader", "allAccess");
This code was copied (with the exception of 1 line) from a source repository at [kryogenix.org]
used in jackfield. It wasn’t intended to be used for this purpose, but it works.
If you still get Error: uncaught exception: Permission denied to call method _________
errors, you can add the method to your prefs.js. I would appreciate a comment with any commonly used methods not included above. Thanks.
Update: Because this article is deprecated (applies to an older version of Firefox), I’m updating the blog title in the interest of minimizing the number of disappointed users. Some might think this is a stupid thing to do, since it’s the most popular page on my blog, but I’m more interested in helping people than getting traffic.
18 Replies
alberto Disqus
30 Oct 2007 at 09:03AMZach Leatherman Disqus
30 Oct 2007 at 09:56PMShaun Disqus
26 Jan 2008 at 12:16PMZach Leatherman Disqus
06 Feb 2008 at 11:27PMChristian Fecteau Disqus
10 Feb 2008 at 09:30PMChristian Fecteau Disqus
16 Feb 2008 at 02:54AMJeremy Disqus
09 May 2008 at 10:58PMZach Leatherman Disqus
10 May 2008 at 03:25AMZach Leatherman Disqus
10 May 2008 at 06:10PMArian Hojat Disqus
18 Jun 2008 at 02:37PMZach Leatherman Disqus
18 Jun 2008 at 10:24PMmark Disqus
09 Jul 2008 at 05:46PMSean Disqus
12 Aug 2008 at 11:31AMZach Leatherman Disqus
12 Aug 2008 at 12:19PMvenkat Disqus
12 Feb 2009 at 12:30PMZach Leatherman Disqus
12 Feb 2009 at 04:16PM