Cross Domain XHR with Firefox 2

August 30, 2007

Warning

This article is old and may contain information that is outdated, irrelevant, or—dare I say it—no longer accurate. Read with care!

By now know you know that trying to do an XMLHttpRequest (XHR or AJAX) call to a domain that is different from the domain of the hosted JavaScript in Firefox will throw an exception.

Error: uncaught exception: Permission denied to call method XMLHttpRequest.open

If you don’t want a history of the past solutions, page down to see the final solution.

The web has solutions to this problem, but most of them involve changing your JavaScript code, which I thought to be less than ideal. A common solution involves setting the UniversalBrowserRead security property in your JavaScript code [Dion Almaer, of Ajaxian fame]:

netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');

The problem with that solution (obviously) lies in single browser proprietary JavaScript polluting your code. And you have to set this property inside the scope of any usage (ie: inside your library file that does your AJAX calls and inside your callbacks, etc).

Why can’t it just be as easy as Internet Explorer? They just pop-up a little security dialog asking you if you want to allow this access (which is also what the enablePrivilege function does as well).

Another solution involves setting the capability.policy.default.XMLHttpRequest.open preference inside your prefs.js Firefox preference file [Mike Dirolf]. This worked as desired and allowed the AJAX call, but anytime you attempt to access the resulting XML you received a nice exception as well. It turns out this is the solution we wanted, it’s just incomplete.

The Final Solution #

Close Firefox. It will overwrite your changes to the prefs.js file if you have it open.
Optional step: This approach will open up your Firefox security quite a bit, so I’d recommend setting up a separate profile in Firefox to use when testing. It will **not **pop up a security dialog when a cross-domain AJAX call is made.
Find your prefs.js file. In Windows, it is typically located in the C:Documents and Settings{YOUR_USERNAME}ApplicationDataMozillaFirefoxProfiles{YOUR_TEST_USER_PROFILE_ID}prefs.js

Open it up and add the following lines:

user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.default.CDATASection.nodeValue", "allAccess");
user_pref("capability.policy.default.Element.attributes", "allAccess");
user_pref("capability.policy.default.Element.childNodes", "allAccess");
user_pref("capability.policy.default.Element.firstChild", "allAccess");
user_pref("capability.policy.default.Element.getElementsByTagName", "allAccess");
user_pref("capability.policy.default.Element.tagName", "allAccess");
user_pref("capability.policy.default.HTMLCollection.length", "allAccess");
user_pref("capability.policy.default.HTMLCollection.item", "allAccess");
user_pref("capability.policy.default.Text.nodeValue", "allAccess");
user_pref("capability.policy.default.XMLDocument.documentElement", "allAccess");
user_pref("capability.policy.default.XMLDocument.getElementsByTagName", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.channel", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.responseText", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.responseXML", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.send", "allAccess");
user_pref("capability.policy.default.XMLHttpRequest.setRequestHeader", "allAccess");

This code was copied (with the exception of 1 line) from a source repository at [kryogenix.org]
used in jackfield. It wasn’t intended to be used for this purpose, but it works.

If you still get Error: uncaught exception: Permission denied to call method _________ errors, you can add the method to your prefs.js. I would appreciate a comment with any commonly used methods not included above. Thanks.

Update: Because this article is deprecated (applies to an older version of Firefox), I’m updating the blog title in the interest of minimizing the number of disappointed users. Some might think this is a stupid thing to do, since it’s the most popular page on my blog, but I’m more interested in helping people than getting traffic.

Zach is a builder for the web with Netlify. He’s currently fixated on web fonts and static site generators. His public speaking résumé includes talks in eight different countries at events like Beyond Tellerrand, Smashing Conference, CSSConf, and The White House. He is an emeritus of Filament Group, NEJS CONF, and still helps out with NebraskaJS. Read more about Zach » Twitter GitHub RSS

Previous: Write More Efficient Javascript in YUI with CSS Selectors
Next: Namespacing outside of the YAHOO Namespace

18 Replies

alberto Disqus
30 Oct 2007 at 09:03AM
this method works as well but when I need to read the response xml i get this exception:uncaught exception: Permission denied to get property XMLDocument.firstChildany solution?? i don't want to use ie6/7 again for this purpose...
Zach Leatherman Disqus
30 Oct 2007 at 09:56PM
If you read the solution carefully you will see that you can add that exact property to your prefs.js like so:user_pref("capability.policy.default.XMLDocument.firstChild", "allAccess");Anytime you get a "Permission denied" exception, this solution should work
Shaun Disqus
26 Jan 2008 at 12:16PM
Rather than set these preferences on the default profile, set them on a custom one that's only available for your development site:user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://YOURDEVHOSTHERE");user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");Here's the final list I ended up using, which includes a few new ones than the OP:user_pref("capability.policy.XMLHttpRequestToAnySite.CDATASection.nodeValue", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.attributes", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.childNodes", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.firstChild", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getAttribute", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getElementsByTagName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeType", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Element.tagName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.length", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.item", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.ProcessingInstruction.nodeType", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.ProcessingInstruction.nodeName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeType", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Text.data", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeValue", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.documentElement", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.getElementsByTagName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.nodeType", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.nodeName", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.channel", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseText", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseXML", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.setRequestHeader", "allAccess");user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
Zach Leatherman Disqus
06 Feb 2008 at 11:27PM
Great comment Shaun! That will definitely tighten the security up.
Christian Fecteau Disqus
10 Feb 2008 at 09:30PM
Shaun or Zach, how would I do the same for UniversalXPConnect? I'm trying to make myself a Firefox favelet that would search this French dictionnary automatically with my clipboard text:http://atilf.atilf.fr/dendi...I'm so close but I'm still getting this error:uncaught exception: Un script de « http://atilf.atilf.fr » s'est vu refuser des privilèges UniversalXPConnect.I've tried these with no luck in user.js:user_pref("capability.principal.codebase.p0.granted", "UniversalXPConnect");user_pref("capability.principal.codebase.p0.id", "http://atilf.atilf.fr");user_pref("capability.principal.codebase.p0.subjectName", "");user_pref("capability.principal.codebase.p1.granted", "UniversalXPConnect");user_pref("capability.principal.codebase.p1.id", "http://dell");user_pref("capability.principal.codebase.p1.subjectName", "");user_pref("capability.policy.policynames", "allowclipboard");user_pref("capability.policy.allowclipboard.sites", "file:// http://dell http://atilf.atilf.fr");user_pref("capability.policy.allowclipboard.Clipboard.cutcopy", "allAccess");user_pref("capability.policy.allowclipboard.Clipboard.paste", "allAccess");/*user_pref("capability.policy.allowclipboard.UniversalXPConnect.QueryInterface", "allAccess");user_pref("capability.policy.allowclipboard.UniversalXPConnect.createInstance", "allAccess");user_pref("capability.policy.allowclipboard.UniversalXPConnect.equals", "allAccess");user_pref("capability.policy.allowclipboard.UniversalXPConnect.getService", "allAccess");user_pref("capability.policy.allowclipboard.UniversalXPConnect.initialize", "allAccess");*/and my favelet:function getClipboardText() {if (window.clipboardData) // IEreturn (window.clipboardData.getData('Text'));if (!window.netscape) // promt for text if not Mozillareturn prompt();// ask permission to Mozillanetscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');// go on with XUL codevarclip = Components.classes['@mozilla.org/widget/clipboard;1'].createInstance(Components.interfaces.nsIClipboard),trans = Components.classes['@mozilla.org/widget/transferable;1'].createInstance(Components.interfaces.nsITransferable),str = {},len = {};trans.addDataFlavor('text/unicode');clip.getData(trans, clip.kGlobalClipboard);trans.getTransferData('text/unicode', str, len);str =Components.interfaces.nsISupportsWString? str.value.QueryInterface(Components.interfaces.nsISupportsWString): str.value.QueryInterface(Components.interfaces.nsISupportsString);return(str.data.substring(0, len.value / 2));}var clip = getClipboardText();console.log(clip);//document.form1.elements.mot.value = clip;//verif1();Thanks for the XHR code. I've added it to my FF dev profile. Now I can code cross-domain ajax.
Christian Fecteau Disqus
16 Feb 2008 at 02:54AM
Problem solved. A Firefox search engine xml file has been made for this dictionnary (and more):http://www.cnrtl.fr/portail...
Jeremy Disqus
09 May 2008 at 10:58PM
If you want to ensure that what you are developing works for other users who will not want to do this to their firefox use this:try{// IE understands this var xml = $(response.responseXML) var codes = xml.documentElement.getElementsByTagName("code")}catch(e){//firefox understands this try{ var xml = (new DOMParser()).parseFromString( response.responseXML, "text/xml"); var codes = xml.documentElement.getElementsByTagName("code") }catch(ee){ }}
Zach Leatherman Disqus
10 May 2008 at 03:25AM
Dude, what?To me that says:I can parse an XML document.OR if I can't, try a new way.That doesn't have anything to do with XHR, other than supplying using it to supply an XML document.
Zach Leatherman Disqus
10 May 2008 at 06:10PM
Also, please keep in mind that this is NOT a production solution. It's a development solution for individual development machines.
Arian Hojat Disqus
18 Jun 2008 at 02:37PM
Heard this was a viable production solution:use php to pull the xml, and feed it into the javascript.http://www.phpfour.com/blog...
Zach Leatherman Disqus
18 Jun 2008 at 10:24PM
Sure, this method is a client-side only solution. It's fairly trivial (and common) to use a server side language to act as a proxy for your ajax calls.
mark Disqus
09 Jul 2008 at 05:46PM
hi board!y have this error, Permiso para obtener la propiedad Element.childNodes denegadoin englishPermission denied to get property Element.childNodesand i create prefs.js file, and i have this error yet... i am using V 3.0tks for u help.
Sean Disqus
12 Aug 2008 at 11:31AM
I've read that the above technique will not work under Firefox 3. My tests seem to confirm this. And, there's this thread:http://groups.google.com/gr...So, is it game over?
Zach Leatherman Disqus
12 Aug 2008 at 12:19PM
Never say die.http://developer.mozilla.or...Looks like you could make a plugin that enables this for the web :) Have at it!
venkat Disqus
12 Feb 2009 at 12:30PM
Hi,Many thanks to you. But my firefox doent get updated with the new user prefs. im running 3.0.6. Any clues.
1. Zach Leatherman Disqus
  12 Feb 2009 at 04:16PM
  If you're having trouble modifying your prefs, you probably still have Firefox open. You must close Firefox when editing prefs.js. Also, the above code was tested only with Firefox 2, as stated below the headline.
Animal Disqus
09 May 2009 at 03:40PM
SoRRy, BuT None Of ThIS WOrks.
1. Zach Leatherman Disqus
  10 May 2009 at 02:58PM
  Again, please keep in mind that this post should be considered deprecated, as it does not apply to the current version of Firefox.