Bug Tracker

Opened 12 years ago

Closed 12 years ago

Last modified 8 years ago

#3146 closed bug (invalid)

cross-site ajax over http post

Reported by: davidcornish Owned by:
Priority: major Milestone: 1.3
Component: ajax Version: 1.2.6
Keywords: Cc:
Blocked by: Blocking:


Attempting to do an ajax call cross-site using JSONP over http post fails in Firefox with:

Permission denied to call method XMLHttpRequest.open

in Firefox 3 with

Access to restricted URI denied

and hangs in IE 7.

This is with the patch from #3045 applied to detect change in protocol.

It works fine with type: "GET", just not type: "POST"

Change History (7)

comment:1 Changed 12 years ago by flesler

Component: coreajax

comment:2 Changed 12 years ago by flesler

Your details are not quite enough to be able to handle this. Could you provide a test case ? a minimalistic html file with the requires html and js to reproduce the problem. Thanks.

comment:3 Changed 12 years ago by davidcornish

Sure, sorry for not doing so before.

There's a test page at http://www.ivpbooks.com/test/3146.html The javascript is at http://www.ivpbooks.com/test/3146.js

The PHP script I'll include below.

It can be tested without cross-site calling at:

https://www.ivpbooks.com/test/3146.html (which works on both get and post)

or with cross-site calling at:

http://www.ivpbooks.com/test/3146.html (which only works on get, not post - the subject of this bug)

It looks to me that the code which supports cross-site JSONP explicitly is checking for GET, but I'm too new to all this to follow its logic correctly.

Let me know if I can let you have anything else. Thanks for your help.



$email = $_REQUESTu? ; $pwd = $_REQUESTp? ; $jsonp = $_REQUESTjsoncb? ;

We really only want alphanumeric callback functions if(preg_match("/[a-zA-Z0-9_]+$/",$jsonp) == 0)

$jsonp = "";

Just a tiny script for bug reporting

if($email == "test@…" and $pwd == "test")

echo "$jsonp({\"success\":true})";


echo "$jsonp({\"success\":false})";


comment:4 Changed 12 years ago by flesler

One question, I might be getting this wrong, but I don't think JSONP works with POST. The idea is explicitely using a script tag with a callback to load JSON. And you can send POST variables with a script.

comment:5 Changed 12 years ago by davidcornish

I've looked at it more and no, you can't do JSONP over POST for the reason you say.

It might be good to put this in the docs and throw an exception if it is attempted.

I wonder if it might be possible to implement by generating a form which posts the data into a generated iframe, then reading back the contents of the generated iframe?

comment:6 Changed 12 years ago by flesler

Resolution: invalid
Status: newclosed

Eh... I don't think there's a real need for this. And your proposed technique seems like a LOT of work(code) for such a specific situation.

comment:7 Changed 12 years ago by davidcornish

I think it would help if it were clarified more clearly that it is GET only in


but I appreciate the lack of intention to implement a workaround

The scenario for use, for what it is worth, is posting data over an HTTPS connection which you don't want sniffed from an HTTP original page.

Note: See TracTickets for help on using tickets.