#3146 closed bug (invalid)
cross-site ajax over http post
Reported by: | davidcornish | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | 1.3 |
Component: | ajax | Version: | 1.2.6 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
Attempting to do an ajax call cross-site using JSONP over http post fails in Firefox 2.0.0.15 with:
Permission denied to call method XMLHttpRequest.open
in Firefox 3 with
Access to restricted URI denied
and hangs in IE 7.
This is with the patch from #3045 applied to detect change in protocol.
It works fine with type: "GET", just not type: "POST"
Change History (7)
comment:1 Changed 15 years ago by
Component: | core → ajax |
---|
comment:2 Changed 15 years ago by
comment:3 Changed 15 years ago by
Sure, sorry for not doing so before.
There's a test page at http://www.ivpbooks.com/test/3146.html The javascript is at http://www.ivpbooks.com/test/3146.js
The PHP script I'll include below.
It can be tested without cross-site calling at:
https://www.ivpbooks.com/test/3146.html (which works on both get and post)
or with cross-site calling at:
http://www.ivpbooks.com/test/3146.html (which only works on get, not post - the subject of this bug)
It looks to me that the code which supports cross-site JSONP explicitly is checking for GET, but I'm too new to all this to follow its logic correctly.
Let me know if I can let you have anything else. Thanks for your help.
3146.php:
<?php
$email = $_REQUEST['u'];
$pwd = $_REQUEST['p'];
$jsonp = $_REQUEST['jsoncb'];

// We really only want alphanumeric callback functions.
// The pattern is anchored at both ends (^ ... $ with the D modifier) so the
// whole name has to match, not just its last characters.
if(preg_match('/^[a-zA-Z0-9_]+$/D', $jsonp) == 0)
    $jsonp = "";

// Just a tiny script for bug reporting
if($email == "[email protected]…" and $pwd == "test")
    echo "$jsonp({\"success\":true})";
else
    echo "$jsonp({\"success\":false})";
?>
comment:4 Changed 15 years ago by
One question, I might be getting this wrong, but I don't think JSONP works with POST. The idea is explicitly using a script tag with a callback to load JSON. And you can send POST variables with a script.
comment:5 Changed 15 years ago by
I've looked at it more and no, you can't do JSONP over POST for the reason you say.
It might be good to put this in the docs and throw an exception if it is attempted.
I wonder if it might be possible to implement by generating a form which posts the data into a generated iframe, then reading back the contents of the generated iframe?
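The point made in comments 4 and 5, as an added JavaScript example that is not part of the original ticket and is not jQuery's own code: a cross-site JSONP request is only a script URL fetched with GET, so a client can reject POST up front. The function names and the example.test URLs are hypothetical; the u, p and jsoncb parameter names are taken from 3146.php.

```javascript
// Added illustration; function names are hypothetical, not jQuery internals.
// Parameter names u, p and jsoncb follow the 3146.php script in the ticket.

// Whole-string check, same character set as the PHP script's callback filter.
const CALLBACK_NAME = /^[A-Za-z0-9_]+$/;

// http://host and https://host are different origins; without CORS the
// same-origin policy blocks XMLHttpRequest between them.
function isCrossOrigin(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl, pageUrl).origin;
}

// A JSONP request is only a <script src="..."> URL, so every value is
// serialized into the query string and the browser fetches it with GET.
function buildJsonpUrl(endpoint, data, callbackName) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error("invalid JSONP callback name");
  }
  const url = new URL(endpoint);
  for (const [key, value] of Object.entries(data)) {
    url.searchParams.append(key, value);
  }
  url.searchParams.append("jsoncb", callbackName);
  return url.toString();
}

// Decide how a request would be sent, and fail loudly for the combination
// reported in this ticket rather than attempting a cross-site XMLHttpRequest.
function planRequest({ pageUrl, url, type = "GET", dataType, data = {}, callback }) {
  const method = type.toUpperCase();
  const target = new URL(url, pageUrl).toString();
  if (dataType === "jsonp" && isCrossOrigin(pageUrl, target)) {
    if (method !== "GET") {
      throw new Error("cross-site JSONP cannot be sent with " + method);
    }
    return { transport: "script", method, url: buildJsonpUrl(target, data, callback) };
  }
  return { transport: "xhr", method, url: target };
}

// Constructed sample: an http page calling an https endpoint on the same host.
const sample = {
  pageUrl: "http://www.example.test/test/3146.html",
  url: "https://www.example.test/test/3146.php",
  dataType: "jsonp",
  data: { u: "user@example.test", p: "test" },
  callback: "cb1",
};
console.log(planRequest({ ...sample, type: "GET" }));
```

Because the script transport carries u and p in the URL, those values are recorded wherever URLs are kept, such as server access logs and browser history.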
comment:6 Changed 15 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
Eh... I don't think there's a real need for this. And your proposed technique seems like a LOT of work (code) for such a specific situation.
comment:7 Changed 15 years ago by
I think it would help if it were clarified more clearly that it is GET only in
http://docs.jquery.com/Ajax/jQuery.ajax#options
but I appreciate the lack of intention to implement a workaround
The scenario for use, for what it is worth, is posting data over an HTTPS connection which you don't want sniffed from an HTTP original page.
Your details are not quite enough to be able to handle this. Could you provide a test case? A minimalistic HTML file with the required HTML and JS to reproduce the problem. Thanks.