Skip to main content

Bug Tracker

Side navigation

#3146 closed bug (invalid)

Opened July 09, 2008 04:13PM UTC

Closed August 03, 2008 03:03AM UTC

Last modified March 14, 2012 05:20PM UTC

cross-site ajax over http post

Reported by: davidcornish Owned by:
Priority: major Milestone: 1.3
Component: ajax Version: 1.2.6
Keywords: Cc:
Blocked by: Blocking:

Attempting to do an ajax call cross-site using JSONP over http post fails in Firefox with:

Permission denied to call method

in Firefox 3 with

Access to restricted URI denied

and hangs in IE 7.

This is with the patch from #3045 applied to detect change in protocol.

It works fine with type: "GET", just not type: "POST"

Attachments (0)
Change History (7)

Changed July 09, 2008 09:26PM UTC by flesler comment:1

component: coreajax

Changed July 09, 2008 09:29PM UTC by flesler comment:2

Your details are not quite enough to be able to handle this.

Could you provide a test case ? a minimalistic html file with the requires html and js to reproduce the problem.


Changed July 10, 2008 09:36AM UTC by davidcornish comment:3

Sure, sorry for not doing so before.

There's a test page at

The javascript is at

The PHP script I'll include below.

It can be tested without cross-site calling at:

(which works on both get and post)

or with cross-site calling at:

(which only works on get, not post - the subject of this bug)

It looks to me that the code which supports cross-site JSONP explicitly is checking for GET, but I'm too new to all this to follow its logic correctly.

Let me know if I can let you have anything else. Thanks for your help.



$email = $_REQUEST['u'] ;

$pwd = $_REQUEST['p'] ;

$jsonp = $_REQUEST['jsoncb'] ;

// We really only want alphanumeric callback functions

if(preg_match("/^[a-zA-Z0-9_]+$/",$jsonp) == 0)

$jsonp = "";

// Just a tiny script for bug reporting

if($email == "" and $pwd == "test")

echo "$jsonp({\\"success\\":true})";


echo "$jsonp({\\"success\\":false})";


Changed July 15, 2008 02:28AM UTC by flesler comment:4

One question, I might be getting this wrong, but I don't think JSONP works with POST.

The idea is explicitely using a script tag with a callback to load JSON. And you can send POST variables with a script.

Changed July 22, 2008 04:36PM UTC by davidcornish comment:5

I've looked at it more and no, you can't do JSONP over POST for the reason you say.

It might be good to put this in the docs and throw an exception if it is attempted.

I wonder if it might be possible to implement by generating a form which posts the data into a generated iframe, then reading back the contents of the generated iframe?

Changed August 03, 2008 03:03AM UTC by flesler comment:6

resolution: → invalid
status: newclosed

Eh... I don't think there's a real need for this. And your proposed technique seems like a LOT of work(code) for such a specific situation.

Changed August 11, 2008 02:23PM UTC by davidcornish comment:7

I think it would help if it were clarified more clearly that it is GET only in

but I appreciate the lack of intention to implement a workaround

The scenario for use, for what it is worth, is posting data over an HTTPS connection which you don't want sniffed from an HTTP original page.