I'm working on a Firefox extension that uses XMLHttpRequest to grab data from a remote server.

The javascript code is as follows:

// postBackUrl, user and password are defined elsewhere in the extension (not shown);
// _ErrorOccured is the extension's own error handler.
function _PostBackObject(data) {
    var postBack = new XMLHttpRequest();
    postBack.onreadystatechange =
        function(){
            if (postBack.readyState == 4) {          // request finished
                if (postBack.status == 200) {
                    // Success
                    return;
                }

                _ErrorOccured(postBack.status);      // any non-200 status is reported
            }
        };

    postBack.open("POST", postBackUrl, true, user, password);  //This is line #51
    postBack.send(data);
}

I get the following error in the Firefox console:

Error: uncaught exception: [Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" location: "chrome://my_ext/content/context.js Line: 51"]

The postBackUrl can be anything (for testing purposes I've been using local machine [127.0.0.1] and a server sitting on my local network [so 192.168.*.*], both on port 8088) as it is user entered.

It looks like I'm tripping over XSS security measures. How would I work around this?

Some additional details:

  • Firefox 3.5.3 (it's acceptable to restrict to this and newer)
  • Unsigned extension (I would self-sign it, but that's quite a hassle and gains you nothing as far as I can tell)
  • I have complete control over the remote server (it's a custom setup, not Apache or IIS, written in C# for .NET 3.5)
+2  A: 

First, if you're calling this from chrome, your code shouldn't hit any cross-site checks. Chrome code is allowed to do cross-site XHR by default. Are you calling this directly from chrome, or are you injecting this into content somehow? http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#1736

Second, there are only three places in the XHR code that return that specific error code:
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#491
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#1581
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#2996

They all have to do with preflighting requests: http://www.w3.org/TR/access-control/#preflight-request

Is your server getting one of these, and mishandling it?

Ted Mielczarek
I was omitting the `Access-Control-Request-Method` header.
Kevin Montrose
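The answer points at preflight handling and the comment confirms the server was not dealing with the `Access-Control-Request-Method` exchange. As an added example (not code from the question, the answer, or the C# server described), here is the logic a server must apply to the OPTIONS preflight before Firefox will send the credentialed POST: the helper names, the origin allowlist and the sample requests are all constructed for illustration, written in JavaScript rather than the C# the real server uses.

```javascript
// Hypothetical model of server-side CORS preflight handling (not the page's C# server).
const ALLOWED_ORIGINS = new Set(["http://client.example"]); // constructed allowlist
const ALLOWED_METHODS = ["POST", "GET"];
const ALLOWED_HEADERS = ["content-type"];

// Header names are case-insensitive; normalise them before looking anything up.
function lowerKeys(headers) {
  const out = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = headers[k];
  return out;
}

// A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
function isPreflight(req) {
  const h = lowerKeys(req.headers);
  return req.method === "OPTIONS" && "origin" in h && "access-control-request-method" in h;
}

// Returns {status, headers}. An unknown origin, method or requested header gets a
// bare 403 with no Access-Control-* headers, so the browser never sends the real POST.
function preflightResponse(req) {
  const h = lowerKeys(req.headers);
  const origin = h["origin"];
  const method = (h["access-control-request-method"] || "").toUpperCase();
  const requested = (h["access-control-request-headers"] || "")
    .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_ORIGINS.has(origin) || !ALLOWED_METHODS.includes(method)) {
    return { status: 403, headers: {} };
  }
  if (requested.some(x => !ALLOWED_HEADERS.includes(x))) {
    return { status: 403, headers: {} };
  }
  return {
    status: 200,
    headers: {
      // Echo the one allowed origin: a "*" wildcard is refused by the browser when the
      // request carries credentials, as it does here (user/password passed to open()).
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Access-Control-Max-Age": "600",
      "Vary": "Origin" // keep caches from serving one origin's answer to another
    }
  };
}
```

A rejected preflight returns no Access-Control-* headers at all, which is exactly the case in which Firefox raises NS_ERROR_DOM_BAD_URI against the extension.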