views:

2391

answers:

4

I have written an XMLHttpRequest which runs fine but returns an empty responseText.

The javascript is as follows:

  var anUrl = "http://api.xxx.com/rates/csv/rates.txt";
  var myRequest = new XMLHttpRequest();

  callAjax(anUrl);

  function callAjax(url) {
     myRequest.open("GET", url, true);
     myRequest.onreadystatechange = responseAjax;
                 myRequest.setRequestHeader("Cache-Control", "no-cache");
     myRequest.send(null);
  }

  function responseAjax() {
     if(myRequest.readyState == 4) {
        if(myRequest.status == 200) {
            result = myRequest.responseText;
            alert(result);
            alert("we made it");
        } else {
            alert( " An error has occurred: " + myRequest.statusText);
        }
     }
  }

The code runs fine. I can walk through and I get the readyState == 4 and a status == 200 but the responseText is always blank.

I am getting a log error (in Safari debug) of Error dispatching: getProperties which I cannot seem to find reference to.

I have run the code in Safari and Firefox both locally and on a remote server.

The URL when put into a browser will return the string and give a status code of 200.

I wrote similar code to the same URL in a Mac Widget which runs fine, but the same code in a browser never returns a result.

+4  A: 

Is http://api.xxx.com/ part of your domain? If not, you are being blocked by the same origin policy.

You may want to check out the following Stack Overflow post for a few possible workarounds:

Daniel Vassallo
i had a feeling that might be it. The puzzling aspect of this is that in a Mac Widget i used the XMLHttpRequest to do the same thing and it works. I am assuming that in the widget's case i am not in a browser so not blocked.
PurplePilot
Actually this has nothing to do with xss, which is caused by failure to validate user input. Using XHR to access another domain is a violation of the Same Origin Policy: http://code.google.com/p/browsersec/wiki/Part2
Rook
@The Rook: Thanks for the note. Fixed my answer.
Daniel Vassallo
+1  A: 

Browser is preventing you from cross-site scripting.

If the url is outside of your domain, then you need to do this on the server side or move it into your domain.

Jacob Relkin
A: 

PROBLEM RESOLVED

in my case the problem was that i do the ajax call (with $.ajax, $.get or $.getJSON methods from jQuery) with full path in the url param:

url: "http://mydomain.com/site/cgi-bin/serverApp.php"

but the correct is pass the value of url as:

url: "site/cgi-bin/serverApp.php"

some browser don't conflict and no distiction between one text or another, but in Firefox 3.6 for Mac OS take this full path as "cross site scripting"... another thing, in the same browser there is a distiction between:

http: //mydomain.com/site/index.html

and put

http: //www.mydomain.com/site/index.html

in fact it is the correct point view but most implementations make no distinction, so the solution was remove all the text that specify the full path to the script in the methods that do the ajax request AND.... remove any BASE tag in the index.html file

base href="http://mydomain.com/" <--- bad idea, remove it!

if don't remove it, this version of browser for this system, may take your ajax's request like if they are cross site request!

.

.

i have the same problem but only is on the Mac OS machine, the problem is that Firefox treat the ajax response as an "cross site" call, in any other machine/browser works fine, im not find any help about this (i think that is a firefox's implementation issue),but i going to prove the next code in the server side:

header('Content-type: application/json');

to ensure that browser get the data as "json data" ...

Ivan David
A: 

I am facing the same problem. Did somebody find a solution? @albert? I tried using ajax object too: var ajaxRequest = new ajaxObject(URL); ajaxRequest.callback = function (responseText) { JSONData = responseText.parseJSON(); processData(JSONData); }

if i say alert(responseText); it does not give anything. the alert box even doesnt appear!

encryptor