Error: uncaught exception: Permission denied to call method XMLHttpRequest.open
Firefox/Mozilla browser fix / solution:
- Go to address “about:config” in Firefox (i.e. type that in the address bar and hit Enter)
- Search for “signed” in the filter bar
- Double click the item “signed.applets.codebase_principal_support” to change its value to “true”
- Create (or edit if already present) the “user.js” file found in the below directories. By default this file does not exist so create a new blank user.js file if you don’t find it in the following paths (as specified on Mozilla.org):
  - On Windows Vista/XP/2000, the path is usually %AppData%\Mozilla\Firefox\Profiles\xxxxxxxx.default\, where xxxxxxxx is a random string of 8 characters. Just browse to C:\Documents and Settings\[User Name]\Application Data\Mozilla\Firefox\Profiles\ on Windows XP/2000 or C:\users\[User Name]\AppData\Roaming\Mozilla\Firefox\Profiles\ on Windows Vista, and the rest should be obvious.
  - On Windows 95/98/Me, the path is usually C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\
  - On Linux, the path is usually ~/.mozilla/firefox/xxxxxxxx.default/
  - On Mac OS X, the path is usually ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/
- Place the following lines within user.js:
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost.com:3000");
user_pref("capability.policy.XMLHttpRequestToAnySite.CDATASection.nodeValue", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.attributes", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.childNodes", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.firstChild", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getAttribute", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getElementsByTagName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.lastChild", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeType", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.parentNode", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.tagName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nextSibling", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Element.previousSibling", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.length", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.item", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.attributes", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.childNodes", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.firstChild", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getAttribute", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getElementsByTagName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.lastChild", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeType", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.parentNode", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.tagName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nextSibling", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.Text.previousSibling", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.documentElement", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.getElementsByTagName", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.channel", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseText", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseXML", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.setRequestHeader", "allAccess");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
- Edit the line containing “http://localhost.com:3000” and replace that URI with whatever URI you are developing on (or publishing to). For me it happens to be localhost.com:3000. Normally it would be just “localhost” for most people or localhost:3000 for Rails project developers.
- Save the user.js file
- Exit out of Firefox or other Mozilla based browser. If on Mac OS X, fully quit Firefox by hitting Cmd+Q, don’t just close the current browser window (which leaves Firefox still running in the background).
- Launch Firefox again.
- Exit out of Firefox again. The config file that Firefox actually uses to control the browser is called “prefs.js”, not “user.js”. user.js is the file that we, the end user, are supposed to make changes to, which are then copied over to prefs.js when Firefox is loaded. For whatever reason, the prefs.js file will not be updated with the contents of user.js until you exit Firefox, launch it, exit again (at which point prefs.js will be updated), then launch Firefox once more and your changes are ready for use.
After the above steps are completed, you should be able to make XMLHttpRequest calls cross-site / cross-domain with your AJAX code without Firefox/Mozilla security getting in the way.
The bevy of user_pref settings above creates a new site security policy that allows the listed XMLHttpRequest commands to be performed from “http://localhost.com:3000” to any address. Normally, Firefox only allows XMLHttpRequest calls within the same domain. For example, if you were on the microserf.com domain, Firefox would not allow the website http://www.microserf.com to make XMLHttpRequest calls to http://www.hackmehard.com, since this was a major exploit that crackers would use to hide their evildoings in the background of apparently benign sites.
In general, the security policy that Firefox has set up by default is a good idea. Setting up a new security policy as we have done above is generally safe, as it only allows the site “http://localhost.com:3000” to make the listed cross-site/cross-domain XMLHttpRequest calls. Any other domain would not be allowed to use this site policy.
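An added check, not part of the original post: the script below parses user.js text and reports, per capability policy, which sites receive which allAccess grants, and whether the profile-wide signed.applets.codebase_principal_support switch from the first steps is on. The function names, the loopback list and the sample input are assumptions made for this example.

```javascript
// Added example, not the author's code. SAMPLE_USER_JS is constructed: a shortened
// version of the page's policy plus the about:config change from the first steps.
const SAMPLE_USER_JS = `
user_pref("signed.applets.codebase_principal_support", true);
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost.com:3000");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");
`;
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]); // assumed loopback names

// Parse user_pref("name", value); lines into a Map of name -> value.
function parsePrefs(text) {
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/gm;
  const prefs = new Map();
  for (const m of text.matchAll(re)) prefs.set(m[1], JSON.parse(m[2]));
  return prefs;
}

// Group capability.policy.<name>.* prefs per policy and report what each one grants.
function auditPolicies(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  const policies = {};
  const words = (v) => String(v || "").split(/[\s,]+/).filter(Boolean);
  // This pref is profile-wide; it is not limited to the sites of any policy.
  if (prefs.get("signed.applets.codebase_principal_support") === true)
    findings.push("codebase_principal_support is enabled for the whole profile");
  const active = words(prefs.get("capability.policy.policynames"));
  for (const [name, value] of prefs) {
    const m = /^capability\.policy\.([^.]+)\.(.+)$/.exec(name);
    if (!m) continue;
    const p = policies[m[1]] || (policies[m[1]] = { sites: [], grants: [] });
    if (m[2] === "sites") p.sites = words(value);
    else if (value === "allAccess") p.grants.push(m[2]);
  }
  for (const [name, p] of Object.entries(policies)) {
    if (!active.includes(name)) findings.push(`${name}: not listed in policynames`);
    for (const site of p.sites) {
      // Assumption: entries use the scheme://host[:port] form shown on the page.
      let host = "";
      try { host = new URL(site).hostname; } catch (e) { /* not a URL at all */ }
      if (!host) findings.push(`${name}: "${site}" is not in scheme://host[:port] form`);
      else if (!LOOPBACK.has(host))
        findings.push(`${name}: ${p.grants.length} allAccess grants for non-loopback host ${host}`);
    }
  }
  return { policies, findings };
}
```

Run against the page's own site value, the audit reports localhost.com as a non-loopback host: it is an ordinary DNS name, so the grants apply to whatever that name resolves to on the machine.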
This post originally started out due to the desire to develop Salesforce.com AJAX Toolkit based s-controls outside of their Ajax Tools IDE (yeah, their naming schemes leave something to be desired), which runs on their Force.com “no software” platform. Of course I ran into huge problems with Camino / Firefox and cross domain XMLHttpRequest scripting security issues. The result of which is this post on how to get around the cross site scripting issues and develop JavaScript based s-controls on your local machine, using your preferred IDE (go go TextMate).
8 comments
January 29, 2008 at 2:28 pm
Pingback from XMLHttpRequest permission denied fix - Salesforce.com Ajax Toolkit « Mac OS X Leopard & Tiger Dual Boot
May 28, 2008 at 2:25 pm
Pingback from ramseyramos.net » Blog Archive » uncaught exception: Permission denied to call method XMLHttpRequest.open
June 4, 2008 at 1:41 pm
Chris Mumford
Thanks for the info. This works in Firefox 2.X and also in 3.0b5. However, when I upgraded to Firefox 3.0 RC1 it no longer works nor can I find a solution as of yet.
June 16, 2008 at 8:33 am
Al Feersum
Can’t get it to work in FF 2.0.0.14 - although prefs.js updated, can’t see the entries in about:config.
July 1, 2008 at 4:12 pm
Chris Mumford
I just noticed this comment in the Firefox 3.0 release notes, “Support for Cross-Site XmlHttpRequest has been removed until the specification becomes more stable and the security model is improved (bug 424923)”.
November 12, 2008 at 5:14 am
Erica Harris
Thanks for this, it worked for me using Firefox 2. Will my users have to do the same to run my code from their browsers? I’m making the call from salesforce, at the moment in an scontrol, to push XML API requests to another hosted system’s server and get responses from it.
November 12, 2008 at 5:27 am
Ben Lam
Hi Erica,
Your users, if using your Salesforce app under Firefox, would have to make the same change in their browser to avoid this security based error. It basically prevents malicious code from being executed from an innocent looking domain/website.
See Mozilla’s notes on Firefox 3 and cross site scripting for more information on this later version.
I’m not familiar enough with Internet Explorer’s latest versions to say if the same is true of them.
Best of luck,
Ben
November 12, 2008 at 7:20 am
Erica Harris
Many thanks, Ben, this has been a huge help to me. Thanks for the pointer to the Mozilla development site too.