How to fix Ajax Error: uncaught exception: Permission denied to call method XMLHttpRequest.open

By | January 29, 2008

Fix for “Error: uncaught exception: Permission denied to call method XMLHttpRequest.open” in Firefox/Mozilla browsers:

  • Go to address “about:config” in Firefox (i.e. type that in the address bar and hit Enter)
  • Search for “signed” in the filter bar
  • Double click the item “signed.applets.codebase_principal_support” to change its value to “true”
  • Create (or edit if already present) the “user.js” file in your Firefox profile directory. By default this file does not exist, so create a new blank user.js file if you don’t find it in one of the following paths (as specified on Mozilla.org):
    • On Windows Vista/XP/2000, the path is usually %AppData%\Mozilla\Firefox\Profiles\xxxxxxxx.default, where xxxxxxxx is a random string of 8 characters. Just browse to C:\Documents and Settings\[User Name]\Application Data\Mozilla\Firefox\Profiles on Windows XP/2000 or C:\users\[User Name]\AppData\Roaming\Mozilla\Firefox\Profiles on Windows Vista, and the rest should be obvious.
    • On Windows 95/98/Me, the path is usually C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default
    • On Linux, the path is usually ~/.mozilla/firefox/xxxxxxxx.default/
    • On Mac OS X, the path is usually ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/
  • Place the following lines within user.js:

    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost.com:3000");
    user_pref("capability.policy.XMLHttpRequestToAnySite.CDATASection.nodeValue", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.attributes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.childNodes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.firstChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getAttribute", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.lastChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeType", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.parentNode", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.tagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nextSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.previousSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.length", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.item", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.attributes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.childNodes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.firstChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getAttribute", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.lastChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeType", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.parentNode", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.tagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nextSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.previousSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.documentElement", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.channel", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseText", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseXML", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.setRequestHeader", "allAccess");
    user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
  • Edit the line containing “http://localhost.com:3000” and replace that URI with whatever URI you are developing on (or publishing to). For me it happens to be localhost.com:3000. Normally it would be just “localhost” for most people or localhost:3000 for Rails project developers.
  • Save the user.js file
  • Exit out of Firefox or other Mozilla based browser. If on Mac OS X, fully quit Firefox by hitting Cmd+Q, don’t just close the current browser window (which leaves Firefox still running in the background).
  • Launch Firefox again.
  • Exit out of Firefox again. The config file that Firefox actually uses to control the browser is called “prefs.js”, not “user.js”. user.js is the file that we, the end user, are supposed to make changes to, which are then copied over to prefs.js when Firefox is loaded. For whatever reason, the prefs.js file will not be updated with the contents of user.js until you exit Firefox, launch it, exit again (at which point prefs.js will be updated), then launch Firefox once more and your changes are ready for use.

After the above steps are completed, you should be able to make XMLHttpRequest calls cross-site / cross-domain with your AJAX code without Firefox/Mozilla security getting in the way.

The bevy of user_pref settings above creates a new site security policy that allows the listed XMLHttpRequest commands to be performed from “http://localhost.com:3000” to any address. Normally, Firefox only allows XMLHttpRequest calls within the same domain. For example, if you were on the microserf.com domain, Firefox would not allow the website http://www.microserf.com to make XMLHttpRequest calls to http://www.hackmehard.com, since this was a major exploit that crackers would use to hide their evildoings in the background of apparently benign sites.

In general, the security policy that Firefox has set up by default is a good idea. Setting up a new security policy as we have done above is generally safe, as it only allows the site “http://localhost.com:3000” to make the listed cross-site/cross-domain XMLHttpRequest calls. Any other domain would not be allowed to use this site policy.
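
To check what a user.js like the one above actually grants, the following added example (not code from the original post) parses the user_pref lines, groups the allAccess grants by policy, and flags any site outside the origins you expect. The function names, the expectedOrigins parameter and the sample input are assumptions constructed for illustration; it runs under Node.js.

```javascript
// Added example: audits capability.policy grants in a Firefox user.js.
// SAMPLE_USER_JS is constructed from the prefs listed in this post.
const SAMPLE_USER_JS = `
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost.com:3000");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open", "allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");
`;

// Collect every string-valued user_pref("name", "value"); line.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) prefs.set(m[1], m[2]);
  return prefs;
}

// Policy names and site lists are space- or comma-separated.
const splitList = (v) => (v || "").split(/[\s,]+/).filter(Boolean);

// expectedOrigins (hypothetical parameter): the origins you intend to trust.
function auditPolicies(text, expectedOrigins) {
  const prefs = parsePrefs(text);
  const names = splitList(prefs.get("capability.policy.policynames"));
  // The built-in "default" policy needs no policynames entry and has no
  // sites list: whatever it grants applies to every site.
  const hasDefault = [...prefs.keys()].some((k) => k.startsWith("capability.policy.default."));
  if (hasDefault && !names.includes("default")) names.push("default");
  return names.map((name) => {
    const prefix = `capability.policy.${name}.`;
    const sites = splitList(prefs.get(prefix + "sites"));
    const grants = [...prefs.keys()]
      .filter((k) => k.startsWith(prefix) && prefs.get(k) === "allAccess")
      .map((k) => k.slice(prefix.length));
    const findings = [];
    if (name === "default") {
      if (grants.length) findings.push("allAccess granted to every site");
    } else if (!sites.length) findings.push("named policy has no sites entry");
    for (const s of sites) {
      let origin;
      try { origin = new URL(s).origin; } catch { findings.push(`unparseable site: ${s}`); continue; }
      if (!expectedOrigins.includes(origin)) findings.push(`unexpected origin: ${origin}`);
    }
    return { name, sites, grants, findings };
  });
}
```

Calling auditPolicies with the contents of your own user.js and the one development origin you meant to allow returns an empty findings list only when the policy is scoped to exactly that origin.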

This post originally started out due to the desire to develop Salesforce.com AJAX Toolkit based s-controls outside of their Ajax Tools IDE (yeah, their naming schemes leave something to be desired), which runs on their Force.com “no software” platform. Of course I ran into huge problems with Camino / Firefox and cross domain XMLHttpRequest scripting security issues. The result of which is this post on how to get around the cross site scripting issues and develop JavaScript based s-controls on your local machine, using your preferred IDE (go go TextMate).



12 thoughts on “How to fix Ajax Error: uncaught exception: Permission denied to call method XMLHttpRequest.open”

  3. Chris Mumford

    Thanks for the info. This works in Firefox 2.X and also in 3.0b5. However, when I upgraded to Firefox 3.0 RC1 it no longer works nor can I find a solution as of yet.

  4. Al Feersum

    Can’t get it to work in FF 2.0.0.14 – although prefs.js updated, can’t see the entries in about:config.

  5. Chris Mumford

    I just noticed this comment in the Firefox 3.0 release notes, “Support for Cross-Site XmlHttpRequest has been removed until the specification becomes more stable and the security model is improved (bug 424923)”.

  6. Erica Harris

    Thanks for this, it worked for me using Firefox 2. Will my users have to do the same to run my code from their browsers? I’m making the call from salesforce, at the moment in an scontrol, to push XML API requests to another hosted system’s server and get responses from it.

  7. Ben Lam

    Hi Erica,

    Your users, if using your Salesforce app under Firefox, would have to make the same change in their browser to avoid this security based error. It basically prevents malicious code from being executed from an innocent looking domain/website.

    See Mozilla’s notes on Firefox 3 and cross site scripting for more information on this later version.

    I’m not familiar enough with Internet Explorer’s latest versions to say if the same is true of them.

    Best of luck,

    Ben

  8. Erica Harris

    Many thanks, Ben, this has been a huge help to me. Thanks for the pointer to the Mozilla development site too.

  9. GG

    I have this permission denied issue in IE8 on a few of my customers’ PCs, but it works fine on most of my customers’ PCs.

    Does anyone have any idea?
