How to fix Ajax Error: uncaught exception: Permission denied to call method

By | January 29, 2008

Error: uncaught exception: Permission denied to call method FireFox/Mozilla browser fix / solution:

  • Go to address “about:config” in Firefox (i.e. type that in the address bar and hit Enter)
  • Search for “signed” in the filter bar
  • Double click the item “signed.applets.codebase_principal_support” to change its value to “true”
  • Create (or edit if already present) the “user.js” file found in the below directories. By default this file does not exist so create a new blank user.js file if you don’t find it in the following paths (as specified on
    • On Windows Vista/XP/2000, the path is usually %AppData%MozillaFirefoxProfilesxxxxxxxx.default, where xxxxxxxx is a random string of 8 characters. Just browse to C:Documents and Settings[User Name]Application DataMozillaFirefoxProfiles on Windows XP/2000 or C:users[User Name]AppDataRoamingMozillaFirefoxProfiles on Windows Vista, and the rest should be obvious.
    • On Windows 95/98/Me, the path is usually C:WINDOWSApplication DataMozillaFirefoxProfilesxxxxxxxx.default
    • On Linux, the path is usually ~/.mozilla/firefox/xxxxxxxx.default/
    • On Mac OS X, the path is usually ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/
  • Place the following lines within user.js:

    user_pref("", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "");
    user_pref("capability.policy.XMLHttpRequestToAnySite.CDATASection.nodeValue", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.attributes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.childNodes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.firstChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getAttribute", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.lastChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeType", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.parentNode", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.tagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nextSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.previousSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.length", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.item", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.attributes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.childNodes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.firstChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getAttribute", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.lastChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeType", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.parentNode", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.tagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nextSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.previousSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.documentElement", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.getElementsByTagName", "allAccess");
    user_pref("", "allAccess");
    user_pref("", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseText", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseXML", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.setRequestHeader", "allAccess");
    user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
  • Edit the line containing “” and replace that URI with whatever URI you are developing on (or publishing to). For me it happens to be Normally it would be just “localhost” for most people or localhost:3000 for Rails project developers.
  • Save the user.js file
  • Exit out of Firefox or other Mozilla based browser. If on Mac OS X, fully quit Firefox by hitting Cmd+Q, don’t just close the current browser window (which leaves Firefox still running in the background).
  • Launch FireFox again.
  • Exit out of Firefox again. The config file that Firefox actually uses to control the browser is called “prefs.js”, not “user.js”. user.js is the file that we, the end user, are supposed to make changes to, which are then copied over to prefs.js when Firefox is loaded. For whatever reason, the prefs.js file will not be updated with the contents of user.js until you exit Firefox, launch it, exit again (at which point prefs.js will be updated), then launch Firefox once more and your changes are ready for use.

After the above steps are completed, you should be able to make XMLHttpRequest calls cross-site / cross-domain with your AJAX code without Firefox/Mozilla security getting in the way.

The bevy of user_pref settings above creates a new site security policy that allows the listed XML HTTP Request commands to be performed from “” to any address. Normally, Firefox will only allow XMLHTTP Request calls within the same domain. For example if you were on domain, Firefox would not allow the website to make XMLHTTPRequest calls to since this was a major exploit that crackers would use to hide their evildoings in the background of apparently benign sites.

In general the security policy that Firefox has setup by default is a good idea. Setting up a new security policy as we have done above is generally safe as it only allows the site “” to make cross-site/cross-domain XMLHTTPRequest calls of any sort listed. Any other domain would not be allowed to use this site policy.

This post originally started out due to the desire to develop AJAX Toolkit based s-controls outside of their Ajax Tools IDE (yeah, their naming schemes leave something to be desired), which runs on their “no software” platform.  Of course I ran into huge problems with Camino / Firefox and cross domain XMLHTTPRequest scripting security issues.  The result of which is this post on how to get around the cross site scripting issues and develop javascript based s-controls on your local machine, using your preferred IDE (go go Textmate).

Related Articles:

12 thoughts on “How to fix Ajax Error: uncaught exception: Permission denied to call method

  1. Pingback: XMLHttpRequest permission denied fix - Ajax Toolkit « Mac OS X Leopard & Tiger Dual Boot

  2. Pingback: » Blog Archive » uncaught exception: Permission denied to call method

  3. Chris Mumford

    Thanks for the info. This works in Firefox 2.X and also in 3.0b5. However, when I upgraded to Firefox 3.0 RC1 it no longer works nor can I find a solution as of yet.

  4. Al Feersum

    Can’t get it to work in FF – although prefs.js updated, can’t see the entries in about:config.

  5. Chris Mumford

    I just noticed this comment in the Firefox 3.0 release notes, “Support for Cross-Site XmlHttpRequest has been removed until the specification becomes more stable and the security model is improved (bug 424923)”.

  6. Erica Harris

    Thanks for this, it worked for me using Firefox 2. Will my users have to do the same to run my code from their browsers? I’m making the call from salesforce, at the moment in an scontrol, to push XML API requests to another hosted system’s server and get responses from it.

  7. Ben Lam

    Hi Erica,

    Your users, if using your Salesforce app under Firefox, would have to make the same change in their browser to avoid this security based error. It basically prevents malicious code from being executed from an innocent looking domain/website.

    See Mozilla’s notes on Firefox 3 and cross site scripting for more information on this later version.

    I’m not familiar enough with Internet Explorer’s latest versions to say if the same is true of them.

    Best of luck,


  8. Erica Harris

    Many thanks, Ben, this has been a huge help to me. Thanks for the pointer to the Mozilla development site too.

  9. GG

    I have this permission denied issue for IE8 on my few customers’ PC, but works fine on most of my customers’ PC.

    Anyone has any idea?


Leave a Reply

Your email address will not be published. Required fields are marked *