How to fix Ajax Error: uncaught exception: Permission denied to call method

Error: uncaught exception: Permission denied to call method FireFox/Mozilla browser fix / solution:

  • Go to address “about:config” in Firefox (i.e. type that in the address bar and hit Enter)
  • Search for “signed” in the filter bar
  • Double click the item “signed.applets.codebase_principal_support” to change its value to “true”
  • Create (or edit if already present) the “user.js” file found in the below directories. By default this file does not exist so create a new blank user.js file if you don’t find it in the following paths (as specified on
    • On Windows Vista/XP/2000, the path is usually %AppData%MozillaFirefoxProfilesxxxxxxxx.default, where xxxxxxxx is a random string of 8 characters. Just browse to C:Documents and Settings[User Name]Application DataMozillaFirefoxProfiles on Windows XP/2000 or C:users[User Name]AppDataRoamingMozillaFirefoxProfiles on Windows Vista, and the rest should be obvious.
    • On Windows 95/98/Me, the path is usually C:WINDOWSApplication DataMozillaFirefoxProfilesxxxxxxxx.default
    • On Linux, the path is usually ~/.mozilla/firefox/xxxxxxxx.default/
    • On Mac OS X, the path is usually ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/
  • Place the following lines within user.js:

    user_pref("", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "");
    user_pref("capability.policy.XMLHttpRequestToAnySite.CDATASection.nodeValue", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.attributes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.childNodes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.firstChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getAttribute", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.lastChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nodeType", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.parentNode", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.tagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.nextSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Element.previousSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.length", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.HTMLCollection.item", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.attributes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.childNodes", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.firstChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getAttribute", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.getElementsByTagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.lastChild", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nodeType", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.parentNode", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.tagName", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.nextSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.Text.previousSibling", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.documentElement", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLDocument.getElementsByTagName", "allAccess");
    user_pref("", "allAccess");
    user_pref("", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseText", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.responseXML", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.send", "allAccess");
    user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.setRequestHeader", "allAccess");
    user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
  • Edit the line containing “” and replace that URI with whatever URI you are developing on (or publishing to). For me it happens to be Normally it would be just “localhost” for most people or localhost:3000 for Rails project developers.
  • Save the user.js file
  • Exit out of Firefox or other Mozilla based browser. If on Mac OS X, fully quit Firefox by hitting Cmd+Q, don’t just close the current browser window (which leaves Firefox still running in the background).
  • Launch FireFox again.
  • Exit out of Firefox again. The config file that Firefox actually uses to control the browser is called “prefs.js”, not “user.js”. user.js is the file that we, the end user, are supposed to make changes to, which are then copied over to prefs.js when Firefox is loaded. For whatever reason, the prefs.js file will not be updated with the contents of user.js until you exit Firefox, launch it, exit again (at which point prefs.js will be updated), then launch Firefox once more and your changes are ready for use.

After the above steps are completed, you should be able to make XMLHttpRequest calls cross-site / cross-domain with your AJAX code without Firefox/Mozilla security getting in the way.

The bevy of user_pref settings above creates a new site security policy that allows the listed XML HTTP Request commands to be performed from “” to any address. Normally, Firefox will only allow XMLHTTP Request calls within the same domain. For example if you were on domain, Firefox would not allow the website to make XMLHTTPRequest calls to since this was a major exploit that crackers would use to hide their evildoings in the background of apparently benign sites.

In general the security policy that Firefox has setup by default is a good idea. Setting up a new security policy as we have done above is generally safe as it only allows the site “” to make cross-site/cross-domain XMLHTTPRequest calls of any sort listed. Any other domain would not be allowed to use this site policy.

This post originally started out due to the desire to develop AJAX Toolkit based s-controls outside of their Ajax Tools IDE (yeah, their naming schemes leave something to be desired), which runs on their “no software” platform.ย  Of course I ran into huge problems with Camino / Firefox and cross domain XMLHTTPRequest scripting security issues.ย  The result of which is this post on how to get around the cross site scripting issues and develop javascript based s-controls on your local machine, using your preferred IDE (go go Textmate).


12 responses to “How to fix Ajax Error: uncaught exception: Permission denied to call method”

  1. […] January 21, 2008 at 11:56 pm (fixes, instructions) (Mozilla Hidden preferences, permission denied, XMLHttpRequest) Update: This post has been superseded by How to Fix Ajax Error: permission denied to call method […]

  2. […] Latest browser will not allow to do this job. If it is a cross domain issue then the only solution are change the configurations of your Mozilla/Firefox or avoid the approach you are going on and […]

  3. Chris Mumford Avatar

    Thanks for the info. This works in Firefox 2.X and also in 3.0b5. However, when I upgraded to Firefox 3.0 RC1 it no longer works nor can I find a solution as of yet.

  4. Al Feersum Avatar
    Al Feersum

    Can’t get it to work in FF – although prefs.js updated, can’t see the entries in about:config.

  5. Chris Mumford Avatar
    Chris Mumford

    I just noticed this comment in the Firefox 3.0 release notes, “Support for Cross-Site XmlHttpRequest has been removed until the specification becomes more stable and the security model is improved (bug 424923)”.

  6. Erica Harris Avatar
    Erica Harris

    Thanks for this, it worked for me using Firefox 2. Will my users have to do the same to run my code from their browsers? I’m making the call from salesforce, at the moment in an scontrol, to push XML API requests to another hosted system’s server and get responses from it.

  7. Ben Lam Avatar
    Ben Lam

    Hi Erica,

    Your users, if using your Salesforce app under Firefox, would have to make the same change in their browser to avoid this security based error. It basically prevents malicious code from being executed from an innocent looking domain/website.

    See Mozilla’s notes on Firefox 3 and cross site scripting for more information on this later version.

    I’m not familiar enough with Internet Explorer’s latest versions to say if the same is true of them.

    Best of luck,


  8. Erica Harris Avatar
    Erica Harris

    Many thanks, Ben, this has been a huge help to me. Thanks for the pointer to the Mozilla development site too.

  9. Jesse Hu Avatar
    Jesse Hu

    Works for me on Firefox 3/2 . Thanks a lot.

  10. Mansi Purohit Avatar
    Mansi Purohit

    Error: uncaught exception: Permission denied to call method

    This error might be comming because of tag you use in your html header. tag does not support certain events like onload, onunload
    remove this tag from your html and your jscript will run properly


    if this solution helps you plz reply on: [email protected]


  11. Punit Pandey Avatar

    Didn’t work for me in Firefox 3.6.2. Any other pointers?

  12. GG Avatar

    I have this permission denied issue for IE8 on my few customers’ PC, but works fine on most of my customers’ PC.

    Anyone has any idea?

Leave a Reply

Your email address will not be published. Required fields are marked *