Changes


Cross Site XMLHttpRequest

752 bytes added, 01:59, 24 January 2007
no edit summary
Unfortunately, the Gecko architecture forces us to create a document before we create an nsExpatDriver. In fact, I'm not sure there is a way to even know that an nsExpatDriver will be created other than by calling [http://lxr.mozilla.org/mozilla/source/content/base/public/nsIDocument.h#148 StartDocumentLoad] on the document. We could possibly set up a dummy document until we get word from the nsExpatDriver that the access checks were successful and, if they are, set up a real document and restart the load.
 
If we set up a dummy document it might be possible to do all this inside the nsIRequestObserver wrapper if we expand it into an nsIStreamListener.
=== Issues ===
* Should we try to follow these specs even when accessing files on the same domain? From the site's point of view they can't rely on that anyway, since not all browsers support the access-control spec (and old versions never will).
<references/>
* What are the security implications of setting up the "real" document before knowing if access checks will succeed or not? We could easily make sure the page doesn't get access to the document, but there might be other worries.
* We have to make sure not to notify the onreadystatechange listener or any other listeners until we've done all access control checks. Otherwise it would be possible to check for the availability of files on other servers, though you couldn't actually read the content.
* We have to make sure not to put data in .responseText until we've passed access control checks, even for XML files.
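The last two issues above, modelled as an added example (not Gecko code and not part of the original page): a listener wrapper that queues every stream event until the access check resolves, so a denied load and a missing file look identical to the page. All class, method and callback names are hypothetical; it assumes the decision arrives after the first data chunk and that a load ending with no decision counts as denied.

```javascript
// Added illustration; GatedListener and its callbacks are hypothetical names,
// not Gecko interfaces.
class GatedListener {
  constructor(inner) {
    this.inner = inner;   // page-facing callbacks (readyState, responseText, error)
    this.decision = null; // null = pending, true = allowed, false = denied
    this.queue = [];      // events withheld while the decision is pending
  }
  onStart() { this.handle(["start"]); }
  onData(chunk) { this.handle(["data", chunk]); }
  onStop() {
    // Assumption: a load that ends before any decision is treated as denied.
    if (this.decision === null) this.resolveAccess(false);
    else this.handle(["stop"]);
  }
  handle(event) {
    if (this.decision === true) this.deliver(event);
    else if (this.decision === null) this.queue.push(event);
    // denied: drop the event; the page already received one generic error
  }
  deliver([kind, chunk]) {
    if (kind === "start") this.inner.readyState(2);
    if (kind === "data") { this.inner.append(chunk); this.inner.readyState(3); }
    if (kind === "stop") this.inner.readyState(4);
  }
  // Called once by whatever performs the access check (the parser, in the notes above).
  resolveAccess(allowed) {
    if (this.decision !== null) return;
    this.decision = allowed;
    const held = this.queue.splice(0); // empty the queue in either case
    if (allowed) held.forEach((e) => this.deliver(e));
    else this.inner.error(); // same signal the page gets for a failed load
  }
}
// Drive the wrapper with a constructed load and record what the page can observe.
function pageView(chunks, allowed) {
  const seen = { states: [], responseText: "", errors: 0 };
  const gate = new GatedListener({
    readyState: (n) => seen.states.push(n),
    append: (c) => { seen.responseText += c; },
    error: () => { seen.errors += 1; },
  });
  gate.onStart();
  chunks.forEach((c, i) => {
    gate.onData(c);
    if (i === 0) gate.resolveAccess(allowed); // decision known after first chunk
  });
  gate.onStop();
  return seen;
}
```

Comparing `pageView([], null)` (no data ever arrives) with `pageView(["<secret/>"], false)` (data arrives, access denied) gives identical records, which is the property that closes the file-availability probe.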