XMLHttpRequest Permission Denied Error

Update: I'm now using xmlDocument instead of the div since the div does not support XSL transforms. You can find the new code with sample usage at the end at xmlreq.js

When I upgraded Firefox (I don't remember which version), the call I was using to XMLHttpRequest stopped working. I would get a "Permission denied to call method XMLDocument.getElementsByTagName" error when accessing the XML document. Yet, it worked in IE. The problem might be that I'm using a synchronous call instead of an asynchronous call. I have to use a syncronous call because the call is made from the onsubmit event handler. I have to wait for an answser so that I can continue checking the form or return a false to stop the submit. Or maybe it's that the javascript file is in a different directory. All I know is that is stopped working.

A few days ago I looked at the problem. I don't remember where I got the code I had modified to use a synchronous call. Here is the code I was using.

function loadXMLDoc(url) {
	var req = null;
	
	// branch for native XMLHttpRequest object
	if(window.XMLHttpRequest) {
		try {
			req = new XMLHttpRequest();
		} catch(e) {
			req = null;
		}
	// branch for IE/Windows ActiveX version
	} else if(window.ActiveXObject) {
		try {
			req = new ActiveXObject("Msxml2.XMLHTTP");
		} catch(e) {
			try {
				req = new ActiveXObject("Microsoft.XMLHTTP");
			} catch(e) {
				req = null;
			}
		}
	}
	if(req) {
		req.open("GET", url, false);
		req.send(null);
	}
	
	return req.responseXML;
}

I added an alert after the send and noticed that the status was a 200 which means that the data was retrieved. I then added an alert to see if I could access responseText. I was able to see responseText but not access responseXML. Thinking about this I realized that responseXML is just a DOM. Using that information I created a div, added responseText to the innerHTML of the div and returned the div if the browser was not using the ActiveX version of XMLHttpRequest which is working. I was surprised to see that it worked! Here's what I came up with.

function xloadXMLDoc(url) {
	var req = null;
	var bActiveX = false;
	
	// branch for native XMLHttpRequest object
	if(window.XMLHttpRequest) {
		try {
			req = new XMLHttpRequest();
		} catch(e) {
			req = null;
		}
	// branch for IE/Windows ActiveX version
	} else if(window.ActiveXObject) {
		bActiveX = true;
		try {
			req = new ActiveXObject("Msxml2.XMLHTTP");
		} catch(e) {
			try {
				req = new ActiveXObject("Microsoft.XMLHTTP");
			} catch(e) {
				req = null;
			}
		}
	}
	if(req) {
		req.open("GET", url, false);
		req.send(null);
	}
	
	if(bActiveX)
		return req.responseXML;

	// This is to catch IE 7, which supports the XMLHttpRequest object.
	try {
		if(typeof req.responseXML.firstChild != "undefined"){
			return req.responseXML;
		}
	}catch(e){
		// Done really need to catch the error.
	}

	// Because Firefox doesn't work with responseXML, create a div
	// and put responseText in the innerHTML. This does not work with
	// IE 7.
	var doc = document.createElement("div");
	doc.innerHTML = req.responseText;
	return doc;
}

I generally don't like hacks like this because eventually they will stop working. But for now, I need to access the data and I'm going to use this hack to make it work. If you use this hack, be aware that it may stop working in the future.

Update 20 Oct 2006: Turns out IE 7 supports the XMLHttpRequest object but didn't like the returned div. So I added code which I should've done in the first place to see if firstChild can be accessed. If firstChild can be accessed then return responseXML.

10 Comments

Gravatar Image1. Posted at 1/2/2007 7:24:30 AM by Tobias

Have you verified that the response is sent with MIME type 'text/xml'? This is required before the responseXML property will be available in most browsers.

See also: { Link }

Gravatar Image2. Posted at 1/2/2007 2:33:48 PM by Tanny O'Haley

Hi Tobias,

I just checked and under Page Info in Firefox the type is text/xml. The program sets content-type: text/xml, I wonder if it needs to do more?

Gravatar Image3. Posted at 3/7/2007 1:35:23 AM by poot

First of all, status 200 does not mean that you actually got any data, I think it's just that http request succeeded but content is not guaranteed.

To get your fox behaving properly try adding these lines inside the function you make the xmlhttp request:

try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead")

} catch (e) {

alert("Permission UniversalBrowserRead denied.")

}

That should fix the problem.

Gravatar Image4. Posted at 6/21/2007 1:01:51 AM by Artiz

You can try to load received .responseText to new XML document - for Firefox it can be implemented as:

var doc = (new DOMParser()).parseFromString( req.responseTex, "text/xml");

Gravatar Image5. Posted at 9/2/2007 9:40:50 PM by hackit

Thanks a lot. I had the exact same problem and your hack got me going. Wish I knew what the root problem is though.

Gravatar Image6. Posted at 9/6/2007 10:24:02 AM by Tanny O'Haley

I'm now using xmlDocument instead of the div since the div does not support XSL transforms. You can find the new code with sample usage at the end.

xmlreq.js

Gravatar Image7. Posted at 9/12/2007 3:37:37 PM by FranciscoCampos.com

This was a boost to the solution of my problem.

var doc = (new DOMParser()).parseFromString( req.responseTex, "text/xml");

I will post my javascript and ASP code:

var oXMLHTTP;

function GetHtmlFromRequest(oXMLHTTP)

{

var result;

var textHtml;

var mXML;

if (oXMLHTTP.responseXML)

{

result = oXMLHTTP.responseXML;

mXML = result.getElementsByTagName("xmlresult");

textHtml = mXML.item(0).text

}

else

{

result = (new DOMParser()).parseFromString( oXMLHTTP.responseText, "text/xml");

mXML = result.getElementsByTagName("xmlresult");

textHtml = mXML.item(0).childNodes[1].childNodes[0].nodeValue;

}

return textHtml;

}

function newXmlHttpRequest()

{

var req = false;

if(window.ActiveXObject)

{

try { req = new ActiveXObject("Microsoft.XMLHTTP");

} catch(e) {

try { req = new ActiveXObject("MSXML2.XMLHTTP.3.0");

} catch(e) { req = false; }

}

}

else if(window.XMLHttpRequest) {

try { req = new XMLHttpRequest();

} catch(e) { req = false; }

}

if(req.overrideMimeType)

{

req.overrideMimeType("text/plain; charset=ISO-8859-1");

}

return req;

}

function validateMenuCountry(id)

{

PleaseWait(1);

oXMLHTTP = newXmlHttpRequest();

var sURL = serverActual + "src/validateMenuCountry.asp?id=" + id

oXMLHTTP.open( "GET", sURL, false);

oXMLHTTP.setRequestHeader("Content-Type","text/xml");

oXMLHTTP.send(false);

var textHtml = GetHtmlFromRequest(oXMLHTTP);

document.getElementById("divMain").innerHTML = textHtml;

PleaseWait(0);

}

function PleaseWait(state)

{

if (state == 1)

{

document.body.style.cursor="wait";

// document.getElementById("pleasewait").innerHTML = "Please wait...";

}

else

{

document.body.style.cursor="default";

// document.getElementById("pleasewait").innerHTML = "";

}

}

function validateMenuCountry(id)

{

PleaseWait(1);

oXMLHTTP = newXmlHttpRequest();

var sURL = serverActual + "src/validateMenuCountry.asp?id=" + id

oXMLHTTP.open( "GET", sURL, false);

oXMLHTTP.setRequestHeader("Content-Type","text/xml");

oXMLHTTP.send(false);

var textHtml = GetHtmlFromRequest(oXMLHTTP);

document.getElementById("divMain").innerHTML = textHtml;

PleaseWait(0);

}

----------------------------

NOW VBSCRIPT / ASP

----------------------------

<%@ Language=VBScript %>

<%

response.ContentType = "text/xml"

wrt "<?xml version=""1.0"" encoding=""iso-8859-1"" ?>" & chr(10)

wrt "<xmlresult>" & chr(10)

wrt "<htmltext>" & chr(10)

Dim htmltext

'Construct your HTML here

htmltext = htmltext & "<table.... "

htmltext = htmltext & "... and so on"

'end of the page

htmltext = Html2XML(htmltext)

wrt htmltext

wrt "</htmltext>" & chr(10)

wrt "</xmlresult>" & chr(10)

function Html2XML(htmltext)

htmltext = Replace(htmltext,"&", "&")

htmltext = Replace(htmltext,"""", """)

htmltext = Replace(htmltext,"'", "'")

htmltext = Replace(htmltext,"<", "<")

htmltext = Replace(htmltext,">", ">")

Html2XML = htmltext

end function

------------------------------------------

Include your javascript / ASP functions in external files for reusing them.

If you have any questions, message me at franciscoantoniocampos@gmail.com

And check this working at the site { Link }

FranciscoCampos.com

Gravatar Image8. Posted at 2/13/2008 2:52:21 PM by Rohan

I tried following thing

try {

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead")

} catch (e) {

alert("Permission UniversalBrowserRead denied.")

}

It worker for me but every time it shows me popUp to allow access to the site... stating that i am accesing unsafe stuff ....

How do i avoid this popUp..... Please provide your help

Gravatar Image9. Posted at 8/15/2008 11:50:55 AM by Acai Berry Weight Loss

Thanks for this info. I'm stuck right now where

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead")

works in FF, but in IE 7 I receive the

alert("Permission UniversalBrowserRead denied.")

instead. Trying to find a fix for that at this point. Thanks for the helpful dialog in the meantime.

Gravatar Image10. Posted at 9/11/2008 3:47:18 PM by Tanny O'Haley

I couldn't get the enablePrivilege line to work until I went into about:config and modified:

signed.applets.codebase_principal_support

I changed its value from false to true. Once I did that, I get a dialog box asking:

A script from {url} is requesting enhanced abilities that are UNSAFE and could be used to compromise your machine or data:

Read private data from any site or window

Allow these abilities only if you trust this source to be free of viruses or malicious programs.

With an Allow and Deny button. I click Allow and my code works. I don't think this is a very good solution for a user web application, but for development it works.

I don't have access to the data and can't access the resource from a proxy to get rid of the cross domain error, because it requires IIS integrated authentication and I'd have to pass the user's ID and password (which I don't have).

If I did have access to the data I could user a server side page in my domain to get the data.

If the data provider is willing, I've found if they will return the data in JSON format with a mime type of text/javascript and call your callback function with the data, you can use DOM methods to dynamically add a script element to your page. I've done this at work and it is a great solution and even works in older browsers.

Add a comment

Discussion for this entry is now closed.