I am trying to make an XMLHttpRequest which violates the default "same-
origin"policy in Firefox. I checked the archives and found a method
that should work but it does not. Below is the test code I isolated. I
set signed.applets.codebase_principal_support true and seemed to get
the UniversalBrowserRead permission but then the open still failed
with the same old "Permission denied to call method
XMLHttpRequest.open" error. Can someone tell me what I did wrong?
Thanks, Charlie Crowley

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- I added the line
user_pref("signed.applets.codebase_principal_suppo rt", true);
to my "Prefs.js" file and it shows up as true in "about:config" when
I check -->
<script>

netscape.security.PrivilegeManager.enablePrivilege ("UniversalBrowserRead");
console.log("Got UniversalBrowserRead permission, about to call
req.open()");
var req = new XMLHttpRequest();
req.open("GET", "http://s3.amazonaws.com/", false);
console.log("req.open() did not fail");
</script>
</head>
<body></body>
</html>

I looked into this further on the Firefox boards and found a solution.
As far as I know it only works on Firefox. You need to establish a
security policy that allows XMLHttpRequest.open to any site. This web
site is useful: http://kb.mozillazine.org/Security_Policies

The solution is to add these three lines to to the "user.js"
preferences file. Actually on my Mac it is called the "prefs.js". Here
are the lines to add:

user_pref("capability.policy.XMLHttpRequestToAnySi te.XMLHttpRequest.open",
"allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySi te.sites", "http://
localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");

This names a policy, XMLHttpRequestToAnySite, you can use any name
that doesn't conflict with another one already defined. You give the
list of sites where this policy applies. that is, sites where the HTML
file that loads the JavaScript that wants to do the XMLHttpRequest
comes from. And the allAccess means that you can open any web site.

The Firefox site gives information on editing the "user.js" (or
"prefs.js") files. See http://www.mozilla.org/support/firefox/edit.

--Charlie Crowley

On Mar 16, 2:09 pm, "Charlie" <cpcrow...@gmail.comwrote:

Quote:

I am trying to make an XMLHttpRequest which violates the default "same-
origin"policy in Firefox. I checked the archives and found a method
that should work but it does not. Below is the test code I isolated. I
set signed.applets.codebase_principal_support true and seemed to get
the UniversalBrowserRead permission but then the open still failed
with the same old "Permission denied to call method
XMLHttpRequest.open" error. Can someone tell me what I did wrong?
Thanks, Charlie Crowley
>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- I added the line
user_pref("signed.applets.codebase_principal_suppo rt", true);
to my "Prefs.js" file and it shows up as true in "about:config" when
I check -->
<script>
>
netscape.security.PrivilegeManager.enablePrivilege ("UniversalBrowserRead");
console.log("Got UniversalBrowserRead permission, about to call
req.open()");
var req = new XMLHttpRequest();
req.open("GET", "http://s3.amazonaws.com/", false);
console.log("req.open() did not fail");
</script>
</head>
<body></body>
</html>