I'm trying to use jQuery Form Plugin to handle file uploads in an ajax form.
Everything works as long as I don't have an input[type=file] in the form.
When I add a file input type to the form, it will upload the file and work as it is supposed to in FireFox, but I get this error in Chrome:
Unsafe JavaScript attempt to access
frame with URL
http://swbdev.net:8888/inc/ajax/edit_page/
from frame with URL
http://swbdev.net:8888/site-pages-edit/19d8bb79c95e164f736f324d1b09a33e/1/#add_elements.
Domains, protocols and ports must
match.
It clearly states the Domain, protocols and ports must match. Am I missing something, in that same error it shows the two URLs and the domain, protocol and port all match?
Here is the JavaScript calling the plugin:
<script type="text/javascript">
$(document).ready(function() {
var options = {
success: function(data) {
alert(data);
},
dataType: 'html',
url: '/inc/ajax/edit_page/'
};
$('#add_elements_form').ajaxForm(options);
});
</script>
MORE INFO:
It's now failing in FireFox as well, not sure why it worked earlier, but here is the error in FireFox:
Permission denied for
http://swbdev.net:8888 to get
property Location.href
It points to this area of code in the plugin:
function cb() {
if (xhr.aborted) {
return;
}
var doc = io.contentWindow ? io.contentWindow.document : io.contentDocument ? io.contentDocument : io.document;
if (!doc || doc.location.href == s.iframeSrc) {
// response not received yet
if (!timedOut) return;
}
io.detachEvent ? io.detachEvent('onload', cb) : io.removeEventListener('load', cb, false);
var ok = true;
Specifically, this line:
if (!doc || doc.location.href == s.iframeSrc
I recently ran into the same issue with jquery file upload. Error was same as David B had
"Unsafe JavaScript attempt to access frame with URL http://swbdev.net:8888/inc/ajax/edit_page/ from frame with URL http://swbdev.net:8888/site-pages-edit/19d8bb79c95e164f736f324d1b09a33e/1/#add_elements. Domains, protocols and ports must match."
In my case both calling page url and file-upload url were pointed to xxx.mydomain.com, but when the calling page was loaded, one javascript was setting document.domain to mydomain.com and was causing the error. Checking for document.domain after the calling page was loaded, revealed the issue and fixed by removing the document.domain line in javascript for xxx.mydomain.com
Definitely weird. I would try setting the whole thing to "POST" since the input[type=file] will require that. Of course it should work even mixed, but give this a try.
$(document).ready(function() {
var options = {
success: function(data) {
alert(data);
},
dataType: 'html',
type: 'POST', // <-- This was added
url: '/inc/ajax/edit_page/'
};
$('#add_elements_form').ajaxForm(options);
});
Related
We are loading yammer embedded feed on our page using an Open Graph snippet. We are attempting to load it on the window.onload event. Intermittently it seems to be throwing an HTTP 404. These are examples:
"HTTP404: NOT FOUND - The server has not found anything matching the
requested URI (Uniform Resource Identifier). POST -
https://www.yammer.com/office365 "
"HTTP404: NOT FOUND - The server has not found anything matching the requested URI (Uniform Resource Identifier). (XHR)GET - https://www.yammer.com/api/v1/open_graph_objects?url=myurl&properties%5Burl%5D=myurl&properties%5Btitle%5D=mytitle&properties%5Btype%5D=page&properties%5Bimage%5D=&properties%5Bdescription%5D=&properties%5Bsite_name%5D=&properties%5Bfetch%5D=true&properties%5Bignore_canonical_url%5D=false&properties%5Bprivate%5D=true&private=false&_=1556012959748 "
This is the snippet that we are using:
var attach = function () {
var yammerGroupId = "";
if (window.location.href.indexOf('mydomain.sharepoint.com') > 0) {
yammerGroupId = 0000000;
}
else {
yammerGroupId = 0000000;
}
myDescription = "";
yam.connect.embedFeed({
container: "#embedded-feed",
feedType: "open-graph",
config: {
use_sso: true,
header: false,
footer: false,
showOpenGraphPreview: false,
defaultToCanonical: false,
hideNetworkName: false,
defaultGroupId: yammerGroupId,
promptText: "Comment on this page..."
},
objectProperties: {
type: "page",
url:window.location.href,
fetch: true,
title:document.title,
private: true,
ignore_canonical_url: false,
description: ""
}
});
}
if (window.addEventListener) {
window.addEventListener('load', attach, false)
} else if (window.attachEvent) {
window.attachEvent('onload', attach)
}
Please note that the Window onload is getting fired as expected. It works fine 7/10 times, but gives 404 error intermittently on Edge, IE, and Chrome.
It's expected that you get a 404 from /api/v1/open_graph_objects per the documentation when the URL passed as a parameter isn't an Open Graph Object (OGO) in the Yammer network. Check the URL parameter is actually valid.
For example, you set url: myUrl, but you are probably best to set this directly with "url": "window.location.href" since the value doesn't seem to be set right from your code. Use the configuration tool to work out better JavaScript to use since your code looks invalid.
My question regards the Apps CSP https://developer.mozilla.org/en-US/Apps/CSP
Here it says that all the remote script, inline script, javascript URIs, and other security issues won't work on a Firefox OS app.
So, I tried to download a script that is necessary for my app (Flurry and Ad service) and neither would work on the device. The way I made the call was with AJAX, that way I would avoid the remote and inline scripting that both scripts ment. In the simulator works perfectly, but on the device the ads never show and the Flurry session never starts.
Here is the part of my code where I make the AJAX call for Flurry:
$.ajax({
url: 'https://cdn.flurry.com/js/flurry.js',
dataType: "script",
xhrFields: {
mozSystem: true
},
success: function(msg){
console && console.log("Script de Flurry: luego de la descarga en AJAX "+msg);
flurryLibrary = true;
FlurryAgent.startSession("7ZFX9Z4CVT66KJBVP7CF");
},
error:function(object,status,errortxt){
console && console.log("The script wasn't downloaded as text. The error:" +errortxt);
flurryLibrary = false;
},
always: function(object,status,errortxt){
console && console.log("The script may or may not be downloaded or executed. The error could be:" +errortxt);
}
});
In my app I use the systemXHR permission and make the calls for other websites using this line:
request = new XMLHttpRequest({ mozSystem: true });
Wich is the same as using the xhrFields{mozSystem:true} in the AJAX call.
I believe it's not a cross domain problem because in the rest of my app I make calls for xml files that are not in my domain, and the calls are returned succesfully.
So, my question is, can a Firefox OS app execute scripts that are downloaded via AJAX? Is there a way to get around this problem?
Thank you for your time.
PS: I forgot to add that my app is privileged, just in case you ask
I believe that is a security feature and the short answer to your question would be NO. To quote the CSP doc that you linked to yourself:
You cannot point a at a remote JavaScript file. This means that all JS files that you reference must be included in your app's package.
If you load a JS file using ajax from a remote server, that JS is not included in your app package. You should be careful to obey CSP restrictions. It is possible to get many things working in the simulator or even the phone while developing without fully complying to CSP, but that does not mean it is OK. When you submit your app in future to any credible marketplace (such as Firefox Marketplace), it will be reviewed carefully to make sure it does not violate CSP restrictions. As a general rule of thumb, I would say any attempt at dynamically evaluating JS code will be a security risk and most likely banned by CSP regulations.
First, I'll point out that your two examples are not equivalent.
$.ajax({
xhrFields: {
mozSystem: true
},
});
Is the same as
request = new XMLHttpRequest();
request.mozSystem = true;
which is not the same as
request = new XMLHttpRequest({ mozSystem: true });
Instead, we can follow the advice in the linked bug report and run the following at application load time:
$.ajaxSetup( {
xhr: function() {
return new window.XMLHttpRequest( {
mozSystem: true
} );
}
} );
This alone should fix your problem. However, if it doesn't work, then the next workaround here is to fetch the script resource as plain text and then load that text content as a script.
However, inline scripts and data: URLs are off-limits for privileged Firefox OS apps. We might still accomplish this goal through a blob: URL, however:
window.URL = window.URL || window.webkitURL;
var request = new XMLHttpRequest({ mozSystem: true });
request.open("GET", "https://cdn.flurry.com/js/flurry.js");
// when the Ajax request resolves, load content into a <script> tag
request.addEventListener("load", function() {
// make a new blob whose content is the script
var blob = new Blob([request.textContent], {type: 'text/javascript'});
var script = document.createElement('script');
script.src = window.URL.createObjectURL(blob);
// after the script finishes, do something else
script.addEventListener("load", function() {
flurryLibrary = true;
FlurryAgent.startSession("7ZFX9Z4CVT66KJBVP7CF");
});
document.body.appendChild(script);
});
However, if the script itself does something not allowed by the CSP, then you're definitely out of luck.
You must use mozSystem and mozAnon properties, example:
var xMLHttpRequest = new XMLHttpRequest({
mozAnon: true,
mozSystem: true
});
Its a shame this is a problem, I was hoping on getting loadScript working, as firefoxOS is an environment, and in my app all the application code is HTML5 and local, the current rule is all the scripts need to be loaded in memory in one shot, unless you url load a full page, which means you can not have a persisten wrapper around the site, and ajax inthe pages with assosiated scripts when needed. you would have thought that firefox would have enabled local lazy load for scripts at least. works in chrome, but not in firefox.
I am developing a website which loads html from a template page then loads content from XML. for instance these are called in the document.ready function
$.ajax({
type : "GET",
url : "template.html",
dataType : "html",
success : function(html) {
var ndoc = document.createElement('html');
ndoc.innerHTML = html;
page = $('body', ndoc);
$('body').html(page.html());
$.ajax({
type : "GET",
url : "XML/content.xml",
dataType : "xml",
success : function(xml) {
page = $(xml).find('chisiamo').find('dialogue')[0];
setupPage(page);
}
});
}
});
This works well in Firefox and Safari. But in Chrome i get a 'Origin null is not allowed by Access-Control-Allow-Origin' when it tries to load template.html. How can I solve this problem? thank you very much.
Try to start Google Chrome with this arguments :
google-chrome --disable-web-security --allow-file-access-from-files
You should be able to create a Chrome Web App and set the permissions in the manifest to allow it access to read files from the file:// scheme.
http://code.google.com/chrome/extensions/manifest.html
You have to add permissions to the page you are requesting in the manifest. Also try using $.getJSON instead ;)
I have an iframe using the jQuery 1.4.2 script. The same iframe is injected into both http and https sites. The jQuery script is included in the main HTML file as a relative path (e.g., /scripts/jquery-1.4.2.min.js).
When an AJAX call is made, Internet Explorer denies access. The AJAX is calling on another subdomain, but it's using the right protocol. All other browsers work but Internet Explorer gives the following error:
SCRIPT5: Access is denied.
jquery-1.4.2.min.js, line 127 character 344
I heard this error is from cross-domain AJAX calls. But why is IE the only one giving me crap? Is there an IE solution?
Also, this is my AJAX:
$.ajax({
url: thisURL,
dataType: "json",
data: {cmd : 'getMessage', uurl: urlVar, t: Math.random()},
success: function(ret){
callback(ret)
}
});
IE requires you to use XDomainRequest instead of XHR for cross site, you can try something like...
if ($.browser.msie && window.XDomainRequest) {
// Use Microsoft XDR
var xdr = new XDomainRequest();
xdr.open("get", url);
xdr.onload = function() {
// XDomainRequest doesn't provide responseXml, so if you need it:
var dom = new ActiveXObject("Microsoft.XMLDOM");
dom.async = false;
dom.loadXML(xdr.responseText);
};
xdr.send();
} else {
// your ajax request here
$$.ajax({
url: thisURL,
dataType: "json",
data: {cmd : 'getMessage', uurl: urlVar, t: Math.random()},
success: function(ret){
callback(ret)
}
});
}
Reference
http://forum.jquery.com/topic/cross-domain-ajax-and-ie
not sure whether it fits your scenario
xdr = new XDomainRequest();
xdr.onload=function()
{
alert(xdr.responseText);
}
xdr.open("GET", thisUrl); //thisURl ->your cross domain request URL
//pass your data here
xdr.send([data]);
you can find some more guidance here
This solved the issue gracefully for me:
https://github.com/MoonScript/jQuery-ajaxTransport-XDomainRequest
Just install/compile after jQuery and before your script and use the $.ajax method as you normally would, the rest is handled behind the automatically.
Have you try to use the lastest of JQuery(> jquery-1.8.0)? Since the version 1.8.0, they solved some IE9's bugs. Perhaps this one too.
http://blog.jquery.com/2012/08/30/jquery-1-8-1-released/
I had a similar problem and the solution for me was to use jsonp instead of json. That way I didn't have to break out a customer version for IE.
You can only do this if the json server host supports the callback request variable or you have access to the server and can add support. Here is a page that helped me understand the process. Its .net mvc focused, but it gives a good over view of the diffrence between json and jsonp.
http://blogorama.nerdworks.in/entry-EnablingJSONPcallsonASPNETMVC.aspx
Check the domain you are accessing, following response headers should be there
"Access-Control-Allow-Methods" : "POST, GET, OPTIONS"
"Access-Control-Allow-Origin" : "http://www.mydomain.com" or "*"
the other domain should allow your script request. One more header to be added to your response is P3P header.
"p3p" : "CP=IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
it should help you out.
I was facing similar issue.
I was using file upload control but it was hidden and I had another element trying to control the file upload and events to upload file in ajax way
try using the file upload control directly. this solved issue in my application.
I get this bug (and thus google here) but the reason was very different. So if you don't have cross site and still get this access denied error: double check the value sent
let's say that you affect one of you variable with the bad following expression:
urlVar = $("theID").val // without () this was the error!
[...]ajax call:
data: {cmd : 'getMessage', uurl: urlVar, t: Math.random()},
Google/FF have no problem with this (check what is receive server side...) BUT IE refuse to send this!
I changed my JQuery from version 1.10.1 to 1.10.2 and it seems to have solved this problem for me.
It seems that MS is finding its own way of doing things, rather than adopting industry recommendations. I found the solution here:
https://github.com/MoonScript/jQuery-ajaxTransport-XDomainRequest/blob/master/jQuery.XDomainRequest.js
Simply add 'callback=?' on your ajax URL request like here:
http://wsvdmeer.blogspot.com.es/2012/08/bugfix-getjson-not-working-in-ie.html
function populateGroups(){
var p =1;
var groupNames = new Array();
$.ajax({
type: "GET",
url: "http://okcmonprd103/iMon/findgroups.pl",
dataType: "text/xml",
success: function parseGroupNames(xml){
$(xml).find('group').each(function(){
groupNames[p] = $(this).find('name').text();
p++;
});
groupNames.sort(arraySort);
for(p=0;p<groupNames.length-1;p++){
$('#Groups').append('<option value="'+p+1+'">'+groupNames[p]+'</option>');
$('#dutyGroups').append('<option value="'+p+'">'+groupNames[p]+'</option>');
}
}
});
}
I send this ajax call to a server on our network that runs a Perl script that returns XML data. This works fine on my machine in IE8, and in my Windows 7 Gadget (which is what this is mainly for) but whenever other people in the company try to use it, they get the "Permission Denied" error. Do I need to set up a proxy page in order to make this work?
It does work on my machine, I just don't see how other people on the same network wouldn't be able to use this...
It turned out that it was a Windows 7 issue. When you right clicked on the HTML file name, under security, it would say something like "this file is blocked because it came from another computer"
All you had to do was press the "Unblock" button and all of a sudden it worked.