Bug 26773 - XMLHttpRequest should throw an exception when making cross-domain requests
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
: P2 Normal
Assignee: Nobody
URL: http://nick-santos.com/tests/xhropen....
Reported: 2009-06-27 13:57 PDT by Nick Santos
Modified: 2009-06-30 06:30 PDT
Description Nick Santos 2009-06-27 13:57:31 PDT
Execute the following JS:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.notmydomain.com/');

Expected result:
The XHR should throw an exception, like Firefox and IE.

Actual result:
It does not throw an exception.

From the spec: 
http://www.w3.org/TR/XMLHttpRequest/#xmlhttprequest
If stored url is not of the same-origin as the origin of the Document pointer the user agent should raise a SECURITY_ERR exception and terminate these steps.

See the attached demo page for a live test.
Comment 1 Mark Rowe (bdash) 2009-06-27 14:08:40 PDT
This is expected behavior.  We've implemented support for cross-origin requests per the "Cross-Origin Resource Sharing" specification at <http://www.w3.org/TR/access-control/>.  Firefox 3.5 also supports this specification and behaves similarly on your test case.
Comment 2 Alexey Proskuryakov 2009-06-30 02:36:01 PDT
More specifically, please see <http://dev.w3.org/2006/webapi/XMLHttpRequest-2/>, which works in tandem with access control.
Comment 3 Nick Santos 2009-06-30 06:30:48 PDT
Thanks for the response. Glad to hear this is happening.
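
Added illustration (not part of the bug report and not WebKit code): under the Cross-Origin Resource Sharing model referenced in the comments above, `open()` does not throw; the request is sent and the browser decides from the response headers whether script may read the result. The sketch below models that decision for a simple GET with no preflight; the function names and the `http://app.example` page origin are assumptions.

```javascript
// Simplified model of the check a CORS-capable browser applies to a
// cross-origin XHR response. Hypothetical names; not WebKit's implementation.

function originOf(url) {
  return new URL(url).origin; // scheme://host[:port], default ports dropped
}

function corsCheck(documentUrl, requestUrl, responseHeaders, withCredentials = false) {
  const docOrigin = originOf(documentUrl);
  if (docOrigin === originOf(requestUrl)) {
    return { readable: true, reason: 'same-origin' };
  }
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    // The wildcard never authorises a credentialed (cookie-bearing) request.
    return withCredentials
      ? { readable: false, reason: 'wildcard with credentials' }
      : { readable: true, reason: 'wildcard' };
  }
  // Exact string comparison: no prefix, suffix or substring matching.
  if (allowOrigin !== docOrigin) {
    return { readable: false, reason: 'origin mismatch' };
  }
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { readable: false, reason: 'credentials not allowed' };
  }
  return { readable: true, reason: 'origin allowed' };
}

// Constructed sample: the page origin is an assumption; the target is the
// URL used in the report.
const page = 'http://app.example/tests/page.html';
const target = 'http://www.notmydomain.com/';
console.log(corsCheck(page, target, {}));
console.log(corsCheck(page, target, { 'Access-Control-Allow-Origin': 'http://app.example' }));
```

A server that does not opt in with `Access-Control-Allow-Origin` still receives the GET, so same-origin policy here protects the response from being read, not the request from being sent.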