4

I'm trying to do an XMLHttpRequest from a local file (file://) using JQuery.ajax to something on http:// and from what I can see it looks like the request is going out (the success callback is called and Firebug shows the request) but there is simply no response coming back.

Here's basically what I'm doing:

$.ajax({
    url: "https://stackoverflow.com/users/63736/bruce-van-der-kooij",
    dataType: "text",
    success: function(text) {
        alert(text)
    }
})

Note I'm using datatype: "text" but it doesn't really matter what you use.

This will show an empty alert.

Now, if I had to guess I'd have to say this has something to do with the same origin policy, but I'm not getting the typical NS_ERROR_DOM_SECURITY_ERR exception (there's nothing at all in the error console).

So does anybody have an explanation for what's going on?

Related

UPDATE:

So I came across a July 2009 article at hacks.mozilla.org that seems to explain what is going. Apparently Firefox >= 3.5 implements the Cross-Origin Resource Sharing (CORS) specification which provides a mechanism to allow you to make cross-site requests. What is happening in this case is explained in the article:

In Firefox 3.5 and Safari 4, a cross-site XMLHttpRequest will not successfully obtain the resource if the server doesn’t provide the appropriate CORS headers (notably the Access-Control-Allow-Origin header) back with the resource, although the request will go through.

Note that in my case the request is sent out with a header Origin: null and a 200 OK response is returned. However, the server isn't sending back the appropriate headers so the response body is not retrieved.

Also see:

Community
  • 1
  • 1
Bruce van der Kooij
  • 2,192
  • 1
  • 18
  • 29
  • 1
    Trying to link some questions that essentially describe the same issue. http://stackoverflow.com/questions/3595515/xmlhttprequest-error-origin-null-is-not-allowed-by-access-control-allow-origin http://stackoverflow.com/questions/5138057/cross-origin-resource-sharing-and-file – BlackShift Jan 03 '12 at 14:21

2 Answers2

2

(Answering my own question)

The reason the request goes out is because Firefox >= 3.5 implements the Cross-Origin Resource Sharing (CORS) specification which provides a mechanism to allow you to make cross-site HTTP requests. By default these requests will not send along any credentials (HTTP Cookies and HTTP Authentication information).

However a cross-site HTTP request will not successfully obtain the resource if the server doesn't provide the appropriate CORS headers (notably Access-Control-Allow-Origin) back with the resource. The response will simply be ignored by the browser.

Here's an example of a successful cross-site request (it retrieves my YouTube profile):

$.ajax({
    url: "http://gdata.youtube.com/feeds/api/users/brucevdk?v=2&alt=json",
    dataType: "json",
    success: function(response) {
        alert(response)
    }
})

If you take a look at the response headers you'll see:

Access-Control-Allow-Origin: *

Which means "allow requests from any origin".

Resources

Bruce van der Kooij
  • 2,192
  • 1
  • 18
  • 29
0

Additional Notes:

* Due to browser security restrictions, most "Ajax" requests are

subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.

That is from the page you've mentioned. jQuery ajax requests does not support cross-domain requests out of the box. There are some workarounds that a Google search can provide though...

Hari Pachuveetil
  • 10,294
  • 3
  • 45
  • 68
  • Note that I referred to the same origin policy in my question, but how do you explain then why it isn't throwing the NS_ERROR_DOM_SECURITY_ERR exception? I have a suspicion why (I'll be updating my answer in a second). – Bruce van der Kooij Sep 09 '10 at 00:01
  • My bad. I didn't read your question fully. The update you've given on the question seems to be reason indeed. So any other browser (that doesn't implement CORS) could give NS_ERROR_DOM_SECURITY_ERR then, probably. – Hari Pachuveetil Sep 09 '10 at 00:36