
I have two servers (under my control) and do AJAX requests from domain_a to domain_b. The cross-domain AJAX request works as expected, since domain_b puts an `Access-Control-Allow-Origin: *` (the `*` is just for testing purposes) into the HTTP response header. The HTTP method is GET.

Now I want to access an htaccess-protected URI on domain_b. I use exactly the same code with one single modification: I use the 4th and 5th parameters (username and password) in the XMLHttpRequest.open() method, but in Firefox I get the following error in the console:

NS_ERROR_DOM_BAD_URI: Access to restricted URI denied

What makes me curious is that even if I use the unprotected URI on domain_b (which works when not sending username & password!) I get the same error in the console. So exactly the same code and the same URI, which both work - but if using the fourth and fifth parameters, the browser doesn't even seem to send the request (I think) - although server_b still answers with `Access-Control-Allow-Origin: *`.

Example code

```html
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html" charset="UTF-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
        <title>AJAX HTTP Auth Test</title>
        <script>

            var uri = "http://user25163.hol.es/";
            //var uri = "http://user25163.hol.es/protected/";

            function foo() 
            {
                // Initialize the Http request.
                var xhr = new XMLHttpRequest();
                //xhr.open("GET", uri, true);  // works
                xhr.open("GET", uri, true, 'testuser', 'letmein');  // nope
                xhr.onreadystatechange = function() {
                    if (this.readyState == 4 && this.status == 200) {
                        alert(this.responseText);
                    }
                };
                xhr.send();
            }

        </script>
    </head>
    <body>
        <button type="button" onclick="foo();">Send AJAX request</button><br>
    </body>
</html>
```

So even for the same target URI (unprotected): the first xhr.open(...) line works, but the second with username + password does not. The same with SSL/TLS URIs.

Is this an additional protection or exception in the CORS rules? Or am I doing something wrong?

Please no jQuery. And please read carefully what I'm asking before writing something generic like "AJAX not possible for cross site" (except, it is really not possible when sending HTTP Auth credentials in the HTTP request header - then it's ok).

Edit: Tested with Chrome - seems to work (I get the response). Okidoki... this doesn't seem to be consistent.

StanE
  • This may help you http://stackoverflow.com/questions/2558977/ajax-cross-domain-call – M14 Nov 18 '16 at 05:12
  • @SirajAbbas Hmm. But what does this have to do with my question? I cannot use JSONP, since HTTP Auth through URI does not work with IE (and it is a dirty solution anyway, which has nothing to do with AJAX actually). And I want to use HTTP authentication (through `XMLHttpRequest.open()` which has 2 parameters exactly for this), not sending credentials as GET or POST params. – StanE Nov 18 '16 at 05:25
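
Added example, not part of the original post: the server in the question answers with `Access-Control-Allow-Origin: *`, and the Fetch standard's CORS check treats that wildcard differently once a request carries credentials. The sketch below models that check only; `corsCheck`, `header` and the `domain-a.example` origin are hypothetical names, and it does not model how Firefox handles the user/password arguments of `open()`.

```javascript
// Added illustration of the CORS check a browser applies to a cross-origin
// response (Fetch standard). Function and variable names are hypothetical.

// Case-insensitive header lookup on a plain object; null when absent.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// requestOrigin:   serialized origin of the calling page
// withCredentials: true when cookies or HTTP auth accompany the request
// responseHeaders: headers returned by the other server
function corsCheck(requestOrigin, withCredentials, responseHeaders) {
  const acao = header(responseHeaders, "Access-Control-Allow-Origin");
  if (acao === null) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials) {
    // Anonymous requests may be answered with the wildcard.
    if (acao === "*" || acao === requestOrigin) return { allowed: true, reason: "ok" };
    return { allowed: false, reason: "origin mismatch" };
  }
  // Credentialed requests: the header must name the exact origin; "*" fails.
  if (acao !== requestOrigin) {
    const reason = acao === "*" ? "wildcard not allowed with credentials" : "origin mismatch";
    return { allowed: false, reason };
  }
  // The server must also opt in explicitly; the value is the literal "true".
  if (header(responseHeaders, "Access-Control-Allow-Credentials") !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample data (not taken from the servers in the question).
const ORIGIN = "http://domain-a.example";
const WILDCARD = { "Access-Control-Allow-Origin": "*" };
const EXPLICIT = {
  "Access-Control-Allow-Origin": ORIGIN,
  "Access-Control-Allow-Credentials": "true",
  "Vary": "Origin",
};

console.log(corsCheck(ORIGIN, false, WILDCARD)); // anonymous request, wildcard
console.log(corsCheck(ORIGIN, true, WILDCARD));  // credentialed request, wildcard
console.log(corsCheck(ORIGIN, true, EXPLICIT));  // credentialed request, explicit origin
```

A server that wants to accept credentialed cross-origin requests therefore echoes a single allow-listed origin rather than `*`, and sends `Vary: Origin` so caches do not reuse the response for another origin.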

0 Answers