"Cannot make request to different domain" a bit too drastic #69

Closed
matthieu opened this Issue Jan 30, 2011 · 3 comments


An API I use (socket.io) issues some XHR calls using URLs that look like http://:8000/socket.io/... The implementation of open in xhr.coffee, when testing for cross site request, ends up trying to compare ":8000" with "localhost:8000".

I've ended up adding the following:
url.hash = null
+url.host = window.location.host.split(':')[0] + url.host if url.host[0] == ':'
throw new core.DOMException(core.SECURITY_ERR, "Cannot make request to different domain") unless url.host == window.location.h
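
Review bot: On the added url.host line, window.location.host.split(':')[0] takes everything before the first colon as the hostname, which truncates an IPv6 literal such as [::1]:8000; window.location.hostname avoids the string split. The line also patches url.host after parsing, just before the comparison, so the security check depends on an ad hoc fix-up; resolving the empty hostname during URL resolution would keep the same-domain test a plain comparison of normalized values.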

I'm not quite sure that changing url.host is the best option here though.


matthieu Jan 30, 2011

Even then it can still break on port 80: url.host ends up looking like 'localhost:80' while window.location.host is just 'localhost'. I had to add an additional condition in the unless to obtain the following patch:

-url = URL.parse(URL.resolve(window.location, url))
+url = URL.parse(URL.resolve(window.location.href, url))
 url.hash = null
-throw new core.DOMException(core.SECURITY_ERR, "Cannot make request to different domain") unless url.host == window.location.host
+url.host = window.location.host.split(':')[0] + url.host if url.host[0] == ':'
+throw new core.DOMException(core.SECURITY_ERR, "Cannot make request to different domain") unless url.host == window.location.host || url.host == window.location.host+':80'
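
Review bot: The fallback url.host == window.location.host+':80' in the last added line hard-codes 80 as the default port without looking at the scheme, and the check still compares host strings only. On an https page, where the default port is 443, a target on host:80 would be accepted as the same domain while host:443 would still be rejected, and a target that differs only in scheme passes the test. Suggest normalizing both sides to protocol, hostname and effective port and comparing those, rather than adding string alternatives to the unless condition.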

assaf Feb 2, 2011

Owner

Closed by c637066 incorrectly resolving partial URLs in XHR requests.


assaf Feb 2, 2011

Owner

Fixed. The problem was the URL not resolving properly: http://:8000 means use current hostname, but change port to 8000, so the hostname should be localhost not empty.
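
The two failure cases in this thread (an empty hostname with a port, and an explicit default port) handled in one same-origin check; this is an added example in JavaScript, not part of the thread and not zombie's own code. It assumes the standard WHATWG URL class; resolveAgainstPage, originOf and sameOrigin are hypothetical names, and the sample URLs are constructed.

```javascript
// Added example: same-origin test that normalizes before comparing.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Authority with an empty hostname, e.g. "http://:8000/socket.io/".
const EMPTY_HOST = /^([a-z][a-z0-9+.-]*:)\/\/:(\d+)(?=[\/?#]|$)/i;

function resolveAgainstPage(target, pageHref) {
  const page = new URL(pageHref);
  const m = EMPTY_HOST.exec(target);
  if (m) {
    // The WHATWG parser rejects an empty hostname, so fill in the page's
    // hostname first and keep the requested scheme and port.
    // page.hostname keeps the brackets of an IPv6 literal such as [::1].
    target = `${m[1]}//${page.hostname}:${m[2]}${target.slice(m[0].length)}`;
  }
  return new URL(target, page); // also resolves relative paths
}

// Origin as scheme + hostname + effective port, so "localhost" and
// "localhost:80" compare equal for http but not for https.
function originOf(url) {
  const port = url.port || DEFAULT_PORTS[url.protocol] || '';
  return `${url.protocol}//${url.hostname}:${port}`;
}

function sameOrigin(target, pageHref) {
  let resolved;
  try {
    resolved = resolveAgainstPage(target, pageHref);
  } catch {
    return false; // unparseable target: fail closed
  }
  return originOf(resolved) === originOf(new URL(pageHref));
}

// Constructed inputs mirroring the cases discussed in the thread.
const page = 'http://localhost:8000/index.html';
console.log(sameOrigin('http://:8000/socket.io/1', page));          // true
console.log(sameOrigin('http://localhost:80/api', 'http://localhost/')); // true
console.log(sameOrigin('https://localhost:8000/api', page));        // false
```

Comparing scheme, hostname and effective port as separate normalized values avoids special-casing ":80" in the host string and keeps a scheme-only difference from passing the check.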


djanowski pushed a commit to djanowski/zombie that referenced this issue Jun 12, 2015

This issue was closed.
