Wednesday, June 27, 2007

Changing Firefox to allow XSS on any site???

Well, I guess the title of this post is a *bit* unfair, but it's close enough for me. First some background. I'm studying cross-site scripting right now for my final independent study at school. As part of this I'm messing around with a book on AJAX to learn more about JavaScript and how this whole Web 2.0 booya works. Tonight I'm banging on one of the early examples in the book. I created the HTML and JavaScript files on my local machine and hit them via Firefox. The JavaScript makes an XMLHttpRequest to the author's web site since there is almost zero info on server side code in the book. Firebug immediately starts complaining to me with "Permission denied to call method XMLHttpRequest.open". What the heck?? Time to troll Google.

Sure enough, I find some answers to the issue. The problem is that I am running the files at http://localhost/foo.html and the XMLHttpRequest is calling http://authors.website.com/his/webservice to get some AJAXy result back. Firefox looks at this and decides that isn't cool at all and blocks the request. Hurray for the Firefox team. I like it that they thought of this. However, now what am I supposed to do? I don't have the server side code and while I could toss this on my public server, I'd really rather not. Back to Google. Maybe there's a hack for this...

Well, sure enough there is. I found this post on Google Groups with details on how to work around the issue. Here's what the post has to say. Find user.js inside your Firefox profile. If it's not there, create it. Open it up and add the following three lines to it:

user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");

One problem: it allows any file running at localhost to call any other site in the background via XMLHttpRequest. From what I can see I have now configured Firefox to be much more open to XSS. So I'm just going to move this file out of my profile and shut Firefox down whenever I'm done studying. I'm not frustrated at Firefox at all in this. I just wish I had the source to the server code used in the book so I could run through things without asking to get pwn3d.
*sigh*
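To confirm whether a profile still carries a relaxation like the one above, the following added example (not from the original post or the Google Groups thread) parses user.js or prefs.js text and reports every capability.policy entry that grants allAccess, along with the sites it applies to. The function and variable names are hypothetical, and it assumes policynames is a comma- or space-separated list and .sites is space-separated.

```python
import re
import sys
from collections import defaultdict

# Matches one user_pref("name", "value"); line; commented-out lines do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)
PREFIX = "capability.policy."

def audit_prefs(text):
    """Return one finding per named policy that grants allAccess to a property."""
    prefs = dict(PREF_RE.findall(text))
    # Assumption: policynames is a comma- or space-separated list of policies.
    names = prefs.get(PREFIX + "policynames", "").strip()
    active = set(re.split(r"[,\s]+", names)) - {""}
    grants = defaultdict(list)
    for name, value in prefs.items():
        if name.startswith(PREFIX) and value == "allAccess":
            # capability.policy.<policy>.<object.property> -> split at first dot
            policy, _, prop = name[len(PREFIX):].partition(".")
            grants[policy].append(prop)
    findings = []
    for policy, props in sorted(grants.items()):
        findings.append({
            "policy": policy,
            "active": policy in active,  # listed in policynames?
            # Assumption: .sites is a space-separated list of origins.
            "sites": prefs.get(f"{PREFIX}{policy}.sites", "").split(),
            "granted": sorted(props),
        })
    return findings

# The three lines quoted in the post, used as default input.
SAMPLE = '''
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
'''

if __name__ == "__main__":
    # Usage: python audit_prefs.py /path/to/profile/user.js
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for f in audit_prefs(text):
        state = "ACTIVE" if f["active"] else "defined but not in policynames"
        print(f'{f["policy"]} ({state}): allAccess to {", ".join(f["granted"])} '
              f'for sites {f["sites"] or "<none listed>"}')
```

Run it against both user.js and prefs.js in the profile, since Firefox copies user.js settings into prefs.js at startup and they persist there after user.js is moved away.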