Archive of UserLand's first discussion group, started October 5, 1998.

Alex Hopmann explains..

Author: Dave Winer
Posted: 2/6/1999; 6:19:47 AM
Topic: www.xml-rpc.com
Msg #: 2725 (In response to 2715)

From Alex Hopmann, alexhop@exchange.microsoft.com:

The issue in this case is that we have implemented cross domain security. This is the same security mechanism that is used several places in the script support throughout IE. The idea is to prevent a scenario like this one:

I go visit http://www.hacker.com/. While I'm there I visit an innocent looking page. However, invisibly, that page does a bunch of network requests inside my internal network (to http://salesfigures.microsoft.com/ or whatever). Since the user potentially has access rights to the site salesfigures.microsoft.com, this might not even cause a security dialog, or if it did, the user might not realize that they are authorizing this page from www.hacker.com to access salesfigures.microsoft.com.

There is a setting in the "Security Settings" control panel in IE to adjust this. It is in the Miscellaneous category and it reads "Access data sources across domains". By default this is set to "disable" for the Internet because of the degree of problem this could cause. In this case "www.venuemedia.com" is trying to access "www.mailtothefuture.com" and triggering the security restriction.

Bottom line, you should never see this problem on a site that accesses data locally to it, but I don't really think there is a safe way to support the sort of cross domain requests that David is trying to do from a browser. If you build a local HTML application, these security measures are also disabled. For example, you can save David's page as "test.hta", and open it as a file and successfully run it.

David also needs to get the .text property from the XMLDOM object. In my browser it just displays [object] as the number of messages.
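
The restriction described in the message above can be modelled as a small decision function. This is an added example, not part of the original post and not IE's implementation; it assumes "same domain" means same scheme, host and port, models an HTA as a `file:` URL ending in `.hta`, and uses constructed URL paths.

```javascript
// Simplified model of the cross-domain check described above (not IE's code).
// Assumption: "same domain" is modelled as same scheme + host + port (URL.origin).
// The three values of the "Access data sources across domains" setting:
const SETTINGS = { disable: 'block', prompt: 'prompt', enable: 'allow' };

function crossDomainDecision(pageUrl, targetUrl, setting = 'disable') {
  if (!Object.hasOwn(SETTINGS, setting)) {
    throw new Error(`unknown setting: ${setting}`);
  }
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page); // relative targets resolve against the page

  // Local HTML application (e.g. test.hta opened as a file): restriction not applied.
  // Assumption: an HTA is recognised here by file: scheme plus .hta extension.
  if (page.protocol === 'file:' && page.pathname.toLowerCase().endsWith('.hta')) {
    return { decision: 'allow', reason: 'local HTML application' };
  }
  // Data local to the site that served the page is always reachable.
  // file: pages have the opaque origin "null", which never counts as a match.
  if (page.origin !== 'null' && page.origin === target.origin) {
    return { decision: 'allow', reason: 'same domain' };
  }
  // Everything else is cross-domain; the zone setting decides the outcome.
  return {
    decision: SETTINGS[setting],
    reason: `cross-domain: ${page.host || 'local file'} -> ${target.host}`,
  };
}

// Constructed sample requests using the hosts named in the post.
const samples = [
  ['http://www.venuemedia.com/test.html', 'http://www.mailtothefuture.com/data.xml'],
  ['http://www.venuemedia.com/test.html', '/local.xml'],
  ['http://www.hacker.com/', 'http://salesfigures.microsoft.com/'],
  ['file:///C:/test.hta', 'http://www.mailtothefuture.com/data.xml'],
];
for (const [page, target] of samples) {
  const { decision, reason } = crossDomainDecision(page, target);
  console.log(`${decision.padEnd(6)} ${page} -> ${target} (${reason})`);
}
```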




This page was archived on 6/13/2001; 4:47:47 PM.

© Copyright 1998-2001 UserLand Software, Inc.