Monday, September 5th, 2005

XMLHttpRequest – Bypassing Security for Development

Category: Articles

Julien Couvreur has run into a familiar development pain: the same origin policy forces the Ajax page you are working on to be served from the same host as the service it fetches data from. You would like to just open the page from file://, but that often isn't practical, and you end up fighting the browser's security checks instead.

Julien explains how he wrote a Greasemonkey user script to get around this problem:

Firefox does offer a way of expanding the privileges of a script, allowing it to make requests to different hosts. But it requires you to sign your scripts, which seems like a hassle.

Greasemonkey has its own XMLHttpRequest API, which is more powerful than that available to web pages. It bypasses the same origin policy, thus allowing user scripts to truly compose and remix websites.

XMLHttpRequest – Bypass Security replaces the regular XMLHttpRequest API from Firefox with an unsafe version based on Greasemonkey GM_xmlHttpRequest. It allows the local page that you are developing to make requests to an online service.

When you install the user script and browse the web page you're hacking locally, XMLHttpRequest will continue to work. The unsafe version of XMLHttpRequest that is injected supports the most common XMLHttpRequest APIs, although not all. The missing APIs are setRequestHeaders, responseHeaders, setting a username/password and data (for posts). Ping me if you really need them and I'll update the user script.

Download the user script
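To make the mechanism concrete, here is an added example, written for this page and not Julien's script, of how a page-level XMLHttpRequest replacement backed by a cross-origin request function such as GM_xmlhttpRequest can be built. It assumes a GM_xmlhttpRequest-style transport (a function taking a details object with method, url, data, onload and onerror), installs the shim only on file:// and localhost pages, and uses a constructed fake transport so it runs offline; the names makeUnsafeXMLHttpRequest, shouldInstall, installUnsafeXMLHttpRequest, fakeGmRequest and demo are all assumptions.

```javascript
// Added example, not the user script described above.
// Build a constructor exposing the common XMLHttpRequest surface (open, send,
// readyState, status, responseText, onreadystatechange) and forward the real
// work to `gmRequest`, assumed to take a GM_xmlhttpRequest-style details object
// {method, url, data, onload, onerror}.
function makeUnsafeXMLHttpRequest(gmRequest) {
  function UnsafeXMLHttpRequest() {
    this.readyState = 0;          // UNSENT
    this.status = 0;
    this.statusText = "";
    this.responseText = "";
    this.onreadystatechange = null;
    this._method = "GET";
    this._url = "";
  }

  UnsafeXMLHttpRequest.prototype._setState = function (state) {
    this.readyState = state;
    if (typeof this.onreadystatechange === "function") this.onreadystatechange();
  };

  // open(method, url) only records the request. A synchronous request
  // (async === false) cannot be honoured by an asynchronous transport, so the
  // shim always behaves asynchronously, one of the gaps such a shim has.
  UnsafeXMLHttpRequest.prototype.open = function (method, url) {
    this._method = String(method).toUpperCase();
    this._url = url;
    this._setState(1);            // OPENED
  };

  UnsafeXMLHttpRequest.prototype.send = function (data) {
    var self = this;
    gmRequest({
      method: self._method,
      url: self._url,
      data: data == null ? undefined : String(data),
      onload: function (resp) {
        self.status = resp.status;
        self.statusText = resp.statusText || "";
        self.responseText = resp.responseText;
        self._setState(4);        // DONE
      },
      onerror: function (resp) {
        self.status = resp && resp.status ? resp.status : 0;
        self._setState(4);
      }
    });
  };

  return UnsafeXMLHttpRequest;
}

// A user script runs on every URL its @include matches, and a page-visible
// wrapper around a privileged transport hands that page's scripts cross-origin
// access. Limiting installation to local development pages is what keeps the
// bypass from silently applying to any other site.
function shouldInstall(locationHref) {
  return /^file:\/\//.test(locationHref) ||
         /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/.test(locationHref);
}

function installUnsafeXMLHttpRequest(win, gmRequest) {
  if (!shouldInstall(win.location.href)) return false;
  win.XMLHttpRequest = makeUnsafeXMLHttpRequest(gmRequest);
  return true;
}

// Constructed stand-in for GM_xmlhttpRequest so the shim runs offline: it
// answers every request with a canned JSON body echoing method and URL.
function fakeGmRequest(details) {
  details.onload({
    status: 200,
    statusText: "OK",
    responseText: JSON.stringify({ method: details.method, url: details.url })
  });
}

// Run one request from a constructed file:// page through the shim and return
// the parsed reply (synchronous only because the fake transport replies inline).
function demo(gmRequest) {
  var win = { location: { href: "file:///home/dev/page.html" } };
  if (!installUnsafeXMLHttpRequest(win, gmRequest)) return null;
  var xhr = new win.XMLHttpRequest();
  var result = null;
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
      result = JSON.parse(xhr.responseText);
    }
  };
  xhr.open("GET", "http://api.example.test/data");
  xhr.send(null);
  return result;
}

if (typeof GM_xmlhttpRequest === "function" && typeof window !== "undefined") {
  installUnsafeXMLHttpRequest(window, GM_xmlhttpRequest);   // inside Greasemonkey
} else {
  console.log(JSON.stringify(demo(fakeGmRequest)));         // offline demo
}
```

The shouldInstall guard is the part worth keeping even in a throwaway development script: once the page's own XMLHttpRequest is a wrapper around a privileged transport, anything that page loads inherits the bypass, so the wrapper should exist only on pages you control.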

How do you deal with issues such as these?

Posted by Dion Almaer at 12:54 am