Possible cross-domain scripting issue - Access Denied

Jun 5, 2012 at 12:21 AM
Edited Jun 5, 2012 at 12:21 AM

Under certain conditions, I am receiving an "Access Denied" error without the SP web service call even being performed. The SPServices call is as follows:

$().SPServices({
    operation: "GetListItems",
    webURL: webUrl,
    async: false,
    listName: listName,
    CAMLQuery: camlQuery,
    completefunc: function (xData, Status) {
        // Keep the ID of the last row returned by the query
        $(xData.responseXML).SPFilterNode("z:row").each(function () {
            itemId = $(this).attr("ows_ID");
        });
        // Append the item ID to the view and edit form URLs
        viewItemUrl += "?ID=" + itemId;
        editItemUrl += "?ID=" + itemId;
    }
});

And on page load, we are allowing cross-site scripting with the following in the document.ready function:

jQuery.support.cors = true;

I am able to get the call to work between the dev environment for this page (http) and the production SP instance (http) by putting both domains in the Trusted Sites. But this doesn't work between the production environment for this page (https) and the production SP instance (http).

Is there more to enabling cross-site scripting when it is from a secure site (where SPServices is run) and a SharePoint site that is not secure?

When it fails, I just receive "error" in status and responseXML is undefined on xData. I've also checked with Fiddler and can see that the SP web service call is not even made.

Jun 5, 2012 at 3:54 AM

Hi,

You might need to change the security settings in IE to allow cross domain access.

For IE, Tools > Options > Security > Custom Level > Miscellaneous > Access data across domains to be enabled. This is separate for intranet and internet zones.

Thanks

Janesh

Jun 5, 2012 at 1:29 PM
I've done that in the Trusted Sites zone. This made it work between the dev environment for the page and the production SP site, but they are both HTTP. That IE setting does not help between the production environment for the page, which is HTTPS, and the production SP site.
Do you know of a good resource for debugging browser security issues?


Coordinator
Jun 12, 2012 at 12:10 PM

My $.02 on this (and that's about what it's worth) is to look at the Net traffic in Firebug or Fiddler to see where it is hanging up and then get your network people involved. The issues are very often more to do with the network topology and how trusts are set up than the actual script calls.

M.

Jun 12, 2012 at 2:47 PM

Update:

It seems there is no solution to this -- browser security does not allow cross-protocol traffic and there is no IE setting to circumvent the policy. I had to change the SP site collection to be secure (HTTPS).

The pertinent documentation at http://msdn.microsoft.com/en-us/library/ie/ms536648(v=vs.85).aspx mentions:

Security Warning: Cross-domain, cross-port, and mixed protocol requests are not allowed. The bstrUrl parameter may only specify files in the same domain, using the same port and protocol method, as that from which the page is served.
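
A small diagnostic for the rule quoted above, added here as an example and not code from this thread: it compares the page URL with the web service URL on protocol, host and port and reports which part differs. The `example.test` hosts and the function names are constructed for illustration.

```javascript
// Added example: report why a call from pageUrl to serviceUrl is not
// same-origin (same domain, same port, same protocol).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originParts(rawUrl) {
    const u = new URL(rawUrl);
    if (!(u.protocol in DEFAULT_PORTS)) {
        throw new Error("unsupported scheme: " + u.protocol);
    }
    return {
        protocol: u.protocol,
        host: u.hostname.toLowerCase(),
        // URL.port is "" when the scheme's default port is in use
        port: u.port || DEFAULT_PORTS[u.protocol]
    };
}

function checkSameOrigin(pageUrl, serviceUrl) {
    const page = originParts(pageUrl);
    const svc = originParts(serviceUrl);
    const reasons = [];
    if (page.protocol !== svc.protocol) reasons.push("mixed-protocol");
    if (page.host !== svc.host) reasons.push("cross-domain");
    // Ports are compared only when the scheme matches; with different
    // schemes the default ports always differ and would mask the cause.
    if (page.protocol === svc.protocol && page.port !== svc.port) {
        reasons.push("cross-port");
    }
    return {
        sameOrigin: reasons.length === 0,
        reasons: reasons,
        // HTTPS page calling an HTTP endpoint, the case in this thread
        secureToInsecure: page.protocol === "https:" && svc.protocol === "http:"
    };
}

// Constructed sample pairs: [page URL, web service URL]
const SAMPLES = [
    ["http://dev.example.test/page.aspx", "http://sp.example.test/_vti_bin/Lists.asmx"],
    ["https://www.example.test/page.aspx", "http://sp.example.test/_vti_bin/Lists.asmx"],
    ["https://sp.example.test/page.aspx", "https://sp.example.test/_vti_bin/Lists.asmx"]
];
for (const [page, svc] of SAMPLES) {
    console.log(page, "->", svc, JSON.stringify(checkSameOrigin(page, svc)));
}
```

Running the check against the real page and service URLs before the SPServices call shows whether a failure is a protocol mismatch, which no zone setting changes, or only a host mismatch.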