Opened 10 years ago

Closed 8 years ago

Last modified 8 years ago

#8546 closed defect (fixed)

[patch] [cla] loader_xd doesn't understand protocol-relative URLs

Reported by: danc86 Owned by: James Burke
Priority: high Milestone: 1.5.1
Component: Core Version: 1.2.3
Keywords: Cc:
Blocked By: Blocking:

Description

The dojo._xdIsXDomainPath function, which is supposed to identify whether a request crosses domains, doesn't work properly when dojo is loaded from a protocol-relative URL.

For example when the page at http://www.example.com/ includes dojo from static.example.com/dojo.js (note the missing protocol, making this a protocol-relative URL), dojo._xdIsXDomainPath will return false for relative paths, even though they are in fact cross-domain. As a result the browser denies the request with an error along the lines of:

[Exception... "Access to restricted URI denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)" ...]

This function is incorrectly assuming that request URLs are either path-relative, or are absolute using the http: protocol (it looks like it doesn't handle https: URLs either, due to the hardcoded "http://").

Attachments (1)

schemeless.diff (388 bytes) - added by bill 9 years ago.
patch file (just that one line change)

Download all attachments as: .zip

Change History (15)

comment:1 Changed 10 years ago by Adam Peller

Owner: changed from anonymous to James Burke

comment:2 Changed 10 years ago by James Burke

Component: GeneralCore
Milestone: tbd1.4

Good to consider. Moving it to 1.4 to allow for more testing.

comment:3 Changed 10 years ago by James Burke

Milestone: 1.4future

Would want to get this, but it would need more testing. I am also hoping to avoid the need for this function completely in a Dojo 2.0.

Changed 9 years ago by bill

Attachment: schemeless.diff added

patch file (just that one line change)

comment:4 Changed 9 years ago by bill

Summary: loader_xd doesn't understand protocol-relative URLs[patch] [cla] loader_xd doesn't understand protocol-relative URLs

comment:5 Changed 9 years ago by dylan

Milestone: future1.5

I nominate this for 1.5.

comment:6 Changed 9 years ago by James Burke

Milestone: 1.5future

Ideally the patch would be more than what is attached -- it would mean pulling off the domain in the relative path and comparing it with the location.host as is done for the baseUrl in that function. Also, the location.host testing in the baseUrl path looks like it needs some work too.

This can be worked around by setting a full URL in the modulePaths, or just setting the protocol. Not ideal, but works.

Not comfortable doing this change close to the 1.5 release.

comment:7 Changed 9 years ago by dylan

Milestone: future1.6

Ok, my issue is this. It's been open for 18 months, and it was pointed out to me as a bug by a large user of Dojo and jQuery. They reported the issue to jQuery, and it was fixed in 2 weeks, and we're going on 18 months. It's an issue for large sites which operate in mixed mode, and don't have control over all of their content. I'm going to mark it 1.6, but I'm hoping we can get this resolved right after the 1.5 release in trunk.

comment:8 Changed 9 years ago by James Burke

dylan, I want to be sure I am not missing something. jQuery does not have a code loader, besides perhaps calling jQuery.getScript(). Was the user using dojo.io.script() to load scripts or using dojo.require() to load scripts to see the problem?

comment:9 Changed 9 years ago by dylan

Yes, for jQuery it was with getScript. I believe they were using dojo.require with the x-domain version of Dojo.

comment:10 Changed 9 years ago by mbaierl

Too bad to see that this is still not fixed in 1.5.... especially since our fix against 1.4.2 works perfectly fine.

For jQuery it has been .getScript which failed (as it did an XHR request cross-domain in case of scheme-less URLs).

For Dojo it is dojo.require() which fails with an XD-build in case scheme-less URLs are used.

comment:11 Changed 9 years ago by James Burke

(In [22829]) Refs #8546, allow using protocol-relative URLs with xd loader (backport to 1.5 branch)

comment:12 Changed 9 years ago by James Burke

Milestone: 1.61.5.1

Hmm, robot missed this, but fixed in trunk in [22828]

comment:13 Changed 8 years ago by Adam Peller

Resolution: fixed
Status: newclosed

comment:14 Changed 8 years ago by Karl Tiedt

Just wanted to ping this ticket... a user in #dojo was just experience this problem with https from Google CDN on 1.6.1... So was a little confused after finding this ticket was fixed.

The djConfig work around solved their problem but... curiosity got the better of me

Note: See TracTickets for help on using tickets.