HTTPS XMLHttpRequests at localhost return no data

I made myself a userscript that gathers certain data from websites I browse and stores them in cache on localhost.

First I used to make standard cross-site HTTP XMLHttpRequests; however, Firefox has implemented another XHR restriction that prevents me from doing so: mixed content blocking.

However, on the Firefox blog I saw information that HTTPS requests are considered safe and are not blocked. So I added a security exception for localhost and changed the requests to HTTPS requests (and even HTTPS requests from localhost to localhost behave that way).

Now the requests are being sent properly, but no data are received from the server. Why is that? How many security policies has Firefox put in front of me?

Oh and sorry guys, I've forgotten to specify error messages upon each situation:

a) Cross-site HTTP request: "Blocked mixed content..." A normal HTTP request within localhost works.

b) Cross-site and normal HTTPS request: "Certificate not trusted because it's self signed"

c) Cross-site and normal HTTPS request with certificate exception: nothing. Not even a notice.

Modified by Jakub Mareda


Additional System Details

Installed Plug-ins

  • Google Update
  • Shockwave Flash 11.9 r900
  • 3.0.40624.0
  • Adobe PDF Plug-In For Firefox and Netscape

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0


jscher2000

Could you check the Browser Console (Ctrl+Shift+J) for any specific error messages about the request?

What is the security exception for localhost?

By the way, if you are using different ports on localhost, I believe CORS headers are required in that scenario.

Also, it's not cross-browser, but if you are running your script in Greasemonkey, the GM_xmlHttpRequest method historically has been able to bypass cross-domain security restrictions. (I think it lies to the destination site and tells it that it also is the requesting host site.)

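The reply above notes that CORS headers are required when the requesting page and the localhost server are different origins (a different port is enough). As an added illustration that is not code from the thread, here is a request handler for such a localhost cache server that returns those headers only to an allowlist of origins; the origins, the JSON body and the function names are assumptions.

```javascript
// Added example: CORS handling for a localhost cache endpoint.
// The allowlist entries below are constructed, not taken from the thread.
const ALLOWED_ORIGINS = new Set([
  'https://example.com',     // a site the userscript runs on (assumed)
  'https://localhost:8443',  // same host, different port (assumed)
]);

// Return the CORS response headers for an Origin, or null if not allowed.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // echo the exact origin, never "*"
    'Vary': 'Origin',                      // keep caches from mixing origins
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
}

// Handler with the (req, res) signature that Node's http/https
// createServer expects, so it can be passed to either one.
function handle(req, res) {
  const cors = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') {
    // Preflight: headers only; origins outside the allowlist are refused.
    res.writeHead(cors ? 204 : 403, cors || {});
    return res.end();
  }
  // Without the CORS headers the browser still sends the request,
  // but script on the page is not allowed to read the response.
  const headers = Object.assign({ 'Content-Type': 'application/json' }, cors || {});
  res.writeHead(200, headers);
  res.end(JSON.stringify({ cached: true }));
}
```

Binding the server to 127.0.0.1 keeps the cache endpoint off the network regardless of which origins are allowed to read it.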


About error messages: I'm sorry, I've forgotten to mention this. I'm actually posting here because I did not receive any error for the last situation.

The security exception for localhost is just the standard exception that is made by hitting a site with "https://" in the address bar. If you do this for a site, an evil dialog will ask you whether you know what you are doing, and if you say that you do, you get that exception.

Maybe I'll try to make a demo for this problem, but I'm not sure how it's gonna behave online.

Modified by Jakub Mareda
