On Fri, Apr 3, 2009 at 7:56 AM, Charles L. <[email protected]> wrote: > I am designing a user script that retrieves a remove list of items > from http://www.example.com/list.txt, parses the list and compares the > list of items with the source of the current web page. I'm using XHR > to retrieve the remote list. However, I'm getting this error message > because the list isn't hosted on the same web site as the page that > I'm visiting: > > "Unsafe JavaScript attempt to access frame with URL http://www.example.com/ > from frame with URL chrome-ui://inspector/inspector.html. Domains, > protocols and ports must match".
First of all, this error message is buggy. I assume your page is not being served from chrome-ui://inspector/inspector.html. > How is my practice unsafe? I think this security measure is too > carried away, don't you think so? We should remove this restriction > from Chrome IMO. Cross-origin XHR is not allowed in web pages because it would allow malicious web pages to read an interact with other sites the user has access to. I believe that dev versions of Chrome currently have support for Cross-Origin Resource Sharing, which allows hosts that want to to opt-into cross-origin XHR access [http://dev.w3.org/2006/waf/access-control/]. You could try that, but it's pretty bleeding edge, so I'd expect rough patches. - a --~--~---------~--~----~------------~-------~--~----~ Chromium Developers mailing list: [email protected] View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~----------~----~----~----~------~----~------~--~---
