How to carry out Cross Domain request in a Webbrowser Control?

StackOverflow https://stackoverflow.com/questions/415926

Question

As you know doing Cross Domain XMLHTTP requests is not allowed for security reasons under Internet Explorer.

I have a WebBrowser Control and I'm using DocumentText instead of Navigate to a URL. Since the current domain is about:blank when the page tries to do a request to itself or other domain I'm getting Access is denied Javascript error.

Even when I use Navigate if the Javascript do a request to another domain it doesn't work.

How can I get around this?

This HTML code should work with WebBrowser Control:

<body>

<a href="javascript:getit('http://www.google.com')">this should work</a>
<div id="x"></div>

</body>

<script>
function XHConn()
{
  var xmlhttp, bComplete = false;
  try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
  catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
  catch (e) { try { xmlhttp = new XMLHttpRequest(); }
  catch (e) { xmlhttp = false; }}}
  if (!xmlhttp) return null;
  this.connect = function(sURL, sMethod, sVars, fnDone)
  {
    if (!xmlhttp) return false;
    bComplete = false;
    sMethod = sMethod.toUpperCase();

    try {
      if (sMethod == "GET")
      {
        xmlhttp.open(sMethod, sURL+"?"+sVars, true);
        sVars = "";
      }
      else
      {
        xmlhttp.open(sMethod, sURL, true);
        xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");
        xmlhttp.setRequestHeader("Content-Type",
          "application/x-www-form-urlencoded");
      }
      xmlhttp.onreadystatechange = function(){
        if (xmlhttp.readyState == 4 && !bComplete)
        {
          bComplete = true;
          fnDone(xmlhttp);
        }};
      xmlhttp.send(sVars);
    }
    catch(z) { return false; }
    return true;
  };
  return this;
}

function getit(url){
    var xmlhttp = new XHConn();
    var fnWhenDone = function (oXML) { document.getElementById('x').innerHTML = oXML.responseText; alert(oXML.responseText); };
    xmlhttp.connect(url, "GET", "", fnWhenDone);
}

</script>
Was it helpful?

Solution

I found a dirty workaround, load a local HTML (c:\temp\temp.html) and then modify the content of it via javascript.

After this point there is no more CrossDomain restrictions however using document.write causing other nasty problems such as JQuery .ready functions won't work.

OTHER TIPS

Check this, it worked for me like a charm. http://support.microsoft.com/default.aspx?scid=kb;en-us;246227

I don't understand on which domain you don't have access to the Javascript... Have you tried using the script tag to get the data that you want from a different domain? You can use the JSONP idiom to namespace the data... 

var head = document.getElementsByTagName("head")[0];
var script = document.createElement("script");
script.src = "anotherdomain.com/data?callback=myFunction";
head.appendChild(script);

And then on "/data":

myFunction({
    // data here
});

URLACTION-CROSS-DOMAIN-DATA seems to be the right direction: Read this to find out why

The only way to do this is to make sure your code runs in the trusted zone (or higer like HTA). By default, anything running inside the WebBrowser control runs in the zone that the files which are being served come from. (i.e. the standard IE security policies are being used.)

To change this behaviour, you'll need to change the application which is hosting the WebBrowser control and implement a few interfaces on that WebBrowser control. (IInternetHostSecurityManager, IInternetZoneManager and IInternetSecurityMgrSite are the ones that you should take a look at.) This is not a trivial task and the documentation about this is scarce at best.

Once this is done, your code can run with any privileges you need, and cross-domain requests are just as easy as resetting Mime-Sweeper high scores.

Hope this helps.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top