"uncaught exception: permission denied to call method XMLHttpRequest.open"

I'm running JSP file on Apache Tomcat.  It embeds Javascript codes that send XMLHttpRequest to a website (http://api.clickatell.com/http/sendmsg) and (is supposed to) receive response.

This doesn't work on IE and Firefox, however, due to some security restrictions.  The javascript error message is:

            "uncaught exception: permission denied to call method XMLHttpRequest.open"

I researched the web and found that the solution is by enabling UniversalBrowserRead setting.  So, I copied and added these lines:

            try {
                        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
            } catch (e) {
                        alert("Permission UniversalBrowserRead denied.");
            }

This works on a standalone HTML file, but when I deployed it into Apache-Tomcat server, it doesn't work anymore.  It doesn't allow the UniversalBrowserRead to be enabled.

So, what should I do now?  What is the cause of this?  Should I add some browser security configuration using .htaccess?  

Below is the complete line of the Javascript codes:

<script language="javascript" type="text/javascript">
<!--
                        function sendSMS(url, data) {
                  
                  alert("test");
                  var res;
                  var req;
                  
                  try {
                        req = new XMLHttpRequest();
                  }
                  catch(error) {
                        try{
                              req=new  ActiveXObject("Microsoft.XMLHTTP");
                        }
                        catch(error) {
                              req=null;
                        }
                  }
            try {
                        netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
                  } catch (e) {
                        alert("Permission UniversalBrowserRead denied.");
                  }
                    req.open("POST", url, false);
                  req.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
                  req.send(data);
                  res= req.readyState;
                  
                  alert("test");
                  return res;
            }
                        
                        sendSMS("<%out.print(sUrl);%>", "<%out.print(sPostData);%>");
//-->
</script>

Thanks!!
SWB-ConsultingAsked:
Who is Participating?
 
DireOrbAntConnect With a Mentor Commented:
XMLHttpRequest doesn't allow you to call URLs that are not on the same domain as the page you're in. It's called cross-domain scripting and you can read about it here and there ;)
http://en.wikipedia.org/wiki/Cross_site_scripting
0
 
Michel PlungjanIT ExpertCommented:
Also you can only change privileges on a stand alone html file loaded from your hard disk, as soon as you load it from the web, the code needs to be signed.

You can bypass these things by accessing the site in question from your server and present the result - that may violate copyright though
0
 
SWB-ConsultingAuthor Commented:
Argh shoot.

Is there any other way to run this function successfully?  There should be a way, shouldn't it?

I'm using Java and JSP, so if you can direct me to a possible implementation that would be very helpful.
0
 
DireOrbAntCommented:
No other way (well, I've seen hacks, but most get patched by browser vendors soon enough).
It's about security, I guess if you could go around it, it would not be security...

You can call it from an app you would build and do the bridging.
0
 
Michel PlungjanConnect With a Mentor IT ExpertCommented:
Call it using an httpurlconnection at the server and serve it from there
0
All Courses

From novice to tech pro — start learning today.