The Infamous "Access Denied" AJAX Error

A client of mine had a website issue--the red X in the lower left in IE saying an error had occurred. I dug in a little and discovered the famous pop-up that you have probably seen if you have done any amount of AJAX development:

The error message can change slightly depending on your browser, but you will get some variation of "This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?" or "Access denied" or "Access is denied."

Essentially, here is the problem. It is not uncommon, especially in large corporate environments, for the web services being called to actually live in a different domain from the page that is rendered. Browsers consider it a security hole to be displaying data from site X and be performing an XmlHttpRequest against site Y. And this is probably for the best.

To remedy this situation, you need to either (1) get your application and web services on the same domain or (2) provide some kind of proxy that allows for calling the web service on the other domain within your own domain.

Sometimes this is easier said then done, but I was very lucky in my case. My client actually was using a domain name that resolved to the same domain the page was being served up from. They had created separation in case the web services and web sites were ever migrated to different machines. So, it was a simple matter of using the same domain for the services used by the web site.

The client is actually moving in the direction of making all their machines the same, at least for this collection of web apps and services. It is not often a resolution to a problem is so easy. Anyway, this is something to keep in mind when you get the "access denied" error on an AJAX-enabled site.

Good luck out there!


Post a Comment