Bug 221661

Summary: allow XMLHttpRequests to retrieve documents from a different domain
Product: [Applications] konqueror Reporter: Elmar Stellnberger (AT/K) <estellnb>
Component: khtmlAssignee: Konqueror Bugs <konqueror-bugs-null>
Status: RESOLVED UNMAINTAINED    
Severity: normal CC: kde
Priority: NOR    
Version First Reported In: 4.3.1   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Elmar Stellnberger (AT/K) 2010-01-07 15:23:21 UTC 
Version:           4.3.1 (KDE 4.3.1) "release 9" (using 4.3.1 (KDE 4.3.1) "release 9", KDE:KDE4:STABLE:Desktop / openSUSE_11.2)
Compiler:          gcc
OS:                Linux (x86_64) release 2.6.32.2-0.0.16.d8b32f9-desktop

 XMLHttpRequests need to be capable of retrieving documents from different
domains. Just think about content aggregation.
  This is also a necessity for users of URL-Framing. It is not possible to
directly retrieve a document on behalf of an URL-Framed URL because you will
then only receive the frame instead of the document. To circumvent URL-Framing
I have defined a domain redirect from a second domain mirror.elstel.com instead
of using http://www.elstel.com: i.e. you have two domains that belong to the same
page.
Comment 1 Tim Brown 2010-01-07 15:38:50 UTC 
Making XMLHttpRequests across domains has the potential to break Same Origin Policy and could lead to easier cross-site request forgery attacks, cookie stealing etc.  Please don't implement it.
Comment 2 Elmar Stellnberger (AT/K) 2010-01-07 18:14:01 UTC 
  At least issuing XMLHttpRequests on the same subdomain i.e. www.elstel.com and mirror.elstel.com needs to work since this is an absolutely unnecessary restriction.
Comment 3 Elmar Stellnberger (AT/K) 2010-01-07 19:06:54 UTC 
Firefox does already implement it. It won`t make a difference if Konqueror does so, too.
Comment 4 Andrew Crouthamel 2018-11-06 15:13:39 UTC 
Dear Bug Submitter,

This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond.

Thank you for helping us make KDE software even better for everyone!
Comment 5 Andrew Crouthamel 2018-11-18 03:28:05 UTC 
Dear Bug Submitter,

This is a reminder that this bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? This bug will be moved back to REPORTED Status for manual review later, which may take a while. If you are able to, please lend us a hand.

Thank you for helping us make KDE software even better for everyone!
Comment 6 Justin Zobel 2022-12-20 22:51:45 UTC 
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Comment 7 Elmar Stellnberger (AT/K) 2022-12-21 10:17:38 UTC 
I am not sure if this would be intended behaviour or if other browsers forbid this for reasons of policy/security.
Comment 8 Christoph Cullmann 2024-05-06 18:38:23 UTC 
Dear user,

KHTML (and KJS) was a long time more or less unmaintained and got removed in KF6.

Please migrate to use a QWebEngine based HTML component.

We will do no further fixes or improvements to the KF5 branches of these components beside important security fixes.

For security issues, please see:

https://kde.org/info/security/

Sorry that we did not fix this issue during the life-time of KHTML.

Greetings
Christoph Cullmann