Search code examples
javascriptfirefoxonloadsecurityexception

SecurityException 1000, even though using same domain


I'm facing a troublesome Javascript/Firefox problem. Relevant code is listed below.

What happens basically is the following:
1. document.ready fires and initiates an AJAX request (to document.domain:8484/getTrack.php or whatever)
2. AJAX response is received. This response contains the url (same domain) of the location of the image. So, sourceImage.onload is set, then sourceImage.src is set
3. sourceImage.onload fires. The idea is now to keep a resized image in memory that perfectly fits the canvas it's going to be drawn on. I want to keep this resized image in memory because I'm going to write (parts of) it to my canvas a lot of times, and resizing every time should be a lot slower.


    var SourceImage = new Image();
    var preparedImageData;

    sourceImage.onload = function() { 
        var canvas = document.createElement('canvas');
        canvas.width = 100; canvas.height = 100;
        var ctx = canvas.getContext("2d");        
        // resize image
        ctx.drawImage(sourceImage, 0, 0, sourceImage.width, sourceImage.height, 0, 0, canvas.width, canvas.height);    
        // save as imagedata
        try {
            try { 
                preparedImageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
            } 
            catch (e) { 
                netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
                preparedImageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
            }                          
        }
        catch (e) {
            throw new Error("unable to access image data: " + e)
        }
    }

The first getImageData call throws and the enablePrivilege call also throws inmediately. The errror text is "A script from "http://127.0.0.1" was denied UniversalBrowserRead privileges.". I've checked and it appears these messages should only appear when trying to access getImageData on an image from another domain, which isn't the case though (right?). have no strict security policy in place (everything default), Firefox 4.0. Same code works fine on Chrome.


Solution

  • The context.getImageData and the PrivilegeManager.enablePrivilege calls fail as soon as I set document.domain = document.domain which is done for cooperation with iframes hosted on a different subdomain. As a workaround I proxied domain.tld/subdomain/ to subdomain.domain.tld/ and obtained the desired result.