permission denied with document.write and xhr.responseText (no iframe involved)

Issue #13171974 • Unassigned

Details

Author
tim d.
Created
Aug 10, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

In Edge (tested on 14 and 15), navigate to

Each page performs an XHR and then document.write's the responseText. This should succeed (and does in Chrome/FF/Safari) but throws a SCRIPT70: permission denied error in Edge (and a similar access is denied error in IE 9-11).

The relevant failing code from fails1.html:

addEventListener('load', function () {
  var xhr = new XMLHttpRequest();
  xhr.addEventListener('load', function() {
    document.open();
    document.write(xhr.responseText);
    document.close();
  });
  xhr.open("get", './success.html');
  xhr.send();
});

Ok, so the error says something about permissions, maybe Edge is getting confused about which document we’re talking about so maybe be explicit in fails2.html:

addEventListener('load', function () {
  var xhr = new XMLHttpRequest();
  xhr.addEventListener('load', function() {
    window.document.open();
    window.document.write(xhr.responseText);
    window.document.close();
  });
  xhr.open("get", './success.html');
  xhr.send();
});

Same error, so how about we store the responseText in a local variable (fails3.html):

addEventListener('load', function () {
  var xhr = new XMLHttpRequest();
  xhr.addEventListener('load', function() {
    var text = xhr.responseText;
    document.open();
    document.write(text);
    document.close();
  });
  xhr.open("get", './success.html');
  xhr.send();
});

This page fails but only if dev tools is open so we’re on the right track.

How about we combine the solution of window.document and the local variable (works.html):

addEventListener('load', function () {
  var xhr = new XMLHttpRequest();
  xhr.addEventListener('load', function() {
    var text = xhr.responseText;
    window.document.open();
    window.document.write(text);
    window.document.close();
  });
  xhr.open("get", './success.html');
  xhr.send();
});

This works with and without dev tools open.

Seems like a bug.

Attachments

0 attachments

    Comments and activity

    Nothing to see here! No one has commented on this issue yet.

    You need to sign in to your Microsoft account to add a comment.

    Sign in