Microsoft KB Archive/304420

= Accessing a secure URL from a non-secure page with XMLHTTP fails with &quot;Permission denied&quot; error =

Article ID: 304420

Article Last Modified on 4/7/2005

-

APPLIES TO


 * Microsoft XML Core Services 4.0
 * Microsoft XML Core Services 4.0

-



This article was previously published under Q304420



SYMPTOMS
When you attempt to access a secure URL by using the XMLHTTP request object from a script on a non-secure Web page, you may receive one of the following error messages:

With Msxml2.XMLHTTP:

Permission Denied

With Microsoft.XMLHTTP:

Access is Denied

This problem only occurs if a non-secure page attempts to access a secure page. Accessing a secure page from another secure page does not generate an error.



STATUS
This behavior is by design.



Steps to Reproduce Behavior
In Microsoft Internet Information Services (IIS), create two Web sites named SiteA and SiteB.Under SiteA, save the following code as Client.asp: <%@ Language=JavaScript %> <%   try {               var Req = Server.CreateObject(&quot;Msxml2.DOMDocument.3.0&quot;); Req.async = false; Req.load(&quot;http://localhost/book.xml&quot;); Response.Write(&quot;responseText = &quot; + Req.xml); }   catch( e ) {          Response.Write( &quot;Exception!!&quot;); Response.Write(e.number + &quot;&quot;); Response.Write(e.description + &quot;&quot;); }  %> Under SiteB, save the following code as Client.htm:  

function onLoad {   var Req = new ActiveXObject(&quot;Msxml2.XMLHTTP.3.0&quot;); var newURL = &quot;http://SiteA/client.asp&quot;; Req.open(&quot;GET&quot;, newURL, false); Req.send;

alert(Req.status); alert(Req.responseText); } 

   Run the http://localhost/Client.htm file from either of the Web sites. The XML data is displayed. Install Secure Sockets Layer (SSL) on one of the sites, then modify the non-SSL Client.htm page so that it makes a request to Client.asp.Run the non-SSL Client.htm page. You receive the &quot;Permission Denied&quot; error. The Client.htm page on the SSL site does not produce this error.

