534CHAPTER 13

Building stand-alone applications with Ajax

have created, the RSS viewer allows us to read the feeds from our desktops without visiting the individual websites that host the feeds.

13.6 Avoiding the project’s restrictions

With the Ajax-based RSS syndication feed reader that we have developed, we are able to view RSS feeds from an HTML file stored on the desktop with no serverside code required. We can use this application to grab the RSS feeds we read without having to go to the websites. We may want to offer this page as a download for the users on our websites. We can set it up to read our site’s RSS feeds. Because we can run this script on our website too, we can use it for other things as well. One use can be a banner ad rotator, a company news banner, or anything else we can think of. But there are some limitations to what this script can do, and we may have trouble running this application with Mozilla on our desktop.

13.6.1Overcoming Mozilla’s security restriction

Unlike Microsoft Internet Explorer, Firefox and Mozilla cannot execute the application from our desktop due to security restrictions. The security restrictions keep Ajax from communicating from our desktop to other websites since they want to protect us from having code send information without our knowledge.

To verify that this is the problem with the Ajax script, we need to look for an error message. In Mozilla, we need to open up the JavaScript Console. The JavaScript console is located under Tools > Web Development > JavaScript Console (figure 13.12).

When we click on the JavaScript Console menu option, another window opens (figure 13.13).

Figure 13.12

In Mozilla, choose Tools >

Web Development >

JavaScript Console.

Figure 13.13

The permission denied error message caused by the XMLHttpRequest object

In figure 13.13, we see a permission denied error caused by the XMLHttpRequest object. There are two ways to correct this. The first is to go into the configuration file of Mozilla and set the permission setting to allow the XMLHttpRequest object to perform its desired task. To do this, we type about:config into the address bar of the browser and adjust the setting, but that is not a safe procedure to perform.

The reason it is not safe is that we are enabling it for anything that runs on our computer. That means any script that wants to talk to the outside world would be able to do so. How can we avoid this and allow only our Ajax application to talk to the outside? The solution is to set the security with JavaScript. We showed how to do this in chapter 7, provided the browser is configured to listen to programmatic requests to the Privilege Manager, but let’s recap briefly here. Listing 13.18 shows the generic code for enabling the additional privileges required to read external resources.

Listing 13.18 Security Privilege Manager code

if(window.netscape && window.netscape.security.PrivilegeManager.enablePrivilege) netscape.security.PrivilegeManager.enablePrivilege(

'UniversalBrowserRead');

In listing 13.18, we check if we can access the Privilege Manager. If we can, we enable the UniversalBrowserRead privilege. We need to add this code in two separate places inside our ContentLoader object that handles the Ajax functionality.

The first place we need to add it is directly after the loadXMLDoc declaration, as shown in listing 13.19.

Listing 13.19 Code placement for loadXMLDoc

net.ContentLoader.prototype.loadXMLDoc = function( url,method,params,contentType){

if(window.netscape && window.netscape.security.PrivilegeManager.enablePrivilege) netscape.security.PrivilegeManager.enablePrivilege(

'UniversalBrowserRead');

536CHAPTER 13

Building stand-alone applications with Ajax

We also need to add it to our onReadyState function (listing 13.20).

Listing 13.20 Code placement for onReadyState

net.ContentLoader.onReadyState=function(){ if(window.netscape &&

window.netscape.security

.PrivilegeManager.enablePrivilege)

netscape.security.PrivilegeManager

.enablePrivilege('

UniversalBrowserRead');

Both of these functions interact with the data from the outside world. That is why we are required to add this functionality in both locations. When the script is executed, we will get a message prompt informing us of the request to change the security settings (figure 13.14).

If we simply click the Allow button at the prompt, the security prompt will still open every single time the function is accessed. To avoid this, click the “Remember this decision” checkbox. That way, the browser makes a note of your decision and allows the XMLHttpRequest to execute every time it is accessed without issuing the prompt.

With the security settings of the browser changed, we are able to make this application work off the desktop with Mozilla, Firefox, and Netscape. We can

Figure 13.14

The security prompt notifies the user about the request for access rights.