Friday, August 29, 2014

CORS XMLHttpRequest in IE10 and newer: "access is denied" caused by Sarissa/Richfaces

If you receive the message "access is denied" when using a CORS XMLHttpRequest in IE10 and newer when using JSF/Richfaces 3.x or Sarissa alone, it is most likely that Sarissa has overridden your window.XMLHttpRequest object.

From the latest Sarissa source code:

if (Sarissa._SARISSA_IS_IE) {
    // commenting the condition out; we need to redefine XMLHttpRequest 
    // anyway as IE7 hardcodes it to MSXML3.0 causing version problems 
    // between different activex controls 

    Sarissa.originalXMLHttpRequest = window.XMLHttpRequest;

     * Emulate XMLHttpRequest
     * @constructor
    XMLHttpRequest = function() {
            _SARISSA_XMLHTTP_PROGID = Sarissa.pickRecentProgID(["Msxml2.XMLHTTP.6.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP"]);
        return new ActiveXObject(_SARISSA_XMLHTTP_PROGID);

As you can see, the original method is still available as Sarissa.originalXMLHttpRequest = window.XMLHttpRequest;. I tried adding a condition to prevent Sarissa from creating its own request when an HTML5 XMLHttpRequest2 is available. Sadly, this breaks Richfaces/a4j because of some invalid property being set. I guess this can be fixed too, but I did not have time to dig further. So the easiest workarround now is to use new Sarissa.originalXMLHttpRequest() instead of new window.XMLHttpRequest() if Sarissa.originalXMLHttpRequest is defined.

A note for Richfaces 3.3.3: In my case, the newest Sarissa version was included after the one from Richfaces to fix, so I had to backup the original request manually before loading Sarissa a second time as it would have been overridden twice and the old Sarissa request would have erased the original window.XMLHttpRequest backup.

Edit (some days later): I modified Sarissa to leave IEs greater than 9 completely alone and patched the richfaces jar. The newer IEs seem to work fine with RF this way as they support the majority of APIs by their own. Feel free to comment if further information is wanted.