From 1b6cf934746c21623ce7372962e53cb0bcfefd81 Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Thu, 29 Aug 2013 16:13:13 -0400 Subject: [PATCH 1/2] Graceful handling of IE cross-domain AJAX failures Prior to IE 10, XmlHttpRequest cannot be used for requests to a different origin even when the target URL's CORS headers would allow access (see http://caniuse.com/#feat=cors). This is easy to miss in testing if you use a single origin during testing but have a CDN or domain-sharding for production and will break the error handler function passed to makeAjaxRequest() if that code assumes it can access properties on the request object. This adds a more informative pointer to Microsoft's documentation when a security exception is raised. --- src/openseadragon.js | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/openseadragon.js b/src/openseadragon.js index e5913772..e2743779 100644 --- a/src/openseadragon.js +++ b/src/openseadragon.js @@ -1345,7 +1345,25 @@ window.OpenSeadragon = window.OpenSeadragon || function( options ){ request.open( "GET", url, true ); request.send( null ); } catch (e) { - $.console.log( "%s while making AJAX request: %s", e.name, e.message ); + var msg = e.message; + + /* + IE < 10 does not support CORS and an XHR request to a different origin will fail as soon + as send() is called. This is particularly easy to miss during development and appear in + production if you use a CDN or domain sharding and the security policy is likely to break + exception handlers since any attempt to access a property of the request object will + raise an access denied TypeError inside the catch block. + + To be friendlier, we'll check for this specific error and add a documentation pointer + to point developers in the right direction. We test the exception number because IE's + error messages are localized. + */ + var oldIE = $.Browser.vendor == $.BROWSERS.IE && $.Browser.version < 10; + if ( oldIE && typeof( e.number ) != "undefined" && e.number == -2147024891 ) { + msg += "\nSee http://msdn.microsoft.com/en-us/library/ms537505(v=vs.85).aspx#xdomain"; + } + + $.console.log( "%s while making AJAX request: %s", e.name, msg ); request.onreadystatechange = function(){}; From baa3559df187b74fdd54caff87eddef2d8bb132b Mon Sep 17 00:00:00 2001 From: Chris Adams Date: Thu, 29 Aug 2013 16:15:52 -0400 Subject: [PATCH 2/2] Graceful handling of cross-domain tilesource failures on IE<10 The TileSource error handling path used to raise non-obvious "Unspecified error" exceptions on IE < 10 when configured with a URL from a different origin (hostname or port) because the handler included ``xhr.status`` in the error message, triggering a security exception. Now the second exception is caught and the log message will use the original exception message instead to make the root cause more obvious. --- src/tilesource.js | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/src/tilesource.js b/src/tilesource.js index fb22b21c..e1529b3f 100644 --- a/src/tilesource.js +++ b/src/tilesource.js @@ -320,9 +320,29 @@ $.TileSource.prototype = { $.makeAjaxRequest( url, function( xhr ) { var data = processResponse( xhr ); callback( data ); - }, function ( xhr ) { + }, function ( xhr, exc ) { + var msg; + + /* + IE < 10 will block XHR requests to different origins. Any property access on the request + object will raise an exception which we'll attempt to handle by formatting the original + exception rather than the second one raised when we try to access xhr.status + */ + try { + msg = "HTTP " + xhr.status + " attempting to load TileSource"; + } catch ( e ) { + var formattedExc; + if ( typeof( exc ) == "undefined" || !exc.toString ) { + formattedExc = "Unknown error"; + } else { + formattedExc = exc.toString(); + } + + msg = formattedExc + " attempting to load TileSource"; + } + _this.raiseEvent( 'open-failed', { - message: "HTTP " + xhr.status + " attempting to load TileSource", + message: msg, source: url }); });