Home/ Questions/Q 7968797
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T07:08:03+00:00

The following code works fine in Chrome, Firefox and Komodo Dragon. I’ts even a

  • 0

The following code works fine in Chrome, Firefox and Komodo Dragon. I’ts even a clean install of firefox (proving I’m not authenticated to FB or anything). It does not work in IE. Chrome, FF and dragon all result in an alert with a valid access_token. IE results in “Access Denied”. I’ve tried GET and POST, both have same results.

    function getWallPosts() {
        $.ajax({
            url: 'https://graph.facebook.com/oauth/access_token?client_id=<facebookid>&client_secret=<secretcode>&grant_type=client_credentials',
            type: 'POST',
            success: function (data) {
                alert(data)
            },
            error: function (a, b, c) {
                alert(a + ' ' + b + ' ' + c);
            }
        });
    };

EDIT: Additional Information*

I tried using XDomainRequest as recommended in the comments, however I still receive Access Denied in IE only. I believe this is the reason why:

http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

Requests must be targeted to the same scheme as the hosting page

This restriction means that if your AJAX page is at
http://example.com, then your target URL must also begin with HTTP.
Similarly, if your AJAX page is at https://example.com, then your
target URL must also begin with HTTPS.

It was definitely our intent to prevent HTTPS pages from making
XDomainRequests for HTTP-based resources, as that scenario presents a
Mixed Content Security Threat which many developers and most users do
not understand.

However, this restriction is overly broad, because it prevents HTTP
pages from issuing XDomainRequests targeted to HTTPS pages. While it’s
true that the HTTP page itself may have been compromised, there’s no
reason that it should be forbidden from receiving public resources
securely.

Worst of all, the Same Scheme restriction means that web developers
testing their pages locally using the file:// scheme will find that
all of the XDomainRequests are blocked because file:// doesn’t match
either http:// or https://, which are the only valid target schemes
(point #1). To workaround this issue, web developers must host their
pages on a local web server (e.g. IIS, the Visual Studio hosting
server, etc).

To workaround this limitation, you can build a
postMessage-Proxy-for-XDR.

The hosting package I have been provided does not include any SSL options. Does anyone else have any other ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The answer was making the ajax call to a server-side service, then having that service make the OAuth call. In my case, I used an asp.net ASMX service. It could also be PHP or anything. This is now working.

    • 0