|
 |
 |
 |
|
Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms
of Use |
Trademarks
XMLHTTP call fails for URLs with embedded user credentials| Article ID | : | 832414 | | Last Review | : | December 26, 2006 | | Revision | : | 11.5 |
Note The update that is described in this article is superseded by the
update that is described in the following Microsoft Knowledge Base article:
887606 (http://kbalertz.com/Feedback.aspx?kbNumber=887606/) MSXML uses cached credentials incorrectly
SYMPTOMSYou make XMLHTTP calls with the following formats:
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
false, "", "");
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
false, "someone", "passwd");
Xmlhttp.open("GET",
"http://www.northwindtraders.com/default.asp",
false, "someone", "mypass");
The call fails, and you receive the following error message: Invalid Syntax Error However, the following call is
successful: Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "", ""); Back to the top
CAUSEThe Microsoft Internet Explorer security update that is
described in the following Microsoft Knowledge Base article bans URLs with
embedded user credentials: 832894 (http://kbalertz.com/Feedback.aspx?kbNumber=832894/) MS04-004: Cumulative Security Update for Internet Explorer . Back to the top MORE INFORMATIONEven after you apply the fix that is provided in this
article, XMLHTTP calls with URLs in the following formats still fail. Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
false);
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
false, "someone", "passwd");
You must apply the fix, and you must also change the URL to the
following format. Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "someone", "mypass");Back to the top RESOLUTIONA supported fix is now available from Microsoft. This fix
will only enable the scenario where user credentials are passed as parameters
in the Open() method call. This fix will not enable scenarios where the user
credentials are embedded in the URL. Note This fix is only for the following versions of the Microsoft XML
Parser (MSXML):
| • | Microsoft XML 2.6 | | • | Microsoft XML 3.0 Service Pack 2 | | • | Microsoft XML 3.0 Service Pack 3 | | • | Microsoft XML 3.0 Service Pack 4 | | • | Microsoft XML 4.0 Service Pack 2 |
For additional information about how to obtain the
updated files and for additional details, click the following article number to
view the article in the Microsoft Knowledge Base: 887606 (http://kbalertz.com/Feedback.aspx?kbNumber=887606/)
MSXML uses cached credentials incorrectly
Back to the top WORKAROUNDTo work around this problem, use the following format. Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "", "");Back to the top STATUSMicrosoft has confirmed that the scenario where user
credentials are passed as parameters in the Open() method call and are not embedded in the URL, is a problem in the
Microsoft products that are listed in the "Applies to" section. Back to the top REFERENCESFor additional information, see the following Microsoft
Security Bulletin:
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
834489 (http://kbalertz.com/Feedback.aspx?kbNumber=834489/)
Internet Explorer does not support user names and passwords in Web site addresses (HTTP or HTTPS URLs)
887606 (http://kbalertz.com/Feedback.aspx?kbNumber=887606/) MSXML uses cached credentials incorrectly
269238 (http://kbalertz.com/Feedback.aspx?kbNumber=269238/) INFO: Version List of the Microsoft XML Parser
278674 (http://kbalertz.com/Feedback.aspx?kbNumber=278674/) Determine the Version of MSXML Parser Installed on a Computer
The example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, places, or events is
intended or should be inferred. Back to the top
APPLIES TO| • | Microsoft XML Parser 2.6 | | • | Microsoft XML Parser 3.0 | | • | Microsoft XML Core Services 4.0 |
Back to the top | kbfix kbbug kbsecvulnerability kbsecbulletin kbsecurity kbhotfixserver kbqfe KB832414 |
Back to the top 
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
Be the first to leave feedback, to help others about this knowledge base
article.
(Optional) Name
(Optional)
Public URL Or Email
Comments
No
HTML -- Text Only Please
|
|
 |
|
 |
|
|
|
| |