Altova Mailing List Archives

Re: Access denied error using SERVERXMLHTTP

From: "juliemango@-------.---" <---------@-----------.---------.--->
Date: 1/5/2004 7:33:00 AM
Thanks for the info.

>-----Original Message-----
>Submitting non-encrypted form data via XMLHTTP or 
ServerXMLHTTP is
>essentially the same as submitting regular form data in a 
>fashion. What this means is that data submitted via 
XMLHTTP (or the Server
>equivalent in the case of the aforementioned article, 
820882) is simply
>passed via clear text using HTTP POST.
>So, in answer to your first question, one common way of 
encrypting the data
>is to use HTTPS. If your pages are HTTPS, the data you 
send will be
>In answer to your second question, it is a security risk 
if the data you are
>passing is sensitive. For example, if you were to pass 
social security
>numbers or such using XMLHTTP (or the Server equivalent), 
just as you would
>with a normal HTTP POST operation using forms, you would 
most likely want to
>encrypt this data using SSL.
>Finally, note that XMLHTTP uses the client's browser 
settings to determine
>if data will be passed on an unencrypted channel (and 
will deny access as
>appropriate), whereas ServerXMLHTTP (as of MSXML 4.0 SP2, 
per 820882) uses
>the server settings to determine this (and will also deny 
access as
>     Dave Beauchemin
>     Microsoft MVP, MCP
<anonymous@d...> wrote in
>message news:416201c3cfa8$611669a0$7d02280a@p......
>> According to MS Knowledgebase article Q820882 all that 
>> necessary is to enabled the "Submit nonencrypted form
>> data" Internet security option to allow the POST command
>> to function properly.
>> I have a few questions about this solution:
>> 1. If it is apparently possible to send nonencrypted 
>> data, how do I send ENCRYPTED form data?
>> 2.  What are the implications of enabling this option?  
>> I creating a security leak on my clients computer by
>> enabling this option?
>> Any comments, tips, Knowledgebase article numbers would 
>> appreciated.
>> Thanks.


These Archives are provided for informational purposes only and have been generated directly from the Altova mailing list archive system and are comprised of the lists set forth on Therefore, Altova does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content on the Altova Mailing List Archive(s), regardless of who originates that content. You expressly understand and agree that you bear all risks associated with using or relying on that content. Altova will not be liable or responsible in any way for any content posted including, but not limited to, any errors or omissions in content, or for any losses or damage of any kind incurred as a result of the use of or reliance on any content. This disclaimer and limitation on liability is in addition to the disclaimers and limitations contained in the Website Terms of Use and elsewhere on the site.