13

In our site certain pages use SSL, most pages however don't (as they need to be crawled by web bots).

It pretty much boils down to this: any page where the user is logged in, with a few exceptions, is under SSL.

But the user first has to log in from a non-HTTPS page (the login form is a form that drops down from the top of the screen on any page).

So,

How can I force the requests over ajax to use SSL?

Is this even secure?

Hailwood
    Since when do web crawlers not work over SSL? Googlebot / Bing index it just fine. – vcsjones Jun 20 '11 at 23:20
  • 1
    Well, SSL pages load slower. They should be crawlable just fine though – nzifnab Jun 20 '11 at 23:33
  • 1
    Use an iframe. I like iframes. They're cool, and they let you get around things like this. With an iframe you can do all that you have in mind to do. God bless the man who invented the iframe. – Magmatic Aug 27 '12 at 22:10

1 Answer

11

It violates JavaScript's same-origin policy, because it doesn't see the HTTPS URL as being from the same source as the HTTP URL. You can get around this by using JSONP or setting an Access-Control-Allow-Origin header in the response from the web service. Many web services will be set up to do this already.

Casey Rodarmor
nzifnab
  • 2
    This is an easily solved problem though, have the ajax javascript files comes from https. – James Black Jun 21 '11 at 01:34
  • Are you sure that works? If you're on `http:// www.mysite.com` with a form loaded on that page that is going to ajax-ly POST to `https:// www.mysite.com/login`, it works if your JS files are loaded from `https:// www.mysite.com/javascripts`? That...is interesting. I might have to try that next time I need to solve this problem. EDIT: stupid thing took out the http vs. https – nzifnab Jun 21 '11 at 16:15
  • As long as your ajax call goes to the same url as the source of the html then there is no issue, so if you want to go to an https:// site for the ajax call then serve the page from https://. I am not certain it needs to be done this way, but if there are errors when testing then just change the javascript to come from https. According to this article it shouldn't matter, which is why I didn't suggest this in my answer. http://bytes.com/topic/javascript/answers/459071-ajax-https – James Black Jun 22 '11 at 02:17
  • 1
    @James Er... ya but if you have a login form on every single page, but don't want to serve every single page over SSL because it slows down all requests, then what you're saying *won't* work, right? Performing a javascript call to https when on an http page. There's lots of pages that have you login over SSL while being on http; Facebook being one of them, and I have yet to see any of them do it with javascript. Soooo I don't really feel like that's a 'solution' – nzifnab Jun 22 '11 at 16:13
  • First, the browser caches the javascript pages, if the – James Black Jun 22 '11 at 16:52
  • Soooo... this is just wrong. You can serve headers on the login script that allow cross-domain access. You can even allow access for just your own domain. Then you can use HTTPS protocol on your AJAX request while on a page served over HTTP. I am not aware of the security concerns related to doing this, my guess is that man in the middle attacks will still be usable. – Jasper Jan 22 '14 at 17:40
  • @Jasper you are correct sir. I wrote this answer 3 years ago apparently. My knowledge has improved since. The technology you're referring to is called `CORS` - cross-origin resource sharing. And ya, as long as the server responds appropriately to `CORS` you can get these kinds of requests to succeed. – nzifnab Jan 22 '14 at 17:48
  • @nzifnab Yeah, this should probably be removed as an answer, or updated. I found it pretty high up in some Google results. If you remove it you'll get the Disciplined badge :) – Jasper Jan 22 '14 at 17:49
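As an added example (not code from the question, the answer or any of the commenters), the snippet below shows both halves of the arrangement the answer and the later comments settle on: why the browser treats the http:// page and the https:// login endpoint as different origins, what the login endpoint has to send back under CORS for the cross-scheme request to be allowed, and how the browser applies that header. The host names, the `ALLOWED_ORIGINS` allowlist and the function names are constructed for the illustration; `corsHeadersFor` is the server-side logic and `browserAllows` mimics the browser's check. It only addresses the same-origin error; as Jasper's comment notes, the form and its JavaScript still arrive over plain HTTP and can be altered in transit, which CORS does nothing about.

```javascript
// Added example, not from the original post. Host names are constructed placeholders.

// Two URLs share an origin only when scheme, host and port all match, so
// http://www.example.com and https://www.example.com are different origins
// even though the host is identical. `new URL` normalises default ports to "".
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Server side (the https:// login endpoint): CORS headers for a request that
// carries an Origin header. The origin is echoed back only if it is on an
// explicit allowlist. A wildcard "*" would let any site call the endpoint, and
// browsers refuse "*" anyway once cookies (credentials) are involved.
const ALLOWED_ORIGINS = new Set(['http://www.example.com', 'https://www.example.com']); // constructed

function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers: the browser hides the response from page script
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true', // lets the session cookie be sent and stored
    'Vary': 'Origin',                            // stops caches reusing one origin's answer for another
  };
}

// Browser side: the decision the same-origin policy makes when the cross-origin
// response comes back. `withCredentials` is true for a request sent with cookies.
function browserAllows(requestOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders['Access-Control-Allow-Origin'];
  if (!allowOrigin) return false;                         // no header: blocked
  if (allowOrigin === '*') return !withCredentials;       // wildcard never valid with cookies
  if (allowOrigin !== requestOrigin) return false;        // header names a different origin
  if (withCredentials && responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// Page side: describe the fetch() the drop-down login form would issue from an
// http:// page to the https:// endpoint. `credentials: 'include'` is what makes
// the browser attach and accept cookies cross-origin; a form-encoded body keeps
// this a "simple" request, so no OPTIONS preflight is needed.
function buildLoginRequest(endpoint, username, password) {
  return {
    url: endpoint,
    init: {
      method: 'POST',
      mode: 'cors',
      credentials: 'include',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ username, password }).toString(),
    },
  };
}

// Walk through the scenario from the question end to end.
function demo() {
  const pageOrigin = 'http://www.example.com';
  const endpoint = 'https://www.example.com/login';
  const req = buildLoginRequest(endpoint, 'alice', 'correct horse'); // constructed credentials
  const headers = corsHeadersFor(pageOrigin);                         // what the endpoint answers
  return {
    crossOrigin: !sameOrigin(pageOrigin + '/', endpoint),
    allowed: browserAllows(pageOrigin, headers, req.init.credentials === 'include'),
  };
}
```

In real deployment the `Origin` value passed to `corsHeadersFor` comes from the request header, and the returned object is written onto the HTTP response; the allowlist should contain only origins you actually serve the form from.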