28

Would there be any problems calling an HTTPS page (e.g. a credit card authorisation service i.e. WorldPay) from a standard HTTP page via AJAX?

I can't imagine why there would be a problem, the response would be an HTML page which I could then embed in a result pane or such like?

Duncan

2 Answers

27

Yes this would be a Cross domain posting and would be blocked by the browser.

AnthonyWJones
  • 3
    and the reason browsers do this is because if users see https:// in their address bar (along with the lock symbol or whatever depending on browser), they have a different expectation of security and privacy than if it is http://. In fact, if I was at your site and I was asked for credit card verification on a page that was http://, I would leave (even if the form or ajax involved used https). Even Verisign had a page set up this way once, but it is bad form... – jwl Jun 18 '09 at 14:06
  • Would it really be blocked though? http://domscripting.com/blog/display/91 Not saying it's a good idea - I agree with ferocious - but just need to be prepared! – Duncan Jun 18 '09 at 14:51
  • @Duncan: yes, it's highly unlikely the hacks suggested in that article would be supported by a site like WorldPay. The only sensible options are a secure server-to-server exchange or a framed form supplied directly from the payment site (à la the VISA verification thing that is quite common these days). – AnthonyWJones Jun 18 '09 at 15:31
  • 5
    I understand the problem when requesting HTTP content in an HTTPS context, but the other way round I think it wouldn't pose a security problem. – mikezter Aug 05 '11 at 15:10
  • 1
    Yes, I don't understand the insecurity of requesting HTTPS from HTTP. Only thing I can think of is the potential for the requested URL to include non-SSL requests and not also be validated. So no workaround? – FlavorScape Jul 16 '13 at 00:41
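
The origin comparison behind the first answer, as an added example that is not part of the original thread: a request from an HTTP page to an HTTPS URL is cross-origin even when the host is the same, because scheme and port are part of the origin. The hostnames `shop.example` and `payments.example` are constructed placeholders and `classifyRequest` is a hypothetical helper.

```javascript
// Added example: origin comparison as browsers define it (scheme, host, port).
// All URLs are constructed placeholders, not real endpoints.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple with the default port made explicit.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Classify a scripted request (XMLHttpRequest) from pageUrl to targetUrl.
function classifyRequest(pageUrl, targetUrl) {
  const page = originTuple(pageUrl);
  const target = originTuple(targetUrl);
  // List every component of the origin tuple that does not match.
  const differs = ["scheme", "host", "port"].filter((k) => page[k] !== target[k]);

  if (differs.length === 0) {
    return { sameOrigin: true, differs, note: "same origin: script may read the response" };
  }
  if (page.scheme === "https:" && target.scheme === "http:") {
    return { sameOrigin: false, differs, note: "cross-origin and mixed content" };
  }
  return {
    sameOrigin: false,
    differs,
    note: "cross-origin: response not readable unless the target opts in via CORS",
  };
}

// Constructed sample cases: the question's scenario, a third-party payment
// host, and a same-origin endpoint on the page's own server.
const PAGE = "http://shop.example/checkout";
for (const target of [
  "https://shop.example/authorise",
  "https://payments.example/authorise",
  "http://shop.example:80/proxy",
]) {
  const r = classifyRequest(PAGE, target);
  console.log(`${target} -> ${r.note} (differs: ${r.differs.join(", ") || "nothing"})`);
}
```

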
5

Anthony is right, but what you could do is create a local page the AJAX calls and that communicates with the HTTPS service via cURL or something else and returns. That way everything is done locally according to JavaScript.

Ólafur Waage
  • 11
    Of course, since (in this case) this would involve credit card details being sent across the network in the clear, you absolutely should not do this. – Quentin Jun 18 '09 at 14:15