Ajax using https on an http page

Question

My site uses http and https protocol; it doesn't affect the content. My site uses jQuery ajax calls, which fills some areas on the page, too.

Now, I would like to do all ajax calls over https. (please dont ask me why :)) When I am on a page with https protocol, ajax requests are working. When I'm on a page with http protocol, I get a javascript error: Access to restricted URI denied

I know that this is a cross domain problem (in fact, it's a cross protocol problem), and I know that I should use the same protocol in ajax calls as on the current page.

Still, I want to all ajax calls to be https, and call them on a page that was served over http. Is there any workaround to achieve this (some json/proxy solution?), or is it simply impossible?

For example for a more dynamical checkout form which is connecting to a payment gateway like paypal in the background so people can see what is happening.. Just one of more possibilities — kentor, Feb 05 '15 at 22:00

score 58 · Answer 1 · answered May 10 '11 at 17:04

58

Add the Access-Control-Allow-Origin header from the server

Access-Control-Allow-Origin: https://www.mysite.com

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing

answered May 10 '11 at 17:04

DalSoft

10,673
3
42
55

7

Great respond - but not supported by some used browsers like Opera (not at all) and Internet Explorer (supported since version 8) http://caniuse.com/#search=cors – SimonSimCity Sep 27 '11 at 12:08
1

Seems like Opera supports it now: http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing#Browser_support Only not Opera Mini though... – gitaarik Mar 05 '14 at 11:07

score 11 · Answer 2 · answered Jul 09 '09 at 19:58

11

Try JSONP.

most JS libraries make it just as easy as other AJAX calls, but internally use an iframe to do the query.

if you're not using JSON for your payload, then you'll have to roll your own mechanism around the iframe.

personally, i'd just redirect form the http:// page to the https:// one

answered Jul 09 '09 at 19:58

Javier

60,510
8
78
126

1

hmm i have tried jquery .ajax with jsonp:'jsonp_callback' option set, but still same js error. – user135863 Jul 09 '09 at 20:18
maybe you have to add the callback parameter in the URL – Javier Jul 10 '09 at 03:47
@user135863 Does the endpoint you're sending the query to *support* JSONP in the first place? – Daisy Leigh Brenecki Jan 02 '14 at 03:49
1

For the sake of my sanity I'm going to go with your last option... Simple redirect to `https:` – Dzeimsas Zvirblis May 13 '16 at 20:04

score 9 · Answer 3 · edited May 11 '12 at 13:01

9

http://example.com/ may resolve to a different VirtualHost than https://example.com/ (which, as the Host header is not sent, responds to the default for that IP), so the two are treated as separate domains and thus subject to crossdomain JS restrictions.

JSON callbacks may let you avoid this.

edited May 11 '12 at 13:01

mit

11,083
11
50
74

answered Jul 09 '09 at 19:24

ceejayoz

176,543
40
303
368

dead link on JSON callbacks :( – Kubie Jul 08 '19 at 21:42
@Kubie This answer is ten years old tomorrow, and broken links are why we ask that questions include enough information to survive one. – ceejayoz Jul 09 '19 at 00:16
just noticed the 10 years ha... and yes good point. Its okay, will google around for this one & edit answer if I find anything – Kubie Jul 09 '19 at 00:29

score 4 · Answer 4 · answered Jul 22 '10 at 20:11

Check out the opensource Forge project. It provides a JavaScript TLS implementation, along with some Flash to handle the actual cross-domain requests:

http://github.com/digitalbazaar/forge/blob/master/README

In short, Forge will enable you to make XmlHttpRequests from a web page loaded over http to an https site. You will need to provide a Flash cross-domain policy file via your server to enable the cross-domain requests. Check out the blog posts at the end of the README to get a more in-depth explanation for how it works.

However, I should mention that Forge is better suited for requests between two different https-domains. The reason is that there's a potential MiTM attack. If you load the JavaScript and Flash from a non-secure site it could be compromised. The most secure use is to load it from a secure site and then use it to access other sites (secure or otherwise).

score 2 · Answer 5 · answered Jul 09 '09 at 19:22

2

You could attempt to load the the https page in an iframe and route all ajax requests in/out of the frame via some bridge, it's a hackaround but it might work (not sure if it will impose the same access restrictions given the secure context). Otherwise a local http proxy to reroute requests (like any cross domain calls) would be the accepted solution.

answered Jul 09 '09 at 19:22

Quintin Robinson

81,193
14
123
132

2

After reading this thread, I'd stick with JSONP http://www.dslreports.com/forum/r21425467-IFrame-With-HTTPS-on-HTTP-Page – JGFMK Feb 17 '11 at 14:13
This can be done, but be sure to set P3P headers if you need sessions cookies from the iFrame... otherwise MSE will say "nu uh uh" – srquinn May 24 '13 at 18:10

score 2 · Answer 6 · answered Sep 12 '11 at 13:51

2

Here's what I do:

Generate a hidden iFrame with the data you would like to post. Since you still control that iFrame, same origin does not apply. Then submit the form in that iFrame to the ssl page. The ssl page then redirects to a non-ssl page with status messages. You have access to the iFrame.

answered Sep 12 '11 at 13:51

kjv

1,057
9
6

This can be done, but be sure to set P3P headers if you need sessions cookies from the iFrame... otherwise MSE will say "nu uh uh" – srquinn May 24 '13 at 18:09

Ajax using https on an http page

6 Answers6

Linked

Related