
I have code that uses Microsoft's XDomainRequest object in IE8. The code looks like this:

var url = "http://<host>/api/acquire?<query string>";
var xdr = new XDomainRequest();   // IE8's cross-domain object (IE8 has no CORS-capable XMLHttpRequest)
xdr.onload = function () {
    // "$.(" was a typo; jQuery's selector function is "$(...)"
    $("#identifier").text(xdr.responseText);
};
xdr.open("GET", url);             // throws "Access denied" in IE8 when url is https:// and the page is http://
xdr.send();

When the scheme in "url" is "http://" the command works fine. However, when the scheme is "https://" IE8 gives me an "Access denied" JavaScript error. Both schemes work fine in FF 3.6.3, where I am, of course, using XmlHttpRequest. With both browsers I am complying with W3C Access Control. "http://" works cross origin for both browsers. So the problem is with IE8, XDomainRequest, and SSL.

The SSL certificate is not the problem. If I type https://<host>/ into the address bar of IE8, where <host> is the same as in "url" above, the page loads fine.

So we have the following:
- hitting https://<host>/ directly from the browser works fine;
- hitting https://<host>/api/acquire?<query string> via XDomainRequest is not allowed.

Can it be done? Am I leaving something out?


1 Answer


Apparently, the answer is here: Link

Point 7 on this page says, "Requests must be targeted to the same scheme as the hosting page."

Here is some of the supporting text for point 7:

"It was definitely our intent to prevent HTTPS pages from making XDomainRequests for HTTP-based resources, as that scenario presents a Mixed Content Security Threat which many developers and most users do not understand.

However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely."

It would appear at present that the answer to my original question is: YES, if the hosting page can use the "https://" scheme; NO, if it cannot.

    fwiw, I'm having issues with XDR requests to https URLs, even when the hosting page is also served via https (and the requested domain is a subdomain of the hosting page.) 'Works when I use http for both, however. – broofa Aug 21 '12 at 16:40
    I too have had no luck with XDR using https, even when the requesting page is also https. It simply trips the `onerror` event (a callback which is helpfully given zero information). I'm communicating between two virtual hosts on my development computer & have begun to wonder if that has anything to do with it (self-signed certificate?). – Seth Bro Aug 22 '12 at 17:56
  • @SethBro yeah, I am also wondering about a self-signed certificate in a project I'm currently working on. – Randy L May 01 '13 at 02:25
  • If you use an invalid certificate (self-signed and not trusted) then yes, XDR will immediately fail the connection. – EricLaw Aug 15 '13 at 20:56
  • @EricLaw if it's self-signed but trusted internally, does that constitute an invalid certificate? – Greg Nov 21 '13 at 15:45
  • If the certificate is properly trusted, within its validity period, and bears the proper SubjectCN hostname, it will be treated as valid. – EricLaw Nov 26 '13 at 18:13
  • So happy to find this post, so thanks. The "Access Denied" error message is pretty vague. – Carlton Oct 16 '14 at 08:29
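The scheme rule quoted in the answer ("requests must be targeted to the same scheme as the hosting page"), turned into an explicit pre-flight check so a page can report why a request will be refused instead of catching a bare "Access denied" at `xdr.open()`. This is an added example, not code from the original question or answer. The helper names (`schemeOf`, `xdrAllows`, `chooseTransport`, `acquire`), the `caps` capability object and the `example.com` hosts are assumptions for illustration; the hosting-page URL and the capability flags are passed in explicitly so the decision logic runs outside a browser, whereas in IE8 `acquire` reads them from `location.href` and feature detection.

```javascript
// Added example (not from the original question or answer): models the
// XDomainRequest same-scheme rule as a pre-flight check and picks a transport.

function schemeOf(url) {
  // Lowercased scheme of an absolute URL ("http", "https"), or null if the URL
  // is relative or malformed. IE8 has no URL constructor, so a regex is used.
  var m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(String(url));
  return m ? m[1].toLowerCase() : null;
}

function xdrAllows(hostingPageUrl, targetUrl) {
  // Returns {allowed, reason} for an XDomainRequest from hostingPageUrl to targetUrl.
  var page = schemeOf(hostingPageUrl);
  var target = schemeOf(targetUrl);
  if (!page || !target) {
    return { allowed: false, reason: "both URLs must be absolute http(s) URLs" };
  }
  if (target !== "http" && target !== "https") {
    return { allowed: false, reason: "XDomainRequest only targets http or https, got " + target };
  }
  if (page !== target) {
    // The case from the question: an http:// page targeting an https:// API.
    return { allowed: false,
             reason: page + " page cannot issue an XDomainRequest to a " + target + " resource" };
  }
  return { allowed: true, reason: "same scheme (" + page + ")" };
}

function chooseTransport(hostingPageUrl, targetUrl, caps) {
  // caps = { corsXhr: bool, xdr: bool } (an assumed shape), normally derived from
  //   corsXhr: "withCredentials" in new XMLHttpRequest()
  //   xdr:     typeof XDomainRequest !== "undefined"
  // Prefer a CORS-capable XMLHttpRequest, which has no same-scheme rule; fall
  // back to XDomainRequest only when its scheme rule is satisfied.
  if (caps.corsXhr) {
    return { transport: "xhr", reason: "CORS-capable XMLHttpRequest available" };
  }
  if (caps.xdr) {
    var verdict = xdrAllows(hostingPageUrl, targetUrl);
    return verdict.allowed
      ? { transport: "xdr", reason: verdict.reason }
      : { transport: null, reason: verdict.reason };
  }
  return { transport: null, reason: "no cross-origin transport available" };
}

function acquire(targetUrl, onSuccess, onFailure) {
  // Browser-side glue: reads the real capabilities and either sends the request
  // or reports the reason up front. Outside a browser it reports "no transport".
  var hasXhr = typeof XMLHttpRequest !== "undefined";
  var caps = {
    corsXhr: hasXhr && ("withCredentials" in new XMLHttpRequest()),
    xdr: typeof XDomainRequest !== "undefined"
  };
  var pageUrl = typeof location !== "undefined" ? location.href : "";
  var choice = chooseTransport(pageUrl, targetUrl, caps);
  if (choice.transport === "xhr") {
    var xhr = new XMLHttpRequest();
    xhr.onload = function () { onSuccess(xhr.responseText); };
    xhr.onerror = function () { onFailure("XMLHttpRequest failed (CORS headers or network)"); };
    xhr.open("GET", targetUrl, true);
    xhr.send();
  } else if (choice.transport === "xdr") {
    var xdr = new XDomainRequest();
    xdr.onload = function () { onSuccess(xdr.responseText); };
    // XDR's onerror carries no detail; per the comments above, an untrusted
    // certificate also lands here.
    xdr.onerror = function () {
      onFailure("XDomainRequest failed (no detail; check certificate trust and Access-Control-Allow-Origin)");
    };
    xdr.open("GET", targetUrl);
    xdr.send();
  } else {
    onFailure(choice.reason);
  }
  return choice;
}
```

Note that passing the scheme check is necessary but not sufficient for IE8: the server must still send `Access-Control-Allow-Origin`, and, as the comments above state, a certificate that is not trusted, expired or issued for the wrong hostname makes XDR fail the connection with nothing more than `onerror`.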