
I have a device on the local network which serves data using an API over HTTP, and a web application that is hosted on a secure (SSL, HTTPS) internet web server.

Because the web application is accessed via HTTPS, it cannot perform AJAX calls directly to the device via HTTP.

I thought about two workarounds, but I'm interested to see if I'm missing something:

Option 1 - Flash - Write a Flash component that will do the communication with the device over HTTP, as Flash is not restricted by the browser to secure communication only. The downside of this option is that whoever uses the site will have to have Flash installed.

Option 2 - new window - Open a new window using the 'window.open' command, passing it the HTML+script via a parameter (similar to this SO). This window is considered non-secure and can communicate with the device over HTTP. The downside of this option is that the user loses the context of the app, and that the new window could possibly be blocked by popup blockers.

Are there any other options I'm missing? (Unfortunately, opening an HTTPS server on the device is not possible.)

avivr

1 Answer


Because of mixed content, it's impossible in many browsers; such requests are blocked. You have to choose:

  • serve your internet site over HTTP
  • use HTTPS on the local site. If this site is part of your application, then the application creates a self-signed certificate and sends a signing request (google for SCEP) to your own Certificate Authority (CA) over the internet. Sign the certificate with your CA and send the signed certificate back to the application. To avoid the browser's security warning, your application installs your CA's certificate as a Trusted Root on the local machine. Then a subscriber visiting your website can access his localhost data from the same page (on the internet site) without any security warning about a bad SSL certificate in the browser.
Denis Kalinin
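
The certificate flow described in the answer above, as an added example that is not part of the original answer: a private CA signs a request generated on the device side, and the result is checked the way a client trusting that CA would check it. It runs the signing locally with `openssl` rather than over SCEP, and the names `Example Device CA`, `device.local` and `192.168.1.50` are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders: "Example Device CA", device.local, 192.168.1.50.

write_pki_config() {    # $1 = working directory
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_device]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:device.local, IP:192.168.1.50
EOF
}

issue_device_cert() {   # $1 = working directory
    d=$1
    write_pki_config "$d" || return 1
    # CA side: root key and self-signed root certificate. Only ca.crt is
    # installed as a trusted root on clients; ca.key never leaves the CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$d/pki.cnf" -extensions v3_ca -subj "/CN=Example Device CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Device side: private key stays on the device, only the CSR is sent out.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$d/pki.cnf" -subj "/CN=device.local" \
        -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null || return 1
    # CA side: sign the CSR; the SAN is set by the CA, not copied from the CSR.
    openssl x509 -req -in "$d/device.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 397 \
        -extfile "$d/pki.cnf" -extensions v3_device \
        -out "$d/device.crt" 2>/dev/null
}

verify_device_cert() {  # $1 = working directory, $2 = name the browser connects to
    # Succeeds only if the chain ends at ca.crt and the SAN covers the name.
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/device.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
issue_device_cert "$work" && verify_device_cert "$work" device.local \
    && echo "device.local: chain and name verified against ca.crt"
```

A root installed as trusted on a client machine can vouch for any site on that machine, so the security of this setup rests on how `ca.key` is stored and who can use it to sign.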