-6

I have one issue below:

Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://api.example.com/api/demo.php'. This request has been blocked; the content must be served over HTTPS.

It's work fine when request from 'https://example.com' to 'http://api.example.com/api/demo.php'

Cœur
  • 37,241
  • 25
  • 195
  • 267
Phan Thinh
  • 85
  • 1
  • 8

1 Answers1

4

This is a mixed content warning and is a bad practice. See below from mozilla

When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and hence safeguarded from sniffers and man-in-the-middle attacks.

If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted: the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, and therefore the connection is not safeguarded anymore. When a webpage exhibits this behavior, it is called a mixed content page.

You should either;

  • Modify to use the https endpoint or
  • proxy the request as https.
Jerome Anthony
  • 7,823
  • 2
  • 40
  • 31
  • Using a protocol-relative URL for the AJAX call (and any other resource) is one way to 'trivially fix' this issue. – user2864740 Sep 20 '15 at 05:36