0

I have a resource from a third party vendor that serves through http protocol only. When I include a script tag like this...

<script src="http://example.com"></script>

I get a javascript variable with the JSON data, similar to this...

var data = {"total": "10", "results": [{"name": "Joe", "title": "developer"}, {"name": "Jane", "title": "engineer"}]};

I can then use the variable data in my page to output results, etc.

The problem is, I need to serve this data on a page over SSL (https) and I cannot make a resource request through http for an https page - meaning the <script/> include does not work.

As a solution I am requesting the resource from a server page, lets say data.cfm for example, then re-serving the JS variable through https from my server. So, in this case, I'd like a request to https://anotherserver.com/data.cfm to serve the same JS as http://example.com

<cfhttp result="myData" method="GET" charset="utf-8" url="http://example.com">
<cfoutput><pre>#myData.fileContent#</pre></cfoutput>

I should also note that the JSON data has HTML tags in it.

When I try to go to https://anotherserver.com/data.cfm I get the data, but it is not formatted correctly. For example, hyperlinks are active as hyperlinks.

I also tried using <cfdump> which returns the data as an unformatted string, but when I use the <script src="https://anotherserver.com/data.cfm"></script> tag I do not get the JS variable.

Update

With further testing, I found that if I just copy the data as text in 2 files: data.cfm and data.js the js file works as expected and the cfm file does not. This leads me to believe that the file extension is causing the resource to be read as html. So, it's really more of a Coldfusion question. How can I set the cfm file to be read as javascript by the browser? Is there some response header or metadata field that will accomplish this?

littlewolf
  • 173
  • 1
  • 2
  • 19
  • 1
    "I need to serve this data on a page over SSL (https) and I cannot make a resource request through http for an https page" This part doesn't make sense to me. What about serving your system via HTTPS prevents you from making requests to a resource served over HTTP? – Ken May 18 '17 at 16:46
  • @Ken http://stackoverflow.com/questions/28517391/allow-loading-http-resources-over-https – Vincent van der Weele May 18 '17 at 17:02
  • @VincentvanderWeele Yes, if you are loading a resource. He is loading from a script the returns a json object and then uses the data. Why not just request the object via AJAX? – Ken May 18 '17 at 17:05
  • Why note just download the JavaScript file and save it to your server (assuming you are free to do so). Then just serve the JS file from your server behind HTTPS. – Miguel-F May 18 '17 at 17:07
  • @Ken You cannot make cross origin ajax requests – littlewolf May 18 '17 at 17:22
  • @Miguel-F This is dynamic data which changes all the time. The third party service has some method that keeps their url data up to date - but it is only available over http – littlewolf May 18 '17 at 17:23
  • Have you tried returning the `fileContent` as JSON data? Something like this `#SerializeJSON(myData.fileContent)#` instead of this `
    #myData.fileContent#
    `.     – Miguel-F May 18 '17 at 17:31
  • @littlewolf Only if the source does not allow them. You can allow them. – Ken May 18 '17 at 17:59
  • @Miguel-F parsing error. It is a javascript variable declaration, not valid json – littlewolf May 18 '17 at 18:15
  • @Ken It's a third party server. I cannot allow them – littlewolf May 18 '17 at 18:15
  • @littlewolf Correct, now that you have specified that they are not allowing cross origin, you are correct that you cannot get the data via AJAX. – Ken May 18 '17 at 18:43
  • *but it is not formatted correctly* Load the data.cfm script in a browser. Do a view-source. What does the content look like and how does it differ from the original? Does `data.cfm` include a header indicating the response content-type is JSON? – Leigh May 18 '17 at 18:58

2 Answers2

1

I'll probably get creamed in negative votes for this. The correct thing to happen is you tell that service to enable https on their servers. A public facing web based service not using https is not acceptable.

Jules
  • 1,941
  • 15
  • 18
0

First of all if you are viewing the js and cfm files in the browser then js is going to show essentially as text output and cfm will be interpreted as html. This is due to mime types returned automatically by the web server or guessing done by the browser. This is why the cfm method looks different. However if you are pulling a url using a script tag it will be assumed to be javascript. If you do source code view on the cfm page it should look fine.

Secondly we would need more information to diagnose exactly what is causing the problem you are experiencing where a js file included vs a cfm file hosting the same info is resulting an error in the latter. My initial guess would be that more is going on here than we can see in your question and there is a javascript escaping issue. (edit: actually I see that some js code may make decisions based on content type so returning that could be the difference depending on how things are used)

Lastly, if you save exact output of the cfm file to a js file then you should be set. Pulling javascript from cfm file by way of script tags should have no issue. However to avoid any potential issues and also to add some caching you can save right to a static file. Caching will allow the file to only ever be pulled once in a time period (ex: once a minute). In your normal code you could add this...

<cfif not structKeyExists(application, "jsfilename_cachesaved") or application.jsfilename_cachesaved lt dateAdd("n", -1, now())>
    <cflock name="jsfileupdate" timeout="5">
        <cfif not structKeyExists(application, "jsfilename_cachesaved") or application.jsfilename_cachesaved lt dateAdd("n", -1, now())>
            <cfhttp result="myData" method="GET" charset="utf-8" url="http://example.com">
            <cffile action="write" file="#jsfilepath#" output="myData.fileContent" />
            <cfset application.jsfilename_cachesaved = now() />
        </cfif>
    </cflock>
</cfif>

(the double if statement is there to avoid unnecessary hits to lock and also unnecessary saves for users who hit the lock at the same time)

Dan Roberts
  • 4,664
  • 3
  • 34
  • 43