10

I am working on a project which is written in javascript. I can see that for requesting, XMLHttpRequest object has been created.

It is working fine for "http" requests but fails for "https". Since I am debugging it in the Development environment, I just want to know how to ignore self-signed certificate in XmlHttpRequest objects?

While searching I have found this, 

httpreq = new ActiveXObject("Msxml2.ServerXMLHTTP.3.0");
httpreq.setOption(2, 13056);

But the answer is not working for morden browsers like Microsoft edge, chorme...

I have also found this, and it clearly says the setOption() can be used for ignoring ssl certificates.

One difference I can see in my code is that I an creating the httpreq using:

httpreq = new xmlhttprequest();//This is for chorme and Firefox

So is there any way I can ignore self-signed certificates in XmlHttpRequest?

Pranay Deep
  • 1,371
  • 4
  • 24
  • 44

2 Answers2

3

The Bad News:

There is no way to accomplish this with XmlHttpRequest directly. This is logical as SSL needs to be secure on the web as any ability to disable it would present a major security risk.

You are also right that setOption is not a standard/modern method under XmlHttpRequest.

The Good(ish) News:

What you can do is accomplish this via a trusted/properly configured proxy, with the example below as a Node/Express server configured to allow the insecure SSL connection:

$router.get("/", (oRequest, oResponse) => {
    $nonStrictSSLRequest = require('request').defaults({strictSSL: false});
    
    $nonStrictSSLRequest(
        { url: "https://192.168.1.2:8080/api/apiVer" },
        function (err, oAPIResponse, sBody) {
            oResponse.status(200).json(JSON.parse(sBody));
        }
    );
});

I had to do this to support RainMachine's (stupid HTTPS only) self signed certificates.

Campbeln
  • 2,880
  • 3
  • 33
  • 33
3

If you are developing on Chromium based browser, you can use flag --ignore-certificate-errors. Always pass also --user-data-dir to prevent affecting of your main secure profile. Use this only as last resort and only during local development, as this completely ignores all SSL errors. --ignore-certificate-errors is undocumented flag, which can be removed from chromium at any time.

Chromium Linux:

chromium-browser --ignore-certificate-errors --user-data-dir=~/chromium_dev_session

Chrome Windows:

"C:\Program Files\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --user-data-dir="c:/chrome_dev_session"

Chromium XHR test with --ignore-certificate-errors

Bedla
  • 4,789
  • 2
  • 13
  • 27