3

I'd like to make a web service call from http://www.somedomain.com to https://www.somedomain.com

Without going to the trouble of setting up a test, could someone confirm if this will be considered the same origin?

My assumption is that this will be fine, seeing as cookies are shared successfully in this situation.

ScottE

2 Answers

5

No, it won't work; the URL needs the same domain and the same protocol. See http://en.wikipedia.org/wiki/Same_origin_policy

red-X
3

No, it is not same origin.

Perhaps you can configure your server to accept either http or https calls? If this is the case, you can use protocol-relative URLs to make your requests use whatever protocol you are already using.

reqUrl = "//www.somedomain.com"

By the way, it is usually not correct to make an https call from an http page. The initial http page makes you lose all security the https would give, since there is no way to authenticate that the page has been served correctly and is running the intended scripts instead of something evil.

hugomg
  • where did you get your information for the second part of your answer? http://stackoverflow.com/questions/3978354/is-a-post-from-http-to-https-secure – ScottE Nov 11 '11 at 13:10
  • The thing is that if the original page is HTTP the user has no guarantee that he is using the correct page you sent him instead of an evil page sent by a third party. – hugomg Nov 11 '11 at 13:14
  • If you are already on an unsecure page and then access a secure page from it, I really don't see how that makes things any worse than they already are. Worse than that, your solution (which is a perfectly good one), abandons security altogether - surely that's no better. The same-origin policy might make sense in most cases, but this is not one of them. – Arnon Weinberg Jun 25 '15 at 06:42
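The origin comparison discussed in the answers above, as an added example that is not part of any post in this thread. It resolves a request URL against the page URL the way a browser would (so a protocol-relative `//host` inherits the page's scheme) and reports which parts of the (scheme, host, port) tuple differ. The function names and the `/page` and `/service` paths are made up for illustration.

```javascript
// Added example: an origin is the tuple (scheme, host, port).
// The URL parser drops default ports, so restore them for the comparison.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Hypothetical helper: resolve `url` against `base` and return its origin tuple.
function originTuple(url, base) {
  const u = new URL(url, base);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Hypothetical helper: compare a page and a request it wants to make.
function explain(pageUrl, requestUrl) {
  const page = originTuple(pageUrl);
  const req = originTuple(requestUrl, pageUrl); // relative forms resolve against the page
  const differs = ["scheme", "host", "port"].filter((k) => page[k] !== req[k]);
  return {
    resolved: new URL(requestUrl, pageUrl).href,
    sameOrigin: differs.length === 0,
    differs,
  };
}

// Constructed sample inputs based on the host name used in the question.
const cases = [
  ["http://www.somedomain.com/page", "https://www.somedomain.com/service"],
  ["http://www.somedomain.com/page", "//www.somedomain.com/service"],
  ["https://www.somedomain.com/page", "//www.somedomain.com/service"],
  ["https://www.somedomain.com/page", "https://www.somedomain.com:443/service"],
];

for (const [page, req] of cases) {
  const r = explain(page, req);
  console.log(`${page} -> ${req}`);
  console.log(`  resolved:    ${r.resolved}`);
  console.log(`  same origin: ${r.sameOrigin}` +
    (r.differs.length ? ` (differs in: ${r.differs.join(", ")})` : ""));
}
```

The http-to-https case differs in both scheme and effective port (80 versus 443), while the protocol-relative form stays same-origin only because it takes on whatever scheme the page was loaded with.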