
I need to make an asynchronous call to a secure (HTTPS) URL for the same domain.

Currently the page is working with regular HTTP (non-secure).

In other words: this is calling a URL in the same domain but using HTTPS.

Before switching these calls to HTTPS, I ended up implementing a server-side proxy to allow cross-domain AJAX calls, but now I'm facing the same-origin policy, since HTTP and HTTPS are considered different origins too. So this proxy is unusable.

Summary: how to do cross-domain, asynchronous POST requests in this scenario?

Various notes:

  • I couldn't accept any answer suggesting JSONP. Asynchronous calls must use the POST verb.
  • I'm using the latest version of jQuery. The answer could be based on this library, or any other that solves this problem.
  • Accessing the entire page over HTTPS isn't a solution.
  • Server platform is Microsoft .NET 4.0 (ASP.NET 4.0).
  • UPDATE: CORS isn't an option. There's no wide support for this in modern browsers.
Matías Fidemraizer

4 Answers


First of all, I've +1 both questions from @missingo and @PiTheNumber.

After spending a lot of hours, I've arrived at the conclusion that I'm going to switch the entire page to HTTPS. That's because:

  • Most modern browsers support CORS, but Internet Explorer, starting from the 8th version, has a proprietary implementation (the XDomainRequest object), which may be disabled on some computers (mine had cross-domain requests disabled by default in the Internet security zone).
  • Opera doesn't support CORS. The 12th version will support it, but this isn't an option, as users would have to adopt this new version first, and this won't happen in 2 days.
  • I need to do cross-domain requests, since the Web client application must request a RESTful service layer located in another domain. No way.
  • Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).

Thanks anyway, because both answers have helped me a lot in arriving at this conclusion.

UPDATE

@Sam has added a comment that could be interesting for anyone. It's about how to get CORS in Internet Explorer 8 and 9 (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

Matías Fidemraizer
  • For anyone wanting to support IE8 and IE9 with cross origin requests from HTTP to HTTPS, there is a workaround using the postMessage API described by Microsoft here (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx – Sam Dec 18 '12 at 18:26
  • @Sam I've updated my own answer with your info. Thanks for your comment ;) – Matías Fidemraizer Dec 18 '12 at 19:19

I am using Access-Control-Allow-Origin. You just send the header and you are fine.

See also AJAX, Subdomains, and SSL

PiTheNumber
  • Oops, sorry, I've updated my question: CORS isn't an option. It's the desirable one, but you know what current browser support is like. – Matías Fidemraizer Dec 07 '11 at 11:52
  • In addition, your link is useful. I'm going to check that solution based on including the script calling to HTTPS using HTTPS too. Let's see. – Matías Fidemraizer Dec 07 '11 at 11:56
  • What browser does not support it? You can make it work in IE by using XDomainRequest. There is a jQuery transport for that. – PiTheNumber Dec 07 '11 at 11:59
  • Opera has no support for CORS in the 11.x trunk (12 will have it). Sure, Opera isn't a massive Web browser on desktop, but it is in the mobile arena. By the way, I've been thinking about CORS for a lot of hours, and maybe I'll need to go this way, because it's the right way of solving this problem. – Matías Fidemraizer Dec 07 '11 at 12:03
  • I tried using the XDomainRequest but still got Access is Denied. Was told you can't go from http to https. – Jack Marchetti Apr 19 '13 at 02:22
  • @JackMarchetti You should make a new question for that. Use a debugging tool to verify your Access-Control-Allow-Origin header was correctly returned by your target page. – PiTheNumber Apr 22 '13 at 12:04
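As an added illustration (not code from the question or any answer), the origin comparison behind the same-origin policy and the CORS headers a server should return for a credentialed cross-origin POST, with constructed origins and a constructed allowlist. The exact-origin echo plus `Vary: Origin` is what makes a per-origin allowlist safe in front of a shared cache.

```javascript
// Added example, not code from the question or answers: an origin comparison
// plus the CORS response headers a server should return for a credentialed
// cross-origin POST. Origins and the allowlist are constructed for illustration.

// Split an origin into the three parts that define it (scheme, host, port).
// Returns null for values that are not valid URLs, such as the literal "null"
// origin a browser sends for sandboxed or file:// documents.
function parseOrigin(value) {
  let u;
  try { u = new URL(value); } catch (e) { return null; }
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Same-origin policy: scheme, host and port must all match, so
// http://app.example.com and https://app.example.com are different origins.
function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x !== null && y !== null &&
    x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Build the CORS headers for a request whose Origin header is requestOrigin.
// Returns null when the origin is not allowlisted: send no CORS headers at all.
// For requests that carry cookies the browser rejects "*", so the allowed
// origin is echoed exactly, and "Vary: Origin" keeps shared caches from
// replaying one origin's response to another.
function corsHeadersFor(requestOrigin, allowedOrigins, isPreflight) {
  if (!allowedOrigins.some(o => sameOrigin(o, requestOrigin))) {
    return null;
  }
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (isPreflight) {
    // A POST with a JSON body is not a "simple" request, so the browser sends
    // an OPTIONS preflight first; tell it which methods and headers are allowed.
    headers["Access-Control-Allow-Methods"] = "POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed allowlist: both schemes of the app origin may call the API.
const ALLOWED_ORIGINS = ["http://app.example.com", "https://app.example.com"];
```

On the client side a credentialed jQuery POST additionally needs `xhrFields: { withCredentials: true }`, otherwise cookies are not sent and the credentials headers do nothing.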

You should reconsider accessing the whole page over HTTPS or at least be really sure this is not feasible.

By loading the initial page and script over HTTP, the user has no security guarantee that the script is the one you originally intended to send and is not being manipulated by a third party (by, for example, keylogging his password). This means that any HTTPS request that bypasses the SOP will not provide the same security guarantees as an HTTPS request from a page originally served over HTTPS.

hugomg
  • The first part of your answer is ok, but I pointed out in my question that I won't switch the entire page to HTTPS. I'm absolutely sure the insecure data has no sensitive info (this only comes from async service calls). This last statement answers your second part too. Check @PiTheNumber's answer. My second comment talks about some of the other linked question's solutions, which could be the suitable one. I'm working on that. – Matías Fidemraizer Dec 07 '11 at 11:59
  • And about second part, using the so called solution should be enough to be sure the caller is the desired script. – Matías Fidemraizer Dec 07 '11 at 12:00
  • If you're using a Facebook Page Tab you can't load the page over HTTPS if the user is browsing facebook with HTTP for example. – Jack Marchetti Apr 19 '13 at 02:20
  • @JackMarchetti: But what difference does that make? Accessing an HTTPS service in an HTTP page is still fundamentally insecure so if you don't care about security why not just make the service you are trying to AJAX to also be available over HTTP? – hugomg Apr 19 '13 at 04:18

Has anyone looked at:

https://github.com/jpillora/xdomain

It uses postMessage and iframes to achieve CORS requests, and is cross-browser (no need for teeth-clenching XDomainRequests in IE).

Perhaps it will allow cross-protocol CORS requests?

Matt Newell
  • But now CORS is supported by all major Web browsers, even in mobile editions, am I wrong? :D – Matías Fidemraizer Oct 03 '14 at 11:18
  • Our project requires that we can work with IE 8 and 9, meaning that we do painful browser detection and XDomainRequests - but even with that sorted out, IE still rejects mixed-protocol CORS. I'm yet to test, but I'm hoping that this library will allow us to simplify / unify our Ajax js and allow them cross-protocol! – Matt Newell Oct 03 '14 at 11:32
  • You're right about the limitation of even modern IE. Well, in your case it seems like this lib should solve the issue! – Matías Fidemraizer Oct 03 '14 at 11:41
  • Great, will give it a try - but does anyone have any security concerns with the way this library works? – Matt Newell Oct 03 '14 at 12:04