Can XDomainRequest be made to work with SSL?

I have code that uses Microsoft's XDomainRequest object in IE8. The code looks like this:

// IE8 has no CORS support in XMLHttpRequest, so XDomainRequest is used instead
var url = "http://<host>/api/acquire?<query string>";
var xdr = new XDomainRequest();
xdr.onload = function(){
    // write the response body into the page (jQuery selector)
    $("#identifier").text(xdr.responseText);
};
xdr.open("GET", url);
xdr.send();

When the scheme in "url" is "http://" the command works fine. However, when the scheme is "https://" IE8 gives me an "Access denied" JavaScript error. Both schemes work fine in FF 3.6.3, where I am, of course, using XMLHttpRequest. With both browsers I am complying with W3C Access Control. "http://" works cross origin for both browsers. So the problem is with IE8, XDomainRequest, and SSL.

The SSL certificate is not the problem. If I type https://<host>/ into the address bar of IE8, where <host> is the same as in "url" above, the page loads fine.

So we have the following:
- hitting https://<host>/ directly from the browser works fine;
- hitting https://<host>/api/acquire?<query string> via XDomainRequest is not allowed.

Can it be done? Am I leaving something out?

Ralph McArthur asked Jun 08 '10 16:06


1 Answer

Apparently, the answer is here: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

Point 7 on this page says, "Requests must be targeted to the same scheme as the hosting page."

Here is some of the supporting text for point 7:

"It was definitely our intent to prevent HTTPS pages from making XDomainRequests for HTTP-based resources, as that scenario presents a Mixed Content Security Threat which many developers and most users do not understand.

However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely."

It would appear at present that the answer to my original question is: YES, if the hosting page can use the "https://" scheme; NO, if it cannot.

Ralph McArthur answered Oct 06 '22 01:10
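The same-scheme rule from the answer, turned into a check that runs before an XDomainRequest is created. This is an added example, not code from the question or the linked article; the function names and the sample URLs are assumptions, and it assumes the API host also answers over https (as it does in the question).

```javascript
// Returns the scheme ("http" / "https") of an absolute URL, or null.
function schemeOf(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// pageHref: window.location.href of the hosting page.
// apiUrl:   the cross-origin resource the page wants to fetch.
// Returns the URL to hand to XDomainRequest, or null when the request
// cannot be made without downgrading transport security.
function buildXdrUrl(pageHref, apiUrl) {
  var pageScheme = schemeOf(pageHref);
  var apiScheme = schemeOf(apiUrl);
  if (!pageScheme || !apiScheme) return null;   // relative or malformed URL
  if (pageScheme === apiScheme) return apiUrl;  // point 7 is satisfied
  if (pageScheme === "https" && apiScheme === "http") {
    // Secure page, plain target: IE8 blocks this as mixed content, so
    // request the https variant instead (assumes the API serves https).
    return "https://" + apiUrl.slice("http://".length);
  }
  // Plain page, https target: XDR answers "Access denied". Rewriting the
  // target to http would strip TLS from the API call, so refuse; the fix
  // is to serve the hosting page over https, as the answer concludes.
  return null;
}

// Fetches apiUrl with XDomainRequest when IE8 provides it, otherwise with
// XMLHttpRequest (the path the question uses in Firefox). onDone receives
// the response body; onFail receives a reason string.
function crossOriginGet(pageHref, apiUrl, onDone, onFail) {
  var url = buildXdrUrl(pageHref, apiUrl);
  if (!url) {
    return onFail("scheme mismatch: host the page over " + schemeOf(apiUrl));
  }
  if (typeof XDomainRequest !== "undefined") {
    var xdr = new XDomainRequest();
    xdr.onload = function () { onDone(xdr.responseText); };
    xdr.onerror = function () { onFail("XDomainRequest error"); };
    xdr.open("GET", url);
    xdr.send();
  } else if (typeof XMLHttpRequest !== "undefined") {
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
      if (xhr.readyState !== 4) return;
      xhr.status === 200 ? onDone(xhr.responseText) : onFail("HTTP " + xhr.status);
    };
    xhr.open("GET", url);
    xhr.send();
  } else {
    onFail("no cross-origin transport available");
  }
}
```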