I'm trying to make Cross-Domain webservice calls from an HTTP page to an HTTPS service.
I have set up the proper CORS headers on the server (it works with HTTP-HTTP and HTTPS-HTTPS).
It does work if I change the requests to JSONp.
What I'm seeing in Chrome and Firefox is the HTTPS request is never sent, it's immediately aborted, and the server never sees the request.
It is worth noting that the preflight OPTIONS
request is aborted (and it doesn't reach the server).
I can't find any source that explains that this is indeed not possible (HTTP to HTTPS) and better yet: explains why. I can understand HTTPS to HTTP is unsafe, but the othe way around should be fine right? It seems silly to me because JSONp works (but it's messy).
notes
I also have withCredentials
set to true
and I'm sending some custom headers and a custom Content-Type
: application/json
I'm using the regular XMLHTTPRequest with fallbacks to JSONp for IE<=9
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.
Ok, I figured it out. The certificate I'm using for the HTTPS domain is self-signed and unverified. Adding it to the list of trusted third-party authorities fixed it for me.
You can install the certificate in Windows 7 through IE. This worked for me:
http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA%5B1-25%5D
post by zacharysyoung 2/11/09
Make sure you run IE(9) as administrator or the install will fail even-though it says it installed it correctly.
- Open Internet Explorer (IE) and navigate to the site hosting the self-signed certificate.
- IE should display a page warning that, 'There is a problem with this web site's security certificate.'
- Click the, 'Continue to this website (not recommended)' link.
- Once the page has loaded, look to the right of the address bar. A red/pink button, labeled 'Certificate Error,' should be visible. Click that button.
- A pop-up, titled 'Untrusted Certificate,' will appear. Click the 'View certificates' link at the bottom of the pop-up.
- Another pop-up, titled 'Certificate,' will appear. Click the 'Install Certificate...' button.
- The 'Certificate Import Wizard' will be started. Click the 'Next' button.
- ** For XP: a. Leave 'Automatically select the certificate...' option selected, and click the 'Next' button. ** For Vista: a. Choose 'Place all certificates in the following store' option, and click the 'Browse' button. b. Click the 'Show physica stores' checkbox. c. Expand the 'Third-Party Root Certification Authorities' folder, and choose 'Local Computer'. Click the 'OK' button. d. Click the 'Next' button.
- This should display the 'Completing the Certificate Import Wizard' dialog. Click the 'Finish' button.
- A 'Security Warning' pop-up will appear. The warning is informing you that the certificate's origin cannot actually be validated. You should know where the certificate is coming from. If you do, click the 'Yes' button to install the certificate.
- A final pop-up informing you that, 'The import was successful,' will be displayed. Click the 'OK' button.
- Restart/Open Chrome and navigate to the site in question. You should not be greeted by the security warning page.
Aside from that, I think I may have discovered a bug in Chrome. See: https://code.google.com/p/chromium/issues/detail?id=141839
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With