
HTTPS and HTTP CORS

My question is simple, but I cannot find an answer and I haven't got any resources to test it myself.

  • Can I make an HTTPS CORS request from one domain to another HTTPS domain?
  • Can I make an HTTP CORS request from one domain to another HTTPS domain?

I know that I can do an HTTP CORS request from one domain to another HTTP domain, but I don't know if there is any difference when I use HTTPS.

Raiper34 asked May 06 '16 07:05




2 Answers

Yes, you can do a CORS request from an HTTPS domain to another HTTPS domain.

The only difference is that, because HTTPS is a secure origin, you can only make calls to a secure origin, so not to HTTP; the browser will block it with a message like:

Mixed Content: The page at 'https://example.com/index.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example2.com/endpoint'. This request has been blocked; the content must be served over HTTPS.

Warning: If you allow HTTP requests to call your HTTPS webpage, it will be insecure, because it means an attacker can force requests to your HTTPS webpage with the cookies of a victim and read the answer.

Tom answered Nov 01 '22 18:11


Beware if you still need to support IE8/IE9 and are using XDomainRequest as it does not support cross-protocol requests. As per MDN:

The origin's security protocol must match that of the requested URL. (http to http, https to https). If these do not match, the request will error "Access is Denied".

user9285144 answered Nov 01 '22 18:11
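
An added example, not part of either answer above: it models the two rules the answers describe (the mixed-content block for an HTTPS page calling an HTTP endpoint, and XDomainRequest's same-scheme requirement) alongside a server-side origin allowlist. The function names and the `ALLOWED_ORIGINS` list are assumptions made for illustration, and the model ignores browser special cases such as `http://localhost`.

```javascript
// Classify a browser request by the page that issues it and the URL it targets.
// This is a simplified model of the rules above, not a full Fetch or
// Mixed Content implementation.
function classifyRequest(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);

  // Origin = scheme + host + port; any difference makes the request cross-origin.
  const sameOrigin = page.origin === target.origin;

  // Mixed content: a page loaded over HTTPS may not call an insecure http:
  // endpoint. The browser blocks this before any CORS header is consulted.
  const mixedContent = page.protocol === 'https:' && target.protocol === 'http:';

  // XDomainRequest (IE8/IE9) requires page and target to use the same scheme.
  const xdrAllowed = page.protocol === target.protocol;

  return {
    sameOrigin,
    needsCors: !sameOrigin && !mixedContent,
    blockedAsMixedContent: mixedContent,
    xdrAllowed,
  };
}

// Server side: choose the Access-Control-Allow-Origin value for a request.
// ALLOWED_ORIGINS is a constructed allowlist. Only https origins are listed,
// so a page served over plain HTTP is never granted read access to responses.
const ALLOWED_ORIGINS = new Set(['https://example.com']);

function allowOriginHeader(requestOrigin) {
  // Echo the origin only on an exact match; never reflect arbitrary origins.
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : null;
}

// The three combinations from the question and answers (constructed URLs).
const cases = [
  ['https://example.com/index.html', 'https://example2.com/endpoint'],
  ['https://example.com/index.html', 'http://example2.com/endpoint'],
  ['http://example.com/index.html', 'https://example2.com/endpoint'],
];
for (const [page, target] of cases) {
  console.log(page, '->', target, classifyRequest(page, target));
}
```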