I'm having issues sending JSONP requests from an HTTPS site to an HTTP site.
I have a (non-local) test environment over HTTPS (with a valid certificate) where I'm able to run all these cross-site/"cross-protocol" requests successfully (with warnings, but without errors).
Google Chrome JavaScript Console output:
The page at https://my.test.environment/ ran insecure content from http://non.secure.site/service?jsonCallback=jsonp1331132928704
However, in production (on Google App Engine, appspot subdomain), Google Chrome is blocking all requests, waiting for user confirmation.
Google Chrome JavaScript Console output (special attention to the [blocked] text):
[blocked] The page at https://production.appspot.com/ ran insecure content from http://non.secure.site/service?jsonCallback=jsonp1331132928704
I know what I'm doing is not secure, but these services are provided by a third party and there is no SSL communication available so far. I'm really confused by this because I don't get why it is working (with warnings) in the test environment and not under appspot (Google App Engine).
I tried to investigate headers with no success.
Test environment headers:
Connection:Keep-Alive
Content-Encoding:gzip
Content-Language:es
Content-Length:2524
Content-Type:text/html;charset=utf-8
Date:Wed, 07 Mar 2012 15:48:30 GMT
Keep-Alive:timeout=15, max=100
Set-Cookie: cookie_info...
Vary:Accept-Encoding
APPSpot headers:
access-control-allow-credentials:false
access-control-allow-origin:*
cache-control:no-cache, must-revalidate
content-encoding:gzip
content-length:47890
content-type:text/html; charset=utf-8
date:Wed, 07 Mar 2012 14:52:02 GMT
expires:Fri, 01 Jan 1990 00:00:00 GMT
pragma:no-cache
server:Google Frontend
set-cookie: coookie_info....
status:200 OK
vary:Accept-Encoding
version:HTTP/1.1
I have no idea why this is working on the test environment and the same approach is blocked on APPSpot by Google Chrome.
Any thoughts?
An Apache proxy will make a request to the endpoint on your behalf. You can even have non-JSONP requests to a service (JSON, XML, images, POST, PUT, DELETE, etc.) because the browser thinks it's doing the request to the same domain.
Your non.secure.site vhost file would contain something like
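# Reverse proxy only; do not act as an open forward proxy
ProxyRequests Off
ProxyPreserveHost On
# Needed by mod_proxy because the ProxyPass target below is https://
SSLProxyEngine On
<Proxy *>
    Allow from all
</Proxy>
# Map the local /appspot path onto the remote site
ProxyPass /appspot https://production.appspot.com/
ProxyPassReverse /appspot https://production.appspot.com/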
Once you set it up you just call the service like...
http://non.secure.site/appspot/service?jsonCallback=jsonp1331132928704
Google ProxyPass for more info:
https://serverfault.com/questions/429404/help-me-understand-how-to-use-proxypass
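The same-origin relay idea from the answer, as an added example that is not part of the original post: helpers for a relay running on the HTTPS origin that fetches the HTTP-only JSONP service server-side and hands the browser plain JSON. The function names, the fixed `cb` callback, the `/service` allow-list and the injected `fetchText` are assumptions.

```javascript
// Added example: relay helpers for an HTTPS origin in front of an
// HTTP-only JSONP service. All names below are hypothetical.
const UPSTREAM = 'http://non.secure.site';    // host taken from the question
const ALLOWED_PATHS = new Set(['/service']);  // assumption: only this endpoint is relayed
const CALLBACK = 'cb';                        // fixed by the relay, never by the client

// Build the upstream URL. The client supplies query parameters only;
// host, path allow-list and callback name are decided server-side.
function buildUpstreamUrl(path, query) {
  if (!ALLOWED_PATHS.has(path)) throw new Error('path not allowed: ' + path);
  const url = new URL(path, UPSTREAM);
  for (const [k, v] of Object.entries(query)) {
    if (k !== 'jsonCallback') url.searchParams.set(k, String(v));
  }
  url.searchParams.set('jsonCallback', CALLBACK);
  return url.toString();
}

// Strip the JSONP padding and parse the payload as data. JSON.parse rejects
// anything that is not pure JSON, so a response tampered with on the HTTP
// hop cannot turn into script running in the HTTPS page.
function unwrapJsonp(body) {
  const text = body.trim().replace(/\s*;$/, '');
  const prefix = CALLBACK + '(';
  if (!text.startsWith(prefix) || !text.endsWith(')')) {
    throw new Error('unexpected JSONP wrapper');
  }
  return JSON.parse(text.slice(prefix.length, -1));
}

// Relay logic. fetchText(url) -> Promise<string> is injected by the caller,
// which keeps this function independent of any particular HTTP client.
async function relay(path, query, fetchText) {
  const data = unwrapJsonp(await fetchText(buildUpstreamUrl(path, query)));
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json; charset=utf-8' },
    body: JSON.stringify(data),
  };
}
```

The page then requests the relay path over HTTPS as ordinary JSON, so the browser never loads script from the HTTP origin.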