I need to make an asynchronous call to a secure (HTTPS) URL for the same domain.
Currently the page is working with regular HTTP (non-secure).
In other words: this is calling an URL in the same domain but using HTTPS.
Before switching this calls to HTTPS I ended implementing a server-side proxy to allow cross-domain AJAX calls, but now I'm facing same origin policy since HTTP and HTTPS are considered different origins too. So this proxy is unusable.
Summary: how to do cross-domain, asnynchronous POST requests in this scenario?
Various notes:
No way. Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).
CORS requests may only use the HTTP or HTTPS URL scheme, but the URL specified by the request is of a different type. This often occurs if the URL specifies a local file, using the file:/// scheme.
About cross-domain request enforcement. Cross-Origin Resource Sharing (CORS) is an HTML5 feature that enables one website to access the resources of another website using JavaScript within the browser.
Cross-Domain JavaScript Requests allow developers to work around security restrictions that would prevent an application from contacting Places (Search) API directly. For example, certain location information might not be retrievable without enabling this method.
First of all, I've +1 both questions from @missingo and @PiTheNumber.
After spending a lot of hours, I've arrived to the conclusion I'm going to switch the entire page to HTTPS. That's because:
Most moderns browsers support CORS, but Internet Explorer, starting from 8th version has a proprietary implementation (XDomainRequest object), which may be disabled in some computers (mine had cross-domain request disabled by default in Internet security zone).
Opera doesn't support CORS. 12th version will support it, but this isn't an option as users should adopt this new version first, and this won't be in 2 days.
I need to do cross-domain requests since Web client application must request a RESTful service layer located in another domain. No way.
Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).
Thanks anyway because both answer have helped me a lot for arriving to this conclusion.
@Sam has added a comment that could be interesting for anyone. It's about how to get CORS in Internet Explorer 8 and 9 (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With