 

JavaScript cross-domain call: call from HTTP to HTTPS

I need to make an asynchronous call to a secure (HTTPS) URL for the same domain.

Currently the page is working with regular HTTP (non-secure).

In other words: this is calling a URL in the same domain but using HTTPS.

Before switching these calls to HTTPS I ended up implementing a server-side proxy to allow cross-domain AJAX calls, but now I'm facing the same-origin policy, since HTTP and HTTPS are considered different origins too. So this proxy is unusable.

Summary: how to do cross-domain, asynchronous POST requests in this scenario?

Various notes:

  • I couldn't accept any answer suggesting JSONP. Asynchronous calls must be using POST verb.
  • I'm using latest version of jQuery. Answer could be based on this library, or any other solving this problem.
  • Accessing the entire page over HTTPS isn't a solution.
  • Server platform is Microsoft .NET 4.0 (ASP.NET 4.0).
  • UPDATE: CORS isn't an option. There's no wide support for this in modern browsers.
Matías Fidemraizer asked Dec 07 '11 11:12



1 Answer

First of all, I've +1 both questions from @missingo and @PiTheNumber.

After spending a lot of hours, I've arrived at the conclusion that I'm going to switch the entire page to HTTPS. That's because:

  • Most modern browsers support CORS, but Internet Explorer, starting from the 8th version, has a proprietary implementation (XDomainRequest object), which may be disabled on some computers (mine had cross-domain requests disabled by default in the Internet security zone).

  • Opera doesn't support CORS. The 12th version will support it, but this isn't an option as users should adopt this new version first, and this won't be in 2 days.

  • I need to do cross-domain requests since the Web client application must request a RESTful service layer located in another domain. No way.

  • Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).

Thanks anyway, because both answers have helped me a lot in arriving at this conclusion.

UPDATE

@Sam has added a comment that could be interesting for anyone. It's about how to get CORS in Internet Explorer 8 and 9 (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

Matías Fidemraizer answered Sep 18 '22 04:09
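Why the HTTP page's call to an HTTPS URL on the same host is treated as cross-origin, and why serving the page over HTTPS makes the proxy call same-origin again, shown as an added example that is not part of the original question or answer. The host names, paths and function names are constructed for illustration.

```javascript
// Added illustration. www.example.com and api.example.net are constructed hosts.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// An origin is the tuple (scheme, host, port). Schemes without a tuple
// origin (file:, data:, ...) yield null and never match anything.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!DEFAULT_PORTS.has(u.protocol)) return null;
  // URL.port is "" when the scheme's default port is in use.
  const port = u.port || DEFAULT_PORTS.get(u.protocol);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// Returns "same-origin" or names the first tuple component that differs.
function compareOrigins(pageUrl, targetUrl) {
  const a = originTuple(pageUrl);
  const b = originTuple(targetUrl);
  if (!a || !b) return "cross-origin (opaque origin)";
  for (const part of ["scheme", "host", "port"]) {
    if (a[part] !== b[part]) return `cross-origin (${part} differs)`;
  }
  return "same-origin";
}

// Classify every call a page makes, keyed by target URL.
function classifyCalls(pageUrl, targets) {
  return Object.fromEntries(targets.map((t) => [t, compareOrigins(pageUrl, t)]));
}

const proxy = "https://www.example.com/proxy/orders"; // same-domain proxy
const service = "https://api.example.net/orders";     // RESTful service layer

// Page served over HTTP: even the same-domain proxy is cross-origin.
console.log(classifyCalls("http://www.example.com/app", [proxy, service]));
// Page served over HTTPS: the proxy call becomes same-origin again.
console.log(classifyCalls("https://www.example.com/app", [proxy, service]));
```

Once the page itself is on HTTPS, only the direct call to the service layer remains cross-origin, which is the call the server-side proxy exists to avoid.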