views: 2415

answers: 5

Hi there, I would like to ask you for a workaround for the following problem. My site can use the http and https protocols; it doesn't affect the content. My site also uses jQuery ajax calls, which fill some areas on the page.

Now, I would like to do all ajax calls over the https protocol. (Please don't ask me why :)) When I am on a page with the https protocol, all is correct. The ajax calls are working. When I'm on a page with the http protocol, I get a JavaScript error: Access to restricted URI denied

I know that this is a cross-domain problem (in fact it's not, it's a cross-protocol problem), and I know that I should use the same protocol in the ajax call as the protocol of the current page.

Still, I want to have all ajax calls starting with https, and call them from a page starting with http. Is there any workaround to achieve this (some json/proxy solution?), or is it simply impossible?

+1  A: 

You could attempt to load the https page in an iframe and route all ajax requests in/out of the frame via some bridge. It's a hackaround but it might work (not sure if it will impose the same access restrictions given the secure context). Otherwise a local http proxy to reroute requests (like any cross-domain calls) would be the accepted solution.

Quintin Robinson
+2  A: 

Proxying all your requests through a non-https resource on your domain would be the way to go, as you suggested. Along the lines of:

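<html>
<head>
<script src="/js/jquery-1.3.2.js"></script>
</head>
<body>
<script>
// Request the plain-http proxy resource on the page's own domain.
// The URL needs its scheme; without it the browser treats it as a relative path.
$.get("http://www.mydomain.com/?get=someresource", function(response) {
    alert(response);
});
</script>
</body>
</html>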
karim79
Wouldn't that remove the benefits of HTTPS?
ceejayoz
Yes, I think it would. If the secured data *needs* to be fetched through ajax and there's no other way to do it, then this will work.
karim79
Thanks mate. I decided to proxy http calls to https calls :) as you suggested.
+1  A: 

http://example.com/ may resolve to a different VirtualHost than https://example.com/ (which, as the Host header is not sent, responds to the default for that IP), so the two are treated as separate domains and thus subject to cross-domain JS restrictions.

JSON callbacks may let you avoid this.

ceejayoz
+2  A: 

Try JSONP.

Most JS libraries make it just as easy as other AJAX calls, but internally use an iframe to do the query.

If you're not using JSON for your payload, then you'll have to roll your own mechanism around the iframe.

Personally, I'd just redirect from the http:// page to the https:// one.

Javier
Hmm, I have tried jQuery .ajax with the jsonp:'jsonp_callback' option set, but still the same JS error.
Maybe you have to add the callback parameter in the URL.
Javier
A: 

Check out the open source Forge project. It provides a JavaScript TLS implementation, along with some Flash to handle the actual cross-domain requests:

http://github.com/digitalbazaar/forge/blob/master/README

In short, Forge will enable you to make XmlHttpRequests from a web page loaded over http to an https site. You will need to provide a Flash cross-domain policy file via your server to enable the cross-domain requests. Check out the blog posts at the end of the README to get a more in-depth explanation for how it works.

However, I should mention that Forge is better suited for requests between two different https-domains. The reason is that there's a potential MiTM attack. If you load the JavaScript and Flash from a non-secure site it could be compromised. The most secure use is to load it from a secure site and then use it to access other sites (secure or otherwise).

dlongley
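
Why the browser raises the error in the question, and why the MiTM concern in the last answer applies, shown as an added example that is not part of the original thread: browsers compare origins as the triple (scheme, host, port), so an http page and an https endpoint on the same host are different origins. The function names and sample URLs below are constructed for illustration.

```javascript
// Added example (not from the thread). Function names are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) triple the browser compares.
function originOf(urlString) {
  const u = new URL(urlString); // WHATWG URL lowercases scheme and host
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL.port is "" when the scheme's default port is used, so fill it in.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Compare the page's origin with the ajax target's origin.
function assessAjax(pageUrl, targetUrl) {
  const page = originOf(pageUrl);
  const target = originOf(targetUrl);
  const differs = ["scheme", "host", "port"].filter(
    (key) => page[key] !== target[key]
  );
  return {
    sameOrigin: differs.length === 0,
    differs,
    // A page delivered over plain http can be modified in transit, so its
    // script cannot be relied on to protect what it fetches over https.
    pageTamperable: page.scheme !== "https:",
  };
}

// Constructed sample URLs: the question's case, an equivalent spelling of
// the same origin, and a subdomain.
const cases = [
  ["http://example.com/page", "https://example.com/ajax"],
  ["https://example.com/page", "https://EXAMPLE.com:443/ajax"],
  ["https://example.com/page", "https://www.example.com/ajax"],
];
for (const [page, target] of cases) {
  console.log(page, "->", target, JSON.stringify(assessAjax(page, target)));
}
```

The first case is the one from the question: same host, but the scheme and the effective port both differ, so the request is cross-origin, and the calling page itself arrives without integrity protection.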