ansaurus

Question

secure xmlhttprequest from nonsecure page

Answer 1

+1 A:

I don't think this is possible. Previously asked: http://stackoverflow.com/questions/1105934/ajax-http-https-problem

dkamins 2010-05-28 02:10:48

it's probably sort of possible using iframes and bookmark hashes but that is ugly ugly ugly and only secure if the part after the hash is not sent to server.

amwinter 2010-05-28 02:16:31

Answer 2

+1 A:

You can't circumvent cross-domain origin with XHR (well, only in Firefox 3.5 with user's permission, not a good solution). Technically, moving from port 80 (http) to 443 (https) is breaking that policy (must be same domain and port). This is the example the specification itself sites here - http://www.w3.org/Security/wiki/Same_Origin_Policy#General_Principles.

Have you looked into JSONP (http://en.wikipedia.org/wiki/JSON#JSONP) or CSSHttpRequests (http://nb.io/hacks/csshttprequest)?

JSONP is a way to add a <script> tag to a page with a pre-defined global callback across domains (as you can put the <script>s src to anywhere on the web). Example:

<script>

    function globalCallback (a) { /* do stuff with a */ }

And then you insert a <script> tag to your other domain, like so:

    var jsonp = document.createElement('script');
    json.setAttribute('src','http://path.to/my/script');
    document.body.appendChild(jsonp);

</script>

And in the source of the external script, you must call the globalCallback function with the data you want to pass to it, like this:

 globalCallback({"big":{"phat":"object"}});

And you'll get the data you want after that script executes!

CSSHttpRequests is a bit more of a hack, so I've never had the need to use it, though feel free to give it a try if you don't like JSONP, :).

Dan Beam 2010-05-28 02:16:02

ok, but {big {phat object}} is defined in the external script. no way to pass in data, is there?

amwinter 2010-05-28 02:23:09

when you call the `globalCallback` it's passing it to the originating page's function ... "pass[ing] in data"

Dan Beam 2010-05-28 02:30:35

returning it to the originating page. I want to pass data to the remote script without putting it in the url.

amwinter 2010-05-29 12:15:59

you're not putting it in the URL...you're just calling a global function. ignore the `src` of the tag in this instance. it's just like you declared a `function` in a `<script>`, and then called it later in another `<script>` on the same page (because you really are).

Dan Beam 2010-06-02 03:27:10

oh, I see what you're saying - you want to send data to your remote script (not get it from it). you could store it in a secure cookie or in the GET/POST of an SSL page (the GET/POST is encrypted, like I've said) if you want it to be functionally hidden.

Dan Beam 2010-06-02 03:30:45

Answer 3

+1 A:

That won't work by default due to the same origin policy, as you mentioned. Modern browsers are implementing CORS (Cross-Origin Resource Sharing) which you could use to get around this problem. However this will only work in Internet Explorer 8+, Firefox 3.5+, Safari 4+, and Chrome, and requires some server-side work. You may want to check out the following article for further reading on this topic:

Cross-domain Ajax with Cross-Origin Resource Sharing by Nicholas C. Zakas

You can also use JSONP as Dan Beam suggested in another answer. It requires some extra JavaScript work, and you may need to "pad" your web service response, but it's another option which works in all current browsers.

Daniel Vassallo 2010-05-28 02:18:14

solid. would love to see a solution for older browsers but this is clean and works today.

amwinter 2010-05-28 02:27:40

JSONP or a proxy page (i.e. http://path.to/me?get=https://path.to/get)

Dan Beam 2010-05-28 02:29:14

There are solutions for older browsers, using a reverse proxy, but you will lose the benefit of SSL... I guess you aren't willing to sacrifice that, because in that case you could just have served your `/ajaxservice/` from http (or both).

Daniel Vassallo 2010-05-28 02:29:58

You won't lose the benefits if you use https:// in the `src` of the `<script>`...

Dan Beam 2010-05-28 02:31:36

@Dan Beam: That would pop up some browser warning I guess, won't it? Saying that you have mixed secure and non-secure content?

Daniel Vassallo 2010-05-28 02:33:46

sending data in https url is not ok for this specific app -- not fair to my users to have passwords in server logs

amwinter 2010-05-28 02:37:51

@amwinter - the `GET` and `POST` data of `https://` calls is encrypted as well (just learned that recently). @Daniel No, the warning only shows up when the source page is `https://` and you try to access non SSL assets (https://mypage.com/ tries to get http://mypage.com/something.js).

Dan Beam 2010-05-28 02:45:55

trust me on the ( http + https script != warning ) thing, I just tried it from this page to a secure script, :)

Dan Beam 2010-05-28 02:47:16

@Dan Beam: True, it's past my bed time :) Let me update my answer with reference to yours.

Daniel Vassallo 2010-05-28 02:47:53

@Dan Beam. yes, the transmission is encrypted, but my server logs will still have the URI in plaintext.

amwinter 2010-05-28 02:50:38

You're right about not wanting to pass sensitive parameters through the query string. With JSONP you cannot issue a POST request.

Daniel Vassallo 2010-05-28 03:01:09

@amwinter: Use easyXDM (http://easyxdm.net/wp/) it will enable you to do this easily even in older browsers - and its much easier to set up than CORS as it has no server side requirements! Check out the ajax example here http://consumer.easyxdm.net/current/example/xhr.html and read more about it here http://easyxdm.net/wp/2010/03/17/cross-domain-ajax/

Sean Kinsey 2010-05-28 09:32:44

@seankinsey am I wrong or is easyxdm a cool wrapper around window.opener and iframe hash methods? not that there's anything wrong with that.

amwinter 2010-05-28 10:50:19

postMessage, window.opener (nix), window.name, FIM (hash fragment) and friends :) This solves the cross domain issue (http vs https) meaning that you can run the XHR in the domain that it is requesting from, and pass data across the boundry using easyXDM. Thats what that last sample shows.

Sean Kinsey 2010-05-28 11:06:11

@seankinsey your live example is hard to follow. the two helper pages are confusing. is there a self-contained example?

amwinter 2010-05-28 11:18:23

What do you mean by 'helper pages' ? There is the '/current/xhr.html', which exposes the easyXDM RPC interface, and then there is the '/current/example/xhr.html' that consumes the interface. If you are referring to 'local' and 'remoteHelper' then you can disregard these now. I just forgot to update the examples :)

Sean Kinsey 2010-05-28 13:27:53

Answer 4

+1 A:

You said you would take anything short of having the SSL protocol written in JavaScript... but I assume you meant if you had to write it yourself.

The opensource Forge project provides a JavaScript TLS implementation, along with some Flash to handle cross-domain requests:

http://github.com/digitalbazaar/forge/blob/master/README

Check out the blog posts at the end of the README to get a more in-depth explanation of how it works.

dlongley 2010-07-22 20:07:02

cool man! this is useful

amwinter 2010-08-01 21:50:32

ansaurus

tags:

views:

answers:

secure xmlhttprequest from nonsecure page

related questions