Hi,

The Case: the jQuery UI dialog should contain the customer's credit data, while the rest of the page is a product catalog over http.

Question: Is it possible to secure the jQuery UI dialog with https when the rest of the page is in http? Or does the whole page have to be https, and not only the dialog?

(What I know is that the dialog is part of the page, and because of that it can't be secured, but my boss says I'm wrong.)

Thanks

+1  A: 

The "page" doesn't need to be HTTPS. Only the connection that is grabbing the info (as long as that data doesn't persist on the non-secure page to another non-secure page).

Security like this works on a transaction basis.

Once you load your page non-securely (HTTP) you can load up the secure content as long as your ajax is hitting a secure url (HTTPS).

Beyond that there are definitely other security concerns when dealing with secure user data, but as long as the call that is grabbing that data is done over an HTTPS connection, then you are good.

Another example of this is if you made a form taking users' information. The page containing the form doesn't need to be delivered via HTTPS, you only need HTTPS when the user is submitting that data to your app for processing. Don't think of the "page" as being secured by HTTPS, just the "transaction".

EDIT:

Rereading your question, I think I may have made an assumption. IF you are grabbing this secure data after your page loads, and you do so using ajax over an HTTPS connection you are good.

But in your question you don't mention using ajax. If you are grabbing all data and sending it to the user all at once, and then just hiding/displaying it on the page then YES, that page needs to be HTTPS. You are still transferring secure data over a non-secure connection even if the end page is 'hiding' it.

threendib
It is sending only data from the dialog and not from the whole page. After I checked the Http requests I also saw an https request with HttpFox (I think it is sending with ajax) - (I am analyzing a website I didn't build; if you know an online tool that can check it, please tell me.)
Yosef
HttpFox works fine. If you are using chrome you could use their built in dev tools also. Using whatever tool you are using, you just need to verify that the secure data is ONLY ever being transmitted with HTTPS calls. If that is the case, which it sounds like in your case, then you are good to go.
threendib
So why do google, yahoo, etc. use 1. an https page for all their login pages to gmail, yahoo mail? 2. Not use a dialog in their content pages to register or login with https security. The question really is why doesn't everybody use this option if it's secure, because it's very comfortable for website users.
Yosef
I found a good explanation in this answer: http://stackoverflow.com/questions/1541329/http-https-ajax-bypass-maybe by Caf
Yosef
People see the lock or see the S in the HTTPS and feel safe despite not understanding the underlying technology. So it's just easier for companies to use HTTPS on any pages related to logging in, submitting secure info, etc... to make people feel safe. Or they may be transmitting data in the background that is hidden from the user on the page so they use HTTPS.
threendib
WRONG. You cannot guarantee that subsequent communication happens over https. Since the first page was downloaded over http, anybody could have modified the `<form>` tag or your `js` code to submit the data to their own website. With https it's all or none. Use https to protect the entire website, or it's a waste. See 'The Rook's answer below for more information.
sri
@threendib this is an owasp violation, and I agree with sri in this case (and most of the time.)
Rook
+2  A: 

The answer is without a doubt NO. If you don't protect the entire session with HTTPS then an attacker will obtain the session id and use that instead of username/password.

What you are describing is a clear violation of The OWASP top 10: Broken Authentication and Session Management.

Rook
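As an added example (not code from any of the answers above), here is a small Node.js audit that applies the two points the thread ends on: a session cookie issued by the HTTPS dialog call still travels over HTTP unless it carries the Secure attribute (Rook's answer), and a page delivered over HTTP cannot vouch for the scripts and form targets it contains (sri's comment). All hostnames, cookie names and HTML below are constructed sample values.

```javascript
// Added example, not from the original answers: audits one page's transport
// for the two failure modes raised in the thread. Every value below
// (hostnames, cookie names, HTML) is a constructed sample.

// Parse a Set-Cookie header value into its name plus the flags that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.split('=')[0], secure: flags.has('secure'), httpOnly: flags.has('httponly') };
}

// pageScheme: scheme the HTML document itself was fetched over.
// setCookieHeaders: Set-Cookie values the server issued (e.g. by the HTTPS dialog call).
// html: the document body. Returns a list of findings; an empty list means nothing was flagged.
function auditMixedPage({ pageScheme, setCookieHeaders, html }) {
  const findings = [];
  // A cookie without Secure rides along on every plain-HTTP request, so a session id
  // issued by the HTTPS dialog call leaks as soon as the user opens an HTTP catalog page.
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c.secure) findings.push(`cookie "${c.name}" lacks Secure: sent over HTTP too`);
  }
  // An HTTP page is not authenticated, so its script tags and form targets can be changed
  // in transit before the browser makes the HTTPS call; an HTTPS action inside it buys nothing.
  if (pageScheme === 'http') {
    const actions = [...html.matchAll(/<form\b[^>]*\baction="([^"]*)"/gi)].map((m) => m[1]);
    const scripts = (html.match(/<script\b/gi) || []).length;
    findings.push(`page over HTTP: ${actions.length} form action(s), ${scripts} script tag(s) unauthenticated`);
    for (const a of actions) {
      if (a.startsWith('https://')) findings.push(`HTTPS action ${a} is inside an HTTP page: not protected`);
    }
  }
  return findings;
}

// Constructed sample: HTTP catalog page embedding the "secure" credit dialog form.
const INSECURE_PAGE = {
  pageScheme: 'http',
  setCookieHeaders: ['sid=abc123; Path=/; HttpOnly', 'lang=en; Path=/; Secure'],
  html: '<html><body><h1>Catalog</h1>' +
    '<script src="http://shop.example/js/jquery.js"></script>' +
    '<form id="credit" action="https://shop.example/api/credit"><input name="card"></form>' +
    '</body></html>',
};

// Same page after the fix the thread recommends: whole page over HTTPS, session cookie Secure.
const SECURE_PAGE = {
  pageScheme: 'https',
  setCookieHeaders: ['sid=abc123; Path=/; HttpOnly; Secure', 'lang=en; Path=/; Secure'],
  html: INSECURE_PAGE.html.replace('http://shop.example/js', 'https://shop.example/js'),
};

console.log(auditMixedPage(INSECURE_PAGE)); // three findings
console.log(auditMixedPage(SECURE_PAGE));   // []
```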