Recently I've been carrying on a series of tests to see how HTTPS behaves with normal requests and Ajax requests in different situations. Here is the tests results (I've been using jQuery to do the ajax calls):
- When going from a page with Https to a normal Http one, will a popup appear to the user?Result: the ipod touch (IPT from now on) doesn't issue any warning. Neither Chrome. Safari and Firefox will instead come out with a window saying that you are going away from a secure zone. My Android device showed a behaviour similar to IPT and Chrome.
- When doing a request using ajax, to a URL with HTTPS from a page with HTTPS: as expected everything works well and no popups show up (they're not supposed to come as we are still using an encrypted channel).
- When doing a request using ajax to an URL with HTTP from a page with HTTPS (so we are doing an unsafe request from a safe page): here all requests fail, this is seen in javascript as the request completes, but it gives an empty response. The user is not prompted in any way. The same result is obtained on every device and every desktop browser. It is then impossible to do unsafe Ajax requests to unsafe pages on the same domain.
- Let's try to do a HTTP to another domain request using Ajax, from a HTTPS page. This could potentially be a risk, as the request may send sensible data, that you received through HTTPS, using an non encrypted channel. Surprisingly this works on every platform without errors or complaints. This is in contrast with the last result as I can do unsafe requests to other domains, but not to the same one! It is a strange behaviour... If it let's you do a non encrypted request from an encrypted page, it will let you do an encrypted request, common sense says... in fact we are right, it does on every platform.
- Let's try to do a HTTP to another domain request using Ajax, from a HTTPS page. This could potentially be a risk, as the request may send sensible data, that you received through HTTPS, using an non encrypted channel. Surprisingly this works on every platform without errors or complaints. This is in contrast with the last result as I can do unsafe requests to other domains, but not to the same one! It is a strange behaviour...
- If it let's you do a non encrypted request from an encrypted page, it will let you do an encrypted request, common sense says... in fact we are right, it does on every platform.
I'm surprised that it doesn't let you do an HTTP Ajax call from a HTTPS page to your same domain (in this situation it was the same page) and it allows you to do it to other domains. Do you know more about this issue?