Is it possible to send a request to HTTP from HTTPS website? - https

I have a HTTPS website and non-SSL server, and I should send a request to non-SSL server from HTTPS website.
If I send a request to HTTP server, there occurs Mixed Content error.
Mixed Content: The page at 'https://my-website' was loaded over HTTPS,
but requested an insecure resource 'http://my-server/'. This request
has been blocked; the content must be served over HTTPS.
So I added this line to html.
<head>
...
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
...
</head>
But this transfers all the HTTP request into HTTPS, so I cannot send a valid non-SSL request to my server. Is it possible to send a request to HTTP(non-SSL) server from HTTPS website? (Each server has different host.)

Related

Mixed Content: The page at [url] was loaded over HTTPS, but requested an insecure XMLHttpRequest , Laravel

I got this error:
Mixed Content: The page at 'https://url.app/admin' was loaded over
HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://url.app/json/questions?search=&page=1&per_page=20&sort_by=&sort_direction=asc'.
This request has been blocked; the content must be served over HTTPS.
The rest of the requests works fine, not sure why I got an error on this route.
I am using Laravel / Vue. All routes are in web.php (If I access the url from error I got data from server.)
I'm not sure, but you are sending the request /json/questions over HTTP not HTTPS.
Try to change it to HTTPS and see what will happen.
Add this code to your HTML file,
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

Why won't Axios use the same protocol

I'm getting the error:
Mixed Content: The page at 'https://mywebsite.io/content_library' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mywebsite.io/api/blog_posts/'. This request has been blocked; the content must be served over HTTPS.
In my axios request, I'm simply using relative urls, '/api/blog_posts/` so why isn't axios sending the requests with https instead of http?
I had the same error, my site is served with haproxy over https and the nginx server just runs http
I don't think its axios related but a general problem for XmlHttpRequest?
However, i've set: Content-Security-Policy to upgrade-insecure-requests, which fixes this problem at least on chrome. But I think microsoft edge does not support this.
So, the better fix should be to use an absoluteURL in axios with https.
I still don't get, why axios/browser is using http here...

HTTPS and HTTP CORS

My questions is simple, but I cannot find an answer and I haven't got any resources to test it myself.
Can I make HTTPS CORS request from one domain to another HTTPS domain?
Can I make HTTP CORS request from one domain to another HTTPS domain?
I know that I can do HTTP CORS request from one domain to another HTTP domain, but I don't know if there is any difference when I use HTTPS.
Yes you can do a CORS request from a HTTPS domain to another HTTPS domain.
The only difference is because HTTPS is a secure origin, you can only make call to secure origin, so not to HTTP, the browser will block it with a message like:
Mixed Content: The page at 'https://example.com/index.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example2.com/endpoint'. This request has been blocked; the content must be served over HTTPS.
Warning: If you allow http requests to call your https webpage, it will be insecure because it means an attacker can force requests to your https webpage with the cookies of a victim and read the answer
Beware if you still need to support IE8/IE9 and are using XDomainRequest as it does not support cross-protocol requests. As per MDN:
The origin's security protocol must match that of the requested URL. (http to http, https to https). If these do not match, the request will error "Access is Denied".

Mixed Content: Call http content from API from https page

My page is on https but the API url I am calling in AJAX is on http.
I am unable to get the AJAX response.
Mixed Content: The page at 'https://localhost:8443/examples/demo.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.earthtools.org/timezone-1.1/40.71417/-74.00639?_=1431270529277'. This request has been blocked; the content must be served over HTTPS.
How can I resolve this?
The HTTPS version of API does not exist. How can I still call from my HTTPS enable page. I want my page to be HTTPS it is very important.
Any help?
I had a similar issue where I was on HTTP and had to call an API on HTTPS.
For me disabling the Website tracking i.e. uncheck the Prevent cross-site tracking worked.
I fixed it by using this chrome extension and then reloading my page. it works. https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en
Other option is to turn on Proxy and then use it,
https://chrome.google.com/webstore/detail/zenmate-security-privacy/fdcgdnkidjaadafnichfpabhfomcebme?hl=en

Forwarded domain not working with https

I had an old web site: https://oldsite.com. I created a new site on a different web server: https://newsite.com
I forwarded the domain oldsite.com to newsite.com. The problem is that when https://oldsite.com is entered, I get a site cannot be found message. It redirects fine when entered with just http, but breaks down on the https.
How can I go about forwarding both the http and the https to a the new site?
Thank you?
try <meta http-equiv="refresh" content="0; URL=https://www.newsite.com/newurl.html">
this will just use the meta in your site to redirect it to your new site.

Resources