I'm getting the error:
Mixed Content: The page at 'https://mywebsite.io/content_library' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mywebsite.io/api/blog_posts/'. This request has been blocked; the content must be served over HTTPS.
In my axios request, I'm simply using relative urls, '/api/blog_posts/` so why isn't axios sending the requests with https instead of http?
I had the same error, my site is served with haproxy over https and the nginx server just runs http
I don't think its axios related but a general problem for XmlHttpRequest?
However, i've set: Content-Security-Policy to upgrade-insecure-requests, which fixes this problem at least on chrome. But I think microsoft edge does not support this.
So, the better fix should be to use an absoluteURL in axios with https.
I still don't get, why axios/browser is using http here...
Related
My questions is simple, but I cannot find an answer and I haven't got any resources to test it myself.
Can I make HTTPS CORS request from one domain to another HTTPS domain?
Can I make HTTP CORS request from one domain to another HTTPS domain?
I know that I can do HTTP CORS request from one domain to another HTTP domain, but I don't know if there is any difference when I use HTTPS.
Yes you can do a CORS request from a HTTPS domain to another HTTPS domain.
The only difference is because HTTPS is a secure origin, you can only make call to secure origin, so not to HTTP, the browser will block it with a message like:
Mixed Content: The page at 'https://example.com/index.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example2.com/endpoint'. This request has been blocked; the content must be served over HTTPS.
Warning: If you allow http requests to call your https webpage, it will be insecure because it means an attacker can force requests to your https webpage with the cookies of a victim and read the answer
Beware if you still need to support IE8/IE9 and are using XDomainRequest as it does not support cross-protocol requests. As per MDN:
The origin's security protocol must match that of the requested URL. (http to http, https to https). If these do not match, the request will error "Access is Denied".
My page is on https but the API url I am calling in AJAX is on http.
I am unable to get the AJAX response.
Mixed Content: The page at 'https://localhost:8443/examples/demo.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.earthtools.org/timezone-1.1/40.71417/-74.00639?_=1431270529277'. This request has been blocked; the content must be served over HTTPS.
How can I resolve this?
The HTTPS version of API does not exist. How can I still call from my HTTPS enable page. I want my page to be HTTPS it is very important.
Any help?
I had a similar issue where I was on HTTP and had to call an API on HTTPS.
For me disabling the Website tracking i.e. uncheck the Prevent cross-site tracking worked.
I fixed it by using this chrome extension and then reloading my page. it works. https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en
Other option is to turn on Proxy and then use it,
https://chrome.google.com/webstore/detail/zenmate-security-privacy/fdcgdnkidjaadafnichfpabhfomcebme?hl=en
I'm writing a simple Flask api that will serve data to a d3.js frontend and I am getting this error when I try to query for the data:
XMLHttpRequest cannot load localhost:5000/data/sample_data. Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, https, chrome-extension-resource.
I am using the flask-cors extension for flask, even though I am querying from my own domain (localhost) so I thought that this shouldn't even count as "Cross-domain". Can anyone shed some light on why this isn't working?
URLs should have a valid schema for CORS to kick in. While Chrome's address bar can prefix the schema for URLs, most AJAX libraries (jQuery, d3, etc.) do not smartly do it before making the request.
Appending http:// to the URL(s) should fix the problem.
I'm getting this error when trying to make an ajax request in a custom module:
XMLHttpRequest cannot load https://www.vossmarket.com/index.php/shoppinglist/index/showLists/product/4294/form_key/6erZKqom1ynOWDKI/qty/1/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.vossmarket.com' is therefore not allowed access.
I'm assuming the problem is that I am calling https from the http, but I'm not able to figure out why it is calling the https. I've turned off https in the magento config (I changed secure_base_url to http://vossmarket.com and I turned Use Secure URLs in Frontend to "no"). Now all links stay http, but when I visit my custom module, it is still redirecting (302) to https. This happens to every link http://vossmarket.com/shoppinglist (my custom module), any other route stays http, but any route that hits my module in any ways 302s to https
Any ideas what might be happening or the best way to fix it?
Have you tried putting a file called crossdomain.xml in your web root (accessible by both http and https), ie at http(s)://vossmarket.com/crossdomain.xml
This should help define that cross site origin is allowed between http and https.
In your case, I think the custom module is upset about being accessed over http and is sending the 302 to your browser, so it would be a case of studying the controller action of the custom module to figure out why it is forcing https (instead of asking Magento what the secure URL is).
Actually, if you try this crossdomain.xml you will need the browser to request https out of the http loaded page otherwise I think you will still get the 302 redirect - but with crossdomain.xml in place you should be able to XMLHttpRequest from http://vossmarket.com to https://vossmarket.com
But, you know, often there is good reason for https so I think you should understand why https is being forced and also I don't know about that XML secure="false" - does it really mean an https request is returned over http? I hope not but I don't know.
For more information read up on CORS although your 'cross domain' is http crossing to https.
I have an ajax call that really needs to be https. However, the page that it is being called from is http. The browser complains about restricted URI denied, presumably due to the same origin policy. Are there any known workaround for this?
Yes, that's same-origin policy stopping you. You have to use same workarounds as for cross-domain requests.
Requests from non-secure website are not secure, even if you're making requests to HTTPS URLs (because MITM attack can replace all "https" with "http"), so you should consider using HTTPS for the whole page.