I have created an ASP.NET Web API which uses CORS.
As IE7 doesn't support CORS, what would be the result if I made a request from another origin to this API, using IE7?
Am I right in saying that as IE7 is pre-CORS, this would allow the API to be requested, and bypass the cross-origin checks?
The same origin policy predates IE7. Any browser that does not support CORS will simply not allow you to make cross-domain ajax requests. The same origin policy is enforced in IE7. Perhaps JSONP is an option for you. Hard to say without more knowledge of your situation. If JSONP is not an option for you, the request must be proxied from a server on the same origin when using IE7.
Related
I am working on a project in which I have to send data from an Arduino using an HTTP POST request to my web REST API. I know web browsers do not allow cross-domain requests. So do I have to take care of the same-origin policy here or not? If yes, then while testing my API I use Fiddler, so isn't that cross-domain?
If the client making the request isn’t running in a browser, the same-origin policy doesn’t apply.
The “origin” concept and the notion of same-origin are in practice really only relevant to web apps running in browsers. Browsers are the only runtimes that enforce the same-origin policy. Runtimes other than browsers can all freely make cross-origin requests without restrictions.
So unless the client code you’re sending data from on the Arduino is running in a browser, you don’t need to worry about any cross-origin restrictions preventing you from doing anything.
I'm working on extensions for Firefox and Chrome. The data used by my extensions is mostly generated from ajax requests. The type of data being returned is private, so it needs to be secure. My server supports https and the ajax calls are being sent to an https domain. Information is being sent back and forth, and the extensions are working correctly.
My questions are:
Do the extensions actually make secure connections with the server, or is this considered the same as cross domain posting, sending a request from a http page to a https page?
Am I putting my users' information at more risk during the transfers than if the user were to access the information directly from an https web page in the browser?
Thanks in advance!
The browser absolutely makes a secure connection when you use HTTPS. Certainly, a browser would never downgrade the security of your connection without telling you: it will either complete the request as written or it will throw some sort of error if it is not possible.
Extensions for both Chrome and Firefox are permitted to make cross-domain AJAX requests. In Chrome, you simply need to supply the protocol/name of the host as a permission in your manifest.json. In Firefox, I think you may need to use Components.classes to get a cross-domain requester, as described in the MDN page for Using XMLHttpRequest, but I'm not 100% sure about that. Just try doing a normal request and see if it succeeds; if not, use the Components.classes solution.
I'm trying to make a secure authentication POST request from an HTTP domain to an HTTPS domain using Ajax. For Firefox, Chrome and other modern browsers, it's possible to do this using a CORS request. Unfortunately IE8 and IE9 don't support CORS, which makes this type of authentication difficult.
In point 7 of XDomainRequest - Restrictions, Limitations and Workarounds, Eric Law mentions a workaround for IE's limitation on HTTP-to-HTTPS cross-domain requests. However, while the workaround demo works for IE9, it doesn't work for IE8.
Is there any other workaround for IE8 to send a cross-domain POST request from an HTTP domain to an HTTPS domain?
Note that sending a JSONP GET request probably won't do, because passing user credentials in the authentication request's URL parameters means that the credentials would be recorded in web server log files. If those logs were compromised, then users' credentials would be compromised too.
The demo doesn't work because IE8 doesn't support the addEventListener method for adding event listeners. Instead, the demo should use the attachEvent method.
I have verified that it works in IE8 if the correct attachEvent method is used.
I have an ajax call that really needs to be https. However, the page that it is being called from is http. The browser complains about restricted URI denied, presumably due to the same origin policy. Are there any known workarounds for this?
Yes, that's the same-origin policy stopping you. You have to use the same workarounds as for cross-domain requests.
Requests from a non-secure website are not secure, even if you're making requests to HTTPS URLs (because a MITM attack can replace all "https" with "http"), so you should consider using HTTPS for the whole page.
Assuming a single page application accessed initially via HTTP that uses AJAX for all server interaction, is it possible to use HTTP for regular data transfers and then switch to AJAXian HTTPS requests for secure data transfers?
If so, how would the browser handle the certificate and locking notification when a HTTPS AJAX request was made?
If this is not possible, then are there any workarounds to mixing AJAX HTTP and AJAX HTTPS within the same page such as loading an iFrame for HTTPS?
Thanks!
Attempting to switch protocols will violate the same origin policy.
I am not sure how a workaround using iFrames would behave, but I think the browser may block access to the frame that was loaded as HTTPS, again due to the same origin policy.
I know this is an old post, but since I arrived here via a search engine it would be worth sharing what I've learned.
It is possible to use something called CORS, but as usual old MSIE has problems implementing it.
It should be as simple as sending additional HTTP headers:
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
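
Added example (not from any of the posts above) tying together two points on this page: browsers accept a single origin in this header, so a server that serves several origins echoes the matching one from an allowlist, and the check is enforced only by browsers, so a non-browser client reads the response regardless. The allowlist, token, handler and function names are constructed for illustration; preflight and credentialed-request rules are left out.

```javascript
// Constructed allowlist, reusing the two origins from the header line above.
const ALLOWED_ORIGINS = new Set(["http://example.com:8080", "http://foo.example.com"]);

// Server side: build the CORS response headers for one request.
// The header carries at most one origin, so echo the caller's Origin
// only when it is on the allowlist.
function corsHeaders(requestOrigin) {
  const headers = { Vary: "Origin" }; // stop caches reusing one origin's answer for another
  if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Hypothetical API handler. CORS headers do not stop the server from
// answering, so access control has to happen here (a constructed
// bearer-token check stands in for real authentication).
function handleRequest(req) {
  const headers = corsHeaders(req.headers.origin);
  if (req.headers.authorization !== "Bearer constructed-token") {
    return { status: 401, headers, body: "" };
  }
  return { status: 200, headers, body: '{"secret":42}' };
}

// Browser side (simplified model of the CORS check): a script on pageOrigin
// may read the response only if it is same-origin or the header matches.
function browserLetsScriptRead(pageOrigin, apiOrigin, response) {
  if (pageOrigin === apiOrigin) return true;
  const acao = response.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Non-browser client (Arduino, Fiddler): nothing inspects the header,
// so the body is readable whenever the server returned it.
function nonBrowserClientReads(response) {
  return response.status === 200 ? response.body : null;
}
```

The unlisted origin still receives a 200 with the body on the wire; only the browser withholds it from the calling script, which is why the token check, not the CORS header, is what protects the data.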