I'm trying to make a secure authentication POST request from an HTTP domain to an HTTPS domain using Ajax. For Firefox, Chrome and other modern browsers, it's possible to do this using a CORS request. Unfortunately IE8 and IE9 don't support CORS, which makes this type of authentication difficult.
In point 7 of XDomainRequest - Restrictions, Limitations and Workarounds, Eric Law mentions a workaround for IE's limitation on HTTP-to-HTTPS cross-domain requests. However, while the workaround demo works for IE9, it doesn't work for IE8.
Is there any other workaround for IE8 to send a cross-domain POST request from an HTTP domain to an HTTPS domain?
Note that sending a JSONP GET request probably won't due, because passing user credentials in the authentication request's URL parameters means that the credentials would be recorded in web server logs files. If those logs were compromised, then users' credentials would be compromised too.
The demo doesn't work because IE8 doesn't support the addEventListener method for adding event listeners. Instead, the demo should use the attachEvent method.
I have verified that it works in IE8 if the correct attachEvent method is used.
Related
I have created an ASP.NET Web API which uses CORS.
As IE7 doesn't support CORS, what would be the result if I made a request from another origin to this API, using IE7?
Am I right in saying that as IE7 is pre-CORS, this would allow the API to be requested, and by-pass the cross-origin checks?
The same origin policy predates IE7. Any browser that does not support CORS will simply not allow you to make cross-domain ajax requests. The same origin policy is enforced in IE7. Perhaps JSONP is an option for you. Hard to say without more knowledge of your situation. If JSONP is not an option for you, the request must be proxied from a server on the same origin when using IE7.
I have developed a web application that makes ajax requests to a web service on a server in a different domain from the server that hosts the web app.
I have configured the web service to do a pre-flight check to set the necessary headers to allow a cross domain request.
In the web app I am using a JQuery client to access the web service. I have set the properties on the Jquery command to allow cross domain access.
$.support.cors = true;
In Chrome this all works fine. In IE9, however the cross domain behavior is only partially successful. All get requests work. But post requests with a content-type of application/json fail because IE9 refuses to make post requests with any content-type except text/html. IE9 switches the content-type on the request and the request fails on the server with a 400 bad request.
I had read that with IE10 the cross domain request would work as in Chrome. But after just testing this, I find that IE10 has the same behavior as IE9. The browser will not set the content-type to application/json. So post requests fail.
Does anyone know whether it is possible in IE10 to do cross domain post requests with other content-types than text/html. This makes writing web apps that do anything more than display data extremely difficult.
Are there other settings I need to make on the Jquery request? Or in the service pre-flight?
What does your $.ajax() call look like? You could try adding data: 'json' to your JQuery call in order to force the data type to be json. You also shouldn't need to set $.support.cors = true;, JQuery should figure this out for you (but its ok to leave it in for now).
I do have the content type param set data: 'json'.
Chrome honors this but IE switches to text/html. I had read that this was a know issue in IE9 and below but that IE10 would be using the same ajax implementation as Chrome, but this is apparently not the case.
I'm working on extensions for Firefox and Chrome. The data used by my extensions is mostly generated from ajax requests. The type of data being returned is private, so it needs to be secure. My server supports https and the ajax calls are being sent to an https domain. Information is being sent back and forth, and the extensions are working correctly.
My questions are:
Do the extensions actually make secure connections with the server, or is this considered the same as cross domain posting, sending a request from a http page to a https page?
Am I putting my users' information at more risk during the transfers than if the user were to access the information directly from an https web page in the browser?
Thanks in advance!
The browser absolutely makes a secure connection when you use HTTPS. Certainly, a browser would never downgrade the security of your connection without telling you: it will either complete the request as written or it throw some sort of error if it is not possible.
Extensions for both Chrome and Firefox are permitted to make cross-domain AJAX requests. In Chrome, you simply need to supply the protocol/name of the host as a permission in your manifest.json. In Firefox, I think you may need to use Components.classes to get a cross-domain requester, as described in the MDN page for Using XMLHttpRequest, but I'm not 100% sure about that. Just try doing a normal request and see if it succeeds; if not, use the Components.classes solution.
Given all the coverage FireSheep has been getting, I have been trying to work out the best practices for balancing HTTP / HTTPS usage for some sites I manage (e.g. blogging sites, magazine sites with user contributed comments).
To me, its over kill to deliver all pages over HTTPS if the user is logged in. If a page is public (e.g. a blog) there is little point encrypting the public page. All I want to do is prevent session hijacking by sniffing cookies over HTTP channels.
So, one plan is:
Login form is over HTTPS
Issue two cookies: One cookie is 'public' and identifies there user for read only aspects (e.g. 'welcome bob!'). The second cookie is private and 'HTTPS only'. This is the cookie that is verified whenever the user makes a change (e.g. adds a comment, deletes a post).
This means that all 'changing' requests must be issued over HTTPS.
We use a lot of AJAX. Indeed, many comment forms use AJAX to post the content.
Obviously, I cant use AJAX directly to post content to a HTTPS backend from a HTTP frontend.
My question is: Can I use script injection (I think this is commonly called 'JSONP'?) to access the API? So in this case there would be a HTTP public page that sends data to the private backend by injecting a script accessed via HTTPS (so that the private cookie is visible in the request).
Can you have HTTPS content inside a HTTP page? I know you get warnings the other way around, but I figure that HTTPS inside HTTP is not a security breach.
Would that work? It seems to work in chrome and FF, but its IE that would be the party pooper!
Another way is to have an iframe which points to a https page that can make all kinds (GET, POST, PUT etc) of Ajax calls to the server over https (same domain as iframe is on https too). Once the response is back inside the iframe, you can post a message back to the main window using HTML5 postMessage API.
Pseudo code:
<iframe src="https://<hostname>/sslProxy">
sslProxy:
MakeAjaxyCall('GET', 'https://<hostname>/endpoint', function (response) {
top.postMessage(response, domain);
});
This works in all modern browsers except IE <= 7 for which you'll have to either resort to JSONP or cross domain communication using Flash.
The problem with JSONP is that you can only use it for GETs.
Can you have HTTPS content inside a
HTTP page? I know you get warnings the
other way around, but I figure that
HTTPS inside HTTP is not a security
breach.breach.
Including HTTPS content inside a regular HTTP page won't raise any alerts in any browser.
However, I don't think JSONP will help you out of this one. Using GETs to post content and modify data is a very bad idea, and prone to other attacks like CSFR
Assuming a single page application accessed initially via HTTP that uses AJAX for all server interaction, is it possible to use HTTP for regular data transfers and then switch to AJAXian HTTPS requests for secure data transfers?
If so, how would the browser handle the certificate and locking notification when a HTTPS AJAX request was made?
If this is not possible, then are there any workarounds to mixing AJAX HTTP and AJAX HTTPS within the same page such as loading an iFrame for HTTPS?
Thanks!
Attempting to switch protocols will violate the same origin policy.
I am not sure how a workaround using iFrames would behave, but I think the browser may block access to the frame that was loaded as HTTPS, again due to the same origin policy.
I know this is old post but since i arrived here by search engine it would be a worth to spill what I've learn.
It is possible to use something called CORS but as usual old MSIE has problem implementing it.
It should be simple as sending additional HTTP headers:
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com