Call web service over HTTP on HTTPS page - ajax

I am having problems calling a web service using AJAX via HTTP when it's on an HTTPS page.
Is this a cross-domain/protocol problem? Do I need to do the AJAX call in the same protocol as the page?
Just wondering if it's the same problem as trying to do an HTTPS AJAX call when on an HTTP page, I suspect it is.
Any advice appreciated.
Thanks
Duncan

Yes, the protocol is part of the same origin policy.

Don't do that. You run a serious risk of someone intercepting and modifying just the HTTP traffic to break your security.
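Added example, not part of the original thread: the answers above come down to comparing the (scheme, host, port) of the page with that of the request. The sketch below does that comparison and flags the HTTPS-page-to-HTTP case the second answer warns about; `originOf` and `classifyRequest` are hypothetical names and the `shop.example` URLs are constructed.

```javascript
// Added example: classify an AJAX request by origin, as the answers describe.

// An origin is the (scheme, host, port) triple. URL leaves default ports
// empty, so fill them in to make the comparison explicit.
function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(":", "");
  const defaults = { http: "80", https: "443" };
  return { scheme, host: u.hostname, port: u.port || defaults[scheme] || "" };
}

function classifyRequest(pageUrl, requestUrl) {
  const page = originOf(pageUrl);
  // Relative request URLs resolve against the page and inherit its origin.
  const target = originOf(new URL(requestUrl, pageUrl).href);
  const differs = ["scheme", "host", "port"].filter((k) => page[k] !== target[k]);
  if (differs.length === 0) return { verdict: "same-origin", differs };
  if (page.scheme === "https" && target.scheme === "http") {
    // Secure page, plaintext request: the interceptable case. Current
    // browsers block this for XHR/fetch as mixed content.
    return { verdict: "insecure-downgrade", differs };
  }
  // Readable by script only if the target server opts in with CORS headers.
  return { verdict: "cross-origin", differs };
}

// Constructed samples, plus the two host pairs named in the related questions.
const samples = [
  ["https://shop.example/cart", "/api/price"],
  ["https://shop.example/cart", "http://shop.example/api/price"],
  ["http://www.vossmarket.com/", "https://www.vossmarket.com/index.php/"],
  ["http://server01.test.net/app", "http://mail.test.net/inbox"],
];
for (const [page, request] of samples) {
  const { verdict, differs } = classifyRequest(page, request);
  console.log(`${page} -> ${request}: ${verdict} [${differs.join(", ")}]`);
}
```

A scheme change alone shows up as a difference in both scheme and port, because the default port changes with it.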

Related

Enabling CORS on the client side

I'm creating a web application that will run on a server that I cannot manage or modify in any case.
Within that application, I need to execute an AJAX call to a different server.
This will always be blocked by the 'Same Origin Policy'.
Where server01.test.net is the webserver and mail.test.net is the second server.
Is there a way to enable CORS by any means on the client side, as I'm not able to add the 'Access-Control-Allow-Origin "*"' on the server? Or any other workaround?
Thanks
CORS is an option with the SERVER. In no way can a client enable CORS by themselves.
If the client were allowed to do that, the whole purpose of CORS would be defeated.
If the server you are calling does not support CORS, you will not be able to make the request to the third-party server using AJAX.
You will have to resort to setting up a pass-through AJAX route in your application. The client (browser) makes a request to your AJAX route which proxies the call to the third-party server and returns the result. Because the third-party request is happening on the server rather than the browser, Same Origin Policy doesn't apply.
This approach means there will be an additional request that wouldn't be necessary if you could use CORS, but there really isn't another option.
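Added example, not part of the original answer: a pass-through route of the kind described above, written as a Node-style handler. The upstream base path `/api/`, the `/proxy/` prefix, the route allowlist and the function names are assumptions; the upstream is pinned so the route cannot be used to reach arbitrary hosts.

```javascript
// Fixed upstream: host from the question, "/api/" path is an assumption.
const UPSTREAM = new URL("https://mail.test.net/api/");
// Constructed allowlist of upstream routes the browser may reach through us.
const ALLOWED = [/^messages$/, /^messages\/\d+$/];

// Map "/proxy/<rest>" on our own origin to a URL under UPSTREAM, or null.
function upstreamUrlFor(requestPath) {
  const m = /^\/proxy\/([^?#]*)(\?[^#]*)?$/.exec(requestPath);
  if (!m) return null;
  const rest = m[1];
  if (!ALLOWED.some((re) => re.test(rest))) return null;
  const target = new URL(rest + (m[2] || ""), UPSTREAM);
  // Defence in depth: the resolved URL must still sit under the fixed upstream.
  const inside = target.origin === UPSTREAM.origin &&
    target.pathname.startsWith(UPSTREAM.pathname);
  return inside ? target : null;
}

// (req, res) handler, e.g. for http.createServer(proxyHandler).
// fetchImpl is injectable so the handler can be exercised offline.
async function proxyHandler(req, res, fetchImpl = fetch) {
  const target = req.method === "GET" ? upstreamUrlFor(req.url) : null;
  if (!target) {
    res.writeHead(404);
    return res.end();
  }
  try {
    // The browser's cookies and auth headers are deliberately not forwarded,
    // and upstream redirects are refused rather than followed elsewhere.
    const upstream = await fetchImpl(target, {
      headers: { accept: "application/json" },
      redirect: "error",
    });
    const body = await upstream.text();
    const type = upstream.headers.get("content-type") || "text/plain";
    res.writeHead(upstream.status, { "content-type": type });
    res.end(body);
  } catch {
    res.writeHead(502);
    res.end();
  }
}
```

Because the browser only ever talks to its own origin, no CORS headers are involved; the cost is that the application server now carries the upstream traffic and must decide which routes it exposes.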

Magento Ajax Request Not Working In Custom Module

I'm getting this error when trying to make an ajax request in a custom module:
XMLHttpRequest cannot load https://www.vossmarket.com/index.php/shoppinglist/index/showLists/product/4294/form_key/6erZKqom1ynOWDKI/qty/1/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.vossmarket.com' is therefore not allowed access.
I'm assuming the problem is that I am calling https from http, but I'm not able to figure out why it is calling https. I've turned off https in the Magento config (I changed secure_base_url to http://vossmarket.com and I turned Use Secure URLs in Frontend to "no"). Now all links stay http, but when I visit my custom module, it is still redirecting (302) to https. This happens to every link under http://vossmarket.com/shoppinglist (my custom module); any other route stays http, but any route that hits my module in any way 302s to https.
Any ideas what might be happening or the best way to fix it?
Have you tried putting a file called crossdomain.xml in your web root (accessible by both http and https), i.e. at http(s)://vossmarket.com/crossdomain.xml?
This should help define that cross site origin is allowed between http and https.
In your case, I think the custom module is upset about being accessed over http and is sending the 302 to your browser, so it would be a case of studying the controller action of the custom module to figure out why it is forcing https (instead of asking Magento what the secure URL is).
Actually, if you try this crossdomain.xml you will need the browser to request https out of the http loaded page otherwise I think you will still get the 302 redirect - but with crossdomain.xml in place you should be able to XMLHttpRequest from http://vossmarket.com to https://vossmarket.com
But, you know, often there is good reason for https so I think you should understand why https is being forced and also I don't know about that XML secure="false" - does it really mean an https request is returned over http? I hope not but I don't know.
For more information read up on CORS although your 'cross domain' is http crossing to https.

Ajax post via https from an http page

I have an ajax call that really needs to be https. However, the page that it is being called from is http. The browser complains about restricted URI denied, presumably due to the same origin policy. Are there any known workarounds for this?
Yes, that's the same-origin policy stopping you. You have to use the same workarounds as for cross-domain requests.
Requests from a non-secure website are not secure, even if you're making requests to HTTPS URLs (because a MITM attack can replace all "https" with "http"), so you should consider using HTTPS for the whole page.

HTTPS request via AJAX from HTTP page

Would there be any problems calling an HTTPS page (e.g. a credit card authorisation service i.e. WorldPay) from a standard HTTP page via AJAX?
I can't imagine why there would be a problem, the response would be an HTML page which I could then embed in a result pane or such like?
Yes, this would be a cross-domain posting and would be blocked by the browser.
Anthony is right, but what you could do is create a local page that the AJAX calls and that communicates with the HTTPS service via cURL or something else and returns. That way everything is done locally according to JavaScript.

Can Ajax HTTP and HTTPS work side by side?

Assuming a single page application accessed initially via HTTP that uses AJAX for all server interaction, is it possible to use HTTP for regular data transfers and then switch to AJAXian HTTPS requests for secure data transfers?
If so, how would the browser handle the certificate and locking notification when a HTTPS AJAX request was made?
If this is not possible, then are there any workarounds to mixing AJAX HTTP and AJAX HTTPS within the same page such as loading an iFrame for HTTPS?
Thanks!
Attempting to switch protocols will violate the same origin policy.
I am not sure how a workaround using iFrames would behave, but I think the browser may block access to the frame that was loaded as HTTPS, again due to the same origin policy.
I know this is an old post, but since I arrived here by search engine it would be worth sharing what I've learned.
It is possible to use something called CORS, but as usual old MSIE has problems implementing it.
It should be as simple as sending additional HTTP headers:
Access-Control-Allow-Origin: http://example.com:8080 http://foo.example.com
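Added example, not part of the original answer: the server side of CORS for the two origins named in the header above. Browsers compare `Access-Control-Allow-Origin` against a single origin (or `*`), so a server with several permitted callers checks the request's `Origin` against an allowlist and echoes the matching one; `corsDecision`, the method list and the max-age value are assumptions.

```javascript
// Origins taken from the header in the answer above; the rest is constructed.
const ALLOWED_ORIGINS = new Set(["http://example.com:8080", "http://foo.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];

// Decide the CORS part of a response.
// `req` is a plain object: { method, headers } with lower-cased header names.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // Vary: Origin keeps shared caches from serving one caller's headers to another.
  const headers = { Vary: "Origin" };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // No CORS headers: the browser withholds the response from the calling script.
    return { status: req.method === "OPTIONS" ? 403 : 200, headers };
  }
  // Exactly one origin, echoed back only after the allowlist match.
  headers["Access-Control-Allow-Origin"] = origin;
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) {
    // Preflight: state what the real request may use and send no body.
    if (!ALLOWED_METHODS.includes(wanted)) {
      return { status: 403, headers: { Vary: "Origin" } };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  return { status: 200, headers };
}

// Constructed requests: an allowed origin, the same host without its port,
// and a preflight for a POST.
const demo = [
  { method: "GET", headers: { origin: "http://foo.example.com" } },
  { method: "GET", headers: { origin: "http://example.com" } },
  { method: "OPTIONS", headers: { origin: "http://example.com:8080",
      "access-control-request-method": "POST" } },
];
for (const req of demo) console.log(req.headers.origin, corsDecision(req));
```

The second request is refused even though the host matches, because the port is part of the origin.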